10.1 Secure Development Lifecycle (SSDLC)
- SSDLC Stages:
  - Secure Design and Architecture: Integrate security early in design to avoid costly fixes and bottlenecks later.
  - Secure Coding: Use automated tools to identify vulnerabilities during coding; fixing issues early is less expensive.
  - Continuous Build, Integration, and Testing: Security testing during integration catches flaws before they reach production and can be exploited.
  - Continuous Delivery and Deployment: Pre-deployment safety checks ensure secure infrastructure and prevent vulnerabilities in production.
  - Runtime Defence and Monitoring: Post-release practices for incident response and continuous improvement.
- Threat Modelling:
  - Structured risk management to identify, assess, and address threats.
  - STRIDE framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege.
- Testing:
  - Pre-deployment:
    - Static Application Security Testing (SAST): Automated code review for vulnerabilities.
    - Software Composition Analysis (SCA): Audit open-source components and produce a Software Bill of Materials (SBOM).
    - Secrets, images, and IaC template scanning.
  - Post-deployment:
    - Dynamic Application Security Testing (DAST): Black-box testing of running applications.
    - Interactive Application Security Testing (IAST): Combines approaches from SAST and DAST.
    - Penetration Testing: Simulated attacks to find vulnerabilities.
    - Bug Bounty Programmes: Rewards for ethical hackers who find vulnerabilities.
10.2 Architecture’s Role in Secure Cloud Applications
- Cloud impacts on architecture-level security:
  - Integration of infrastructure and applications (e.g., federated identities, distributed databases).
  - Application component credentials: Secure management of microservice permissions.
  - Infrastructure as Code (IaC) and pipelines: Consistent, efficient deployments.
  - Immutable infrastructure: Instances are replaced, not modified, for resiliency.
- Architectural resilience:
  - Use redundancy, load balancing, and auto-scaling for reliability.
  - Site Reliability Engineering (SRE) ensures reliability and efficiency at scale.
10.3 Identity & Access Management (IAM) and Application Security
- IAM manages identities and regulates user access.
- Secrets management:
  - Secure handling of digital credentials (passwords, keys, tokens).
  - Use IAM roles/identities for services where possible.
  - Secure storage services for secrets (integrated with IAM).
  - Third-party solutions for multi-cloud/on-premises deployments.
10.4 DevOps & DevSecOps
- DevOps: Combines development and IT operations for rapid, frequent updates; focuses on collaboration and automation.
- DevSecOps: Integrates security throughout the SDLC; security is embedded from the start.
- Automated deployment pipelines:
  - Continuous Integration/Continuous Delivery (CI/CD) automates security checks and tests.
  - “Shift Left” means moving security to earlier phases for proactive, cost-effective protection.
  - CI: Frequent code merges with pre-deployment security tests (e.g., SAST).
  - CD: Automated deployment with post-deployment security tests (e.g., DAST).
  - Secure image deployment pipeline: IaC, image/container config, source code, version control, CI server, security testing, master image, acceptance, production deployment.
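As an added illustration (not part of the original notes or of any CCSK material) of what a pre-deployment gate in a CI pipeline can look like, the following Python script combines findings from the SAST, SCA/SBOM, secrets and IaC scanning stages listed above and decides whether a build may proceed. The finding format, the policy thresholds, the component names and the sample findings are constructed assumptions, not any real scanner's output.

```python
# Pre-deployment security gate for a CI pipeline (added illustration).
# Stage names follow the SSDLC notes above; the finding format, policy
# thresholds and sample data are constructed assumptions, not real scanner output.
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    stage: str      # "sast", "secrets" or "iac" (SCA is checked via the SBOM)
    severity: str   # a key of SEVERITY
    detail: str

@dataclass
class Verdict:
    passed: bool
    reasons: list = field(default_factory=list)

def evaluate_gate(findings, sbom, vulnerable_components, block_at="high"):
    """Decide whether a build may proceed to deployment (shift-left gate).
    Assumed policy: any committed secret blocks; SAST/IaC findings block at
    or above `block_at`; SBOM entries matching a known-vulnerable
    (name, version) pair block; anything else is allowed through.
    """
    threshold = SEVERITY[block_at]
    reasons = []
    for f in findings:
        if f.stage == "secrets":
            reasons.append(f"secrets: {f.detail}")
        elif f.stage in ("sast", "iac") and SEVERITY[f.severity] >= threshold:
            reasons.append(f"{f.stage} {f.severity}: {f.detail}")
    for name, version in sbom:
        if (name, version) in vulnerable_components:
            reasons.append(f"sca: {name} {version} is a known-vulnerable release")
    return Verdict(passed=not reasons, reasons=reasons)

# Constructed sample inputs (hypothetical component names, no real CVEs)
SAMPLE_FINDINGS = [
    Finding("sast", "medium", "unvalidated redirect in login handler"),
    Finding("secrets", "critical", "cloud access key committed in config/settings.py"),
    Finding("iac", "high", "storage bucket template allows public read"),
]
SAMPLE_SBOM = [("web-framework", "4.2.0"), ("example-lib", "1.0.0")]
VULNERABLE_COMPONENTS = {("example-lib", "1.0.0")}

if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_SBOM, VULNERABLE_COMPONENTS)
    print("PASS" if verdict.passed else "FAIL", *verdict.reasons, sep="\n")
```

With the sample inputs the gate fails on three counts (the committed secret, the high-severity IaC finding and the vulnerable SBOM entry) while the medium-severity SAST finding is allowed through under the assumed "block at high" policy.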
10.4.2 Web Application Firewalls (WAF) & API Gateways
- WAF: Secures HTTP traffic against known attacks.
- API Gateway: Manages API security (authentication, authorisation, rate limiting).
- Deployment scenarios:
  - Agent deployment on IaaS VMs
  - Cloud provider service (integrated WAF/DDoS protection)
  - Third-party marketplace service (dedicated VMs)
  - WAF/DDoS as a Service (DNS redirect to third-party service)
Flashcards: https://quizlet.com/in/1125761456/ccsk-domain-10-application-security-flash-cards/?i=4jehw4&x=1qqt