
Security+: secure application development and deployment concepts [updated 2021]

June 21, 2021 by Howard Poston

The CompTIA Security+ exam currently has one active version, SY0-601. The SY0-501 version was retired in the spring of 2021, so SY0-601 is the only recognized version of the exam going forward.

One of the topics on the exam is secure application development and deployment, which falls under Domain 2 (architecture and design) in SY0-601. Subdomain 2.3 now includes 10 major application development and deployment concepts, some of which have specific subpoints.

What’s covered

The secure application development and deployment section of the Security+ exam includes several topics, some of which are divided further into subtopics. 

Development life-cycle models

The first concept covered within the secure application development and deployment section is development life-cycle models. The focus of this concept is comparing the Waterfall and Agile models for the software development life-cycle.

Secure DevOps

DevOps is a development philosophy that attempts to cut out unnecessary overhead to allow the software to be developed more quickly and efficiently. The Security+ exam covers several topics related to the security and logistics of DevOps.

Human beings are very slow compared to computers, which is a weakness when dealing with potential cyberthreats. Security automation involves automating tasks commonly performed by security analysts to reduce their workload (freeing them up to handle tasks that cannot be automated) and improve response time.

Continuous integration is a process by which developers integrate the code that they are working on into a shared repository at frequent intervals (multiple times a day) rather than at completion or before a release.

Baselining refers to measuring and recording the starting state of something. For example, the baseline configuration of a company computer is the set of programs, permissions and other settings that it has after IT has finished setting it up and before the end user touches it.

Immutable systems are systems that are replaced rather than changed. For example, rather than updating a server, the entire server would be replaced.

The concept of Infrastructure as Code refers to treating physical components like servers as if they were logical components like code. Servers would be set up and controlled using machine-readable files that completely described how they should operate. These definition files could then be modified and managed using known best practices for software.
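The baselining, immutable-system and Infrastructure as Code ideas above share one mechanism: record a known-good state and compare the running system against it. The script below is an added example (not code from the article): it hashes a constructed "golden image" of configuration files, hashes a later constructed snapshot of the same host, and reports which files were added, removed or modified. File paths, contents and helper names are all constructed for the example.

```python
"""Configuration baselining: record a known-good state and detect drift.

Added example, not from the article. The file contents are constructed
sample data and the helper names are the example's own.
"""
import hashlib
from typing import Dict, List

# Constructed "golden image": file path -> contents after IT provisioning.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) ALL\n",
    "/opt/app/app.conf": b"debug=false\n",
}

# Constructed later snapshot of the same host: one file modified,
# one removed and one added since the baseline was recorded.
CURRENT_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/opt/app/app.conf": b"debug=false\n",
    "/root/.bashrc": b"alias ls='ls -la'\n",
}


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Return path -> SHA-256 hex digest. This dictionary is the baseline record."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift: files added since baselining, removed, or whose hash changed."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def detect_drift() -> Dict[str, List[str]]:
    """Compare the two constructed snapshots. An immutable-infrastructure
    pipeline would respond by rebuilding the host from its definition file
    rather than patching the drifted files in place."""
    return diff_baseline(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in detect_drift().items():
        print(f"{kind}: {paths}")
```

Storing only the digests (not the file contents) is deliberate: the baseline can be kept in version control alongside the machine-readable server definitions, and any change to it then goes through the same change-management review as code.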

Version control and change management

Version control and change management are crucial parts of the software development lifecycle. Organizations need to be able to track the edit history of software including major milestones like releases and manage when changes are made to baselines and releases. Security+ candidates should be familiar with the concepts and common tools for version control and change management.

Provisioning and deprovisioning

Provisioning and deprovisioning is the practice of giving users or applications the levels of access they need to do their job and then taking them away when their job is complete. Familiarity with the basics of provisioning and deprovisioning is one of the topics on the Security+ exam.

Secure coding techniques

Secure coding techniques are the largest topic within the secure application development and deployment domain. It covers every aspect of the secure coding process, from ensuring that memory is properly managed within an application to the vulnerabilities that third-party libraries and SDKs can introduce via the supply chain. Security+ candidates should be familiar with the concepts, tools and techniques for each of the following topics.

Proper error handling is an important component of secure coding. Program crashes are an indicator of potentially exploitable code, so appropriate error handling protects applications both by ensuring correct functionality and by revealing indicators of potential coding flaws.

The injection family of attacks (SQL, LDAP and so on) involves users deliberately providing input that the program is not designed to handle. Proper input validation involves confirming that user input is of the type and in the format the program expects and, if not, handling the error appropriately.

Data can be stored in multiple formats (ASCII, Unicode and so on). A program may expect user input in a particular format; normalization refers to transforming user input into that expected format before processing it.
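The three points above (input validation, handling the error appropriately, and normalization) come together in the following added example, which is not code from the article. It builds a small in-memory SQLite table with constructed rows, shows a lookup that concatenates user input into the query string next to a hardened lookup that normalizes with NFKC, validates against an allow-list pattern and binds the value as a query parameter. The table, the rows, the probe string and all function names are constructed for the example.

```python
"""Input validation, normalization and injection-resistant queries.

Added example, not from the article. The table, rows and inputs are
constructed sample data; the function names are the example's own.
"""
import re
import sqlite3
import unicodedata
from typing import List

# Allow-list: the only shape a username is permitted to take.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,16}$")


def normalize_username(raw: str) -> str:
    """Normalize before validating: NFKC folds compatibility forms (for
    example fullwidth 'Ａ' to 'A'), then strip and lowercase so every code
    path sees one canonical representation of the same name."""
    return unicodedata.normalize("NFKC", raw).strip().lower()


def validate_username(raw: str) -> str:
    """Return the canonical username or raise ValueError if it does not match."""
    name = normalize_username(raw)
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-16 characters of [a-z0-9_]")
    return name


def build_db() -> sqlite3.Connection:
    """Constructed users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """The weak form: string concatenation lets input change the query's structure."""
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_safe(conn: sqlite3.Connection, raw_name: str) -> List[str]:
    """The hardened form: validate first, then bind the value as a parameter
    so the database driver can only ever treat it as data, never as SQL."""
    try:
        name = validate_username(raw_name)
    except ValueError:
        # Handle the error: reject the request instead of crashing, and do
        # not echo internal details back to the caller.
        return []
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR 'a'='a"          # constructed input that is not a valid username
    print("concatenated query returns:", lookup_role_vulnerable(db, probe))
    print("validated, parameterized query returns:", lookup_role_safe(db, probe))
    print("fullwidth/uppercase 'Ａlice ' normalizes to:", validate_username("\uff21lice "))
```

Two details matter for the exam concepts. Normalization runs before validation, otherwise a look-alike encoding of a valid name would be rejected or, worse, pass validation in one place and be interpreted differently in another. And the parameterized query is the real defense against injection; the allow-list check is defense in depth that also catches malformed input the query would otherwise have accepted silently.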

Stored procedures are groups of SQL statements stored in a relational database management system that make functionality available to users of the database. Users should only have access to the minimum set of stored procedures necessary to do their job.

Public key cryptography allows someone to create a digital signature that can be easily verified by anyone else. Code signing refers to the generation of a digital signature for a piece of code so that users can verify that it originates from a legitimate party and has not been modified in transit.

Not all data should be available to the user, other programs etc. on a system or network. Encryption allows a program to require a secret key for access to certain data.

Obfuscation and camouflage are less powerful methods of protecting the privacy of data than encryption: anyone who knows where or how the data is concealed can read it without needing a secret key.

Code reuse is a common method of efficiently handling a case where two applications require similar functionality. However, the second application may not require all of the functionality of the first, creating dead code segments which are never used in normal operation. This dead code increases the attack surface of the application and should be removed.

Programs running with a client-server relationship (like websites) have the option of running code on the server’s computer or the client’s computer. Both options have their pros and cons; for example, offloading execution to the client may decrease the requirements for a server but also increases the level of trust placed with the client. Server-side vs. client-side execution and validation is an important consideration for secure coding due to the tradeoff between efficiency and security.

Proper memory management is an important aspect of secure coding. Mistakes like freeing the memory associated with a pointer twice (a double free) can open an application up to attack.

No one wants to spend the time to reinvent the wheel by rewriting code that is available elsewhere. Using third-party libraries and SDKs is a common solution to this problem but may introduce vulnerabilities into an application if they are not securely coded or are improperly used.

Not all data is created equal and not everyone should have access to any piece of data. With secure coding, data exposure refers to ensuring that data is only available to those with a need to know.

Code quality and testing

After code development is complete, a Security+ practitioner should be capable of testing code quality and correctness. This includes the use of static code checking tools and dynamic code analyzers like fuzzers. CompTIA recommends studying the following topics for the Security+ examination:

Static code analyzers check the logic of an application without actually running the code. This is a more difficult but less risky way of determining what the code does.

Dynamic code analyzers are the opposite: they determine what code does by running it. If the code is malicious, this runs the risk of infecting the host machine.

Stress testing is exactly what it sounds like: a tester does everything that they can to make an application run improperly and verifies that it handles all use cases properly.

When performing dynamic code analysis, most people don’t want to infect their computer if the code turns out to be malicious. Sandboxing refers to running code in an isolated environment (like a virtual machine) that protects the host machine from the code’s functionality.
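The dynamic analysis, stress testing and sandboxing points above can be seen in one place with a minimal mutation fuzzer. The following is an added example and not code from the article: it defines a constructed record parser with a latent bug, a hardened version of the same parser, and a fuzzer that feeds both of them randomly mutated inputs and records every uncaught exception as a finding. The parser format, the seed input, the bug and the function names are all constructed for the example; the fuzzer runs the target in-process here purely for brevity.

```python
"""Dynamic analysis by stress testing: a tiny mutation-based fuzzer.

Added example, not from the article. The parser, its bug, the seed input
and the mutation strategy are constructed for the demonstration.
"""
import random
from typing import Callable, Dict, List, Tuple

Parser = Callable[[bytes], Dict[str, str]]


def parse_record(data: bytes) -> Dict[str, str]:
    """Constructed target with a latent bug: a field that does not contain
    exactly one '=' makes the tuple unpacking raise ValueError, so the
    program crashes on malformed input instead of handling it."""
    text = data.decode("utf-8", errors="replace")
    record: Dict[str, str] = {}
    for field in text.split(";"):
        key, value = field.split("=")      # crashes on "novalue" or "a=b=c"
        record[key] = value
    return record


def parse_record_safe(data: bytes) -> Dict[str, str]:
    """Hardened version: check each field's shape and skip malformed ones."""
    text = data.decode("utf-8", errors="replace")
    record: Dict[str, str] = {}
    for field in text.split(";"):
        key, sep, value = field.partition("=")
        if not sep or not key:
            continue                        # malformed field: handled, not fatal
        record[key] = value
    return record


# Bytes that tend to matter for this format: delimiters, NUL, space, alphanumerics.
INTERESTING = b"=;\x00 aA0"


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level edit: replace, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(3)
    pos = rng.randrange(len(buf) + 1)
    byte = rng.choice(INTERESTING)
    if op == 0 and buf:
        buf[pos % len(buf)] = byte
    elif op == 1:
        buf.insert(pos, byte)
    elif buf:
        del buf[pos % len(buf)]
    return bytes(buf)


def fuzz(target: Parser, seed: bytes, iterations: int,
         rng_seed: int = 0) -> List[Tuple[bytes, str]]:
    """Run the target on mutated inputs; any uncaught exception is a finding.
    The target runs in this process for brevity. Real fuzzing of untrusted
    code belongs in a sandbox (a VM or container) so a misbehaving target
    cannot affect the host."""
    rng = random.Random(rng_seed)           # fixed seed keeps runs reproducible
    findings: List[Tuple[bytes, str]] = []
    corpus = [seed]
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        try:
            target(data)
        except Exception as exc:            # noqa: BLE001 - any crash is a finding
            findings.append((data, f"{type(exc).__name__}: {exc}"))
        else:
            corpus.append(data)             # inputs that survived seed further mutation
    return findings


SEED_INPUT = b"name=alice;role=user"        # constructed well-formed record

if __name__ == "__main__":
    crashes = fuzz(parse_record, SEED_INPUT, iterations=300, rng_seed=1)
    print(f"buggy parser: {len(crashes)} crashing inputs, first: {crashes[0] if crashes else None}")
    print(f"hardened parser: {len(fuzz(parse_record_safe, SEED_INPUT, 300, 1))} crashing inputs")
```

The fuzzer only needs to observe that the target raised; it does not need to understand the input format. That is the strength of dynamic analysis over static analysis for this kind of bug, and also why the same technique can be turned against code you do not trust only from inside an isolated environment.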

Most computer applications are developed to perform specific functions in a certain way (the model). Model verification involves testing or proving that an application functions in the way that the model says that it should.

Compiled vs. runtime code

Not all programming languages and applications are created equal. Compiled languages translate all of a program's instructions into machine code at development time, so the packaged program is executed directly later. Runtime or interpreted code, on the other hand, is saved in its high-level language and translated to machine code at runtime by an interpreter. For the Security+ exam, it's important to know the pros and cons of both compiled and runtime code.

Utilizing secure applications and deployment concepts

The secure application development and deployment section covers a variety of concepts. Despite the volume of material, it is likely to account for only a few questions on the exam. Test takers should understand the concepts covered and be familiar with the most common tools used to achieve those goals, but they are not expected to be experts in each subfield.


Sources

Overview, CompTIA Security+

CompTIA exam objectives, Comptia.org

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
