
2020 | OriginalPaper | Chapter

3. Writing Secure Apps

Author : Afzaal Ahmad Zeeshan

Published in: DevSecOps for .NET Core

Publisher: Apress


Abstract

In a normal DevOps pipeline, teams leave code building and package management to the DevOps tool, such as GitLab or Azure DevOps. DevSecOps expects more than that and requires every developer and IT staff member to take responsibility for code security, quality, and reviews. The collaborative nature of open source communities provides good-quality code review and constructive criticism of code changes. A small organization might not enjoy the benefits of hundreds of online collaborators, but it can use its own engineers and architects and develop the initial versions of its product without peer reviews. Regardless of the automation platform, scripts and packages can be introduced into the pipeline that require a merge request to be peer-reviewed. Even before a merge request is created, a well-defined DevOps pipeline can notify the contributor about the potential problems a change might introduce.


Footnotes
1
A merge request is a Git concept that lets contributors ask the owners of a repository to "accept" changes made by people from outside the organization. This lets people without write access to the repository propose changes and helps the organization keep the repository free of spam. Some platforms call it a "pull request," but the concept is the same. Read more about this concept at https://git-scm.com/docs/git-request-pull.
 
2
We are talking about DevOps and DevSecOps pipelines as one in this context.
 
3
Given the number of software engineers per project, and the way "years of experience" is used to quantify the "quality" of the code produced, it is safe to say that buggy code is possible. We do not claim that this will definitely happen, only that it is a possibility.
 
4
The cloud-native approach to development takes service orchestration into consideration. Most applications are packaged as containers by Docker or other containerization runtimes and are managed and orchestrated by tools like Kubernetes. The literal meaning of the term is that the application makes good use of the cloud platform, including its resources and cloud services such as high availability, elastic scaling, and global replication.
 
5
This example applies to mobile apps, games, and other platforms, but it has the greatest impact on a web application, because data loss affects every user.
 
6
Our database query performs well in terms of searching because database tables contain indexes that speed up the search process. Once the records are found, transferring smaller chunks of data over the network is fast. The application does not need to process the incoming data, as it has already been filtered by the database engine. This does, however, increase the overall number of network round trips to the database, one for each customer.
 
7
You can read an impressive SQL best-practices guide on Essential SQL, by Kris Wenzel, a fellow CodeProject member, at https://www.essentialsql.com. There you can find tips, tricks, and best practices for database administration.
 
8
Entity Framework Core uses LINQ to Entities, a specialization of LINQ to SQL. Learn how Entity Framework Core executes a query at https://docs.microsoft.com/en-us/ef/core/querying/how-query-works.
 
10
Staging environments are specially designed environments that cater to a specific need in your DevOps lifecycle, running software built for that specific purpose.
 
11
Learn more about Clair on GitHub at https://github.com/quay/clair.
 
12
Microsoft’s .NET Core Docker images are available at https://hub.docker.com/_/microsoft-dotnet-core.
 
13
You should use the platform-provided configuration settings and environment variable mappers instead of configuration files. Configuration files can be read by anyone with access to the source code, and they are plain-text files with no encryption.
 
14
Tianfu Cup took place on November 16 and 17, 2019, in the city of Chengdu, China.
 
15
Microsoft’s EdgeHTML engine-based Edge, not the new Chromium-based Edge. Chromium-based Chrome was also hacked, however.
 
19
You can read more about Redis and other distributed caching options available for ASP.NET Core on Microsoft’s official documentation at https://docs.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-3.1.
 
20
Visit Kubernetes documentation to explore an in-depth explanation of StatefulSets at https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/.
 
21
A message pipeline is a common method of interprocess communication on UNIX platforms. Messages are shared as streams, and the pipes are created by programs. Pipes are removed when the programs terminate (unnamed pipes) or can persist as long as the system remains active (named pipes).
 
22
Protocol Buffers is a protocol developed and open sourced by Google. Read more at https://developers.google.com/protocol-buffers.
 
23
You might be inclined to disable the HTTPS requirement during development, and that is possible. You can read more at https://docs.microsoft.com/en-us/aspnet/core/grpc/troubleshoot?view=aspnetcore-3.0#call-insecure-grpc-services-with-net-core-client, but the recommended approach is to use a custom certificate on your machine. This ensures that your code will be HTTPS-enabled in production.
 
24
This code is taken from Microsoft’s open source boilerplate sample for a gRPC application, https://docs.microsoft.com/en-us/aspnet/core/tutorials/grpc/grpc-start?view=aspnetcore-3.1&tabs=visual-studio-code.
 
26
Hashing functions are one-way functions, so data is not exposed by any means.
 
27
See this tutorial on Digital Ocean for an example, www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04.
 
30
You can use plain HTTP on localhost for development. For production environments, you will need a domain with an SSL certificate applied and HTTPS enabled.
 
31
Read this blog post by the Google Security Team announcing the use of SSL as a ranking factor, https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html.
 
33
Read this blog post by Chris Love to understand what it means to move from a native app to a PWA, https://love2dev.com/pwa/adsense/.
 
Metadata
Title
Writing Secure Apps
Author
Afzaal Ahmad Zeeshan
Copyright Year
2020
Publisher
Apress
DOI
https://doi.org/10.1007/978-1-4842-5850-7_3