Overview
We’ve learned about security concerns on systems software; now it’s time to move on the applications software. Applications represent a large portion of the attack surface area, since this is typically the component of infrastructure most accessible from both inside and outside the organization.
In this unit, we will review some of the services typically offered through IT infrastructure, and will look at the vulnerabilities and attacks. One of the methods of preventing software vulnerabilities is through secure coding; we will look at software development methodologies, and best practices for developing secure applications, including testing methodologies such as fuzzing.
The (ISC)2 Common Body of Knowledge (CBK) defines the key areas of knowledge for software development security in this way:
Software Development Security domain refers to the controls that are included within systems and applications software and the steps used in their development (e.g., SDLC).
Software refers to system software (operating systems) and application programs such as agents, applets, software, databases, data warehouses, and knowledge-based systems. These applications may be used in distributed or centralized environments.
The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.
Key areas of knowledge:
- Understand and apply security in the software development life cycle
- Understand the environment and security controls
- Assess the effectiveness of software security
This week’s topics:
- Client/Server Applications Security
- Web Security
- Email Security
- Client/Server Applications Security
- Application Models and Technologies
- Software Development Life Cycle / Secure Coding
- Applications Security Controls
- Databases and Data Warehouses
- Threats and Countermeasures
In this unit, plan to:
- Read: pages 255-427 in the Network Security text
- Read: pages 95-123 in the Security Essentials text
- Complete: this week’s written assignment
- Complete: this week’s practical assignment
- Participate: in the weekly discussion forum
- Prepare: for the Case Study Review