WEBVTT

00:00.000 --> 00:04.020
>> Integrating software
applications, part 1.

00:04.020 --> 00:06.960
The learning objectives
for this lesson are

00:06.960 --> 00:10.395
to describe secure coding
and design patterns,

00:10.395 --> 00:13.185
describe software
assurance concepts,

00:13.185 --> 00:14.655
and to differentiate

00:14.655 --> 00:17.025
various software
components in integration.

00:17.025 --> 00:20.940
Let's get started. Let's go

00:20.940 --> 00:22.620
over some of the different parts

00:22.620 --> 00:24.825
and components of
web technology.

00:24.825 --> 00:26.910
First, we have web servers,

00:26.910 --> 00:30.345
Microsoft Internet
Information Server or IIS,

00:30.345 --> 00:32.925
Apache, NGINX and WordPress.

00:32.925 --> 00:34.890
Then we have database software,

00:34.890 --> 00:37.215
Maria DB, postgres SQL,

00:37.215 --> 00:39.430
and Microsoft SQL,

00:39.440 --> 00:42.495
next we have web
development frameworks,

00:42.495 --> 00:45.780
Ruby on Rails,
Angular, and Django,

00:45.780 --> 00:47.770
then we have markup languages,

00:47.770 --> 00:50.620
XML, CSS, HTML, and JSON,

00:50.620 --> 00:52.150
and finally we have

00:52.150 --> 00:54.625
the actual programming
languages, Python,

00:54.625 --> 00:59.750
Ruby, Perl, C-Sharp, Java,
JavaScript, and.Net.

01:00.470 --> 01:03.140
Secure coding standards.

01:03.140 --> 01:07.030
Secure coding standards
are similar to templates,

01:07.030 --> 01:08.350
and they allow for

01:08.350 --> 01:11.915
a structured approach to
creating secure applications.

01:11.915 --> 01:14.560
The goal was to prevent coding
vulnerabilities from being

01:14.560 --> 01:17.815
introduced into
your actual code.

01:17.815 --> 01:20.050
This also reduces
the upfront costs

01:20.050 --> 01:21.490
by preventing the
vulnerabilities

01:21.490 --> 01:23.200
rather than having to fix

01:23.200 --> 01:25.910
them after you've
released a product.

01:27.150 --> 01:30.625
Here are some sources for
secure coding standards.

01:30.625 --> 01:31.810
The first is Carnegie

01:31.810 --> 01:34.015
Mellon Software
Engineering Institute,

01:34.015 --> 01:36.480
and the second is
OWASP Secure Coding

01:36.480 --> 01:39.200
Practices Quick Reference Guide.

01:39.200 --> 01:41.140
Also don't forget
the links are in

01:41.140 --> 01:44.030
the supplemental material
for this course.

01:45.200 --> 01:50.499
Here are some examples from
OWASP, input validation,

01:50.499 --> 01:52.915
authentication and
password management,

01:52.915 --> 01:56.470
session management,
database security,

01:56.470 --> 01:59.275
file management, and
memory management.

01:59.275 --> 02:01.180
These are areas that
programmers need to

02:01.180 --> 02:03.460
take a special care
with when they're

02:03.460 --> 02:05.470
creating their
applications because this

02:05.470 --> 02:08.280
is where the most common
vulnerabilities occur.

02:08.280 --> 02:10.925
These are very common
attack vectors

02:10.925 --> 02:12.980
and they're well-known,
and because of that,

02:12.980 --> 02:14.645
there have been many
vulnerabilities

02:14.645 --> 02:17.885
discovered in many different
products across the web.

02:17.885 --> 02:20.195
If you'd like a more
detailed explanation

02:20.195 --> 02:22.730
of any of these from
the OWASP Top 10,

02:22.730 --> 02:26.700
you can check out Cybrarians
Series on OWASP Top 10.

02:27.940 --> 02:30.605
Secure design patterns.

02:30.605 --> 02:33.710
These are a template for
a general solution for

02:33.710 --> 02:35.030
a security issue that can be

02:35.030 --> 02:37.100
utilized in different
situations.

02:37.100 --> 02:39.710
For example, you may
need something that

02:39.710 --> 02:42.720
covers federated identities,

02:42.720 --> 02:44.375
and by using this,

02:44.375 --> 02:45.740
you can ensure that

02:45.740 --> 02:50.105
your federated identity matches
up to secured standards.

02:50.105 --> 02:52.280
These can be plug and play,

02:52.280 --> 02:55.400
you drop one in and
use that to ensure to

02:55.400 --> 02:56.990
that you're at
best practices for

02:56.990 --> 02:59.270
that particular
component of your app.

02:59.270 --> 03:02.270
They cover a wide ranging parts

03:02.270 --> 03:03.680
of programming components such

03:03.680 --> 03:05.210
as identity and
access management,

03:05.210 --> 03:07.805
federated identities,
cryptography,

03:07.805 --> 03:11.010
public facing websites,
and many others.

03:11.860 --> 03:14.270
Let's talk about the concerns

03:14.270 --> 03:16.145
we might have with integration.

03:16.145 --> 03:18.365
First, we have container APIs.

03:18.365 --> 03:20.165
These extend the capabilities

03:20.165 --> 03:22.150
of containerized applications.

03:22.150 --> 03:24.165
Then we have API Management.

03:24.165 --> 03:26.865
APIs are often targets
from attackers,

03:26.865 --> 03:28.220
and because of that,

03:28.220 --> 03:30.830
we have to take special care

03:30.830 --> 03:32.240
to make sure they're protected

03:32.240 --> 03:34.045
and that they're documented.

03:34.045 --> 03:36.090
We also have Middleware.

03:36.090 --> 03:38.870
These are software
applications that are designed

03:38.870 --> 03:42.600
to be integrated
between two systems.

03:46.330 --> 03:49.205
When you're looking
for a new application,

03:49.205 --> 03:51.799
you go through an
application vetting process.

03:51.799 --> 03:55.190
The first step is to do not
assume that the software was

03:55.190 --> 03:57.230
created in a secure manner

03:57.230 --> 03:58.955
and is free of vulnerabilities.

03:58.955 --> 04:02.090
Before you implement any
software in your organization,

04:02.090 --> 04:03.245
in a production environment,

04:03.245 --> 04:06.725
you have to test it, and
testing should validate

04:06.725 --> 04:08.510
all of your security
requirements

04:08.510 --> 04:11.520
for the organization
before you implement it.

04:13.040 --> 04:16.655
Let's summarize what we
went over in this video.

04:16.655 --> 04:20.345
We went over the different
types of web technologies.

04:20.345 --> 04:22.610
We discussed secure
coding standards

04:22.610 --> 04:24.710
and the application
vetting process.

04:24.710 --> 04:27.290
We also whenever
secure design patterns

04:27.290 --> 04:29.520
and software used
in integrations.

04:29.520 --> 04:32.470
Let's go over some
example questions.

04:32.470 --> 04:36.680
Question 1, what is the
process of ensuring that

04:36.680 --> 04:38.390
a deployed application meets

04:38.390 --> 04:41.340
security standards
for an organization?

04:42.130 --> 04:47.960
Application vetting
process. Question 2,

04:47.960 --> 04:50.300
what is the type of
software that is

04:50.300 --> 04:53.760
designed to integrate
two systems together?

04:53.800 --> 04:58.750
Middleware. Question 3,

04:58.750 --> 05:00.200
blank are templates for

05:00.200 --> 05:01.340
general solutions for

05:01.340 --> 05:03.260
security problems
that can be used in

05:03.260 --> 05:08.775
software design, secure
design patterns.

05:08.775 --> 05:11.335
Finally, question 4,

05:11.335 --> 05:14.210
these are templates that offer
a structured approach to

05:14.210 --> 05:15.815
coding to prevent
the introduction

05:15.815 --> 05:18.140
of security vulnerabilities.

05:18.140 --> 05:20.735
Secure coding standards.

05:20.735 --> 05:22.340
I hope that lesson
was helpful to

05:22.340 --> 05:24.660
you and I'll see you
in the next one.