Scenario
You are working as a developer for a software company called Green Pace. It is an engineering company that specializes in custom software design and development for environmentally responsible entrepreneurs worldwide. At Green Pace, the security mission is defense in depth. In order to ensure that all applications comply with the same security policies, you have been tasked with documenting, categorizing, and providing examples for coding and architectural vulnerabilities. Green Pace wants to maximize automation to ensure compliance and keep costs down. Essentially, the company is moving its DevOps practice to a DevSecOps to make it more secure, and the company wants to be well prepared for the security audit. The image below shows how, in DevSecOps, security is a separate and equally veiled function supporting development, operations, and application delivery. In order to complete this project, you need to understand potential vulnerabilities and weaknesses in code and coding best practices. In addition, you will need to be able to understand how to develop secure code to counteract threats.
An auditor will be performing a policy compliance audit to ensure the DevSecOps teams can implement automation, best practices, and continuous testing. You have been tasked with preparing the Green Pace security policy for the auditor. Using what you know about Green Pace practices, you will take the implicit best practices and standardize them in a new security policy. In addition, you will use principles, best practices, and industry standards to support the overarching Triple-A security framework that uses a defense-in-depth best practice as its foundation. Once this is complete, you will be prepared to make recommendations regarding implementation and how to maintain and update the policy in the future. The image below shows the developers’ security pipeline. You will be using this diagram to illustrate where and how automation fits into the development process.
Directions
You have been tasked with standardizing security vulnerabilities in code and policy in systems architecture. Specifically, you will open the security policy template and use the instructions outlined below to complete the coding standards based on SEI CERT. The completed security policy will be used to ensure compliance in DevSecOps as part of your defense-in-depth strategy and Triple-A framework.
- Complete the definitions of the 10 security principles. In the Security Policy Template, you will see a section called “Ten Core Security Principles” and another called “Coding Standards.” Each of these principles applies to your coding activities.
- Complete the fields in each of the 10 coding standards tables in the template. Fill out each piece of the template for the seven coding standards provided and three additional standards of your choice. For instance, you may add to the category of data or memory. Any of the seven categories may be expanded by adding additional coding standards. You will enter these additional coding standards into coding standards 8, 9, and 10 in the template.
- Be sure to use SEI CERT C++ Coding Standard as a reference throughout your work on the security policy. Make sure you fill in the following fields in the template. You will be completing the remaining fields for each standard in Project One.
- Label: All coding standards will be labeled in STD-nnn-LLL, where nnn will be a unique, three-digit padded number starting from 001 of the standard, and LLL will be a three-letter acronym representing the language.
- Name of Standard: Provide the name of the standard.
- Rationalize the Standard: Provide a logical rationale for each using each standard.
- Noncompliant Code Blocks: Show noncompliant examples.
- Noncompliant Code Descriptions: Provide a 1- to 2-sentence description of the code block.
- Compliant Code Blocks: Show compliant examples. Add two rows to the individual Coding Standard table for each coding example, so you can provide both the description and the code in separate consecutive rows.
- Compliant Code Descriptions: Provide a 1- to 2-sentence description of the code block. Add two rows for each example, so you can provide the description and the code in separate consecutive rows.
Coding Standards: This section of the security policy is used to recognize coding vulnerabilities, create standards, and ensure policy compliance for coding within your organization. You will use the same security policy template you used in the Module Three milestone to complete each of the standards templates by adding principles, threat level, and tools. At the completion of this project, you will have a finished security policy. Your security policy should have 10 standards. Several of the vulnerabilities listed may have more than one standard.
- Data type
- Data value
- String correctness
- SQL injection
- Memory protection
- Assertions
- Exceptions
- C/C++ Standards in the Coding Standards
Use the SEI CERT C++ Coding Standard resource in Supporting Materials to collect the information needed to complete your standards. There are 49 rules and 500 coding standards. You will need to narrow down the rules that apply. You will improve your coding policy standard rationale and examples based on instructor feedback. If you had nothing to improve, then focus on the new information that should be added to complete each of the 10 standards by continuing to task two.
- Risk Assessment
Complete this for each of the coding standards. You will fill in the columns of the Risk Assessment table that read Severity, Likelihood, Remediation Cost, Priority, and Level.
- Automated Detection
Complete this for each of the coding standards. You will complete the Automation section by determining which tool or tools to use for each of the coding standards. You may choose tools from the list found in the appendix, or you may propose alternative tools that will detect issues in each of the standards. You may list one or more tools that can automatically detect an issue. Include the name with a version number, the name of the rule or check (preferably with a link), and any relevant comments or description.
- Automation
Provide a written explanation of where in the process the automation should take place. This section of the template is not part of the coding standards tables. It is a separate section to allow for a paragraph or two of writing. Here you will write and summarize, in general, how automation (tools) will be used for the enforcement of and compliance to the standards defined in this policy. Green Pace already has a well-established DevOps process and infrastructure. Define guidance on where and how to modify the existing DevOps process to automate enforcement of the standards in this policy. Use the DevSecOps diagram provided in the template for your context. You may use the SonarSource resource in Supporting Materials to help locate and justify automation in the DevSecOps pipeline.
- Summary of Risk Assessments
In task two, you added a threat assessment to each of the 10 standards. Now you will consolidate all risk assessments into one table to have a comprehensive list, including all coding standards, ordered by standard number. The table in the security policy appears as shown below.
Rule Severity Likelihood Remediation Cost Priority Level STD-001-CPP High Unlikely Medium High 2
- Next you will write policies for encryption and Triple A.
- Create policies for the three types of encryption (in flight, at rest, and in use) and each of the three elements of the Triple-A framework using the tables provided.
- Explain each type of encryption, how it is used, and why and when the policy applies.
- Explain each type of Triple-A framework strategy, how it is used, and why and when the policy applies.
Note: Look for and complete this section in the template. (The security policy template contains the complete list.)
Policy Names | Explain what it is and how and why the policy applies. |
Encryption in rest |
- Map the principles to each of the standards and provide a justification for the connection between the two. In the Module Three milestone, you added definitions for each of the 10 principles provided. Now it’s time to connect the standards to principles to show how they are supported by principles. You may have more than one principle for each standard, and the principles may be used more than once. Principles are numbered 1 through 10. You will list the number or numbers that apply to each standard, then explain how each of these principles supports the standard. This exercise demonstrates that you have based your security policy on widely accepted principles. Linking principles to standards is a best practice.
0 comments