***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/cap-software-and-systems-security/blob/main/README.md) >

## CompTIA Cybersecurity Analyst (CySA+) - Course Material 2022
###### Topic: ``Software Assurance``
***

Course material for the ``CompTIA Cybersecurity Analyst (CySA+)`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Software Assurance](#a) <br/><br/>

- [Software Assurance Best Practices](#b) ``Secure Coding`` <br/><br/> 
    - [Open Web Application Security Project](#b) <br/><br/> 
        - [``OWASP``](#b) <br/><br/> 
    - [SysAdmin Network and Security Institute](#b) <br/><br/> 
        - [``SANS``](#b) <br/><br/> 
- [Platform-Specific Best Practices](#c) <br/><br/> 
    - [Client/Server](#c) <br/><br/> 
        - [ [OWASP Secure Coding Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content) ] <br/><br/>
    - [Web Applications](#c) ``Extension to Client/Server Structure`` <br/><br/> 
    - [Mobile Applications](#c) <br/><br/> 
        - [ [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) ] <br/><br/> 
    - [Embedded Applications](#c) <br/><br/> 
        - [Firmware](#c) <br/><br/> 
            - [System on Chip](#c) ``SoC`` <br/><br/> 
                - [ [OWASP Embedded Application Development](https://owasp.org/www-project-embedded-application-security/) ] <br/><br/> 
- [Secure Coding Best Practices](#d) <br/><br/> 
    - [Input Validation](#d) <br/><br/> 
        - Input Handled Appropriately by that Application <br/><br/> 
            - [ [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) ] <br/><br/> 
    - [Output Encoding](#d) <br/><br/> 
        - Sanitise Output Created from User Input <br/><br/> 
            - [ [OWASP](https://wiki.owasp.org/index.php/Category:Encoding) ] <br/><br/>
            - [ [W3 Schools](https://www.w3schools.com/html/html_entities.asp) ] <br/><br/>
    - [Parameterized Queries](#d) <br/><br/> 
        - [``SQL Injection``](#d) <br/><br/> 
            - [``"Placeholders"``](#d) ``SQL Query`` <br/><br/> 
                - [ [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html) ] <br/><br/>
- [Sensitive Data Protection](#e) ``Bypass Access Controls``/``Retrieve Confidential/Sensitive Data`` <br/><br/> 
    - [Best Practices](#e) <br/><br/>
        - [ [Review the OWASP Top 10 List](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure) ] ``Web Application`` <br/><br/>
        - [Avoid Hardcoded Credentials](#e) <br/><br/> 
        - [Control Cached Data](#e) ``Controlled in a Client/Server Environment`` <br/><br/> 
            - [Disable](#e) | [Autocomplete](#e) | [Cookie Feature](#e) <br/><br/> 
- [Software Assessment Methods](#f) ``Vulnerability Scan Critical`` <br/><br/> 
    - [Static Analysis and Code Review](#g) <br/><br/> 
        - [Uncompiled](#g) ``Source Code`` <br/><br/>     
            - [Static Code Analysis](#g) <br/><br/> 
                - [Manually](#g) | [Automated Tools](#g) <br/><br/> 
            - [Code Review](#g) ``Human Code Review`` <br/><br/> 
                - [Peer Review](#g) ``Combination with Static Analysis`` <br/><br/> 
    - [Verification of Critical Software](#h) ``Validating Software Design`` <br/><br/> 
        - [Mathematical Modeling](#h) <br/><br/> 
            - [Expected I/O](#h) <br/><br/> 
    - [User Acceptance Testing](#i) ``Last Stages < Release``/``Human Feedback`` <br/><br/> 
        - [``UAT``](#i) ``Test Performance in a Live Environment`` <br/><br/> 
            - [Fit for Purpose](#i) <br/><br/> 
    - [Security Regression Testing](#j) ``Comparing Security Fixes against Applications as a Baseline`` <br/><br/> 
        - [Updates ~~Compromise~~ Existing Security](#j) <br/><br/> 
- [Service-Oriented Architecture](#k) ``Streamline / Secure Service Development Process`` <br/><br/> 
    - [``SOA``](#k) <br/><br/> 
        - [Best Practices](#k) <br/><br/> 
            - [Microservices](#l) <br/><br/> 
                - Solution Components Conceived as Highly Separated Services ~~Dependent on a Single Platform Technology~~ <br/><br/> 
            - [Simple Object Access Protocol](#m) ``SOAP``/``Messaging Protocol`` <br/><br/> 
                - [Exchange Messages](#m) ``XML`` <br/><br/> 
                    - Supports | Authentication - Security in Transport - Asynchronous Messaging <br/><br/> 
                    - Integrity | ``Rule of Least Privilege`` <br/><br/>
            - [Security Assertions Markup Language](#n) ``SAML``/``Often Used with SOAP`` <br/><br/> 
                - [Exchange Authentication Information between Client / Service](#n) ``XML`` <br/><br/> 
                    - [Communicated via HTML Assertion Form](#n) <br/><br/> 
            - [Representational State Transfer](#o) | [``REST``](#o) | [``API``](#o) <br/><br/> 
                - [Authentication/Authorization](#o) | [``OAuth``](#o) <br/><br/> 
                    - Share User Data between Sites / Applications <br/><br/> 
            - [OpenID Connect](#p) ``OIDC`` <br/><br/> 
                - [Protocol to Handle Authorizing Claims](#p) ~~Authenticating Actual User Accounts~~ <br/><br/>
- [Automation Best Practices](#q) `` Preserve the Spirit of Security`` <br/><br/> 
    - [DevSecOps](#r) <br/><br/> 
        - [Static Code Analysis](#r) ``Remediate before Live in Production`` <br/><br/> 
    - [Infrastructure as Code](#s) <br/><br/> 
        - [``IaC``](#s) <br/><br/> 
            - [Provisioning Architecture](#s) <br/><br/> 
                - [Scripted Automation / Orchestration](#s) ``Deployment`` <br/><br/> 
            - [Ensure Proper Access/Resource Controls](#s) <br/><br/> 
                - Who / What can Create which Types of Resources <br/><br/>
            - [Golden Image Standard](#s) <br/><br/> 
                - [Template](#s) <br/><br/> 
                    - [Boundaries](#s) <br/><br/> 
    - [Security Orchestration Automation and Response](#t) ``SOAR`` <br/><br/> 
        - [Security Tools](#t) ``Orchestrating Automated Runbooks``/``Delivering Data Enrichment`` <br/><br/> 
            - [Incident Response](#t) <br/><br/> 
            - [Threat Hunting](#t) <br/><br/> 
            - [Security Configuration](#t) <br/><br/>
        - Implementing SOAR Solution  <br/><br/>
            - [Streamline Automation](#t) <br/><br/> 
                - [Machine Learning Techniques](#t) <br/><br/> 
                    - [Automated Malware Signature Creation](#t) <br/><br/> 
                    - [Data Enrichment](#t) <br/><br/> 
                    - [``AI``](#t) <br/><br/> 
            - [Orchestrate Response / Remediation](#t) <br/><br/> 
                - [Playbook](#t) <br/><br/>        
                    - [Checklist](#t) <br/><br/>        
                - [Runbook](#t) <br/><br/>                             
                    - [Automated Playbook](#t)
                     
<hr width="50%">

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Software Assurance
***

> Determine SDLC and secure coding best practices

> Determine web application best practices

> Utilize software assurance tools

> Communicate service-oriented best practices

> Explain automation best practices

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Software Assurance Best Practices
***

When developing an application, it is important to incorporate secure coding best practices into your overall software development lifecycle. 

The following resources are great places to start evaluating your application and at least attempt to identify and remove some low-hanging fruit vulnerabilities in the process.

> Open Web Application Security Project - ``OWASP``

A non-profit organization and community publishing a number of secure application development resources.

> SysAdmin Network and Security Institute - ``SANS``

A company specializing in cybersecurity and secure web application development training; it also sponsors the Global Information Assurance Certification (``GIAC``).

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Platform-Specific Best Practices
***

Code development best practices are not limited to a single platform - they apply to many platforms across your enterprise. 

It is important to understand the best practices for each type of platform as follows:

> Client/Server

The [ [OWASP Secure Coding Practices-Quick Reference Guide](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content) ] is a great place to focus.

> Web Applications

Web apps are an extension of that ``Client/Server`` structure - the ``OWASP`` best practices for ``Client/Server`` apply here as well.

> Mobile Applications

[ [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) ]

> Embedded Applications/Firmware/SoC (System on Chip)

[ [OWASP Embedded Application Development](https://owasp.org/www-project-embedded-application-security/) ]

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Secure Coding Best Practices
***

Secure coding best practices include:

> Input Validation

- Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.


- Resource: [ [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) ]

> Output Encoding

- Coding methods that sanitize output created from user input.


- Resource 1: [ [OWASP](https://wiki.owasp.org/index.php/Category:Encoding) ]


- Resource 2: [ [W3 Schools](https://www.w3schools.com/html/html_entities.asp) ]

> Parameterized Queries

- A technique that defends against ``SQL Injection`` by incorporating ``placeholders`` in a SQL query.


- Resource: [ [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html) ]
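The three practices above shown side by side, as an added example that is not part of the course material: a constructed in-memory SQLite table, a string-concatenated query beside its parameterized equivalent, an allow-list username validator, and HTML entity encoding of output. The table contents, the crafted test input and the username pattern are all constructed assumptions.

```python
import html
import re
import sqlite3

def make_db():
    """Constructed in-memory sample table; not real application data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_concatenated(conn, username):
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    in the input changes the structure of the query (SQL injection)."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Hardened form: the '?' placeholder binds the input as a value only;
    it can never become part of the SQL statement."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Input validation: an allow-list of what a username may look like (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def validate_username(username):
    """True only when the whole string matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(username) is not None

def render_greeting(username):
    """Output encoding: entity-encode user input before placing it in HTML."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"

def demo():
    """Run the same benign and crafted inputs through both query styles."""
    conn = make_db()
    crafted = "' OR '1'='1"   # constructed test input; becomes valid SQL once spliced in
    return {
        "concat_benign": lookup_concatenated(conn, "alice"),
        "concat_crafted": sorted(lookup_concatenated(conn, crafted)),   # every row leaks
        "param_benign": lookup_parameterized(conn, "alice"),
        "param_crafted": lookup_parameterized(conn, crafted),           # no such user: []
        "crafted_passes_validation": validate_username(crafted),        # rejected up front
        "encoded": render_greeting("<script>alert(1)</script>"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```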

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Sensitive Data Protection Best Practices
***

Sensitive Data Exposure is a software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

Sensitive Data Exposure on a web application can be avoided with proper planning and security in mind - the following are some high-level ways to control sensitive data leakage:

- [ [Review the OWASP Top 10 List](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure) ]


- Avoid using hardcoded credentials.


- Cached data should be controlled in a ``Client/Server`` environment, including disabling autocomplete and cookie features.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Software Assessment Methods
***

Ensuring software is scanned by a vulnerability scanner is critical for security - even more important is understanding each software assessment method so that it can be implemented effectively within your organization.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Software Assessment Methods - Static Analysis and Code Review
***

> Static Code Analysis

Static code analysis is the process of reviewing uncompiled source code either manually or using automated tools. Performing some form of static analysis is one of the only ways to discover certain vulnerabilities before they are introduced into production.

> Code Review

Code review is the process of peer review of uncompiled source code by other developers. In combination with static analysis, human code review should be performed as well to ensure both security and coding best practices are being adhered to.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### Software Assessment Methods - Verification of Critical Software
***

> Mathematical Modeling - Expected I/O

A formal method is the process of validating software design through mathematical modeling of expected inputs and outputs.

In some instances, it may be necessary to perform a formal review on critical software to identify isolated issues in the software - however, the formal method of review is very time consuming and therefore difficult to justify.

< [Table of Contents](#top) | [References](#references) >
<a id="i"></a>
***
###### Software Assessment Methods - User Acceptance Testing - ``UAT``
***

Usually one of the last stages in software development before release - ``UAT`` proves that a program is usable and fit for purpose in real world conditions.

- ``UAT`` is more of a test to get a human's feedback on how a certain feature performs in a live environment. 

``UAT`` can be performed on application features or even on security improvements, such as testing how well ``MFA`` works.

< [Table of Contents](#top) | [References](#references) >
<a id="j"></a>
***
###### Software Assessment Methods - Security Regression Testing
***

This is the process of checking that updates to code do not compromise existing security functionality or capability.

Ultimately, regression testing compares working security fixes against the application as a baseline - this ensures that if any new code update breaks a fix or reopens a previously closed vulnerability, it can be addressed in real time.
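An added example (not from the course material) that ties the regression testing described here to the sensitive data controls listed earlier: a recorded baseline of security fixes (login response not cached, session cookie flagged ``HttpOnly``/``Secure``, password field with autocomplete disabled) is re-checked against each new build, and anything that has been reopened is reported. The response dicts, header values and check names are constructed.

```python
from http.cookies import SimpleCookie

# Security properties established by earlier fixes. Each check takes a response
# dict {"headers": {...}, "body": "..."} and returns True while the fix holds.
def login_page_not_cached(response):
    """Cached-data control: the login response must carry Cache-Control: no-store."""
    return "no-store" in response["headers"].get("Cache-Control", "").lower()

def session_cookie_hardened(response):
    """Cookie control: the session cookie must be both HttpOnly and Secure."""
    jar = SimpleCookie()
    jar.load(response["headers"].get("Set-Cookie", ""))
    morsel = jar.get("session")
    return bool(morsel and morsel["httponly"] and morsel["secure"])

def password_field_no_autocomplete(response):
    """Autocomplete control: the password input must opt out of browser autofill."""
    return 'autocomplete="off"' in response["body"]

# The baseline: every fix that a later update must not undo.
SECURITY_BASELINE = {
    "login response carries Cache-Control: no-store": login_page_not_cached,
    "session cookie is HttpOnly and Secure": session_cookie_hardened,
    "password field disables autocomplete": password_field_no_autocomplete,
}

def regression_report(response):
    """Names of baseline properties the build under test no longer satisfies."""
    return [name for name, check in SECURITY_BASELINE.items() if not check(response)]

# Constructed responses: the build where the fixes landed, and a later update
# that silently dropped the cookie flags and the autocomplete control.
FIXED_BUILD = {
    "headers": {"Cache-Control": "no-store",
                "Set-Cookie": "session=abc123; HttpOnly; Secure; Path=/"},
    "body": '<input type="password" name="pw" autocomplete="off">',
}
REGRESSED_BUILD = {
    "headers": {"Cache-Control": "no-store",
                "Set-Cookie": "session=abc123; Path=/"},
    "body": '<input type="password" name="pw">',
}

if __name__ == "__main__":
    print("fixed build regressions:", regression_report(FIXED_BUILD))
    print("updated build regressions:", regression_report(REGRESSED_BUILD))
```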

< [Table of Contents](#top) | [References](#references) >
<a id="k"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices
***

The following are some common [ [``SOA``](https://www.ibm.com/cloud/learn/soa) ] principles and features that help to both streamline and secure the service development process.

< [Table of Contents](#top) | [References](#references) >
<a id="l"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices - Microservices
***

Microservices are a software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type of technology.

< [Table of Contents](#top) | [References](#references) >
<a id="m"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices - Simple Object Access Protocol - ``SOAP``
***

``SOAP`` is a heavyweight XML-formatted messaging protocol that is used to exchange messages. 

It supports authentication, security in transport, and asynchronous messaging, which all can be very beneficial in an ``SOA`` environment.

Since ``SOAP`` is vulnerable to exploits like probing, coercive parsing, malware, and SQL injection, it is crucial that you apply the rule of least privilege to ensure its integrity.

< [Table of Contents](#top) | [References](#references) >
<a id="n"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices - Security Assertions Markup Language - ``SAML``
***

``SAML`` is an XML-based data format used to exchange authentication information between a client and a service.

Often used with ``SOAP``, ``SAML`` data is communicated in the form of an HTML assertion form. The form contains both authentication and user identity information about the session. 

``SAML`` implementations should be constantly validated and also encrypted.

< [Table of Contents](#top) | [References](#references) >
<a id="o"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices - Representational State Transfer - ``REST``
***

Compared to ``SOAP``, ``REST`` is a more loosely defined protocol that is often used with an ``API`` to allow flexibility in its application. 

> Authentication/Authorization - ``OAuth``

- The ``REST`` authentication/authorization implementation is called ``OAuth``.

The main purpose of ``OAuth`` is to share user data between sites and applications.

To recap, Application Programming Interfaces (APIs) are a library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular OS.

< [Table of Contents](#top) | [References](#references) >
<a id="p"></a>
***
###### Service-Oriented Architecture - ``SOA`` - Best Practices - OpenID Connect - ``OIDC``
***

``OIDC`` is a special protocol designed to handle authorizing claims and not so much authenticating actual user accounts. 

Both ``REST`` and ``OIDC`` pertain to the authentication and authorization on APIs specifically.


< [Table of Contents](#top) | [References](#references) >
<a id="q"></a>
***
###### Automation Best Practices
***

Automation is a great way to speed up tedious tasks and increase workflows in a business setting. 

When implementing automation, it is important to consider the following best practices to preserve the spirit of security along the way.

< [Table of Contents](#top) | [References](#references) >
<a id="r"></a>
***
###### DevSecOps
***

Integrating security into the ``DevOps`` pipeline as soon as possible is the best way to ensure that ``Static Code Analysis`` has ample time to execute and be remediated before the code goes live in production.

< [Table of Contents](#top) | [References](#references) >
<a id="s"></a>
***
###### Infrastructure as Code - ``IaC``
***

``IaC`` is a provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

Utilizing ``IaC`` allows for production and development teams to have the flexibility to spin up resources as needed and helps to speed up the overall development process. 

> Ensure Proper Access/Resource Controls

One very important best practice to implement with ``IaC`` is to ensure that proper access and resource controls are in place on who and what can create which types of resources. 

> Golden Image Standard 

The use of a [ [Golden Image](https://www.techopedia.com/definition/29456/golden-image) ] Standard is advised as well to give the users freedom, but within a set list of boundaries.
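An added example (not from the course material) of the two ``IaC`` best practices above expressed as a policy check over a deployment plan: each requested resource is allowed only if the requesting role may create that resource type and the image comes from the approved golden-image list. The roles, resource types, image names and the plan format are constructed assumptions.

```python
# Golden Image Standard: the approved images per resource type form the
# "set list of boundaries" within which teams are free to provision. Constructed.
GOLDEN_IMAGES = {
    "web": {"golden-web-2022.07"},
    "db": {"golden-db-2022.06"},
}

# Access/resource control: which role may create which resource types. Constructed.
ROLE_PERMISSIONS = {
    "dev-team": {"web"},
    "platform-team": {"web", "db"},
}

def check_request(request):
    """Return the policy violations for one resource request; empty means allowed."""
    violations = []
    rtype = request["type"]
    role = request["requested_by"]
    image = request["image"]
    if rtype not in ROLE_PERMISSIONS.get(role, set()):
        violations.append(f"role {role!r} may not create {rtype!r} resources")
    if image not in GOLDEN_IMAGES.get(rtype, set()):
        violations.append(f"image {image!r} is not an approved golden image for {rtype!r}")
    return violations

def evaluate_plan(plan):
    """Evaluate every resource in a plan; returns {resource name: [violations]}."""
    return {resource["name"]: check_request(resource) for resource in plan}

def plan_is_deployable(plan):
    """A plan proceeds to scripted provisioning only when no resource violates policy."""
    return all(not v for v in evaluate_plan(plan).values())

# Constructed plan, in the shape the orchestration layer is assumed to submit:
# one compliant request, one from a role without rights to the type, and one
# hand-built image that bypasses the golden image standard.
SAMPLE_PLAN = [
    {"name": "web-01", "type": "web", "requested_by": "dev-team",
     "image": "golden-web-2022.07"},
    {"name": "db-01", "type": "db", "requested_by": "dev-team",
     "image": "golden-db-2022.06"},
    {"name": "web-02", "type": "web", "requested_by": "dev-team",
     "image": "ubuntu-custom-handbuilt"},
]

if __name__ == "__main__":
    for name, violations in evaluate_plan(SAMPLE_PLAN).items():
        print(name, "OK" if not violations else violations)
```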

< [Table of Contents](#top) | [References](#references) >
<a id="t"></a>
***
###### Security Orchestration Automation and Response - ``SOAR``
***

``SOAR`` is a class of security tools that facilitates (via orchestrating automated runbooks and delivering data enrichment):


- Incident Response


- Threat Hunting


- Security Configuration 

> Streamline Automation

Implementing a ``SOAR`` solution in your enterprise can help streamline all the automation efforts surrounding your security stance. This includes combining machine learning techniques with automated malware signature creation, data enrichment, and artificial intelligence. 

> Orchestrate Response/Remediation

These are bundled into a tool that also orchestrates the response to, and remediation of, certain items once triggered, by using playbooks and runbooks.

- Playbook

A checklist of actions to perform to detect and respond to a specific type of incident.

- Runbook

An automated version of a playbook that leaves clearly defined interaction points for human analysis.
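An added example (not from the course material) of the playbook/runbook relationship described above: the same ordered steps serve as the human checklist (playbook) and, with actions attached, as the runbook, which runs automated enrichment, then stops at a clearly defined human interaction point until an analyst approves, and only then performs containment. The alert shape, the VPN range and the step names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Context = Dict[str, object]

@dataclass
class Step:
    name: str
    action: Optional[Callable[[Context], None]] = None   # None = human interaction point

@dataclass
class RunbookResult:
    completed: List[str] = field(default_factory=list)
    waiting_on: Optional[str] = None                      # step awaiting an analyst

def checklist(steps):
    """The playbook view: the same steps as a plain checklist for a human."""
    return [step.name for step in steps]

def run_runbook(steps, ctx, approvals):
    """Run automated steps in order; pause at a human step until it is approved."""
    result = RunbookResult()
    for step in steps:
        if step.action is None:
            if step.name not in approvals:
                result.waiting_on = step.name
                return result                              # hand off to the analyst
        else:
            step.action(ctx)
        result.completed.append(step.name)
    return result

# Constructed enrichment data: a corporate VPN prefix in a documentation range.
KNOWN_VPN_PREFIXES = ("203.0.113.",)

def enrich_source_ip(ctx):
    """Data enrichment: tag whether the login came from a known VPN egress."""
    ctx["from_known_vpn"] = str(ctx["source_ip"]).startswith(KNOWN_VPN_PREFIXES)

def isolate_host(ctx):
    """Containment action; in a real SOAR this would call the EDR/NAC API (assumed)."""
    ctx["host_isolated"] = True

SUSPICIOUS_LOGIN = [
    Step("enrich source IP", enrich_source_ip),
    Step("analyst approves containment"),                  # human interaction point
    Step("isolate host", isolate_host),
]

if __name__ == "__main__":
    alert = {"source_ip": "198.51.100.7", "host": "ws-042"}   # constructed alert
    print("playbook:", checklist(SUSPICIOUS_LOGIN))
    print("first pass:", run_runbook(SUSPICIOUS_LOGIN, alert, approvals=set()))
    print("after approval:", run_runbook(SUSPICIOUS_LOGIN, alert,
                                         approvals={"analyst approves containment"}))
```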

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cybrary, "Software Assurance," [cybrary.it](https://web.archive.org/web/20220724081418/https://www.cybrary.it/), n.d.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
