If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of secure coding practices. Secure application development and deployment concepts are important for application developers to understand. Additionally, IT security managers who manage development projects should understand these concepts, too, even if they aren’t writing the code.
For example, can you answer this question?
Q. You are overseeing a large software development project. Ideally, developers will not add any unauthorized changes to the code. If they do, you want to ensure that it is easy to identify the developer who made the change. Which of the following provides the BEST solution for this need?
A. Agile SDLC
B. Version control
C. Secure DevOps
D. Static code analysis
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Secure DevOps
DevOps combines the words development and operations, and it is an agile-aligned software development methodology. Secure DevOps is a software development process that includes extensive communication between software developers and operations personnel. It also includes security considerations throughout the project. When applied to a software development project, it can allow developers to push out multiple updates a day in response to changing business needs.
Some of the concepts included within a secure DevOps project are summarized in the following bullets:
• Security automation uses automated tests to check code. When modifying code, it’s important to test it and ensure that the code doesn’t introduce software bugs or security flaws. It’s common to include a mirror image of the production environment and run automated tests on each update to ensure it is error free.
• Continuous integration refers to the process of merging code changes into a central repository. Software is then built and tested from this central repository. The central repository includes a version control system, and the version control system typically supports rolling back code changes when they cause a problem.
• Baselining refers to applying changes to the baseline code every day and building the code from these changes. For example, imagine five developers are working on different elements of the same project. Each of them has modified and verified some code on their computers. At the end of the day, each of these five developers uploads and commits their changes. Someone then builds the code with these changes, and automation techniques check the code. The benefit is that bugs are identified and corrected more quickly. In contrast, if all the developers applied their changes only once a week, the bugs could multiply and be harder to correct.
• Immutable systems cannot be changed. Within the context of secure DevOps, it’s possible to create and test systems in a controlled environment. Once they are created, they can be deployed into a production environment. As an example, it’s possible to create a secure image of a server for a specific purpose. This image can be deployed as an immutable system to ensure it stays secure.
• Infrastructure as code refers to managing and provisioning data centers with code that defines virtual machines (VMs). Once the script is created, new VMs can be created just by running the script.
Version Control and Change Management
The primary purpose of change management policies is to ensure that changes to systems do not cause unintended outages. Secure coding practices use version control and change management practices for the same reason—to prevent unintended outages.
Change management helps ensure that developers do not make unauthorized changes. As an example, if a customer wants a change or addition to the application, a developer doesn’t just implement it, no matter how easy it might be to do so. Instead, any changes to the application go through a specific, predefined process.
The change management process allows several people to examine the change to ensure it won’t cause unintended consequences. Also, any change to the application becomes an added responsibility. If the customer discovers a bug due to this change after it’s delivered, the developer may be responsible for fixing it, even if it wasn’t authorized.
In addition to preventing unauthorized changes and related problems, a change management process also provides an accounting structure to document the changes. Once a change is authorized and implemented, the change is documented in a version control document.
Version control tracks the versions of software as it is updated, including who made the update and when. Many advanced software development tools include sophisticated version control systems. Developers check out the code to work on it and check it back into the system when they’re done. The version control system can then document every single change made by the developer. Even better, this version control process typically allows developers to roll back changes to a previous version when necessary.
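The following added example (not part of the original post) shows how the version control record and the change management record work together: it parses commit history and reports who committed each change that has no approved change request behind it. The `CHG-` ticket format, the approved list and the sample log lines are constructed assumptions.

```python
# Added example: flag commits that do not map to an approved change request.
# Input mimics the output of: git log --pretty=format:'%h|%an|%ae|%aI|%s'
import re
from collections import namedtuple

# Constructed sample history, not taken from a real repository.
SAMPLE_LOG = """\
a1b2c3d|Alice Ng|alice@example.com|2024-03-04T09:12:44+00:00|CHG-101 Add input validation to login form
e4f5a6b|Bob Ruiz|bob@example.com|2024-03-04T16:40:02+00:00|Quick tweak requested by customer
c7d8e9f|Alice Ng|alice@example.com|2024-03-05T11:05:10+00:00|CHG-999 Refactor session handling
0a1b2c3|Dana Cho|dana@example.com|2024-03-05T15:30:00+00:00|CHG-102 Fix typo | update help text
"""

# Hypothetical ticket format and approved list from the change management record.
APPROVED_CHANGES = {"CHG-101", "CHG-102"}
TICKET_RE = re.compile(r"\bCHG-\d+\b")

Commit = namedtuple("Commit", "commit_id author email when subject")

def parse_log(text):
    """Parse pipe-delimited log lines; the subject itself may contain '|'."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # only the first four '|' are delimiters
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits

def unauthorized(commits, approved):
    """Return (commit, reason) pairs for commits lacking an approved ticket."""
    findings = []
    for c in commits:
        tickets = set(TICKET_RE.findall(c.subject))
        if not tickets:
            findings.append((c, "no change ticket referenced"))
        elif not tickets & approved:
            findings.append((c, "ticket not approved: " + ", ".join(sorted(tickets))))
    return findings

if __name__ == "__main__":
    for c, reason in unauthorized(parse_log(SAMPLE_LOG), APPROVED_CHANGES):
        print(f"{c.when} {c.commit_id} {c.author} <{c.email}>: {reason}")
```

The author name and email in a git commit are set by the committer's own configuration, so this attribution is only as strong as the repository's controls, such as signed commits or pushes tied to authenticated accounts.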
Q. You are overseeing a large software development project. Ideally, developers will not add any unauthorized changes to the code. If they do, you want to ensure that it is easy to identify the developer who made the change. Which of the following provides the BEST solution for this need?
A. Agile SDLC
B. Version control
C. Secure DevOps
D. Static code analysis
Answer is B. A version control system will track all changes to a system, including who made the change and when. Change management processes (not available as a possible answer) typically provide the same solution.
An agile software development life cycle (SDLC) model focuses on interaction from all players in a project, but doesn’t necessarily include a version control system.
Secure DevOps is an agile-aligned software development methodology that focuses on security throughout the process.
Static code analysis examines the code without executing it as a method of code testing.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on secure coding concepts.