CompTIA Security+ SY0-601 Topic: 2.3 Secure Application Development, Deployment, and Automation Concepts.
December 13, 2022
1. Software Development Environment

In this video, I’m going to be talking about development environments. Well, let’s talk about what exactly these environments are about. So when programmers are working inside of an organization, they are going to be using a whole separate network to do things such as develop the code, test the code, and stage the code before the code goes into production. So that’s what this video is about. These are different environments that we’re going to be using.

To begin with, when developers are programming, they may be on a separate network from the production network because they do not want production traffic, which may contain malware, cause various issues, or even slow down their application. They prefer to be in a more secure environment that they can control because they may be performing various types of testing or anything else within that environment.

Now let’s take a look at some of these terms that we need to know. For example, the first one we have is a development environment. The development environment is where they’re going to write the code. So in the development environment, they’re going to be writing the code for the application on that network. Now this is going to go on for a while as they actually write the code for it. But when they’re done, they’re going to have to test the code.

So then they put it in; the next thing is to test the code. So the testing environment is where they will put the code they wrote to the test. Now there’s a variety of different tests that they can run. There is static testing, when they actually test the source code itself. There’s another thing called “dynamic testing,” when they actually run the code and see how it works. So there are a variety of different tests that they’re going to have to do.

Now once they have finished testing the code, they’re going to set it up in what looks like a production environment. This is called staging. Staging is when they’re going to push it into an environment that mimics the production environment. But it’s not. It’s set up with the same software versions and hardware (routers, switches) as production, as well as any different versions of Windows they may have, such as the type of Java they’re running on their machine,

or the Microsoft Office that is running, in order to test all of the different variables that can affect the application. Eventually it goes into production, and this is going to be the live environment. So in production, it’s the live environment. It’s hitting the users, who are starting to use the application. And the last thing here is quality assurance.

So the quality assurance environment, well, as they are using the application, they have to verify that the application is working correctly. They have to verify that the application meets the customer’s needs, and customers are basically happy with the application. That would be in quality assurance. Okay, so these are some of the different environments that we should be familiar with, for example, and what they do when it comes to developing software.

2. Secure Coding Techniques

In this video, I’m going to be going over some different secure software coding practices that we should know for our exams. So let’s get started. Okay? And this video is going to go through a whole bunch of terms. So I do recommend that you get out some paper and make some notes as I’m going through it. Don’t forget, this comes right out of your exam objectives. Okay? So let’s take a look at some terms here. The first thing I have up my sleeve is provisioning and deprovisioning. Making data available to users is what provisioning entails.

Deprovisioning will mean that something is not available anymore. See? Not AV, right? Not available. So provisioning an application is when you say it can be used and then push it out to the end user. So, for example, let’s say somebody makes an Android app, and when they finish making the app, the company tests it. Apple evaluates it. They like it. It’s not malware. They provision it. It hits the app store. You can download the Android store and then download it. However, after a while, they may determine that the application is of poor quality, and you will most likely want to release a new version of it. So they deprovision it, and it’s out of service. It is no longer available to users. Another term we want to know about is integrity measurement. Integrity testing ensures that an application is coded correctly and that its functionality remains consistent. So first of all, you have to understand the term “integrity.”

So integrity means checking changes, right? Integrity is about modification. If something has an unexpected modification, you would say it loses its integrity. So what happens is that while applications are being used by users, their code may be changed. So we need to have software or ways to measure the changes within the application to ensure that the changes don’t affect the functionality of the application. This is called integrity measurement. We’re measuring the changes in the application to see if there are any changes, and if there are, we can revert it, reinstall new versions of it, or check to see why that’s happening.
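The integrity-measurement idea above, worked as an added example that is not part of the course transcript: take a baseline of SHA-256 hashes of an application's files, re-measure later, and report what was modified, added or removed. The application directory, its files and the tampering are constructed inside a temporary directory.

```python
"""Integrity measurement of an application's files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def measure(app_dir: Path) -> dict:
    """Measure every file under app_dir: {relative path: sha256 hex digest}."""
    return {
        str(p.relative_to(app_dir)): hash_file(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed between the baseline and a new measurement."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, then alter one file and drop in another."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "app.py").write_text("print('hello world')\n")
        (app / "config.ini").write_text("debug = false\n")
        # In practice the baseline is kept somewhere the application cannot write to.
        saved_baseline = json.dumps(measure(app))
        # Simulate an unexpected modification and an extra file appearing later.
        (app / "config.ini").write_text("debug = true\n")
        (app / "extra.py").write_text("import os\n")
        return compare(json.loads(saved_baseline), measure(app))


if __name__ == "__main__":
    print(demo())
```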

So it’s called integrity measurement. Okay. So now we embark on a pretty large set of topics. This is known as secure coding techniques, and we have a lot of them here. Now, I don’t anticipate your exam delving too deeply into these topics. So you really only need to know what they are and have some examples of what they are.

Okay, let’s start off with the first term. We’re going to need to know something called “normalization.” Normalization is generally performed on databases. Okay? So database normalization is what they do. They go through the database and find redundant, repetitive information, and they get rid of it. They basically break up the database or remove fields that are not needed in order to remove redundant data. So normalization: when databases are finished normalizing, they will run a whole lot faster and cleaner without all this repetitive information.

I’m going to draw a database for you, and I’ll show you what I mean by this. So before I get into this, remember that databases, whether it’s Oracle, MySQL, MS SQL, or something else, are based on tables. So I’m going to draw you guys a quick diagram of what they look like. And then you’ll see how, without normalization, I’m going to be repeating data. And then I’m going to create a relationship. I’ll break up the database, and I’ll normalize it. And then we also talk about stored procedures. All right? So let’s get started. I’m going to leave and basically draw some tables. Remember the table structure. So in a database, you’re going to have tables, right? So a table will now have fields on them. So let’s say you have a tool that tracks your customers. So let’s say you’re going to have an ID field, the customer ID.

This is a unique field that uniquely identifies the customer. This is going to be known as the “PK,” or primary key. The primary key in the table basically specifies that that field uniquely identifies each record. This field cannot have any repeated values, like your Social Security number. And let’s say we have the first name, the last name, and the address of the person. And I’m going to create a bad database here. Let’s say we have a database that tracks sales. So let’s say we sell books. Okay? Now I’m not going to add more. You may want to add the price and the date that they paid for the book. For the time being, just put sales. OK, so this is my table. And let’s say I have my first record. Let’s say my first record is ID number one.

His name is Bob. Bob Jones. His address is 1, 1, 1. And he bought a book for Excel. And then number two, I have Mary, Mary J. Alright, did you get it, Mary J.? Let’s put in number two here. And we’re putting together a PowerPoint book. Okay, so here’s the problem, though. What happens if Bob comes back? Bob wants to buy a PowerPoint book like Mary J. has. So what happens now? Well, now I have to repeat the data. I have to make a whole new record again. So I’m going to add record number three. We already have Bob, but there’s no other way to do this in this database. This is a really bad database, right? Because I now have to add Bob J. with the same address for a PowerPoint presentation. Now look at this database. This database here, this table, has repeated information.

So what I’m going to do is normalize it. I’m going to remove the sales field from here, all right? Oops, I don’t want to take that line out of there, but we’ll remove the sales view from here. And you know what we’ll add back in—we’ll see addresses. We’ll put it on CD this time, all right? So put some data in, some data in, some data in. All right. So we don’t have the address information in there. We don’t need to store Bob’s record again. So let’s take out the author, right? So we don’t need Bob’s information. So what I’m going to do is make another table. And in this table, we’re going to have the order ID. We’ll use a customer ID to create a link to the other one. Then I’ll have the sale information. So watch this. Now, so this is going to create a relationship between the customer ID here and the customer ID here.

So this is actually what database designers do, all right? What they do is come up with all the data, and then they have to sort it into tables. They must connect them. This one here, we’re going to say, is a one. Let us place a one-to-infinite sign, indicating a one-to-many relationship. So what this is saying is that one customer can have many orders. So, Bob, let’s do it again. So we’re going to see that order number one was from customer Bob, and he bought an Excel book. Order number two was Mary’s.

She bought a PowerPoint book. And then we can say order number three was Bob again, and he bought an Excel book. Now, I don’t need to keep repeating the data over and over and over. Why? Well, because now I have another table to store that. And just to keep the customer ID straight, all I’m repeating here is the customer ID. That’s all I’ve been repeating, not all that data. So this would be like normalizing your database, right? Removing all that redundant data. This is good database design. Returning here to coding techniques: this would be normalization. The next thing we want to talk about is stored procedures. So a stored procedure would be when you extract data from different tables. Now, stored procedures are good coding practice; never give access to the entire table.

Let’s say the application has to have a report, and all the application needs to know is how many customers live in a particular city, right? So you have an application that needs a report. Now the report wants just this field of cities. So what you could do is give this report access to this table, right? No, you don’t want to do that because you know why? Now the report has access to all the fields in the table. So what you’re going to do is make a stored procedure. A stored procedure is similar to a database query. You’re going to make it a stored procedure that basically just has access to the city field, then give the report access to that while the procedure has access to the table.

So stored procedures allow you to query the database, pulling out only certain information that you want. This is better coding practice. You don’t want to give applications or specific parts of applications access to the tables because the tables contain all the data. So you create a query or a stored procedure that extracts specific information from it and then pass it to the report or that section of the application. Okay, going back here, let’s take a look. Now, obfuscation or camouflage. Obfuscation basically consists of hiding or camouflaging. It’s best for me to show you this. Watch me spelling this word.
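The normalization and stored-procedure points above, worked together as an added example that is not part of the course transcript. It rebuilds the instructor's bookshop in SQLite: the "bad" flat table that repeats Bob's details on every sale, the normalized customers/orders pair linked one-to-many by customer_id, and a report that is only allowed to see per-city customer counts. SQLite has no stored procedures, so a VIEW plus a connection authorizer plays that role (the view reads the table; the report may read only the view). All names, addresses and sales are constructed.

```python
"""Normalization and least-privilege data access in SQLite (added example)."""
import sqlite3

# Constructed data. Bob buys twice, so a flat design has to store him twice.
CUSTOMERS = [
    (1, "Bob", "Jones", "111 First St", "Springfield"),
    (2, "Mary", "J", "222 Second St", "Springfield"),
    (3, "Alice", "Smith", "333 Third St", "Shelbyville"),
]
SALES = [(1, "Excel book"), (2, "PowerPoint book"), (1, "PowerPoint book")]


def flat_table_duplicates(conn):
    """Build the unnormalized table and count how many customer rows are repeats."""
    conn.execute("""CREATE TABLE sales_flat (
        id INTEGER PRIMARY KEY, first TEXT, last TEXT, address TEXT, city TEXT, sale TEXT)""")
    by_id = {c[0]: c for c in CUSTOMERS}
    for n, (cid, sale) in enumerate(SALES, start=1):
        _, first, last, address, city = by_id[cid]
        conn.execute("INSERT INTO sales_flat VALUES (?,?,?,?,?,?)",
                     (n, first, last, address, city, sale))
    total, distinct = conn.execute(
        "SELECT COUNT(*), COUNT(DISTINCT first || last || address) FROM sales_flat"
    ).fetchone()
    return total - distinct


def normalized_schema(conn):
    """Customers stored once, orders many: one-to-many through the customer_id key."""
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("""CREATE TABLE customers (
        customer_id INTEGER PRIMARY KEY, first TEXT, last TEXT, address TEXT, city TEXT)""")
    conn.execute("""CREATE TABLE orders (
        order_id INTEGER PRIMARY KEY,
        customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
        sale TEXT)""")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders (customer_id, sale) VALUES (?,?)", SALES)
    # Stands in for the stored procedure: exposes only what the report needs.
    conn.execute("""CREATE VIEW city_counts AS
        SELECT city, COUNT(*) AS customers FROM customers GROUP BY city""")


def restrict_report(conn):
    """Least privilege for the report's code path: the base tables may be read
    only when the read happens on behalf of the city_counts view."""
    def authorizer(action, table, column, dbname, source):
        if (action == sqlite3.SQLITE_READ
                and table in ("customers", "orders")
                and source != "city_counts"):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def city_report(conn):
    """What the report is allowed to see: (city, number of customers)."""
    return conn.execute("SELECT city, customers FROM city_counts ORDER BY city").fetchall()


def direct_read_denied(conn):
    """True if reading customer addresses straight from the table is refused."""
    try:
        conn.execute("SELECT address FROM customers").fetchall()
        return False
    except sqlite3.DatabaseError:
        return True


def demo():
    conn = sqlite3.connect(":memory:")
    dupes = flat_table_duplicates(conn)
    normalized_schema(conn)
    bob_orders = conn.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = 1").fetchone()[0]
    restrict_report(conn)  # from here on, behave as the report's connection
    return {"flat_duplicates": dupes, "bob_orders": bob_orders,
            "city_report": city_report(conn),
            "direct_read_denied": direct_read_denied(conn)}


if __name__ == "__main__":
    print(demo())
```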

You guys know I can’t spell. I know; everybody knows I can’t spell. I’m going to show you guys what this is. So what this means is that when coders write applications, they want to hide their code. So what they can do is obfuscate the code. And what this does is that it basically hides the code from other people. Now, it’s not 100% fail-proof, but it helps. So I have a free tool that does this. So let’s say you have code, and they give you an example here.

So obfuscator.io is the link here. So I would go in here, and you will notice that this is just plain JavaScript code. Notice the function. Basically, when you run this code, it says “hello world.” So it’s a function that says “Hello,” and it just basically pops up and says “Hello world.” If you ever want to run some JavaScript, you could just type JavaScript Online Editor or Compiler. Here we go. And you can just click on one of these links here, say Open Editor. By the way, the name of the link here is playcode.io. And by the way, they have it here too. I mean, it’s very famous code. Here, I’m going to copy this and show you that this is actual code. So, if I come in here and run it, you won’t notice anything because all this thing does is return Hello World. But this is just some simple JavaScript code that’s there.

So I want to show you what happens when we obfuscate it. Let’s see, right, so when you obfuscate the code, it basically somewhat hides it, right? So then you can download it, and I’ll tell you exactly what it is. It can obfuscate it to make it more complex, depending on what you’re doing, right? It becomes more complex if you do a quick refresh. So now keep in mind that it’s trying its best to hide it, but it’s not 100% fail-proof. I mean, if you closely look at it, you can still see a little bit of the code tied in there, like “hello, world.” But it makes it harder, right? It makes it harder for people to find, and that’s all this thing does. Okay? Code reuse and dead code. So code reuse means reusing code again.

Now, in order for code to be reused, you want to make sure that the code itself is good. You want to make sure that the code itself has been tested and is secure. You just don’t want to keep reusing that code. Now, programmers are famous for doing this. Who wants to keep writing the same code over and over? So it’s a very famous practice to reuse code. And there’s nothing wrong with reusing code as long as the code is good. Another concept is dead code. Dead code means it serves no purpose in the application.

Remember, the opposite of dead code is live code—living code that’s actually been used in the app. Sometimes they may write functions in an application that were never used or were never linked to anything, and the code just sits there doing absolutely nothing in the application. It’s considered dead code. So with dead code, you want to review your code and remove dead code from your application. Now the other thing here is going to be server-side versus client-side execution and validation. When you are doing coding techniques, one of the things you have to do is have two sets of execution.

The server side may be executing on the database and handling some of the processing. And then, on the client side, you also have the execution of the data. Now you want to be able to validate how the code is running. If there’s any type of error or problem, maybe the server can generate those errors and display them to the user. Same thing with the client. The client can see the errors, and then maybe you can report them yourself to the application manufacturer. There could be an error on the front end of an application that the manufacturers don’t know about or haven’t seen because you’ve done something unique to the application that most people haven’t done yet.

Another thing is that when you are programming your application, you have to be careful how you do your memory management. If the memory management isn’t correct in the application, this could lead to things like buffer overflow, something we spoke about earlier in the class. So programmers have to know how to allocate the program into memory, ensuring that it doesn’t overtake all the parts of memory, which can lead to a buffer overflow.

The other thing we have here is the use of third-party libraries and software development kits. Third-party libraries are going to be places where you can go and get additional code for your application. Software development kits are essentially what you can download to assist you in developing software. A famous one is the software development kit for Android. So you can go here and download the entire Android Studio, which is the software development kit. And you could download this right now. If you want to program Android apps, this kit includes everything you’ll need.

So you download this and install it. It has all the environments for you to run and test your code. You have a visual layout of what you’re making on your application. It has emulators. When you’re done, you can run it to see how well it works. So this would be an example of a software development kit. Okay. And finally, data exposure. One of the things you should do is secure your data in the application. Now, the way to do this is going to be to encrypt it, right? You’re going to want to make sure that the data is not overly exposed in the application. That means we don’t want the data in plain text.

When you write applications, you want to make sure your data is secure. How do you do that? By encrypting the data. Data in motion, for example, by writing the application to support SSL, will not be exposed if the data is encrypted. In that scenario, the data leaving the application and going to the client would be secure. Then you want to utilize data storage encryption. As a result, the data at rest stored by the application is fully encrypted and not accessible to anyone using the system or having access to the database. OK, and the last thing here we want to talk about is going to be the Open Web Application Security Project, also known as OWASP. Now, I brought this up last year because OWASP is a community where web application programmers go in order to help advance the web application profession.

I should say that OWASP is not a coding thing. OWASP is an organization, more specifically a foundation (the OWASP Foundation), that does a lot of publicizing and provides a lot of tools and training for the Web development profession. One of the things that you used earlier in the classroom was called WebGoat. When I was showing you guys input injection attacks and so on, they provided all these great tools that we could use to help learn about web security and to help promote web security. One of their most well-known features is their top ten list. The last one that came out was in 2017. They told us the top ten. And this is what I was using when I was teaching this course earlier. When I was teaching this course earlier in this particular class, we were talking about attacks.

This is what I was using for the different attacks that we learned. So they’re saying that the top attack against Web applications in 2017 was injection attacks, which is something we covered earlier in the class. So this is an organization that promotes and pushes the development and future of web application security. Okay, in this video, guys, we covered a lot. In fact, there is a lot I forgot. Let’s go through them again. So we talked about provisioning and deprovisioning, which is allowing applications to be installed and removing them when they’re not needed. Integrity measurements are used to manage and measure if the application code or the application configurations have changed.

Secure coding techniques are what we talked about. Normalization is the process of removing redundant information in databases. Stored procedures just extract certain information from the tables. Obfuscation is the act of hiding or camouflaging your code. Code reuse is okay; just make sure that it’s cleaned up and secure. Dead code should be removed from the application. When it comes to server-side and client-side execution and validation, we want to ensure that it happens on both sides, the server and the client. Memory management is done by programmers to manage the memory within applications. This is only going to be done by programmers. If not, this can lead to a buffer overflow attack. To create software, you would use a software development kit. We looked at the Android version of that. Data exposure: make sure to encrypt your data. And OWASP is a web security organization.

3. DevOps and Automation

In this video, I’m going to be talking about software diversity, automation and scripting, elasticity, scalability, and version control—quite a lot of terms. And I’m going to introduce some other new terms that you should be familiar with when working in this industry. Okay, so let’s get started. The first thing we have here are some general terms that we should be familiar with, such as “software diversity.” So in particular, a compiler and binary. So what exactly is this?

A compiler is basically software that takes a high-level programming language, such as C, and converts it into a language that is readable by a computer, such as machine code. The high-level code is taken and compiled into machine language that is readable by the computer.

So when they say that code has to be compiled, that means it’s still in some kind of readable format that was made by a high-level programming language. So you’ll hear some programmers say we still have to compile the code, which means they still need to turn it into code that’s readable by the computer. Now, binary is what’s readable by the computer. Binary is what the computer reads. A computer cannot read our own code; it is only human readable. Computers read ones and zeros.

So this code would have to be turned into binary in order to be read. Okay, the next topic here is one that we should be very familiar with as this world is progressing towards what is now known as “DevOps.” And let me go into DevOps, where I cover all of these things here. So this is a term that you guys are going to see. And you know what? Let me just sort of write it down to show it to you. I have a certification in this, actually. I just got a certification, and it’s written with a dev and then a big D and a big O, and it’s called DevOps. So what exactly is DevOps? Well, DevOps brings together software development and operations, particularly IT operations. That’s what DevOps does.

Let’s talk about traditional software development, and then let’s talk about this new environment of DevOps. So if we go back, and DevOps is very popular, if you go back just a few years ago—five, six years ago—there was a disconnection between operations, IT operations, and software development. I worked in IT operations, and software development was separate. If they had a problem, a computer problem, we would go over there and help them out. But DevOps is when we merge them together and everybody works as one. Now, why do we want to do this? Well, we do this so we can consistently update the applications in the production environment. We could change the applications in the production environment quickly. Because, after the developers have finished programming an application, we are the ones who deploy it. It has to go through our infrastructure.

Operations is in charge of managing hardware like servers, routers, switches, and workstations. When development is finished, they have to come, they have to test their code, they have to give it to us, and then we deploy it straight out into the production environment. Well, DevOps merges this together. So now we’re all working as one team. This enables us to implement changes relatively quickly. In today’s world, you can see how quickly things change. Applications need changes very quickly. The environment, the application environment, and the whole programming environment need to change very fast.

Sometimes there’s a shift in the market for businesses, and we need to update our products or our services in order to meet those demands. But we need to do it relatively quickly. So this is where DevOps comes in and shortens the life cycle that it takes to get applications from programming into the hands of the users. Remember something? We create applications. Businesses create applications to help improve the way they do business. We have an accounting system to make it more efficient to produce financial reports. We have a sales CRM system to make it more efficient to follow up with leads and book them. Sales software is what we use to make our business more efficient and automate our business.

And if the software development cycle is too long, the business is always waiting for productivity to come out of it. So if we can merge them, we can get it done quickly. Let’s see some terms that are associated with this. So first of all, the automated course of action. Basically, we have to automate any kind of action it will take to get this software developed and pushed out. That’s what that is. One of the things we have to do is continuously monitor the environment for any particular changes that may be needed. Now note that the word “continuous” means you don’t stop because everything is working together. If there is any type of change in the application, any kind of modification, you revalidate that. Okay? Now comes something that sounds really similar.

Continuous integration, delivery, and deployment. So when programmers are finished building the application—I’m sorry, finished writing the code—I should say they’re going to then integrate the code. Now, integrating the code means taking it from this development environment into this production environment. Continuous delivery means that we are going to be able to take the code that they have written and give it to the end user. All right, actually give it to the end users and deliver that code to them on a continuous basis. If we decide to automate that delivery, we are talking about continuous deployment. So continuous deployment really is continuous delivery, but it’s more of an automated process. Keep pushing it out. So imagine them writing the code, and then we can deliver that code instantly. And when they’re done, it goes out right there.

So any changes, any bugs, or any new features within the software are pushed out very quickly. When it comes to software, one of the qualities we must strive for is that it be elastic and scalable. Elasticity, in software development, allows the software to expand and contract as needed. This is a term used in cloud computing. Basically, as people use the software, you want the software to be able to expand. So let’s say in the morning there’s a big load of users. Now the software has to have the ability to expand to be able to hold that, and then when it’s done, it contracts when there aren’t many users left.

Websites, in particular, should have this feature. The next term we saw was scalability. Now, as the organization is growing, we want to be able to scale the application up. Right now, the application is running on a single database server. Maybe we want to expand the number of databases it’s using. You want to expand the number of web servers it’s running on for scalability. If you build an application and it’s not scalable, maybe there are limitations on the size of its database. If you do that, then the application may not be very useful. And as the business grows, we have to throw out the application and start again. So as we program it, we have to think about how scalable this thing can get. And the last term we saw here is version control.

Well, as the application is changing, they’re going to come up with different versions, so they can say version and put it there. Version one has these features. Version one has these other features. Then there might be a whole new version. Version two has these features. So version control helps us keep track of the different changes, modifications, additions, or removals of features or fixes for errors within applications. Version controls are critical. You see it all the time. When you go download an application from somewhere, it will be like, “Oh, this is version 10; this is like the macOS.” I don’t know what version they’re up to—version ten, nine, or 1012, whatever they’re up to.

Now you’ll see the different version, but it doesn’t tell you what features or functionality are in that version. It’s critical because we need to manage and see what’s happening with the code over its lifecycle. Okay, so in this video, we covered a lot. We talked about compilers and binary. We talked about DevOps and how we said you have to continuously monitor, validate, integrate, deliver, and deploy applications. We discussed elasticity and the ability to expand and contract automatically as needed. Scalability: we’ve got to be able to scale up our applications. We can’t build applications that can only stay small. And finally, we talked about version control.
