2.2 Explain software assurance best practices

Platforms:
Mobile:
Web application
Client/server
Embedded
SoC
Firmware
SDLC integration: requirements/criteria definition; secure design; static analysis and peer code review; testing & analysis + user acceptance testing
DevSecOps: identify vulnerabilities; find & prioritise risk remediation; secure workflow
Software assessment methods:
- User acceptance testing: ensures software users are satisfied with the functionalities
- Stress test application: ensure application availability and scalability; maximum load
- Security regression testing: ensure no new vulnerabilities/misconfigurations are introduced by patches/updates (e.g. change control, VCS, SCM)
- Code review: pair programming; over-the-shoulder; pass-around; tool-assisted
Secure coding best practices:
- Input validation: validate all untrusted data; specify character sets + data types/length; whitelist allowed characters; additional controls for hazardous characters
- Output encoding: encode all unsafe characters; sanitise SQL, XML queries & OS cmds
- Session management: short session inactivity timeout; new session identifier generation; logout available from any authorised page; secure session ID algorithms
- Authentication: central, segregated authentication; POST requests; unspecific error codes; encrypted & securely stored (salted hash) credentials
- Data protection: least privilege; protect/purge sensitive caches; secure encryption; no plaintext password storage; disable client-side caching; access controls for sensitive data
- Parameterised queries: use placeholders to separate query and data => prevents SQL query altering (SQLi)
Static analysis tools: thorough white-box code review to identify programming errors
Dynamic analysis tools: test inputs during code execution for complex vulnerabilities
Formal methods for verification of critical software: Fagan inspection (planning -> overview -> preparation -> meeting -> rework -> follow-up)
Service-oriented architecture:
- SAML: message confidentiality & integrity (TLS); validate protocol, signatures etc.
- SOAP: exchange structured info for web services (extensibility [extensions] + neutrality [over any app/transport layer protocol] + independence [any programming model])
  - Token-based/digest authentication; validate digital signatures; encrypt data with keys
- REST: access & manipulate textual representations of web resources with HTTP
  - HTTPS; access control; API keys; whitelist HTTP methods; input validation
- Microservices: app is a collection of loosely coupled services; lightweight protocols
  - IAM with OAuth; defense in depth; use open source crypto libraries; automatic security updates; distributed monitoring/scanning; single point of entry (API gateway)

Previous1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities Next2.1 Given a scenario, apply security solutions for infrastructure management

Last updated 2 years ago

2.2 Explain software assurance best practices

Platforms:
Mobile:
Web application
Client/server
Embedded
SoC
Firmware
SDLC integration: requirements/criteria definition; secure design; static analysis and peer code review; testing & analysis + user acceptance testing
DevSecOps: identify vulnerabilities; find & prioritise risk remediation; secure workflow
Software assessment methods:
- User acceptance testing: ensures software users are satisfied with the functionalities
- Stress test application: ensure application availability and scalability; maximum load
- Security regression testing: ensure no new vulnerabilities/misconfigurations are introduced by patches/updates (e.g. change control, VCS, SCM)
- Code review: pair programming; over-the-shoulder; pass-around; tool-assisted
Secure coding best practices:
- Input validation: validate all untrusted data; specify character sets + data types/length; whitelist allowed characters; additional controls for hazardous characters
- Output encoding: encode all unsafe characters; sanitise SQL, XML queries & OS cmds
- Session management: short session inactivity timeout; new session identifier generation; logout available from any authorised page; secure session ID algorithms
- Authentication: central, segregated authentication; POST requests; unspecific error codes; encrypted & securely stored (salted hash) credentials
- Data protection: least privilege; protect/purge sensitive caches; secure encryption; no plaintext password storage; disable client-side caching; access controls for sensitive data
- Parameterised queries: use placeholders to separate query and data => prevents SQL query altering (SQLi)
Static analysis tools: thorough white-box code review to identify programming errors
Dynamic analysis tools: test inputs during code execution for complex vulnerabilities
Formal methods for verification of critical software: Fagan inspection (planning -> overview -> preparation -> meeting -> rework -> follow-up)
Service-oriented architecture:
- SAML: message confidentiality & integrity (TLS); validate protocol, signatures etc.
- SOAP: exchange structured info for web services (extensibility [extensions] + neutrality [over any app/transport layer protocol] + independence [any programming model])
  - Token-based/digest authentication; validate digital signatures; encrypt data with keys
- REST: access & manipulate textual representations of web resources with HTTP
  - HTTPS; access control; API keys; whitelist HTTP methods; input validation
- Microservices: app is a collection of loosely coupled services; lightweight protocols
  - IAM with OAuth; defense in depth; use open source crypto libraries; automatic security updates; distributed monitoring/scanning; single point of entry (API gateway)

Previous1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities Next2.1 Given a scenario, apply security solutions for infrastructure management

Last updated 2 years ago