8.2 Identify and apply security controls in development environments

  • Programming languages
  • Libraries
  • Tool Sets
  • Integrated Development Environment (IDE)
  • Runtime
  • Continuous Integration and Continuous Delivery (CI/CD)
  • Security Orchestration, Automation, and Response (SOAR)
  • Software Configuration Management (SCM)
  • Code repositories
  • Application security testing (Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST))

Remember that a computer understands only one language, machine code, and that a programming language must be converted into machine code before it can run.  It is not possible to list all the programming languages here, but I will try to list the most popular ones.

  • Assembly Language – this is the most primitive language.  It is difficult to understand and very few people use it today, but many of the earlier applications were built with it.

  • C – this is an old programming language created in the 1970s.  It is rudimentary but still in use by many drivers, operating systems, and low-level applications.  Engineers are usually taught C in their first year of University because the fundamental logic has been incorporated into many other languages.

  • C++ – an improvement on C that adds classes and supports system programming and embedded systems.

  • C# – an improvement on C that incorporates the Microsoft .NET framework.  .NET is a framework developed by Microsoft, and many languages can target it.  .NET makes it easier for developers to create applications for Windows machines.  It provides support for the common Windows user interface, databases, cryptography, web application development, and network connectivity.

  • Visual Basic for Applications – VBA is a language that is integrated with Microsoft Office applications.  We can write a VBA app that runs inside a Microsoft Office document.

  • Java – Java is an object-oriented language based on C++.  It is semi-compiled: the source is compiled to bytecode, which then runs inside the Java Virtual Machine.

  • Swift – Swift is a programming language for creating applications on Apple devices.  It is based on Objective-C, which itself is based on C.

  • Python – Python is a high-level, object-oriented language.  It is designed for good readability.

  • R – R is a programming language used to process statistics and create graphs.

  • HTML – HTML is a markup language used to create web pages.  It is interpreted by the user’s web browser.  HTML works with CSS and JavaScript.

  • PHP – PHP is a language that is used to create web applications, but we can use it for many other scripts.  PHP runs on the back end and can be used to generate HTML pages.  Many people hate PHP, but I like it.  I use PHP scripts to process data directly from the command line.

  • CSS – CSS, or Cascading Style Sheets, is a language used to style web pages.  CSS controls the web page layout, fonts, and appearance.

  • JavaScript – JavaScript is a language that runs in the web browser.  It allows us to add additional functionality to a web page.  Over 97% of websites use JavaScript.  JavaScript has many available libraries (we will discuss libraries soon).

Object Oriented Programming

  • In programming, there are two types of programming languages: object-oriented and procedure-oriented.

  • An object is an abstract idea.

  • Each object has certain functions that we can perform with it.  We call these functions methods.

  • When they create an object, programmers need to know the object’s inputs and outputs, but they don’t need to know how it works internally.

  • For example, we might create an object like a clock.  We can ask the clock what time it is, and the clock will tell us. 

    We can also ask the clock to add an amount of time to the current time and return the result.  For example, we can ask the clock to add 15 minutes to the current time.

    We don’t need to know how the clock works.  We just need to know what to ask it and what to do with the response.

  • Object oriented programming is considered to be more secure because we can hide the data.

Procedure Oriented Programming

  • In procedure-oriented programming, we need to specify all the steps that the program must follow.  We must write out the procedure.

  • If we perform a set of steps often, we might create a function.  A function is a set of steps.  We can call the function by its name.  The function has an input and an output.  We give the function some data, the function executes steps on that data, and then it returns an output.

  • Procedure oriented programming is less secure.

Class

Within Object Oriented Programming, we have a Class.  A Class is a structure that we use to create an object.  Going back to my earlier example, we have an object called a Clock.  The Clock Class defines how a Clock object will behave.  We can create many different clocks by instantiating the Clock Class.  Each Clock is a separate object.  We call this an instance.

The Class defines the initial values of the instance’s variables.  For example, our clock has three variables:

  • Time Zone – default is Mountain Time

  • Start Time – 0:00AM

  • 12- or 24-hour clock – 24-hour clock

When we create a new instance of the clock, it will start at 0:00AM, Mountain Time, and be in a 24-hour format.  These are the only details of the clock that we can modify.

A class has four properties:

  • Encapsulation – the methods and data that operate within the class are all bundled inside the class.

  • Inheritance – a subclass can gain the properties of a parent class.  For example,

    • We could have a parent class known as vehicles.  The vehicles class defines vehicles in general.  It would have properties like license plate number, color, engine size, number of seats, etc.  Every vehicle needs these properties.

    • We could have child classes such as motorcycle, car, bus, SUV, van, truck, etc.  Each child class inherits the properties from the parent class but could have additional properties, such as trailer hitch size, number of floor mats, trunk size, etc.  Not every vehicle type has a trailer hitch, floor mats, or trunk.

  • Polymorphism – we can access different types of objects via the same interface.  Why?  Because the class takes care of the data and the code.

  • Polyinstantiation – we can create multiple copies of an object.

Many object-oriented languages have classes built in.  The benefit of a class is that we can reference the class to create a useful object without having to reinvent the wheel and create the code for the object ourselves.
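The Clock and Vehicle classes described above, written out as an added example (this code is not from the original notes).  The Clock keeps its minute counter hidden so that every change goes through a method that validates it, which is the data-hiding point the notes make about security; the Truck subclass and `describe_all` show inheritance and polymorphism.  Class, method and parameter names are my own choices.

```python
class Clock:
    """Clock from the notes: time zone, start time and 12/24-hour format,
    with the defaults the text gives (Mountain Time, 0:00, 24-hour)."""

    def __init__(self, time_zone="Mountain Time", start_minutes=0, use_24_hour=True):
        self.time_zone = time_zone
        self.use_24_hour = use_24_hour
        # Encapsulation: the minute counter is hidden behind a double
        # underscore, so callers must go through add_minutes(), which
        # validates every change instead of trusting the caller.
        self.__minutes = 0
        self.add_minutes(start_minutes)

    def add_minutes(self, amount):  # "add 15 minutes to the current time"
        if not isinstance(amount, int) or amount < 0:
            raise ValueError("minutes must be a non-negative integer")
        self.__minutes = (self.__minutes + amount) % (24 * 60)
        return self.current_time()

    def current_time(self):  # "what time is it?"
        hours, minutes = divmod(self.__minutes, 60)
        if self.use_24_hour:
            return f"{hours:02d}:{minutes:02d} {self.time_zone}"
        suffix = "AM" if hours < 12 else "PM"
        return f"{hours % 12 or 12}:{minutes:02d}{suffix} {self.time_zone}"


class Vehicle:
    """Parent class: the properties every vehicle has."""

    def __init__(self, plate, color, seats):
        self.plate, self.color, self.seats = plate, color, seats

    def describe(self):
        return f"{self.color} vehicle {self.plate}, {self.seats} seats"


class Truck(Vehicle):
    """Child class (inheritance): gains the parent's properties and adds one."""

    def __init__(self, plate, color, seats, hitch_size_in):
        super().__init__(plate, color, seats)
        self.hitch_size_in = hitch_size_in

    def describe(self):  # overrides the parent's method
        return super().describe() + f", {self.hitch_size_in}-inch hitch"


def describe_all(vehicles):
    # Polymorphism: the same interface works on every kind of vehicle object.
    return [v.describe() for v in vehicles]
```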

Some ideas about programming

The Runtime is the combination of hardware and software needed to run our application.  It has many layers, including the hardware, firmware, drivers, and operating system.

Remember too that the application is not usually permitted to talk directly to the hardware.  For example, if Skype or Teams wants to use your webcam, it asks Windows for permission.  Windows uses the driver to talk to the firmware in the webcam and convey the video feed.  Skype or Teams does not talk to your webcam directly.

When you create a basic application, you might not consider all the factors that affect the application’s behavior or user interface.  But when the application is complex and widely used, there are millions of combinations of user devices.  It is impossible to test every possible scenario.

The Trusted Computing Base is a combination of hardware, software, and controls that enforce a security policy.

The TCB is the part of the system that is trusted to enforce the policy.  We should remember that other parts of the system are not trusted to enforce the policy.  The TCB controls access to the system and mediates access between components inside and outside the TCB.

Continuous Integration is a DevOps idea where we automatically integrate our code into the shared code repository as soon as testing is complete.  Continuous Delivery takes it another step and releases the code directly to the end users as soon as testing is complete.  We write the code.  We test the code.  If it works, then the users automatically receive an update.

A Library is a tool that keeps us from having to write code.  Developers create libraries full of functions.  For example, a person created a Calendar Library in JavaScript.  If I want to add a calendar feature to my website, I could either build my own calendar application from scratch, which would take hundreds of hours, or I could incorporate the calendar library.

If the library is open source, then I can read and modify the code to add additional features as I wish.  When we release our application, we must also bundle the libraries with it.

The most popular libraries are written for JavaScript.

  • dojo
  • jQuery
  • React

Tool Sets.  There are many different tool sets that we can use to help us write code.  When combined, they might make up an IDE.

An Integrated Development Environment (IDE) is a tool for writing code.  Old school programmers wrote all their code in Notepad (or nano or vi).  When our application is thousands or millions of lines of code spread across multiple files, and includes libraries, Notepad becomes impractical.

Some of the tools that an IDE can provide:

  • Text Editor

    • Automatically color code our code based on its function or type

    • Automatically make suggestions when we are typing or auto complete what we are typing

    • Automatically verify syntax and highlight common errors

    • Keep track of our variables

    • Intelligent find and replace across multiple files

    • Provide templates for common file types

  • Code Repository

    • Each time we make a change to the code, we should save the update to a code repository.  Each saved revision records the source code as of that change, the date and time of the change, and a description of the change.

      We can go back into the code repository and compare the code before and after the changes.  We can also roll back the code to a point in time if changes were not acceptable.  We can also fork the software – that means that another team copies our source code and adds features to take the software development in a different direction.

    • We must protect the software in the repository so that unauthorized people can’t view, modify, or delete the source code.  The repository must be backed up well because a failure of the repository could be a failure of the organization.

  • Debugger

    • The text editor can automatically detect common errors such as missing punctuation, misspelled function names, and variables that have not been declared.

    • More complicated errors can only be detected after the code is executed.  The debugger can show us where in our code each error occurs and what caused it, which helps us work out how to fix it.

    • There are three types of errors:

      • A syntax error – we spelled something wrong, or we forgot some punctuation.  The text editor can detect it quickly.

      • A runtime error – this is only detected after the program executes.  Sometimes, it is not detected because the portion of the code that contains the error is not run.  Sometimes, it is only detected after we receive an input that our program is not capable of handling.

      • A logic error – there is no error per se, but the program doesn’t do what we want it to do.  For example, we hardcode the conversion of yards to feet, but we specify that one yard is equal to six feet (the correct value is three feet).

        NASA has lost billions of dollars due to logic errors because software on their rockets could not calculate the trajectory.

  • Compiler

    • The compiler converts the code into machine code.

Security Orchestration, Automation, and Response (SOAR).  SOAR is an application that combines multiple types of threat response.  It includes a SIEM, a security incident response system, and security automation.

When the SIEM detects a threat, it automatically notifies an administrator and creates an incident.  It can also launch an automatic response; the type of response depends on the type of incident and its severity.  We can program the SOAR to respond the way that we want.

Some examples:

  • The SIEM detects that a user has accessed too many shared files in a short time.  SOAR notifies an administrator or the user’s manager to investigate further.  SOAR takes no further action.

  • The SIEM detects that ransomware has infected a user’s computer through an e-mail.  SOAR automatically shuts down the user’s computer and isolates it from the network.  SOAR notifies an administrator of the issue and begins an in-depth scan of other devices on the network.  SOAR also takes a fingerprint of the ransomware and adds it to its threat database so that it can be blocked if it attempts to enter through another mechanism.
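The two SOAR scenarios above, as an added example that is not part of the original notes: a small SIEM-style correlation over constructed log lines (not real data), followed by a playbook lookup in which the severity and the actions depend on the incident type.  The log format, the threshold of three files per minute, the `PLAYBOOK` table and the action names are all my own assumptions; a real SOAR platform would call its integrations where this code only returns the action list.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample SIEM events (not real logs): time user host event detail
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 alice ws-12 file_access /shares/finance/q1.xlsx
2024-05-01T09:00:03 alice ws-12 file_access /shares/finance/q2.xlsx
2024-05-01T09:00:06 alice ws-12 file_access /shares/hr/salaries.xlsx
2024-05-01T09:00:09 alice ws-12 file_access /shares/legal/nda.pdf
2024-05-01T09:00:30 bob ws-07 file_access /shares/it/runbook.md
2024-05-01T09:05:12 bob ws-07 ransomware_detected sha256=PLACEHOLDER_HASH
"""
FILE_ACCESS_LIMIT = 3           # more than this many files per window is suspicious
WINDOW = timedelta(seconds=60)
# Playbook we program into SOAR: incident type -> (severity, response actions).
PLAYBOOK = {
    "excessive_file_access": ("low", ["notify_admin_or_manager"]),
    "ransomware": ("high", ["isolate_host", "notify_admin",
                            "scan_other_devices", "add_fingerprint_to_blocklist"]),
}

def parse_event(line):
    ts, user, host, kind, detail = line.split(" ", 4)
    return {"time": datetime.fromisoformat(ts), "user": user,
            "host": host, "kind": kind, "detail": detail}

def detect_incidents(lines):
    """SIEM side: correlate raw events into incidents for SOAR to handle."""
    incidents, recent, flagged = [], {}, set()
    for ev in map(parse_event, filter(None, lines)):
        if ev["kind"] == "ransomware_detected":
            incidents.append({"type": "ransomware", "user": ev["user"],
                              "host": ev["host"], "fingerprint": ev["detail"]})
        elif ev["kind"] == "file_access":
            times = recent.setdefault(ev["user"], deque())
            times.append(ev["time"])
            while ev["time"] - times[0] > WINDOW:  # forget accesses outside the window
                times.popleft()
            if len(times) > FILE_ACCESS_LIMIT and ev["user"] not in flagged:
                flagged.add(ev["user"])           # one incident per user, not per file
                incidents.append({"type": "excessive_file_access",
                                  "user": ev["user"], "host": ev["host"]})
    return incidents

def respond(incident):
    """SOAR side: the response depends on the incident type and its severity."""
    severity, actions = PLAYBOOK[incident["type"]]
    return {"incident": incident, "severity": severity, "actions": list(actions)}
```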

Software Configuration Management (SCM).  Going back to our earlier discussion, remember that the organization needs to keep track of changes.  One of the items that needs to be tracked is the software configuration.  The starting point is the baseline: the software version and any patches applied to it.

Each time we make a change to the software, we must apply to the change control board or follow the organization’s change management process.  We might integrate the change control into the software development workflow.

Some test types:

  • A Static test is when we test the software without executing the code.  We review the code and documentation.  We might perform static tests frequently during the development process so that we can catch errors before we have a final product.  It is also known as Static Application Security Testing (SAST).

  • A Dynamic test is when we test the software while executing the code.  It is not possible to perform a dynamic test on code that is not complete because the code will not execute.  It is also known as Dynamic Application Security Testing (DAST).
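An added example (not from the original notes) that ties the two test types to the three error types from the Debugger section.  `static_test` parses source without executing it, like a SAST tool, so it can only see the syntax error; `dynamic_test` executes the function on chosen inputs, like a DAST tool, so it finds the runtime error only on an input that reaches the bad path and finds the logic error (the six-feet-per-yard mistake) only because it compares against a known answer.  The three snippets are constructed for the demonstration, and `exec` is used only on those constructed strings.

```python
import ast

# Constructed source snippets, one for each error type in the notes.
SYNTAX_ERROR_SRC = "def yards_to_feet(yards)\n    return yards * 3\n"            # missing ':'
RUNTIME_ERROR_SRC = "def feet_per_yard(yards, feet):\n    return feet / yards\n"  # fails if yards == 0
LOGIC_ERROR_SRC = "def yards_to_feet(yards):\n    return yards * 6\n"             # runs, wrong answer


def static_test(source):
    """SAST-style check: parse the source without executing it.
    Only defects visible in the text itself (syntax) can be found here."""
    try:
        ast.parse(source)
    except SyntaxError as exc:
        return False, f"syntax error at line {exc.lineno}: {exc.msg}"
    return True, "no syntax errors found"


def dynamic_test(source, func_name, cases):
    """DAST-style check: execute the function on concrete inputs and compare
    the result with what we expect. Only the paths we exercise get tested."""
    namespace = {}
    exec(source, namespace)  # runs the constructed snippet; never exec untrusted input
    func = namespace[func_name]
    for args, expected in cases:
        try:
            result = func(*args)
        except Exception as exc:  # runtime error: surfaces only on this input
            return False, f"runtime error on input {args}: {type(exc).__name__}"
        if result != expected:    # logic error: no exception, just a wrong answer
            return False, f"logic error on input {args}: got {result}, expected {expected}"
    return True, "all cases passed"
```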