Security+: Secure Application Development and Deployment Concepts
Currently, the CompTIA Security+ Exam has two active versions: SY0-401 and SY0-501. The SY0-501 version was launched October 4, 2017 and is the most recent version of the exam. As of May 25, it is the only recognized version of the exam going forward.
Secure Application Development and Deployment is one of the subdomains covered under Domain 3 (Architecture and Design) of the Security+ Exam. Of the exam’s 90 questions, 15% (13.5 on average) of questions are targeted at this domain and the domain has 9 subdomains, meaning that each concept should feature in one or two questions on average.
The rest of this article is dedicated to describing the content of the Secure Application Development and Deployment subdomain. The subdomain includes seven major concepts, some of which have specific subpoints.
The Secure Application Development and Deployment section of the Security+ Exam includes several topics, some of which are divided further into subtopics. Here, we’ll provide a brief introduction to the concepts covered by this section of the Security+ exam.
Development Life-Cycle Models
The first concept covered within the Secure Application Development and Deployment section is development life-cycle models. The focus of this concept is comparing the Waterfall and Agile models for the software development life-cycle.
DevOps is a development philosophy that attempts to cut out unnecessary overhead in order to allow software to be developed more quickly and efficiently. The Security+ exam covers several topics related to the security and logistics of DevOps.
Human beings are very slow compared to computers, which is a weakness when dealing with potential cyber threats. Security Automation involves automating tasks commonly performed by security analysts to reduce their workload (freeing them up to handle tasks that cannot be automated) and improve response time.
Continuous Integration is a process by which developers integrate the code that they are working on into a shared repository at frequent intervals (multiple times a day) rather than at completion or prior to a release.
Baselining refers to measuring and recording the starting state of something. For example, the baseline configuration of a company computer is the set of programs, permissions, etc. that it has after IT is done with it and before the end user touches it.
Immutable Systems are systems that are replaced rather than changed. For example, rather than updating a server, the entire server would be replaced.
The concept of Infrastructure as Code refers to treating physical components like servers as if they were logical components like code. Servers would be set up and controlled using machine-readable files that completely described it should operate. These definition files could then be modified and managed using known best practices for software.
Version Control and Change Management
Version control and change management are a crucial part of the software development lifecycle. Organizations need to be able to track the edit history of software including major milestones like releases and manage when changes are made to baselines and releases. Security+ candidates should be familiar with the concepts and common tools for version control and change management.
Provisioning and Deprovisioning
Provisioning and deprovisioning is the practice of giving users or applications the levels of access they need to do their job and then taking them away when their job is complete. A familiarity with the basics of provisioning and deprovisioning is one of the topics on the Security+ exam.
Secure Coding Techniques
Secure Coding Techniques is the largest topic within the Secure Application Deployment and Development domain. It considers every aspect of the secure coding process from ensuring that memory is properly managed within an application to discussing potential vulnerabilities introduced via the supply chain by use of third-party libraries and SDKs. Security+ candidates should be familiar with concepts, tools, and techniques for each of the following applications.
Proper Error Handling is an important component of secure coding. Program crashes are an indicator of potentially exploitable code, so appropriate error handling helps protect applications both by ensuring correct functionality and revealing indicators of potential coding flaws.
The injection family of attacks (SQL, LDAP, etc.) involves users deliberately providing input that the program is not designed to handle. Proper Input Validation involves confirming that user input is of a type and in a format expected by the program and, if not, handling the error appropriately.
Multiple different formats for data exist for the purpose of storing data (ASCII, Unicode, etc.). A program may expect user input to be provided in a certain format and Normalization refers to transforming user input into the expected format before processing it.
Stored Procedures are a group of SQL statements stored in a Relational Database Management System that make functionality available to users of the database. Users should only have access to the minimum set of stored procedures necessary to do their job.
Public key cryptography allows someone to create a digital signature that can be easily verified by anyone else. Code Signing refers to the generation of a digital signature for a piece of code so that users can verify that it originates from a legitimate party and has not been modified in transit.
Not all data should be available to the user, other programs, etc. on a system or network. Encryption allows a program to require a secret key for access to certain data.
Obfuscation and Camouflage are a less powerful method of protecting the privacy of data than encryption. Anyone who knows where or how the data is concealed can read it without needing a secret key.
Code Reuse is a common method of efficiently handling a case where two applications require similar functionality. However, the second application may not require all of the functionality of the first, creating Dead Code segments which are never used in normal operation. This dead code increases the attack surface of the application and should be removed.
Programs running with a client-server relationship (like web sites) have the option of running code on the server’s computer or the client’s computer. Both options have their pros and cons; for example, offloading execution to the client may decrease the requirements for a server but also increases the level of trust placed with the client. Server-side vs. Client-side Execution and Validation is an important consideration for secure coding since due to the tradeoff between efficiency and security.
Proper Memory Management is an important aspect of secure coding. Mistakes like freeing the memory associated with a pointer twice can open an application up to attack.
No one wants to spend the time to reinvent the wheel by rewriting code that is available elsewhere. Using Third-Party Libraries and SDKs is a common solution to this problem but may introduce vulnerabilities into an application if they are not securely coded or are improperly used.
Not all data is created equal and not everyone should have access to any piece of data. In secure coding, Data Exposure refers to ensuring that data is only available to those with a “need to know”.
Code Quality and Testing
After code development is complete, a Security+ practitioner should be capable of testing code quality and correctness. This includes the use of static code checking tools and dynamic code analyzers like fuzzers. CompTIA recommends studying the following topics for the Security+ examination:
Static Code Analyzers check the logic of applications without actually running the code. This is a more difficult but less risky of determining the functionality of code.
Dynamic Code Analyzers are the opposite, determining what code does by running it. If the code is malicious, this runs the risk of infecting the host machine.
Stress Testing is exactly what it sounds like: a tester does everything that they can to make an application run improperly and verifies that it handles all use cases properly.
When performing dynamic code analysis, most people don’t want to infect their computer if the code turns out to be malicious. Sandboxing refers to running code in an isolated environment (like a Virtual Machine) that protects the host machine from the code’s functionality.
Most computer applications are developed to perform specific functions in a certain way (i.e. the model). Model Verification involves testing or proving that an application actually functions in the way that the model says that it should.
Compiled vs. Runtime Code
Not all programming languages and applications are created equal. Compiled languages are designed to have all of the instructions completed at development time to be packaged and translated into machine code for later execution. Runtime or “interpreted” code, on the other hand, is saved in its high-level language and translated to machine code at runtime by an interpreter. For the Security+ exam, it’s important to know the pros and cons of both compiled and runtime code.
The Secure Application Development and Deployment section covers a variety of concepts. Despite the volume of the material covered, it is likely to only account for a few questions on the exam. Test takers should understand the concepts covered and be familiar with the most common tools to achieve the goals but are not expected to be experts in each subfield.