Software Operations and Maintenance

Table of Contents
Course Overview and Objectives
Application Security Patching Process
Platform Application Update Procedures and Anticipated Delays
Non-Technical Procedures
Application Security Bug Bar
Third-Party Code and Services Used by Applications
Alternative Patch Delivery Methods
Escalation Paths
Availability of On-Call Support Resources
Security Misconfiguration
Security Misconfiguration (Cont.)
Insufficient Logging and Monitoring
Ensuring Proper Log Contents
Security Incident Response Plans
Identify Security Misconfigurations
Course Summary
Thank You

Narration
On screen text

COD 108
Software Operations and Maintenance

Course Overview and Objectives

Narration

In this course, you will learn about application security patching, security misconfiguration and
insufficient logging and monitoring. You will also learn best practices for logging and the importance of
having a security incident response plan.
After you have completed this course, you will be able to explain the patching process, security
misconfiguration and its mitigation techniques, ensure that a web application provides sufficient
logging and monitoring mechanisms, especially for critical security events, and plan your response to
security incidents.

On screen text

Course Overview and Objectives

In this course, you will learn about application security patching, security misconfiguration and
insufficient logging and monitoring. You will also learn best practices for logging.
After you have completed this course, you will be able to:

• Explain the patching process
• Describe security misconfiguration and its mitigation techniques
• Ensure sufficient logging and monitoring mechanisms
• Plan your response to security incidents

Application Security Patching Process

Narration
The software development team should develop and document an application security patching
process.

Click each item to learn what to include in the security patching process document.

On screen text

Application Security Patching Process

Platform Application Update Procedures and Anticipated Delays
Non-Technical Procedures
Application Security Bug Bar
Third-Party Code and Services Used by Applications
Alternative Patch Delivery Methods
Escalation Paths
Availability of On-Call Support Resources

Click each item to learn what to include in the security patching process document.

Platform Application Update Procedures and Anticipated Delays

Narration
Document the process to deploy security patches and updates for each supported platform. Include
information about anticipated delays.

On screen text

Platform Application Update Procedures and Anticipated Delays

Document the process to deploy security patches and updates for each supported platform. Include
information about anticipated delays.

Non-Technical Procedures

Narration
Document non-technical procedures related to security patching, such as how to notify customers, and
how to handle an extended delay during the patch approval process.

On screen text

Non-Technical Procedures

Document non-technical procedures related to security patching, such as how to notify customers, and
how to handle an extended delay during the patch approval process.

Application Security Bug Bar

Narration
Set a security bug bar to define patching requirements for each bug severity category. For example, a
vulnerability with a low severity rating would not require immediate development and deployment of an
application patch. However, a vulnerability with a high severity rating requires a patch immediately.

On screen text

Application Security Bug Bar

Set a security bug bar to define patching requirements for each bug severity category. For example, a
vulnerability with a low severity rating would not require immediate development and deployment of an
application patch. However, a vulnerability with a high severity rating requires a patch immediately.

Third-Party Code and Services Used by Applications

Narration
Document all third-party code, libraries, and services used by an application. Document procedures for
deploying patches for these components.

On screen text

Third-Party Code and Services Used by Applications

Document all third-party code, libraries, and services used by an application. Document procedures for
deploying patches for these components.

Alternative Patch Delivery Methods

Narration
Document alternative methods for deploying patches in case traditional delivery methods cannot be
used. This is particularly important for time-sensitive or highly critical patches, where delays from mobile
platform application markets may introduce unacceptable risks.

On screen text

Alternative Patch Delivery Methods

Document alternative methods for deploying patches in case traditional delivery methods cannot be
used. This is particularly important for time-sensitive or highly critical patches, where delays from mobile
platform application markets may introduce unacceptable risks.

Escalation Paths

Narration
Document patch support and escalation paths, including contact information and procedures for
escalation.

On screen text

Escalation Paths

Document patch support and escalation paths, including contact information and procedures for
escalation.

Availability of On-Call Support Resources

Narration
Document the expected availability of on-call support resources required for each type of patch, based
on severity. This helps ensure that sufficient resources are allocated for a patch release, and for
addressing support requests from partners and users during the patch release.

On screen text

Availability of On-Call Support Resources

Document the expected availability of on-call support resources required for each type of patch, based
on severity. This helps ensure that sufficient resources are allocated for a patch release, and for
addressing support requests from partners and users during the patch release.

Security Misconfiguration

Narration
Although an application’s code is vital to its security, the platform it runs on is also very important.
Improperly secured operating systems, web server applications, and databases all contribute to the
overall attack surface. Most security misconfiguration mistakes are common, and these common errors
are the preferred attack vector and the easiest to exploit.
On the next few screens, we will look at the different ways in which security is misconfigured and how
you can prevent these mistakes.

On screen text

Security Misconfiguration

Overall attack surface includes improperly secured:

• Operating systems
• Web server applications
• Databases

Security Misconfiguration (Cont.)

Narration
To understand how security misconfiguration occurs, consider the following scenario.
An application server is configured in such a manner that stack traces can be returned to users. This
setting leads to a risk of exposing underlying vulnerabilities.
This is just one example of a common security configuration mistake. Other common security
misconfigurations include:
Unpatched security flaws in the server and platform software.
Leaving default, backup, or other unused files in the web application’s content areas.
Enabling lenient file and directory permissions.
Leaving unnecessary and unused services enabled.
Retaining default accounts and default passwords.
Keeping administrative or developer features accessible to anyone, and
Revealing technical and infrastructure details in error messages.

On screen text

Security Misconfiguration (Cont.)

Common security misconfigurations include:

• Unpatched security flaws in the server and platform software
• Leaving default, backup, or unused files in the web application’s content
• Enabling lenient file and directory permissions
• Leaving unnecessary and unused services enabled
• Retaining default accounts and default passwords
• Keeping administrative or developer features accessible
• Revealing technical and infrastructure details in error messages
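
The stack-trace scenario above, as an added example that is not part of the original course material: the same failing request handled by a misconfigured wrapper and by a hardened one. The WSGI-style wrappers, the logger name and the sample error text are constructed for illustration.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app.errors")  # hypothetical logger name

def buggy_app(environ, start_response):
    """Constructed sample application that fails while handling a request."""
    raise RuntimeError("db connect failed: host=10.0.0.5 user=svc_app")

def verbose_errors(app):
    """Misconfigured: the full stack trace goes back in the response body."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [traceback.format_exc().encode()]
    return wrapper

def safe_errors(app):
    """Hardened: details stay in the server log; the client gets a reference."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex
            # logger.exception records the traceback server-side only.
            logger.exception("unhandled error incident=%s", incident)
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [f"Internal error. Reference: {incident}\n".encode()]
    return wrapper

def call(app, path="/"):
    """Invoke a WSGI app in-process and return (status, body text)."""
    status = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = app(environ, lambda s, headers: status.append(s))
    return status[0], b"".join(body).decode()

if __name__ == "__main__":
    print(call(verbose_errors(buggy_app))[1])  # leaks file paths and host details
    print(call(safe_errors(buggy_app))[1])     # generic message plus reference ID
```

The reference ID lets support staff find the full trace in the server log without exposing file paths, hostnames or account names to the client.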

Insufficient Logging and Monitoring

Narration
Developers and administrators must ensure that a web application provides sufficient logging and
monitoring mechanisms, especially for critical security events.
Although the web application platform and underlying operating system have built-in logging
capabilities, additional application-specific logging is often necessary to meet security requirements.
Security and event logs provide a means for enhancing security by: recording security incidents and
policy violations, maintaining credible evidence for possible legal proceedings, gathering information on
application errors which might indicate abuse or system probing, detecting and alerting to possible
intrusions in progress or identifying the early stages of attack, measuring application performance to
ensure availability, and finally, maintaining an audit log for investigation and forensics, recording
enough information to reconstruct attacks.

On screen text

Insufficient Logging and Monitoring

Recording security incidents and policy violations
Maintaining evidence for possible legal proceedings
Gathering information on application errors
Detecting and alerting to possible intrusions
Measuring application performance
Maintaining an audit log for investigation and forensics

Ensuring Proper Log Contents

Narration
In addition to ensuring you have sufficient logging in place, there are other tips to maximize the security
value of your logging infrastructure.
First, sanitize the data you output to your logs. This step includes sanitizing any invalid characters and
neutralizing any content that might be executable, contain markup, or that otherwise might produce
undesirable results when viewing logs. Also, be sure to address content length to avoid resource
exhaustion.
Next, you should ensure the integrity of your logging system by setting proper access permissions,
regularly archiving logs on read-only media, and using checksums and digital signatures to prevent
tampering. If you transmit log events over a network, always use encryption between both endpoints.
In order to maintain credibility for legal purposes, it is best to establish a well-documented logging
process. Also, be sure that all servers have accurate timestamps by regularly and securely synchronizing
time. Use either the correct local time zones, or standardize on UTC time on all systems. Once you have
a system in place, regularly verify the logging mechanisms and policies you have established.
Finally, deploy tools to correlate log files from multiple systems to help identify attacks. Use a Security
Event and Incident Management system—or SEIM—to monitor and report on security events.

On screen text

Ensuring Proper Log Contents

Sanitize Output
• Invalid characters, executable content, markup, excessive length

Ensure Integrity
• Least privilege, read-only archives, checksums and signatures, transmit with encryption

Maintain Credibility
• Establish a process, synchronize time, correct time zones, verify logging

Analyze Logs
• Correlate, SEIM, reporting
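
An added example, not part of the original course material, that puts the sanitize, integrity and timestamp tips above in one place: field values are escaped and length-capped, timestamps are UTC, and each record carries an HMAC chained to the previous record. The HMAC chain stands in for the checksums and digital signatures the narration mentions; `MAX_FIELD_LEN`, `GENESIS`, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

MAX_FIELD_LEN = 256      # assumed cap per field, guards against resource exhaustion
RISKY = set("<>&\"'\\")  # markup and escape characters to neutralize
GENESIS = "0" * 64       # assumed "previous MAC" value for the first record

def sanitize(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Escape control characters and markup, and bound the field length."""
    out = []
    for ch in value[:max_len]:
        if ch in RISKY or not ch.isprintable():
            out.append(f"\\u{ord(ch):04x}")  # CR/LF can no longer forge a log line
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)

def _mac(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_event(log: list, key: bytes, event: str, user: str) -> dict:
    """Append a sanitized, UTC-stamped record chained to the previous MAC."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": sanitize(event),
        "user": sanitize(user),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    record["mac"] = _mac(key, record)
    log.append(record)
    return record

def verify_chain(log: list, key: bytes) -> int:
    """Return the index of the first altered or out-of-place record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        claimed = str(rec.get("mac", "")).encode()
        ok = hmac.compare_digest(_mac(key, body).encode(), claimed)
        if not ok or body.get("prev") != prev:
            return i
        prev = rec["mac"]
    return -1

if __name__ == "__main__":
    key, log = b"constructed-demo-key", []  # constructed key, not a real secret
    append_event(log, key, "login_failed", "alice\n2024-01-01 login_ok user=admin")
    print(json.dumps(log, indent=2), verify_chain(log, key))
```

The chain only detects tampering if the key is held somewhere the logging host's users cannot read it, which is where the access-permission and read-only archive tips come in.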

Security Incident Response Plans

Narration
As part of a sound application security strategy, you must have a security incident response plan in
place prior to deployment.
This governs your organization’s response to security and privacy incidents so that they are handled as
effectively and efficiently as possible.
The plan should include a list of incident response team members, their emergency contact information,
and their roles and responsibilities.
In addition, it should include a policy for handling internal and external communications about security
incidents, an incident validation and patch development process, and provisions to ensure compliance
with applicable laws and regulations.
For more guidance on incident response planning for all development languages and platforms, see
Microsoft’s SDL Privacy Escalation Response Framework.

On screen text

Security Incident Response Plans

Your plan should include:

• Incident response team members
• Roles and responsibilities
• Communication policies
• Process for validating incidents and developing patches
• Provisions to ensure compliance

Identify Security Misconfigurations

Narration
Which of the following are common security configuration mistakes? Drag the correct tiles to the right
to complete.

On screen text

Identify Security Misconfigurations

Which of the following are common security configuration mistakes? Drag the correct tiles to the right
to complete.

Reveal technical and infrastructure details in error messages - Correct
Disable unnecessary services
Retain default accounts - Correct
Leave unused files in the web application’s content areas - Correct

Course Summary

Narration
In this course, you learned about patching, security misconfiguration, and insufficient logging and
monitoring. You also learned best practices for logging and the importance of having a security incident
response plan.

On screen text

Course Summary

In this course, you learned about:

• Patching
• Security misconfiguration
• Insufficient logging and monitoring
• Best practices for logging
• The importance of having a security incident response plan

Thank You

Narration
On screen text

Thank You

This concludes the Software Operations and Maintenance course. Thank you.
Click the “Take the Exam” button to proceed to the exam.
