WEBVTT

00:00.139 --> 00:04.170
>> Integrating software
applications, Part 2.

00:04.170 --> 00:06.820
The learning objectives
for this lesson are

00:06.820 --> 00:09.145
to describe software
assurance concepts,

00:09.145 --> 00:11.650
to define software
testing approaches,

00:11.650 --> 00:14.365
and to evaluate
integration services.

00:14.365 --> 00:18.480
Let's get started. The first
software assurance concept

00:18.480 --> 00:20.425
we're going to discuss
is sandboxing.

00:20.425 --> 00:22.780
Sandboxing allows
for you to test

00:22.780 --> 00:25.780
your applications away from
your production environment.

00:25.780 --> 00:27.430
This way if there are any issues

00:27.430 --> 00:29.050
with the app that
you're creating,

00:29.050 --> 00:30.160
it doesn't spill over and

00:30.160 --> 00:32.425
cause issues in your
production environment.

00:32.425 --> 00:35.635
Your sandbox can be
created to match

00:35.635 --> 00:36.940
as little or as much of

00:36.940 --> 00:38.964
your production
environment as necessary.

00:38.964 --> 00:40.270
For example, if you just need

00:40.270 --> 00:42.025
an end-user workstation
environment,

00:42.025 --> 00:43.735
that can be added
to your sandbox.

00:43.735 --> 00:45.770
But perhaps you're
developing something that

00:45.770 --> 00:47.840
requires servers and end-users

00:47.840 --> 00:49.265
interacting with that server,

00:49.265 --> 00:52.645
you can then add all of that
to a sandbox environment.

00:52.645 --> 00:55.700
Each process is completely
separated from each other,

00:55.700 --> 00:57.770
and this makes sure
that each part of

00:57.770 --> 00:59.150
the development process doesn't

00:59.150 --> 01:01.440
cause changes in the others.

01:02.270 --> 01:05.340
Development environments. First,

01:05.340 --> 01:06.675
we start with development.

01:06.675 --> 01:09.890
This is where the app is created
and the code is written.

01:09.890 --> 01:12.320
Then it moves to test
and integration.

01:12.320 --> 01:14.090
This is where we make
sure that everything

01:14.090 --> 01:15.920
works the way it's supposed to,

01:15.920 --> 01:18.200
and are there any
unforeseen issues that

01:18.200 --> 01:20.795
maybe we didn't notice in
the development process?

01:20.795 --> 01:23.665
Then we move to staging
or quality assurance.

01:23.665 --> 01:26.440
After that, we move
to production.

01:27.620 --> 01:31.080
Third-party library validation.

01:31.080 --> 01:33.405
In modular programming today,

01:33.405 --> 01:35.830
it's very easy to
use library supplied

01:35.830 --> 01:38.965
by other software
vendors or individuals.

01:38.965 --> 01:40.810
However, before we integrate

01:40.810 --> 01:42.420
these libraries
into our own apps,

01:42.420 --> 01:44.350
we have to validate
that they don't bring

01:44.350 --> 01:46.885
in their own security
vulnerabilities.

01:46.885 --> 01:48.700
In fact, third-party libraries

01:48.700 --> 01:51.534
themselves may also have
third-party libraries.

01:51.534 --> 01:54.265
Oftentimes, these libraries
aren't maintained,

01:54.265 --> 01:56.440
and by doing this it introduces

01:56.440 --> 01:58.734
security vulnerabilities
into our application.

01:58.734 --> 02:00.115
Before allowing

02:00.115 --> 02:02.320
any third-party library
into an application,

02:02.320 --> 02:04.510
it has to be
thoroughly vetted and

02:04.510 --> 02:07.790
ensured not to have any
security vulnerabilities.

02:08.600 --> 02:11.175
The DevOps pipeline.

02:11.175 --> 02:14.615
Regardless of how an
organization programs

02:14.615 --> 02:16.620
or creates its own applications,

02:16.620 --> 02:18.825
it follows this basic guide.

02:18.825 --> 02:21.980
It's more of an assembly
line type situation

02:21.980 --> 02:23.285
where it starts with planning,

02:23.285 --> 02:25.695
moves to coding, then to build,

02:25.695 --> 02:28.050
then to test. That's
the dev side.

02:28.050 --> 02:31.110
After that,it moves over
to ops with the release,

02:31.110 --> 02:33.715
the deploy, the operate,
and the monitor,

02:33.715 --> 02:35.450
and then it starts
itself over again with

02:35.450 --> 02:37.235
planning because of new issues,

02:37.235 --> 02:39.080
new features, new things

02:39.080 --> 02:41.690
that need to be
integrated into the app.

02:42.640 --> 02:45.965
Code signing. This is using

02:45.965 --> 02:48.140
a certificate to establish

02:48.140 --> 02:50.630
proof of where the
code came from.

02:50.630 --> 02:53.300
When you download
updates from Microsoft,

02:53.300 --> 02:54.590
each of those updates is

02:54.590 --> 02:57.410
signed with Microsoft's
certificate.

02:57.410 --> 03:00.935
This is a very important part
of software development.

03:00.935 --> 03:04.325
It does not guarantee that
the app works correctly,

03:04.325 --> 03:06.680
it only guarantees that it

03:06.680 --> 03:10.170
is from the source it
claims to be from.

03:10.940 --> 03:14.690
However, attackers have learned

03:14.690 --> 03:16.795
how to forge code signing.

03:16.795 --> 03:18.870
An example of this was Stuxnet.

03:18.870 --> 03:20.955
It used forged
digital certificates

03:20.955 --> 03:23.750
to bypass malware
detection software.

03:23.750 --> 03:26.330
Parts of the payload were
signed with certificates

03:26.330 --> 03:29.090
from semiconductor
manufacturing companies.

03:29.090 --> 03:32.660
Because of that, they
were allowed in and did

03:32.660 --> 03:34.010
not get picked up
because they were

03:34.010 --> 03:36.930
signed and thought
to be authentic.

03:38.450 --> 03:41.590
Application security testing.

03:41.590 --> 03:43.865
The first style is static

03:43.865 --> 03:47.035
application security
testing or SAST.

03:47.035 --> 03:50.600
This is when we review the
code when it isn't running.

03:50.600 --> 03:54.725
The next is dynamic
application security testing.

03:54.725 --> 03:57.050
This is reviewing
code while it is

03:57.050 --> 04:00.455
running and used as
a final product.

04:00.455 --> 04:04.385
The final one is interactive
application security testing

04:04.385 --> 04:06.290
which analyzes the
code while it's

04:06.290 --> 04:08.000
running for security issues.

04:08.000 --> 04:09.560
Also, it looks for problems

04:09.560 --> 04:12.780
when different functions
of the app are triggered.

04:14.500 --> 04:18.250
Enterprise application
integration.

04:18.250 --> 04:20.540
First, we're going
to discuss customer

04:20.540 --> 04:23.165
relationship management
software or CRM.

04:23.165 --> 04:26.120
This contains customer
information, sales,

04:26.120 --> 04:29.000
communication, and many
other sensitive items.

04:29.000 --> 04:30.905
Companies use this to manage

04:30.905 --> 04:33.140
how they interact with
their own customers.

04:33.140 --> 04:35.810
A good example of this
would be Salesforce.

04:35.810 --> 04:40.045
The next would be enterprise
resource planning or ERP.

04:40.045 --> 04:42.545
This monitors the
day-to-day operations

04:42.545 --> 04:44.240
of an enterprise
and it can provide

04:44.240 --> 04:45.935
reports on the resources and

04:45.935 --> 04:49.890
activities inside the
enterprise itself.

04:51.260 --> 04:55.200
Configuration management
database, CMDB.

04:55.200 --> 04:57.620
This contains the information
on the assets and

04:57.620 --> 05:01.555
components of an enterprise's
IT infrastructure.

05:01.555 --> 05:05.540
Finally, we have content
management system or CMS.

05:05.540 --> 05:07.970
This enables
non-technical users to

05:07.970 --> 05:11.210
create and publish
content to a website.

05:11.210 --> 05:15.180
Good examples of these are
WordPress and SharePoint.

05:16.040 --> 05:19.305
Configuration
management database.

05:19.305 --> 05:21.500
This database contains all of

05:21.500 --> 05:25.080
the information about an
enterprise's IT assets.

05:25.080 --> 05:27.360
It could be how your email

05:27.360 --> 05:29.790
client configurations
are stored.

05:29.790 --> 05:32.075
Different dashboards
can be created to

05:32.075 --> 05:34.610
show how this data is viewed.

05:34.610 --> 05:37.705
We also have individual
system configuration

05:37.705 --> 05:39.820
stored applications,

05:39.820 --> 05:44.375
databases, telephony configurations,
desktop information.

05:44.375 --> 05:46.610
The purpose of this
is to ensure that we

05:46.610 --> 05:48.695
have one place to go to look for

05:48.695 --> 05:50.660
all of our configurations and

05:50.660 --> 05:54.000
details about all
of our IT assets.

05:54.800 --> 05:57.480
Integration services.

05:57.480 --> 05:59.490
While we're developing
applications,

05:59.490 --> 06:02.135
we sometimes have to integrate
with other services.

06:02.135 --> 06:05.070
The first is directory services.

06:05.180 --> 06:08.060
Active directory is a
good example of this,

06:08.060 --> 06:12.410
it contains all the information
about users and objects,

06:12.410 --> 06:14.195
and devices on a network.

06:14.195 --> 06:16.040
Sometimes we need to
be able to connect to

06:16.040 --> 06:18.070
this for authentication
purposes.

06:18.070 --> 06:21.255
The next, we have Domain
Name System or DNS.

06:21.255 --> 06:26.640
This is where we change a
domain name into an IP address.

06:26.960 --> 06:29.510
Applications often
need to be able to

06:29.510 --> 06:31.790
go online or utilize

06:31.790 --> 06:33.620
resources on our
internal network by

06:33.620 --> 06:36.475
a DNS name rather
than an IP address.

06:36.475 --> 06:39.990
Service-oriented
architecture or SOA.

06:39.990 --> 06:42.380
This is a method of
designing apps in

06:42.380 --> 06:45.860
a form of interoperable
services.

06:45.860 --> 06:49.190
The purpose of this is to create

06:49.190 --> 06:52.610
individual apps that perform
individual services,

06:52.610 --> 06:55.880
then those apps can be
connected together to perform

06:55.880 --> 06:57.680
services together and

06:57.680 --> 06:59.780
thereby creating
additional services.

06:59.780 --> 07:01.850
This allows for a
modular approach

07:01.850 --> 07:03.700
for creating an application.

07:03.700 --> 07:07.595
Then finally, we have
enterprise service bus or ESB.

07:07.595 --> 07:10.130
These are the middleware
apps that integrate

07:10.130 --> 07:14.550
the communications for SOA
apps in an enterprise.

07:17.870 --> 07:20.790
Summary. In this video,

07:20.790 --> 07:22.520
we discussed the methods

07:22.520 --> 07:24.535
of software security
integration.

07:24.535 --> 07:28.605
We also discussed software
testing approaches.

07:28.605 --> 07:30.360
Finally, we discussed

07:30.360 --> 07:32.070
software integration
services and

07:32.070 --> 07:34.470
integrating enterprise
applications.

07:34.470 --> 07:37.150
Let's go over some
review questions.

07:37.240 --> 07:40.130
Which testing process reviews

07:40.130 --> 07:43.680
the application code
while it isn't running?

07:44.950 --> 07:53.220
Static application security
testing or SAST. Question 2.

07:53.220 --> 07:56.825
Blank monitors the
day-to-day operations

07:56.825 --> 08:00.870
and reports on the status of
resources in an enterprise.

08:02.050 --> 08:09.510
Enterprise resource planning
or ERP. Question 3.

08:09.510 --> 08:12.350
What describes how each
type of environment is

08:12.350 --> 08:16.080
separated from each other
during application development?

08:16.870 --> 08:22.875
Sandboxing. Finally,
in question 4.

08:22.875 --> 08:25.580
A software application
has been tested

08:25.580 --> 08:28.580
and is ready for customers
to start using it.

08:28.580 --> 08:30.935
What stage of the
DevOps pipeline

08:30.935 --> 08:33.240
is the application in now?

08:33.800 --> 08:36.840
Release. I hope this lesson

08:36.840 --> 08:40.170
was helpful for you, and I'll
see you in the next one.