2.2 Explain software assurance best practices

  • Platforms:

  • Mobile:

  • Web application

  • Client/server

  • Embedded

  • SoC

  • Firmware

  • SDLC integration: requirements/criteria definition; secure design; static analysis and peer code review; testing & analysis + user acceptance testing

  • DevSecOps: identify vulnerabilities; find & prioritise risk remediation; secure workflow

  • Software assessment methods:

    • User acceptance testing: ensures software users are satisfied with the functionalities

    • Stress test application: ensure application availability and scalability; maximum load

    • Security regression testing: ensure no new vulnerabilities/misconfigurations are introduced by patches/updates (e.g. change control, VCS, SCM)

    • Code review: pair programming; over-the-shoulder; pass-around; tool-assisted

  • Secure coding best practices:

    • Input validation: validate all untrusted data; specify character sets + data types/length; whitelist allowed characters; additional controls for hazardous characters

    • Output encoding: encode all unsafe characters; sanitise SQL, XML queries & OS cmds

    • Session management: short session inactivity timeout; new session identifier generation; logout available from any authorised page; secure session ID algorithms

    • Authentication: central, segregated authentication; POST requests; unspecific error codes; encrypted & securely stored (salted hash) credentials

    • Data protection: least privilege; protect/purge sensitive caches; secure encryption; no plaintext password storage; disable client-side caching; access controls for sensitive data

    • Parameterised queries: use placeholders to separate query and data => prevents SQL query altering (SQLi)

  • Static analysis tools: thorough white-box code review to identify programming errors

  • Dynamic analysis tools: test inputs during code execution for complex vulnerabilities

  • Formal methods for verification of critical software: Fagan inspection (planning -> overview -> preparation -> meeting -> rework -> follow-up)

  • Service-oriented architecture:

    • SAML: message confidentiality & integrity (TLS); validate protocol, signatures etc.

    • SOAP: exchange structured info for web services (extensibility [extensions] + neutrality [over any app/transport layer protocol] + independence [any programming model])

      • Token-based/digest authentication; validate digital signatures; encrypt data with keys

    • REST: access & manipulate textual representations of web resources with HTTP

      • HTTPS; access control; API keys; whitelist HTTP methods; input validation

    • Microservices: app is a collection of loosely coupled services; lightweight protocols

      • IAM with OAuth; defense in depth; use open source crypto libraries; automatic security updates; distributed monitoring/scanning; single point of entry (API gateway)

Previous1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilitiesNext2.1 Given a scenario, apply security solutions for infrastructure management

Last updated