If you’re planning to take the SY0-501 version of the Security+ exam, you should understand secure application development and deployment concepts. This includes common methods used to create secure applications such as development life-cycle models and using testing to ensure code quality.
For example, can you answer this question?
Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?
A. Waterfall
B. SDLC
C. Agile
D. Secure DevOps
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Testing for Code Quality
Many organizations that create applications also employ testers to verify the quality of the code. Testers use a variety of different methods to put the code through its paces. Ideally, they will detect problems with the code before it goes live.
Some of the common methods of testing code include:
• Static code analyzers. Static code analysis examines the code without executing it. Automated tools can analyze code and mark potential defects. Some tools work as the developer creates the code, similar to a spell checker. Other tools can examine the code once it is semifinalized.
• Dynamic analysis. Dynamic analysis checks the code as it is running. A common method is to use fuzzing. Fuzzing uses a computer program to send random data to an application. In some cases, the random data can crash the program or create unexpected results, indicating a vulnerability. Problems discovered during a dynamic analysis can be fixed before releasing the application.
• Stress testing. Stress testing methods attempt to simulate a live environment and determine how effective or efficient an application operates with a load. As an example, a web application is susceptible to a DDoS attack. A stress test can simulate a DDoS attack and determine its impact on the web application.
• Sandboxing. A sandbox is an isolated area used for testing programs. The term comes from a sandbox in a playground. Children can play in the sandbox where they are relatively safe (and parents can easily keep their eyes on them). Similarly, application developers can test applications in a sandbox, knowing that any changes they make will not affect anything outside the sandbox. Virtual machines (VMs) are often used for sandboxing. For example, Java virtual machines include a sandbox to restrict untrusted applications.
• Model verification. Testing helps identify and remove bugs. However, it’s also important that the software does what it’s meant to do. Model verification is the process of ensuring that software meets specifications and fulfills its intended purpose.
Development Life-Cycle Models
Software development life cycle (SDLC) models attempt to give structure to software development projects. Two popular models are waterfall and agile.
Waterfall Model
The waterfall model includes multiple stages going from top to bottom. Each stage feeds the next stage, so when you finish one stage, you move on to the next stage. When following the waterfall model strictly, you don’t go back to a stage after finishing it. There are multiple variations of the waterfall model, but they all use stages. However, the names of these stages vary from one model to another.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Some typical stages used with the waterfall model include:
• Requirements. The developers work with the customer to understand the requirements. The output of this stage is a requirements document, which provides clear guidance on what the application will do.
• Design. Developers begin to design the software architecture in this stage. This is similar to creating the blueprints for a building. The design stage doesn’t include any detailed coding, but instead focuses on the overall structure of the project.
• Implementation. Developers write the code at this stage, based on the requirements and design.
• Verification. The verification stage ensures the code meets the requirements.
• Maintenance. The maintenance stage implements changes and updates as desired.
A challenge with the waterfall model is that it lacks flexibility. It is difficult to revise anything from previous stages. For example, if a customer realizes a change in the requirements is needed, it isn’t possible to implement this change until the maintenance stage.
Agile Model
The agile model uses a set of principles shared by cross-functional teams. These principles stress interaction, creating a working application, collaborating with the customer, and responding to change.
Instead of strict phases, the agile model uses iterative cycles. Each cycle creates a working, if not complete, product. Testers verify the product works with the current features and then developers move on to the next cycle. The next cycle adds additional features, often adding small, incremental changes from the previous cycle.
A key difference of the agile model (compared with the waterfall model) is that it emphasizes interaction between customers, developers, and testers during each cycle. In contrast, the waterfall model encourages interaction with customers during the requirements stage, but not during the design and implementation stages.
The agile model can be very effective if the customer has a clear idea of the requirements. If not, the customer might ask for changes during each cycle, extending the project’s timeline.
Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?
A. Waterfall
B. SDLC
C. Agile
D. Secure DevOps
Answer is C. The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices.
The waterfall model isn’t as flexible and focuses instead on completing the project in stages.
Both agile and waterfall are software development life cycle (SDLC) models, which is a generic concept designed to provide structure for software development projects.
Secure DevOps is an agile-aligned development methodology that focuses on security considerations throughout a project.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on secure coding concepts.
