If you’re planning to take the SY0-501 version of the Security+ exam, you should understand secure application development and deployment concepts. This includes common methods used to create secure applications such as development life-cycle models and using testing to ensure code quality.
For example, can you answer this question?
Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?
A. Waterfall
B. SDLC
C. Agile
D. Secure DevOps
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Testing for Code Quality
Many organizations that create applications also employ testers to verify the quality of the code. Testers use a variety of different methods to put the code through its paces. Ideally, they will detect problems with the code before it goes live.
Some of the common methods of testing code include:
• Static code analyzers. Static code analysis examines the source code without executing it. Automated tools scan the code and mark potential defects, such as calls to dangerous functions or untrusted input reaching a command. Some tools work as the developer types, similar to a spell checker. Others examine a complete or nearly complete body of code, such as before a build. Because the code never runs, static analysis can only find patterns in the text; it cannot observe what the program actually does at run time.
• Dynamic analysis. Dynamic analysis checks the code while it is running. A common method is fuzzing. Fuzzing uses a program to send large amounts of random or malformed data to an application's inputs. In some cases, that data crashes the program or produces unexpected results, indicating a bug that may be exploitable as a vulnerability. Problems discovered during dynamic analysis can be fixed before releasing the application.
• Stress testing. Stress testing attempts to simulate a live environment and determine how well an application performs under load. For example, a web application might be susceptible to a distributed denial-of-service (DDoS) attack. A stress test can generate load similar to a DDoS attack and measure its impact on the web application before real attackers do.
• Sandboxing. A sandbox is an isolated area used for testing programs. The term comes from a sandbox in a playground. Children can play in the sandbox where they are relatively safe (and parents can easily keep their eyes on them). Similarly, developers can test applications in a sandbox, knowing that any changes the application makes will not affect anything outside the sandbox. Virtual machines (VMs) are often used for sandboxing, and some runtimes build one in. For example, the Java virtual machine includes a sandbox that restricts what untrusted code is allowed to do.
• Model verification. Testing helps identify and remove bugs. However, it’s also important that the software does what it’s meant to do. Model verification is the process of ensuring that software meets specifications and fulfills its intended purpose.
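The following Python is an added example, not code from the study guide, showing how the first two methods above complement each other on the same material. A toy static analyzer walks the abstract syntax tree of a constructed source string and flags `eval()`/`exec()` calls and `subprocess` calls with `shell=True` without ever running that code. A toy fuzzer then sends seeded random byte strings to a constructed record parser, `parse_record`, that is supposed to reject malformed input with `ValueError` but has two deliberate bugs, and the same fuzzer is rerun against a hardened `parse_record_fixed` to confirm the crashes are gone. The sample source, the record format (1-byte name length, name, 2-byte value), and all function names are assumptions made for this example.

```python
import ast
import random

# Constructed sample source for the static analyzer. It is a string because a
# static analyzer reads source text; nothing in it is executed.
SAMPLE_SOURCE = '''
import os
import subprocess

def run_report(name):
    # untrusted input is concatenated into a shell command
    return subprocess.run("report.sh " + name, shell=True)

def load_config(text):
    return eval(text)  # evaluates whatever the caller supplies

def safe_listing(path):
    return os.listdir(path)
'''

DANGEROUS_BUILTINS = {"eval", "exec"}


def static_findings(source: str) -> list:
    """Parse source into an AST and flag risky call patterns as (line, message).
    The code is never run, so this sees only patterns in the text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            findings.append((node.lineno, f"call to {func.id}()"))
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess call with shell=True"))
    return sorted(findings)


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target (assumed format: 1-byte name length, name,
    2-byte big-endian value). Malformed input should raise ValueError,
    but two input shapes escape that contract."""
    name_len = data[0]  # bug 1: IndexError on empty input
    if len(data) < 3 + name_len:
        raise ValueError("truncated record")
    name = data[1:1 + name_len].decode("latin-1")  # latin-1 never fails
    value = int.from_bytes(data[1 + name_len:3 + name_len], "big")
    # bug 2: ZeroDivisionError when the input says the name is 0 bytes long
    return {"name": name, "value": value, "avg": value // name_len}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened parser: every malformed shape is rejected with ValueError."""
    if len(data) < 3:
        raise ValueError("record too short")
    name_len = data[0]
    if name_len == 0 or len(data) < 3 + name_len:
        raise ValueError("bad name length")
    name = data[1:1 + name_len].decode("latin-1")
    value = int.from_bytes(data[1 + name_len:3 + name_len], "big")
    return {"name": name, "value": value, "avg": value // name_len}


def fuzz(target, seed: int, iterations: int = 5000) -> dict:
    """Feed random byte strings to target; keep the first input per crash type.
    ValueError is the documented rejection path, so it is not a finding; any
    other exception is an unhandled crash. Seeding makes a run reproducible,
    which matters when you need to replay a crash for the developers."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randint(0, 12)))
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes


if __name__ == "__main__":
    for line, msg in static_findings(SAMPLE_SOURCE):
        print(f"static: line {line}: {msg}")
    print("fuzz (buggy parser):", fuzz(parse_record, seed=1))
    print("fuzz (fixed parser):", fuzz(parse_record_fixed, seed=1))
```

Note what each method misses: the static pass reports the `shell=True` and `eval()` lines but knows nothing about the parser's crashes, while the fuzzer finds the empty-input and zero-length-name crashes but would never notice a dangerous shell call that happens to work. Real fuzzers such as AFL or libFuzzer mutate a seed corpus and use code coverage to steer input generation rather than drawing bytes uniformly at random, but the crash-classification loop is the same idea.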
Development Life-Cycle Models
Software development life cycle (SDLC) models attempt to give structure to software development projects. Two popular models are waterfall and agile.
Waterfall Model
The waterfall model includes multiple stages arranged from top to bottom. Each stage feeds the next, so when you finish one stage, you move on to the next. When following the waterfall model strictly, you don’t go back to a stage after finishing it. There are multiple variations of the waterfall model; they all use stages, but the names of the stages vary from one variation to another.
Some typical stages used with the waterfall model include:
• Requirements. The developers work with the customer to understand the requirements. The output of this stage is a requirements document, which provides clear guidance on what the application will do.
• Design. Developers begin to design the software architecture in this stage. This is similar to creating the blueprints for a building. The design stage doesn’t include any detailed coding, but instead focuses on the overall structure of the project.
• Implementation. Developers write the code at this stage, based on the requirements and design.
• Verification. The verification stage ensures the code meets the requirements.
• Maintenance. The maintenance stage implements changes and updates as desired.
A challenge with the waterfall model is that it lacks flexibility. Because each stage is finished before the next begins, it is difficult to revise anything from a previous stage. For example, if a customer realizes during implementation that a requirement needs to change, a strict waterfall process can’t accommodate the change until the maintenance stage.
Agile Model
The agile model uses a set of principles (published in the Agile Manifesto) shared by cross-functional teams. These principles stress individuals and interactions, delivering working software, collaborating with the customer, and responding to change.
Instead of strict phases, the agile model uses iterative cycles. Each cycle creates a working, if not complete, product. Testers verify the product works with the current features and then developers move on to the next cycle. The next cycle adds additional features, often adding small, incremental changes from the previous cycle.
A key difference of the agile model (compared with the waterfall model) is that it emphasizes interaction between customers, developers, and testers during each cycle. In contrast, the waterfall model encourages interaction with customers during the requirements stage, but not during the design and implementation stages.
The agile model can be very effective if the customer has a clear idea of the requirements. If not, the customer might ask for changes during each cycle, extending the project’s timeline.
Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?
A. Waterfall
B. SDLC
C. Agile
D. Secure DevOps
Answer is C. The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices.
The waterfall model isn’t as flexible and focuses instead on completing the project in stages.
Both agile and waterfall are software development life cycle (SDLC) models. SDLC is a generic concept that provides structure for software development projects, not a specific model you can select, so it doesn’t answer the question.
Secure DevOps is an agile-aligned development methodology that focuses on security considerations throughout a project.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on secure coding concepts.