Among the weakest links in cyber-security are the attack vectors that sometimes get created with applications. In this course, you'll learn how to evaluate and integrate security and software development to protect your environment.
Most companies have a well-oiled machine whose sole purpose is to create, release, and maintain functional software. Still, the growing concerns and risks related to insecure software have brought increased attention to the need to mix security into the development process. In this course, Secure Software Development, you will gain an understanding of the Software Development Life Cycle (SDLC) and the security implications that can arise, so you can ensure that the software your organization uses is well written and secure throughout its lifespan. First, you will learn about the different options when it comes to following an SDLC. Next, you will delve into the 5 phases that software runs through as it is being developed. Last, you will dive into how vulnerabilities creep into your environment in ways you may not have considered. By the end of this course, you will be able to apply a proper SDLC and ensure that additional attack vectors aren't created by mistake (or on purpose) to expose your resources and networks.
Dale Meredith received his Certified Ethical Hacker and Certified EC-Council Instructor certifications back in 2006, and has been a Microsoft Certified Trainer since 1998 (yes we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.
Course Overview
Hey everyone, my name is Dale Meredith, and I'd like to welcome you to my course, Secure Software Development. Now I've been a Microsoft trainer since 1998, as well as a cyber security trainer and consultant. And I've worked with several Corporate 500 companies as well as the Department of Homeland Security on several projects. I'd tell you about them, but then I'd have to kill you. I got to ask you, have you ever said to yourself, how are attackers getting into our networks even though we've spent all this money on new appliances, and new devices? Well, to be honest with you, from an attacker's perspective, it is so much easier for an attacker to scan for vulnerabilities with the software that you're using, or that you've created. The reason this happens, is because either security professionals or developers themselves, forget to look at security during the software development life cycle or the SDLC is what we call it. And this is where this course actually comes into play. I've created this course to help you make sure that you've dotted your I's, crossed your T's when it comes to creating software and applications without ignoring the security risks that, guess what? You might actually be creating. This course is also a part of a series of courses that cover the certifications for GCIH, ECIH, and CSA+. See? I can help you kill three birds with one stone there. Oh no, all the bird lovers are going to hate me. (laughs) Now some of the major topics that we'll cover in this course, is I'm going to make sure that you have a grasp of a couple of different options when it comes to following any type of SDLC. There's several models that we'll look at. Also, make sure that you get a great understanding of the five phases that software runs through as it's being developed. We'll also focus on exactly how vulnerabilities creep into our environment, in ways that you may not have considered.
Trust me, by the end of this course, you'll be able to look at your applications in a different mindset, you'll be able to share different methods with those that you work with, and you'll look at some of the best practices when it comes to including security as the major focus during the development of any and all applications. Now before beginning this course, I want you to make sure that you have a familiarity with basic network topologies as well as some programming concepts. Kind of from a 10,000-foot view. You'll also want to have watched some of the other courses within this path. I hope that you'll join me in this adventure in learning with Secure Software Development here at Pluralsight.
Software Development Phases
Okay so let's talk about the software development phases that we go through, or you can think of them as steps as well. In this particular module, we're going to go through and take a look at each one of those steps in detail. We'll first start off with the planning phase, what we need to be looking at here. We'll then go through and take a look at the requirements phase. This is where we really focus in on the requirements for security. After that we'll take a look at the design phase, in which we start looking at things that are taking place in the background. Are we hooked into an SQL server? Are we using a third-party service? What service accounts are being utilized? The design of the application, or I should say the deep design of an application. We'll then take a look at the implementation phase, which is where we start looking at the application from a white box perspective. Then we'll take a look at a testing phase. Testing phase is very similar to the implementation except for testing, we look at it from a black box perspective, and if you're not familiar with the white box or the black box reference, don't worry, I'll cover that for you. After we do the testing phase, we'll look at the deployment phase, meaning how are we going to push this out? What accounts are utilized? What requirements are needed on the client machines? And then of course we'll look at the maintenance phase followed by the end of life phase. So if you're ready to go, let's get going.
Software Development Models
Okay, so in this module, we're going to go through and take a look at some software development models. Now, there are various types of models out there. There's Tyra Banks, Cheryl Tiegs. Yeah, you may have to Google that name. That takes me back to my high school days. Anyway, and I swear, that was my last model joke, unless you want me to break out my Blue Steel gaze. So there's several different software development life cycle models, and each one of them will follow some of the phases that we saw in the previous clip, but they do it in their own way or their own mechanism. When we talk about the models, we'll be looking at some of the more popular ones that are out there. There's more than what I'm going to list here, but these are the ones that are going to be more, shall I say, highlighted for your immediate future. If you're not familiar with that phrase from me, as a trainer, I'm now allowed to tell you what may or may not be on an exam. So I might make reference to your immediate future. You might see something about code-and-fix models. We also might see something about waterfalls and agile as well as iterative and spiral. Yeah, this course is spiraling out of control, isn't it? Now, each one of these models, again, you can use them, and they all have their advantages and disadvantages. I'll take you through those so you understand when we might use a waterfall versus code-and-fix versus an iterative. Okay, so let's get a closer look at these models here. Okay, I swear that's my last one.
Software Vulnerabilities
So let's talk about software vulnerabilities. You know, a recent study, and this is in 2017, shows that three out of four applications produced by software vendors failed to meet OWASP's top ten standards and for those of you who don't know, OWASP, which is short for Open Web Application Security Project, is an online community that creates freely available articles, methodologies, and documentation as well as some pretty cool tools. One of them, we'll take a look at in one of our other modules coming up here pretty soon. But these guys are the ones who really do know how to create secure applications and it is an industry standard. So it's kind of interesting that we have, and that's software vendors, so as I was about to say, it's kind of shocking that it's still an issue, that we still have security breaches taking place because of software. So in this module, we're going to go through and take a look at a couple things. We're going to first talk about how do vulnerabilities actually work their way into software? We'll then go through and take a look at some of the most common vulnerabilities, mostly being input validation issues as well as command injection issues. So let me see if I can make you feel vulnerable. Heh, heh, vulnerable.
Coding Best Practices
Okay, so let's talk about some coding best practices. This module's got a lot of clips in it. But don't worry, I'm going to make it really painless and some clips are relatively short. We're going to go through and we're going to talk about things like what is the goal when it comes to our best practices. We'll then go through and start creating our own best practice checklist. We'll start off with taking a look at input validation, what type of things we should allow, what we should be looking out for. We'll also take a look at output encoding. And whatever goes in's got to come out. And anything that comes out we need to make sure that it's encoded correctly. We'll then take a look at authentication and password management. As well as session management. We'll then move on to access control, making sure we cover all of our bases or creating a neat checklist for giving users or services access. We'll then talk about cryptographic practices. When do we use it? Where do we use it? We'll then go through and take a look at error handling and logging. Believe it or not, from that perspective, we need to make sure that we've locked things down. We'll also take a look at data protection as well as communication security. We'll then take a look at some security configuration options, or features, that we need to include in our security check. As well as database security. And because we're dealing with files, what did we say in the previous module? Sometimes things go into memory so we're going to take a look at some memory best practices. And then we'll end up with a look at some general coding best practices. I know, it looks like a lot, but trust me, I will help you create a fantastic checklist to make sure that you're taking security into consideration. So, let's get going.
Code Reviews
Let's talk about code reviews. Reviewing code that's written for an application provides a number of advantages for us. One obviously it helps us to share knowledge of the code and the experience gained in writing is better than a simple documentation alone. So, let's talk about code reviews. Reviewing code that's written for an application actually provides us with a huge number of advantages. It helps us share knowledge of the code. And the experience gained in writing is better than simple documentation alone since it provides a personal understanding of the code and its functions. It also helps detect problems while we're trying to enforce the best practices and standards for security, but most importantly, it ensures that multiple members of the team are aware of the code, what it's supposed to do, and how it accomplishes the task. In this module, we're going to go through and talk about the following subjects. We'll first talk about why we do code review. Then we'll get into the different types of reviews that we can implement and then I'm going to highlight three different outlines that you need to make sure that you incorporate in your reviews, as well as some common sense tips. So, let's get going here.