Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC).CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Best Practices During Software Development
The software development life cycle is the framework for how software should be created and upgraded.
- Plan/initiate project
- Gather requirements
- Perform change management and configuration management/replacement
Security Requirements Definition
During the gather requirements step, the security requirements should also be gathered in additional to the functional requirements. Potential vulnerabilities and threats should be identified in the requirements. The data that will be produced by the application should also be evaluated for sensitivity.
Security Testing Phases
- Static Code Analysis: Done without executing the code.
- Data flow analysis: Looks at runtime information in a static state.
- Control flow graph: Graph components and their relationships including entry and exit points.
- Taint analysis: Identifies variables that are tainted with user-controllable input.
- Lexical analysis: parses the code into tokens to abstract it and make it easier to manipulate for testing.
- Web App Vulnerability Scanning: Scan web applications using either synthetic transactions or real user monitoring (RUM). Examples include Nessus, Nexpose and Nikto.
- Fuzzing: Injects invalid or unexpected input into applications to see how it reacts. Usually an automated process.
- Mutation fuzzing: Changes the existing input values blindly.
- Generation-based fuzzing: generates new inputs from scratch
- Use Interception Proxy to Crawl Application: An example is the OWASP Sed Attack Proxy (ZAP) , analyzes requests and responses to the application
Manual Peer Reviews
- Over-the-shoulder: Developer looks over the author’s shoulder while walking through the code.
- E-mail pass-around: New code commits are e-mailed to the team for review
- Pair programming: Two authors work together to create the code.
- Tool-assisted code review: Peer code review facilitated by tools.
User Acceptance Testing
Make sure that the application is both secure and still usable
- Mirror the testing environment with the live environment.
- Identify use cases for execution
- Select UAT staff from various departments
Stress Test Application
Determine the load that an application can withstand.
- Identify test objectives by the desired outcomes.
- Identify key scenarios to test
- Identify the workload
- Identify the metrics for testing
- Create test cases
- Simulate the load
- Analyze the results
Security Regression Testing
Any changes to software should be regression tested to make sure the changes have not reduced the security of the software.
- Unit Regression: Tests the new code as a single unit
- Partial regression: New code is used with the old code.
- Complete regression: Final type of regression testing.
Many attacks use a lack of input validation as a way to exploit an application. Input validation checks all inputs to make sure it is the proper format and length. Input validation will look for certain characters that should not be in the input and things like SQL injections.
Secure Coding Best Practices
The Open Web Application Security Project (OWASP) is a group that maintains a list of the top 10 attacks on web applications. It provides resources and tools for testing, code review and development.
- Software Assurance Maturity Model: Guidance on continuous improvement for software development
- Development Guide: Tips on secure coding practices
- Testing Guide: Framework for pentesting
- Guide to Building Secure Web Applications: Best practices for secure web applications.
- Code Review Guide: Advice on code review
- Testing Guide: Code test guidelines
- Application Security Verification Standards: basis for testing security controls for web applications
The SysAdmin, Audit, Network and Security Institute (SANS) provides guidelines for secure development and sponsors the Global Information Assurance Certification (GIAC). GIAC helps train and certify developers in secure coding practices.
Center for Internet Security
CIS is funded in part by SANS and is a non-for-profit organization. It compiles the CIS Security Controls and organizes them into the top 20. They also provide benchmarks for technical settings for OS, software and network devices.