Software Development Activities

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:00
>> Software development activities.
00:00
The learning objectives for this lesson are to
00:00
define formal methods of integrating security,
00:00
describe testing approaches,
00:00
describe continuous delivery methods,
00:00
and to evaluate web application security concepts.
00:00
Let's get started. This is
00:00
the software development life cycle,
00:00
it begins with planning.
00:00
This is where all the ideas and
00:00
requirements are put together
00:00
to have a formalized idea of what you want the app to be.
00:00
From there, we take it to the solution,
00:00
this is where the formal requirements for the app are
00:00
taken from everything that
00:00
was done in the planning stage.
00:00
Then we move to the coding stage where
00:00
the requirements are built.
00:00
The actual coding will take
00:00
place here to develop the product.
00:00
Once the product is ready for testing,
00:00
we will move to the testing stage.
00:00
This is where the app will be put through its paces to
00:00
make sure that it lines up with the requirements.
00:00
Finally, we move to release,
00:00
this is where the product is released to the end-users.
00:00
However, the current software development life cycle
00:00
has its limitations as far as security is concerned.
00:00
Security isn't added into every part of the cycle,
00:00
it's usually an afterthought
00:00
that is bolted on afterwards.
00:00
This is a very dangerous approach for
00:00
software development because there
00:00
could be fundamental issues with the product from
00:00
the very beginning that cannot be
00:00
addressed by security on the back end.
00:00
In addition to that, our current SDLC
00:00
lacks a formal approach to adding
00:00
security into the creation of new apps.
00:00
Testing approaches, regression testing.
00:00
When you're developing software and you make changes,
00:00
did any of the changes cause previously
00:00
existing functionality or features to fail?
00:00
This is what regression testing will let you know.
00:00
Next we have unit testing,
00:00
this makes sure that a block of code performs
00:00
exactly what it was supposed to do.
00:00
If it was supposed to perform this function,
00:00
then you want to make sure that it only performs
00:00
that function and it does it
00:00
exactly the way it's supposed to.
00:00
Next, we have integration testing,
00:00
this is where we take individual
00:00
components and then we test
00:00
them together to ensure that
00:00
they work together as expected.
00:00
Development approaches, first,
00:00
we have the waterfall model.
00:00
The key to remember about this is,
00:00
you have to complete
00:00
each phase before moving on to the next one.
00:00
Because of that waterfall is considered very rigid.
00:00
Code checks are performed at the end of
00:00
each phase before you can move on to the next.
00:00
We start with the requirement phase,
00:00
then the design, then implementation,
00:00
verification and finally maintenance.
00:00
The next development method we will
00:00
discuss is the spiral method.
00:00
Development has been modified
00:00
continually through the process
00:00
from stakeholder feedback a product is released,
00:00
receives feedback, it is
00:00
modified and that's a continual cycle.
00:00
Risk analysis performed at each interactive step.
00:00
It's well suited for large complex projects.
00:00
Next we have the Agile model.
00:00
This uses iterative processes
00:00
to release well-tested code in smaller blocks.
00:00
Development is considered to be continuous,
00:00
it is adaptive to allow for changes throughout
00:00
the process and it focuses on rapid deployment,
00:00
often at the expense of security.
00:00
The thing to keep in mind about Agile is they
00:00
want it fast and it's always moving.
00:00
It's not rigid like the waterfall method is.
00:00
SecDevOps, there are
00:00
two main requirements for SecDevOps.
00:00
The first is security as code,
00:00
this uses automated methods for
00:00
static code testing and dynamic application testing.
00:00
We also have infrastructure as code,
00:00
uses configuration management tools
00:00
to control code changes.
00:00
Examples of this would be Puppet and Ansible.
00:00
You want to consider requiring security to be
00:00
included in all decisions plans and coding.
00:00
It requires developers to have strong understanding of
00:00
possible vulnerabilities and must
00:00
use version control for code changes.
00:00
Following this process ensures that you
00:00
develop secure code from
00:00
the outset all the way through to deployment.
00:00
This is a much more time-consuming process
00:00
and also requires
00:00
deeper understanding of what you're trying
00:00
to do and how that works with security.
00:00
Instructor side note.
00:00
You might want to look at Ansible for your own network,
00:00
it's not just useful for code
00:00
and for code management, that type of thing.
00:00
It will also allow you to rapidly deploy
00:00
configurations or keep devices at a specific baseline.
00:00
Ansible makes use of playbooks,
00:00
and these can be deployed for
00:00
configuration management and updates.
00:00
For example, if you're deploying many Linux servers,
00:00
you can use an Ansible playbook that will automatically
00:00
configure that server to
00:00
the standard or the baseline that you're looking for.
00:00
It will ensure that it has
00:00
the specific apps that you're looking for installed,
00:00
configuration changes, that type of
00:00
thing done automatically for you.
00:00
I use Ansible to keep all of
00:00
our devices up-to-date and current,
00:00
and also to make sure that
00:00
they stay at a certain baseline,
00:00
that things aren't deviating from that.
00:00
Continuous delivery methods.
00:00
First we have is continuous integration
00:00
DevOps should commit and test updates often.
00:00
Next we have continuous delivery.
00:00
Testing the infrastructure that supports the app,
00:00
networks, databases, client software insecurity.
00:00
Next is continuous deployment.
00:00
This utilizes configuration management tools to
00:00
make changes to the production environment.
00:00
Finally, we have continuous validation.
00:00
Feedback from delivery and development
00:00
is monitored and evaluated to ensure
00:00
goals are meeting user
00:00
needs this also must stay with secure config baselines.
00:00
Web Application Security Concepts.
00:00
OWASP, or the Open Web Application Security Project is
00:00
something you really need to get to know if
00:00
you're developing web applications.
00:00
They are a non-profit online community that
00:00
creates an publishes guides for secure app creation.
00:00
The next thing you want to consider is
00:00
HTTP headers these are
00:00
security options they can be set in headers,
00:00
returned by a web server to a client.
00:00
There are quite a few of them,
00:00
but some of the examples are
00:00
HTTP Strict Security Transport,
00:00
DSTS, X- Frame Options,
00:00
XFO, X-Content-Type-Options and others.
00:00
OWASP also has their own secure headers project,
00:00
these are recommendations for
00:00
HTTP response headers for increased security.
00:00
You can get all their information at the OWASP website.
00:00
Also keep in mind that Cybrary has
00:00
their own course on the OWASP Top
00:00
10 and these are
00:00
the most common vulnerabilities for web applications.
00:00
Summary, we went
00:00
over integrating security into development,
00:00
we also discussed software testing approaches.
00:00
We went over continuous delivery methods
00:00
and then Web Application Security concepts.
00:00
Let's do some example questions. Question 1.
00:00
Which development model uses
00:00
interactive processes to really smaller blocks
00:00
of code that had been well-tested?
00:00
This is the Agile model.
00:00
Question 2. What organization
00:00
publishes a top 10 list of
00:00
the most critical application security risks?
00:00
OWASP. Question 3.
00:00
Which stage of the software
00:00
development life-cycle is responsible
00:00
for gathering all of
00:00
the necessary information on
00:00
how an application should function?
00:00
Planning and requirements gathering.
00:00
Finally question 4.
00:00
Which type of testing seeks to find if any changes in
00:00
code have caused previously existing functions
00:00
or features to fail?
00:00
Regression testing. I hope
00:00
this lesson was useful for
00:00
you, and I'll see you in the next one.
Up Next