Secure Development Operations
Please note the knowledge domains and topics outlined here are for guidance only and subject to change.
Can identify and advise on issues relating to weakly protected code repositories, for example:
• Openly exposed repositories containing closed source code
• Weak or insufficiently protected credentials
–
Understands the security implications of storing sensitive information in source code repositories, e.g. passwords, private cryptographic keys or API keys
Can identify and advise on common security misconfigurations of these tools: Puppet • Ansible • Chef
Understands the role of automated security testing tools as part of the development process, including:
• Static analysis tools (SAST)
• Dependency checking tools
• Dynamic analysis tools (DAST)
–
Understands how automated tooling can safely and effectively be incorporated into the development pipeline
–
Can identify and advise on common security misconfigurations of these tools
Understands common insecure programming practices, including:
• Use of dangerous functions
• Insufficient sanitisation of user-supplied data
• Use of outdated third party components
• Logic errors
Understands how (Distributed) Denial of Service attacks are performed and the protective measures available in cloud environments
–
Understands the financial implications of excessive resource consumption
Can analyse logging configuration within a cloud environment and advise on improvements
–
Can analyse the configuration of resource monitoring and alarm generation and advise on improvements
Can analyse logging configuration within a cloud environment and advise on improvements
–
Can analyse the configuration of resource monitoring and alarm generation and advise on improvements
Understands the concepts of a VPC and the implications on performing security assessments
–
Can competently assess resources within a private cloud-hosted environment, advising on any necessary temporary changes that may be needed (e.g. creation of bastion hosts, changes to Security Groups / firewalls)
Understands common pitfalls associated with the design and implementation of application authorisation mechanisms