"Career Paths in IT and Security"


PRINTED BY: Miguel Duran <duran.a.miguel@me.com>. Printing is for personal, private use only. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.

CHAPTER 14

Security Training, Education, and Certification

AN AWARENESS OF WHAT YOU WANT AND NEED from a job and a work environment is essential when you’re deciding on a career in IT. IT jobs offer many different working conditions. Some require working long hours alone, some require working exclusively with clients, and others are very social, requiring ongoing collaboration with coworkers. The number and diversity of these work environments within IT allow those entering the industry the opportunity to choose an area that best suits their personality and skill set.

One thing most or all of these IT jobs have in common is a need for security training and an awareness of the role they play in overall Web and network security. For example, database administrators are responsible for information security in the database, programmers for secure coding, network administrators for communication and hardware security, and IT managers for policies. Whatever the area within IT, it has a role in the overall security strategy.

When selecting the area you think is right for you, you must consider such factors as your ability to deal with stress and the variety of work you want to do. You must also consider other factors, such as whether you crave interaction with others and whether your communications skills or other skills needed are suited for that position. Of course the only way to really know whether a job is right for you is to do it. But by looking at what kind of things you can expect from a certain job, and considering the experiences and observations of others, you can narrow the possible fields in terms of which job you believe suits you best.

This chapter looks at four areas of IT: computer programming, networking, Internet technologies and Web design, and database design and administration. The technical areas introduced in this chapter by no means cover all areas within IT. However, they represent the current “hot spots” of the IT industry. This chapter gives an idea of the role each plays in creating a secure IT environment.

Chapter 14 Topics

This chapter covers the following topics and concepts:

• What the different roles of a database designer and database administrator are and what certifications are available for each

• What the roles of a programmer and an application developer are and what certifications are available for each

• What is involved in secure network management and what certifications are available

• What the responsibilities of a Web designer and a Web administrator are and what training is available for each

Chapter 14 Goals

When you complete this chapter, you will be able to:

• Identify the tasks and security responsibilities for those managing databases

• Review common certification paths for database administration

• Describe the day-to-day tasks and security requirements for programmers and app developers

• Identify the role security plays in network management

• Review common network management certifications

• Identify the security considerations for a job as a Web administrator

• Describe common industry security certifications

Security and Careers—Database Design and Administration

Companies must keep track of information, whether it’s customer records, production statistics, financial results, demographic data, or something else. In this information age, a lot of data is accumulated, and someone or something has to manage it in a way that allows it to be useful. For example, if you had a lot of money, you’d want an accountant to keep track of it and be able to tell you, when you ask, where it is and how much there is. You wouldn’t necessarily want him or her to point to a pile and say, “it’s everything in there.” You would want more precision.

FYI

In the IT world, the terms information and data are sometimes used interchangeably. There is, however, a distinction between the two. Data typically refers to raw unorganized facts. In a production environment data comes from multiple sources, which may include machinery, asset management systems, and tracking systems. Once this raw data is organized and structured, it can be presented in meaningful ways. This is information. One of the challenges for IT managers working in manufacturing environments and other large companies is to isolate all data sources and correlate this data into meaningful information on which to base decisions. In today’s world, this is often referred to as business intelligence (BI).

In a sense, putting data into a database does the same thing a good accountant would do— organizing a collection of data into information that is useful to those who care about it. E-commerce sites use databases to track their orders and inventory. The phone company uses databases to track the physical location attached to phone number 253-555-5504. Just about every large collection of information in a company is stored in a database—meaning there are many professional opportunities for those who create and maintain those databases.

The classic definition of a database says that a database has three pieces: files, records, and fields. A file can be thought of as a grouped collection of information. The set of your city’s White Pages and Yellow Pages telephone books could be considered a database, consisting of at least two primary collections of information. Your city’s White Pages would be considered a file in this analogy. An example of a record would be the entry with your name, address, and phone number. Each other person’s telephone book entry would be considered a record in the “telephone book” file as well. So, as you can see, a file can contain many hundreds of thousands of records—far more than can be organized and sorted easily by hand. Continuing with this example, there would be three individual fields where the various types of information are entered. In this case, the names of the fields would be name, address, and phone number. However, a database is not limited to these specific three fields. In virtually any modern database, fields may be added or subtracted at will, depending on what data the organization needs (or wants) to store. In the case of older databases, it’s sometimes necessary to create a new database and import the information into it, because the structure of some older databases cannot be changed once created.

There are different types of databases, and each major database system software product is based on a specific type. Today the database world is dominated by one particular type, the relational database management system (RDBMS). A relational database is one in which the required information is organized into tables that are related to each other by specific rules established during the database design.

Most databases in use today, such as Microsoft SQL Server and Oracle, are relational, so it’s important for those in the database field to be familiar with relational database terminology and concepts. In an RDBMS, data is organized as a table, and a database is considered to be a collection of these tables. An entry of data in a table is called a record or a tuple, and is organized in rows in a table. Attributes about those records are organized in columns.

This more closely describes the concept of a database to most people, because if you picture any sort of written table, such as a transit schedule, you can easily see the table’s actual rows and columns. The way in which that table would be implemented in a relational database is sometimes as simple as making the table’s column headings into the names of fields in the table, and then adding each row of the written table to the database table, as data. A spreadsheet is a simple example of a table, with rows and columns; however, the records and attributes in an RDBMS table can hold much larger data than commonly found in a spreadsheet.

What’s a database good for? In addition to providing a single, secure location for storing an organization’s valuable data, it also provides useful ways to access that data. For example, you can ask a database that contains a list of tens of thousands of customers to display the names of customers whose accounts receivable balance is more than $1,000, and it can provide the list in seconds. A database request of this sort is referred to as a query, and the process of asking the database for this information is referred to as querying the database. When you ask a database for information like this, you can also ask it to list the results in a particular order, such as in alphabetical order by name, or in order by balance, from highest to lowest. In this way, databases can efficiently keep track of even very large quantities of information.

Another benefit of using a database is that most modern databases typically provide support for transactions. Transactions are logical groupings of related activities involving a database’s data. For example, if you are entering a product order with 10 line items, you want to make sure that the overall order information, such as customer number, date, and sales rep, is correctly added to the Order table, and that each of the 10 line items of information, such as product number and quantity, is added correctly to the Order Item table. The order is not considered “complete” until all 10 items have been added, because (for example) you wouldn’t want the warehouse shipping out the first seven items to the customer at 11 a.m. and marking the order as filled, because someone looked at the order database just a minute before the data entry clerk finished entering the last three items into the order. Transaction support makes it possible for database designers and programmers to ensure that such confusion is less likely to occur.
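The following Python script is an added example, not part of the original text, that reproduces the order-entry scenario above with SQLite (which ships with Python). The table names Orders and OrderItems, the ten constructed line items, the sales rep and dates, and the CHECK constraint that fails the second order are assumptions made for the example. A data-entry connection inserts the header and all line items inside one transaction; a second connection, standing in for the warehouse, queries the order after seven of the ten lines have been entered and sees none of them until the commit. A second order that violates a constraint is rolled back as a whole, header included.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data for this example: one order header and ten line items.
ORDER_HEADER = (1001, 42, "2024-05-01", "mdavis")              # order_id, customer_id, date, sales_rep
LINE_ITEMS = [(1001, f"SKU-{n:03d}", n) for n in range(1, 11)]  # ten lines for order 1001

SCHEMA = """
CREATE TABLE Orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    order_date  TEXT    NOT NULL,
    sales_rep   TEXT    NOT NULL
);
CREATE TABLE OrderItems (
    order_id INTEGER NOT NULL REFERENCES Orders(order_id),
    product  TEXT    NOT NULL,
    quantity INTEGER NOT NULL CHECK (quantity > 0)
);
"""


def connect(path):
    """Open a connection that manages its transactions explicitly (BEGIN/COMMIT below)."""
    conn = sqlite3.connect(path, isolation_level=None)
    # Write-ahead logging lets the warehouse connection keep reading the last
    # committed state while the data-entry transaction is still open.
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA foreign_keys=ON")
    return conn


def item_count(conn, order_id):
    """Number of line items this connection can currently see for an order."""
    return conn.execute(
        "SELECT COUNT(*) FROM OrderItems WHERE order_id = ?", (order_id,)
    ).fetchone()[0]


def order_exists(conn, order_id):
    return conn.execute(
        "SELECT 1 FROM Orders WHERE order_id = ?", (order_id,)
    ).fetchone() is not None


def place_order(conn, header, items, observer=None):
    """Insert the header and every line item as one transaction: all or nothing.

    `observer`, if given, is called after the seventh item so that a second
    connection can look at the order while entry is still in progress.
    """
    conn.execute("BEGIN")
    try:
        conn.execute("INSERT INTO Orders VALUES (?, ?, ?, ?)", header)
        for n, item in enumerate(items, start=1):
            conn.execute("INSERT INTO OrderItems VALUES (?, ?, ?)", item)
            if observer is not None and n == 7:
                observer()
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")   # undo the header and any items already written
        raise


def demo():
    """Run both scenarios and report what the warehouse connection observed."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "orders.db")
    clerk = connect(path)
    clerk.executescript(SCHEMA)
    warehouse = connect(path)
    seen = {}

    def warehouse_looks():
        seen["mid_transaction"] = item_count(warehouse, 1001)

    # Scenario 1: the warehouse checks while the clerk is between item 7 and item 8.
    place_order(clerk, ORDER_HEADER, LINE_ITEMS, observer=warehouse_looks)
    seen["after_commit"] = item_count(warehouse, 1001)

    # Scenario 2: a line with quantity 0 violates the CHECK constraint, so the
    # whole order, header included, is rolled back.
    bad_items = [(1002, "SKU-001", 1), (1002, "SKU-002", 0)]
    try:
        place_order(clerk, (1002, 42, "2024-05-01", "mdavis"), bad_items)
    except sqlite3.IntegrityError:
        pass
    seen["failed_order_present"] = order_exists(warehouse, 1002)

    clerk.close()
    warehouse.close()
    shutil.rmtree(tmpdir)
    return seen


if __name__ == "__main__":
    print(demo())
```

Running the script prints `{'mid_transaction': 0, 'after_commit': 10, 'failed_order_present': False}`: the warehouse never sees a seven-item order, and the failed order leaves no header behind. The same guarantee is what application code should rely on instead of checking "is the order complete yet" flags by hand.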

Comparing Database Administrator and Designer

Many career paths in IT have two sides or descriptions to them. This is true of database management as well. You will find that the difference between a database designer and a database administrator is actually a fine line because in the database world you can wear many “hats” at one time. One week you might be doing management on one database and another you might be helping with design as well as the management of the database.

In knowledge and ability, there’s a clear difference between the roles of a designer and an administrator. Additionally, the larger an organization is, the more specialized your responsibilities will be, and the more likely it is that you’ll need to choose whether to emphasize database design or database administration in your career. Regardless of which you choose, you’ll need to understand specific security strategies and best practices.

Knowing the daily tasks involved in such a career is important and can help identify the job-specific security considerations. Not every task typically done by a database designer is performed daily by a specific person. This is partly because larger organizations typically have a team of database designers or administrators, and on any given day one of several qualified people may perform a particular task. Similarly, not every important database task (such as creating a new database from scratch) is done every day—but it’s still a vital task that both database administrators and designers must know how to perform. Because tasks may be shared, all database administrators must understand and adhere to security policies and best practices.

Database Administrator

A database administrator is responsible for databases used in the business environment, much as a network administrator is responsible for an organization’s file and print servers. A database administrator’s duties might include the following:

• Performing database updates required by the development staff on test and live systems

• Tuning database performance on the basis of statistics accumulated during use of the live system

• Coordinating with IT staff regarding server hardware and OS issues

• Defining backup and restore strategies

• Importing third-party data into the database

• Resolving errors reported by the database software, such as full log files

The database administrator also maintains security for the database, determining which groups of users can have access to which data stored in the database. He or she also sets policies for how that data can be accessed—for instance, certain data can be viewed over the Internet; other, more sensitive data is available only on the company’s intranet. The database administrator may provide input to the database designer on such questions as how frequently certain database contents are used and which parts of the application might benefit from performance improvement. Organizationally, the database administrator may report to the director of technical support, and his or her workgroup peers may include system administrators and network administrators.
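As an added example (not from the original text), the Python script below models the administrator’s "may view" versus "may change" rule on an inventory table. SQLite, used here because it ships with Python, has no user accounts or GRANT statements, so the rule is enforced with the sqlite3 module’s per-connection authorizer callback, which vetoes INSERT, UPDATE and DELETE on the protected table for a viewer session; on a server RDBMS the same policy would be expressed as GRANT SELECT to one role and GRANT SELECT, UPDATE to another. The table, the role names and the sample rows are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data: a small inventory table.
INVENTORY = [("SKU-001", "hex bolt M8", 500), ("SKU-002", "washer M8", 1200)]
WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}


def read_only_on(tables):
    """Build an authorizer that vetoes writes to `tables` and allows everything else.

    SQLite consults the callback for every operation while a statement is
    compiled; returning SQLITE_DENY makes the statement fail before it runs.
    """
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in WRITE_ACTIONS and arg1 in tables:   # arg1 is the table name
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    return authorizer


def open_session(path, role):
    """Open a connection whose rights match the role: viewers read, editors change."""
    if role not in ("viewer", "editor"):
        raise ValueError(f"unknown role: {role}")
    conn = sqlite3.connect(path)
    if role == "viewer":
        conn.set_authorizer(read_only_on({"inventory"}))
    return conn


def quantity(conn, sku):
    row = conn.execute("SELECT quantity FROM inventory WHERE sku = ?", (sku,)).fetchone()
    return row[0] if row else None


def adjust(conn, sku, delta):
    """Change stock on hand; returns False if the session is not allowed to write."""
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute(
                "UPDATE inventory SET quantity = quantity + ? WHERE sku = ?", (delta, sku)
            )
        return True
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc) or "prohibited" in str(exc):
            return False
        raise


def demo():
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "inventory.db")
    setup = sqlite3.connect(path)
    setup.execute("PRAGMA journal_mode=WAL")   # readers and the writer never block each other
    with setup:
        setup.execute(
            "CREATE TABLE inventory (sku TEXT PRIMARY KEY, description TEXT, quantity INTEGER NOT NULL)"
        )
        setup.executemany("INSERT INTO inventory VALUES (?, ?, ?)", INVENTORY)
    setup.close()

    viewer = open_session(path, "viewer")
    editor = open_session(path, "editor")
    result = {
        "viewer_reads": quantity(viewer, "SKU-001"),      # allowed
        "viewer_writes": adjust(viewer, "SKU-001", -10),  # vetoed by the authorizer
        "editor_writes": adjust(editor, "SKU-001", -10),  # allowed
    }
    result["viewer_sees_edit"] = quantity(viewer, "SKU-001")
    viewer.close()
    editor.close()
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of putting the check in the database session rather than in application code is the one the administrator cares about: a bug or an injected statement in the viewer’s application still cannot change inventory, because the connection itself lacks the right.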

Database Designer

A database designer is a business analyst or software developer rather than a production-support technician. A database administrator can likely speak knowledgeably on the fastest way to organize the indexes on a specific large, complex table. A database designer, on the other hand, will know how to efficiently organize an application’s required data into related tables, specifying the most appropriate characteristics for each data item being stored. A database designer is concerned with creating a database whose architecture meets the user community’s current and future needs, to the degree they can be foreseen, for data storage and reporting. The designer also must create a database that can be used effectively by project development staff that creates the programs to store data in, and retrieve data from, the database.

In doing this, designers interact with the user community and development staff, maintain the database model (usually a combination of diagrams and written documentation), and create the development database used by project staff. The database designer sets standards for data access. The designer may specify, for example, that a particular procedure always be used to move an order from “data entry” to “fulfillment” status, to maintain system efficiency and data consistency. The database designer also serves as a resource for the database administrator in resolving production issues. Organizationally, the database designer may report to the director of systems development, and his or her workgroup peers may include business systems analysts, application programmers, and application project leaders.

The database administrator is the person whose primary responsibility tends to be the “production” version of the database, whereas the database designer is the person whose primary responsibility tends to be the “development” version of the database. In general, the database designer will be more skilled in the precise considerations involved in database design (such as deciding whether a particular piece of data belongs in one table or another) and programming. The database administrator will be more skilled at troubleshooting random problems that occur day to day (such as what to do when the database runs out of disk space) and choosing the best way to perform administrative tasks such as database backups. However, each normally has some familiarity with the other’s duties, because on any given day, he or she may have to perform those tasks.

Database Management Tasks

Database projects go through stages, and designers in particular will find their daily job tasks evolving as the project progresses and the database itself evolves. Similarly, an administrator’s daily tasks will depend on whether there are urgent system problems to resolve that day or whether the day can be dedicated to improving the database or system performance. The daily tasks for this job are important, because the database is often the center of a business application project. A well-designed, well-maintained database can make a project successful. A less carefully designed or poorly maintained database can cause a project to fail. The daily tasks listed below are not a complete list of all the tasks you might encounter when working in this field. But they are common in jobs concerned with a database’s upkeep and design.

• Meet with the application project team and end users to discuss the data required in the database, its characteristics, and the activities the end users want to perform with this data.

• Administer database security, such as by monitoring the list of users who have access to all or part of the database, and the security rights they have. (For example, some users are allowed only to view inventory information, and others are allowed to change it.)

• Keep the database software current (with patches and service packs) to protect against new forms of attacks.

• Ensure that appropriate security measures are followed during development.

• Monitor user access and maintain system security.

• Develop and test implementation of conceptual models, using specific database software such as Microsoft SQL Server or Oracle, on the development server. Update related project documentation.

• Develop database-specific secure program code to access and update database objects, and ensure that proper relationships among database objects are maintained.

• Recommend to programmers efficient ways to access specific sets of data stored in the database.

• Implement secure strategies for backup and recovery of database information.

• Install database system software (and perhaps operating system software) on the database server, according to project requirements and organizational policies.

• Restore a test database that was accidentally written over due to an error in a new program.

• Work with application project staff to move application upgrades from the development server to test servers and production servers as required.

• Test new versions of the third-party database software being used to implement projects.

• Keep up to date on database technology, and research new threats to database security.

Database Security Training and Certification

Because databases hold sensitive information, it’s critical to implement and manage them securely. Professional management of databases requires hands-on practice as well as formal training. Many colleges and private education organizations offer diplomas and certificates in database management. While they may approach the curriculum in different manners, upon completion their students will be expected to know:

• Industry standards for data modeling and database design and maintenance

• Development and design of database management systems (DBMS)

• Relational database theory, data modeling, industry standards, SQL programming, and day-to-day administration, including security configurations

• How to set policies for users and ensure that the entire information system is protected from any loss, compromise, or failure

• How to implement administrative policies and security measures, and develop plans for disaster recovery

• Techniques used by malicious users to exploit database flaws and vulnerabilities

This is just a sample of the types of database and security information that well-designed postsecondary programs provide. In addition to postsecondary training options, vendor-specific certification training offers opportunities to learn product-specific management strategies.

Microsoft SQL Training

Microsoft has a virtual academy online offering SQL training and various certifications for creating reliable, secure, and robust database systems. The following are some of the Microsoft certifications that include SQL training:

• Microsoft Technology Associate (MTA)—This is an entry-level Microsoft certification with three education tracks: Developer, IT Infrastructure, and Database. Students who complete the Database exam will earn the MTA certification.


• Microsoft Certified Solutions Associate (MCSA)—Completion of this certification requires the student to pass three exams: Querying Microsoft SQL Server 2012, Administering Microsoft SQL Server 2012 Databases, and Implementing a Data Warehouse with Microsoft SQL Server 2012. According to Microsoft, earning the MCSA will qualify the student for a position as a database developer or database analyst.

• Microsoft Certified Solutions Expert (MCSE): Data Platform—The MCSE certification requires the successful passing of five exams and will prepare the student for jobs such as database analyst and database designer. This certification requires you to show continued ability to perform in your chosen solution area by completing a recertification exam every three years.

Refer to https://www.microsoft.com/learning/default.aspx for more information on Microsoft certifications.

Oracle University

Oracle offers extensive training and certifications for Oracle database management and other applications. There are four categories of certification paths for Oracle certifications:

• Applications—Oracle applications are a broad collection of business solutions, from asset management to customer relationship management (CRM), Web commerce, and more.

• Database—There are three streams of certifications for Oracle database management: Database Application Development, MySQL, and Oracle Database. Each of these will prepare candidates for day-to-day management of a database, including security considerations.

• Enterprise Management—Studying Oracle’s Enterprise Management will prepare students to test and manage large-scale enterprise solutions, as well as cloud and Web applications.

• Foundation—This entry-level Oracle certification provides an overview of Oracle solutions and products, including an introduction to database management.

For more information about Oracle and the database management certification, refer to Oracle’s online certification portal at http://education.oracle.com/.

FYI

For a general overview of security concepts and approaches, CompTIA offers its Security+ course. It introduces students to a wide range of security basics. Refer to the certification site at http://certification.comptia.org/getCertified/certifications/security.aspx.

Security and Careers—Programming and Application Development


Essentially, a program is a set of instructions or directions understood by the computer, allowing it to perform predetermined functions. These instructions are given to the computer with the use of specific programming languages. A computer language is basically a form of communication understood by both programmers and machines.

Deciding to become a programmer is just the first step. Identifying and choosing a programming language or languages to learn is the next step. Like most technologies, computer languages are developed through a transitional process. New programming languages are created, and old ones enhanced, by examining the shortcomings of previous languages and making the necessary improvements.

Larger and more complex computer programs demand the continued development and evolution of programming languages able to take full advantage of current technology. If these languages aren’t continually modified and developed, programs may be unable to meet users’ current and future needs. For this reason, the future for programmers looks very good. The IT industry relies on skilled programmers able to securely create, modify, and expand programming languages and the programs that they create.

The development of a simple program may take a skilled programmer just a few hours to complete. Other programs—such as operating systems that require complex detailed instructions—can take a group of programmers more than a year of work. Even though programmers often work behind the scenes, far removed from the eyes of the end user, their influence on daily computer use is keenly felt.

Today it isn’t enough to just know how to program; it’s essential to know how to program securely. Secure programming, sometimes referred to as defensive programming, is really a mindset: programmers work with a clear understanding of current threats and how they may affect the program today and in the future. For example, a programmer who understands injection attacks validates all input and never builds a database query or a system command by pasting untrusted input into it. It’s difficult to imagine that programmers today would not familiarize themselves with current vulnerabilities, such as those presented in the OWASP Top 10 list, and adjust their programming accordingly.
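The following Python example is added here and is not from the original text; it shows the injection attack the paragraph refers to, using SQLite’s in-memory database and a constructed users table. The vulnerable login builds its query by string concatenation, so the username `admin' --` closes the quoted literal and comments out the password check; the parameterized version passes the same input as bound data and finds no match. A final variant adds an allowlist check on the username as defense in depth. The table layout, the two accounts and the use of plain SHA-256 are assumptions for the example; a real system stores a salted, slow password hash (bcrypt, scrypt or Argon2).

```python
import hashlib
import re
import sqlite3


def sha256_hex(text):
    # Demonstration only: a real system stores a salted, slow password hash,
    # not a bare SHA-256. The hashing is here so the password field itself
    # cannot carry SQL, which makes the username the interesting input.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_db():
    """Constructed sample data: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", sha256_hex("alice-pw"), "clerk"),
        ("admin", sha256_hex("admin-pw"), "dba"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password_hash = '" + sha256_hex(password) + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is data and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, sha256_hex(password))).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def login_validated(conn, username, password):
    """Defense in depth: reject malformed usernames before they reach the query."""
    if not USERNAME_RE.match(username):
        return []
    return login_parameterized(conn, username, password)


def demo():
    conn = build_db()
    # Closes the string literal and comments out the rest of the WHERE clause,
    # so the vulnerable query becomes: ... WHERE username = 'admin' --' AND ...
    payload = "admin' --"
    return {
        "bypass_vulnerable": login_vulnerable(conn, payload, "wrong-password"),
        "bypass_parameterized": login_parameterized(conn, payload, "wrong-password"),
        "bypass_validated": login_validated(conn, payload, "wrong-password"),
        "dump_vulnerable": login_vulnerable(conn, "' OR 1=1 --", "x"),   # every row comes back
        "legit_parameterized": login_parameterized(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function logs the attacker in as `admin` with a wrong password and, with the second payload, returns every account; the parameterized function returns nothing for either payload and still authenticates a real user. Parameter binding is the fix; the allowlist is a second layer that also catches inputs a later developer might pass to some other concatenated query.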

Common Programming Tasks

Programmers will mostly find themselves working in highly creative and technical environments. Often programmers must work independently, while at the same time maintaining a strong sense of teamwork and a collaborative spirit. It’s essential that programmers be reliable, dependable, and self-motivated and be able to cope with the stress of inflexible deadlines. Once these conditions are met, the programmer will be called upon to perform a variety of jobs and responsibilities. These different duties may include the following:

• Developing, testing, and debugging client/server applications—Debugging applications is critical for ongoing security, as program bugs may be exploited as vulnerabilities.

• Converting designs and specifications into secure computer code—This means working with a specification or design that someone else has produced. Your task is to turn the concept into a programmed reality. If the design is very detailed, you may not have any room for creative flourishes, but security design must be a priority.

• Analyzing program code to discover the causes of errors and revising as necessary—Programmers of any language must be able to do this. The process of running down errors in a program, known as debugging, is an essential programmer skill. This means that you must have a thorough knowledge of your chosen programming language.

• Delivering high-quality, usable code in a timely fashion, without sacrificing appropriate testing—Programmers are often faced with inflexible timelines, so they must be able to work quickly and flexibly.

• Developing code in order to implement well-structured and reusable design—Code must follow technology standards and take into account known vulnerabilities.

• Analyzing, installing, and testing upgrades of externally developed application programs

• Monitoring programs’ performance after implementation to keep up to date with users’ needs and software bugs—A programmer’s work does not finish when the program is passed to the user. Even if there are no errors in the program, continued monitoring and updating may be required.

• Writing or reviewing documentation that describes installation and operating procedures —This may be dull, but it’s absolutely essential.

• Designing and coding screen layouts, graphical user interfaces, printed outputs, and interfaces with other systems—Sometimes a program’s appearance can be like an electronic signature that a programmer leaves behind. Creating a usable and effective user interface can heavily influence the user’s opinion of a program’s usability.

• Compiling programs and correcting errors detected in the compilation process— Programmers must be able to do this. Looking for your own mistakes is perhaps not the most encouraging of pastimes, but it’s essential nevertheless. This is part of the defensive programming mindset.

• Providing technical assistance by responding to inquiries regarding errors, problems, or questions with a program—Sometimes what’s needed will be as simple as helping a user to install the program. At other times it will involve troubleshooting a major problem with an application.

Overall, the programmer is typically responsible for software design, coding, compiling, debugging, program testing, and revision. Programmers generally work in an office setting and may have to work evenings or weekends to meet deadlines or debug programs. With advancing technology, however, programmers can now work outside the office. In fact, it’s completely possible and often required for programmers to write and troubleshoot programs and perform daily tasks in their off hours and away from the office.

Programming Training and Certification

It’s not difficult to search the Internet and find an employer looking to hire skilled programmers. In these advertised jobs, there seems to be little variation in the tasks and responsibilities employers require from their programmers. There is, however, a confusing level of variation in job qualifications and educational requirements.

Interestingly, some employers demand an overwhelming, and seemingly impossible, amount of education and experience from potential candidates. These employers require extensive knowledge of numerous operating systems and languages, and a bachelor’s degree or higher. Other employers are far less concerned with formal education and focus their requirements on a programmer’s level of experience. Some companies so desperately need programmers that they actively try to recruit them away from other companies.

This range of qualifications an employer will accept from candidates can leave those interested in programming as a career confused as to what level of knowledge and training is required to get a job. It’s no secret that the IT industry as a whole is experiencing a shortage of skilled professionals, and programming is no exception. It’s because of this shortage that employers will take a programmer with no formal education and hire solely on experience and a proven ability to program.

Companies requiring that candidates have bachelor’s degrees specify that degrees should ideally be in computer science, mathematics, or information systems. Computer science degrees are preferred, as they give training in a number of specific computer areas, including best practices for programming security.

But degrees and diplomas are not the only form of training in the IT world. Students widely seek and employers widely recognize IT certifications. Certifications have the following key advantages over degree or diploma programs:

• Certification programs take less time, meaning that students are typically ready to enter the job market faster.

• Certification courseware and training materials are focused and directed, whereas degree programs often require elective courses that are not always related to the specific area of IT.

• Hardware and software change at a very rapid pace. Shorter, more-focused certification programs are better able to accommodate retraining for changing technology.

Training and Certification

Like many other areas of the IT industry, training options and opportunities for those interested in becoming programmers are varied and diverse. This diversity allows you to choose which training method best suits your learning style and provides you with the necessary training to be competitive in the labor market.

It’s important to keep in mind that regardless of which training method you choose, employers will have their own preferences with regard to training. Today, employers will look more favorably upon someone who has completed training in a college or university. Degrees and diplomas obtained from respected post-secondary institutions are a definite asset and do attest to quality instruction. This instruction, however, does not come cheaply. Certifications are also widely sought, but these certifications are more valuable when obtained from a recognized source.

A number of options are available for specific computer language and product training. Microsoft, for example, offers its Microsoft Certified Solutions Developer (MCSD) certification system. The following are four popular certifications:

• Windows Store Apps—For this certification, users learn Programming in HTML5 with JavaScript and CSS3, Essentials of Developing Windows Store Apps Using HTML5 and JavaScript, Advanced Windows Store App Development Using HTML5 and JavaScript, Programming in C#, Essentials of Developing Windows Store Apps Using C#, and Advanced Windows Store App Development Using C#.

• Web Applications—Completion of the Web applications certification requires three courses—Programming in HTML5 with JavaScript and CSS3, Developing ASP.NET MVC Web Applications, and Developing Microsoft Azure and Web Services.

• SharePoint Applications—To be certified as a SharePoint administrator or programmer, you need the following courses: Programming in HTML5 with JavaScript and CSS3, Developing ASP.NET MVC Web Applications, Developing Microsoft SharePoint Server 2013 Core Solutions, and Developing Microsoft SharePoint Server 2013 Advanced Solutions.

• Application Lifecycle Management Solutions Developer—The courses for this certification are Administering Microsoft Visual Studio Team Foundation Server, Software Testing with Visual Studio, and Delivering Continuous Value with Visual Studio Application Lifecycle Management.

Microsoft isn’t the only large vendor to offer programming certification. The following is a list of other online programming opportunities.

• C++ Institute—The C++ Institute focuses on the computer languages of C and C++. Training certifications include Associate (entry level), Professional (advanced level of programming understanding), and Senior (master-level understanding). (http://www.cppinstitute.org/?p=5)

• Oracle Certified Professional Java SE 7 Programmer—Oracle offers a certification for Java SE 7, a widely used object-oriented development platform. (http://education.oracle.com/)

• Certified Secure Software Lifecycle Professional (CSSLP)—Application vulnerabilities are a significant concern for organizational security. The CSSLP certification from (ISC)2 prepares students to understand application security from a software development life cycle perspective. (https://www.isc2.org/csslp/default.aspx)

Reviewing Security Documentation

There are many computer languages from which to choose to develop a particular application. A programmer may need to know several to meet different programming requirements. No matter what language is used, it’s important to review the latest documentation to see which new vulnerabilities have been detected. As an example, a programmer using Ruby would likely search the Web site https://www.ruby-lang.org/en/security/ for known and new vulnerabilities. In the case of Ruby, the newly listed security considerations include the following:

• Ruby OpenSSL Hostname Verification (2015-04-13)

• Another Denial of Service XML Expansion (2014-11-13)

• Denial of Service XML Expansion (2014-10-27)

• Changed default settings of ext/openssl (2014-10-27)

• Dispute of Vulnerability CVE-2014-2734 (2014-05-09)

• OpenSSL Severe Vulnerability in TLS Heartbeat Extension (2014-04-10)

It’s a best practice to review the latest news and documentation and consider any security vulnerabilities in program development.
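The first item on that list concerns hostname verification, the check that decides whether the certificate a TLS server presents actually belongs to the host the client asked for. The following example is added here and is not from the book or from the Ruby project; it builds a self-signed certificate inline (all names in it are constructed placeholders) and runs Ruby’s own hostname check against it to show which names the library accepts and which it rejects.

```ruby
require "openssl"

# Added example (not from the book): exercise the hostname check that
# Ruby's openssl library applies to a server certificate. The certificate
# is self-signed and constructed here purely for the demonstration; every
# name in it is a placeholder, not a real host.
def build_test_certificate
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=legacy.example.test")
  cert.issuer     = cert.subject           # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  # subjectAltName lists the names the certificate is valid for. Once DNS
  # entries are present here, the CN in the subject is no longer consulted.
  cert.add_extension(ef.create_extension(
    "subjectAltName", "DNS:www.example.test,DNS:*.api.example.test", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# True when +cert+ is acceptable for +hostname+. This is the same routine
# Net::HTTP calls after the TLS handshake (via post_connection_check); a
# client that skips it accepts any valid-looking certificate for any host.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Evaluate several hostnames against one certificate and return a Hash of
# hostname => result so the outcome can be inspected or asserted on.
def check_hostnames(cert, hostnames)
  hostnames.each_with_object({}) { |h, acc| acc[h] = hostname_matches?(cert, h) }
end

if $PROGRAM_NAME == __FILE__
  cert = build_test_certificate
  check_hostnames(cert, [
    "www.example.test",      # exact SAN match                     -> accepted
    "WWW.EXAMPLE.TEST",      # matching is case-insensitive        -> accepted
    "foo.api.example.test",  # one label under the wildcard        -> accepted
    "api.example.test",      # wildcard does not cover its parent  -> rejected
    "a.b.api.example.test",  # nor two labels below it             -> rejected
    "legacy.example.test",   # CN is ignored once SANs are present -> rejected
  ]).each { |host, ok| puts "#{host.ljust(24)} #{ok ? 'accepted' : 'rejected'}" }
end
```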

Security and Careers—Network Management

Of all the IT career fields currently available, few can offer the diversity that computer networking provides. First, the networking industry is huge, encompassing hundreds of companies and a massive range of technologies. Second, the sheer demand for skilled individuals means that opportunities with companies of all sorts and sizes abound.

The reason for this high level of demand is simple. Practically every company has a network, and almost all have the need for a skilled individual to manage it. Even if companies cannot justify the cost of having a full-time administrator of their own, they are likely to have an arrangement with a computer company that does. For the past few years, computer networking has been one of the primary growth areas of the IT industry and is forecast to remain so in years to come.

In the early days of networking, the two main uses of a computer network were the sharing of data and the shared use of expensive peripherals, such as printers. Today, these two tasks still form the basis of most networks. But networks are now used in many other ways as well. Without a doubt, the defining point in the history of networking was the creation and explosive growth of the Internet. Although it’s difficult to convey in just a few lines, the Internet is basically a massive network. In fact, the term Internet is derived from the term internetwork, meaning a group of connected networks. Although it’s obvious that the scale of the Internet makes for differences in the technology used, the basis for the Internet is the same as that of many of the networks used in businesses around the world. All these networks must create and maintain a secure environment.

Essentially, networking is a concept or principle that requires a few core components, including hardware (routers, servers, cabling, etc.), software (applications, server operating systems), and protocols (TCP, UDP, IP, etc.). These are the core components that make up the network and the components that network administrators must know inside and out in order to secure them adequately.

There is a great need for individuals to work on and secure the hardware aspect of networking (sometimes called the infrastructure). Equally, there is a demand for those that are skilled in securing the software and protocols that networks require. An in-depth understanding of how a network operates and communicates is critical for designing security strategies.

One of the most attractive features that a career in networking offers is sheer diversity—there are so many different aspects to the networking field. As a network administrator, you must have an understanding of the network operating systems that are in use, the products that provide backup capabilities, and (at least to some extent) the products that run on the servers you are supporting. You must have an understanding of network infrastructure issues, cabling, machine locating, and so on. In addition to these skills, there are a number of other areas in which you must have experience, such as business objectives, project planning, governance, and much more.

Common Network Administration Tasks

Networking is a truly diverse field. Network administrators will find themselves in a variety of situations during a working day, which is part of the job’s attraction. Much of their time will be spent working with systems, including securing those systems. The following list contains some of their most common tasks:

• Performing general system maintenance—Even the most basic computer network is a complicated device. The primary task of a network administrator is to ensure the overall health of the network. For this to be the case, continuous attention to all systems is necessary, although many companies use a management system to make the monitoring easier. Even so, the data supplied by the monitoring systems must be interpreted, and if necessary, acted upon. All of this can keep the network administrator busy.

• Dealing with system failures—The words a network administrator never likes to hear are “the system’s down.” Unfortunately, even the most diligently maintained network is likely to experience occasional problems. In many cases, the problems will be minor and isolated, but every so often a major problem will come along that will test not only your troubleshooting skills, but also your patience and ability to deal with stress. These are the times when network administrators really earn their salary. Every minute that the system is unavailable can potentially cost a company money. When the systems are down, the meter is running, and everyone’s eyes are on the person who can make everything work again.

• Applying software updates and fixes—The complexity of software packages, coupled with the need for them to work securely, requires manufacturers to release updates to their software. The installation of these updates is essential to ensure that systems run smoothly and consistently. In addition, certain software programs, particularly programs such as virus checkers, require frequent updating. Though most updates are easily applied, network administrators must always consider what effect the updates may have on other software products. If suitable equipment is available, they must test the products before implementation.

• Evaluating new solutions—Just because an administrator has the network up and running smoothly does not mean that the job is done. The versatility of computer networks means that there will always be some other enhancement to add to the network or a new security vulnerability to address. This extra functionality often involves products that will change the layout of the network, could potentially affect the other components, and present new security implications. For this reason, any solution must be tested fully, and the results of those tests documented. Many larger companies provide a dummy test network for these purposes, although not all do. Because implementation of new solutions can require the network to be taken offline, a great deal of this kind of work takes place in the evenings or on weekends, so users are not disrupted. Network administrators must be flexible in this respect.

• Documenting systems—One of the most overlooked and neglected of all network administration tasks is that of documentation. Documentation provides a reference point for configuring the network. It’s an invaluable resource when troubleshooting problems or investigating network-related issues. It also is very useful when planning upgrades to the system or when deciding to introduce new products. Unfortunately, the ever-changing nature of the network means that the process of updating the system documentation can be endless. The good news is that no one is awarding prizes for creativity, either. An easy-to-read, concise, and above all, accurate rundown on the specifics of the system is more than sufficient.

• Performing and securing backups—Sometimes referred to as a disaster recovery measure, backing up system data is probably one of the most important tasks performed each day. Most modern backup systems are highly automated, but the maintenance and checking of the system is very important. In addition, network administrators will periodically restore data from a backup to test that the system is working as it should, and that the data being restored can be used in the event of a failure. All backup data should be encrypted and stored in a physically secure location.

• Maintaining hardware—Much of a network administrator’s work is software related, but because the software runs on hardware, a good knowledge of computer hardware is also required. Tasks that a network administrator may perform will range from upgrading or replacing individual components to replacing entire network segments. Maintaining hardware also includes firmware updates to ensure equipment is operating optimally and securely.

• Maintaining cabling and network devices—Cabling is the medium that makes computer networking happen. Even though a cabling contractor may install the main cabling system, there will always be computers needing relocation, new systems to be added, and equipment faults needing diagnosis and correction. In addition, many modern networks use hardware devices to connect systems together. Although novice network administrators may be excused from knowing all about these devices, those with even a few months’ experience will almost certainly have to deal with them, even if infrequently.

• Preparing for audits—In corporate and other business environments, the entire IT infrastructure may be audited by a third party. If deficiencies in the management or security of the network are found, they may be reported to the board of directors and shareholders. Audits are annual events that are sure to cause network administrators much stress. Adherence to internal policies and general security best practices is the best way to complete a successful audit.

Network Administration Training and Certification

Some argue that networking cannot be learned from a book or in a classroom and must be learned through real-world, on-the-job experience. The problem is, as elsewhere, getting the experience before you can get a job invokes the old chicken-and-egg situation: You need a job to get experience, but if you don’t have experience, you sometimes can’t find a job. Given the importance of network security, companies are naturally reluctant to allow those without significant real-world experience to manage their systems.

From an academic perspective, any college or university degree in a computer-related field is likely to be a valuable tool. For many graduates, the path to a given company will be via a graduate intake program, where the company recruits graduates, and then grooms them for certain positions. Without a graduate intake program, many graduates will find it necessary to display some specific knowledge in their chosen area of technology.

So how do employers choose the people for their vacant positions? Often, they use vendor certification programs, of which there are many. Currently, some of the most popular certification programs are the Microsoft Certified Solutions Expert (MCSE) program, the VMware virtualization certification, and those from Citrix and CompTIA. The relative popularity of these programs is no mystery—they closely reflect demand (and reward) in the marketplace.

From a personal perspective, those in the networking field must possess a wide range of skills: an ability to deal with stress, excellent communication skills, and the ability to remember (and at the appropriate moment retrieve) a wide range of facts on an even wider range of products.

Popular Network Management and Security Certifications

The number of networking related certifications can be overwhelming to those looking for a credential. Many vendor and vendor-neutral options are available. This section reviews some of the certifications, with a brief description of each.

• Microsoft Certified Solutions Expert (MCSE)—The MCSE program is recognized throughout the world as a measurement of an individual’s knowledge of Windows operating systems and applications. There are nine MCSE specializations from which a student can choose. These include Server Infrastructure, Desktop Infrastructure, Private Cloud, Enterprise Devices and Apps, Data Platform, Business Intelligence, Messaging, Communication, and SharePoint. To become an MCSE, candidates must pass a series of Microsoft Certified Professional (MCP) exams. However, how an individual prepares for each exam is up to him or her. Once the required exams are successfully completed, Microsoft grants the designation of MCSE, allowing the holder to use the credentials and accompanying logo on résumés and business cards. For more information on the MCSE program, visit the Microsoft training Web site at https://www.microsoft.com/learning/en-us/mcse-certification.aspx.

• CompTIA Security+—The Security+ certification is a vendor-neutral security designation offered by CompTIA. The Security+ objectives cover a broad range of foundational security concepts without focusing on any specific vendor’s technology. For more information and detailed exam objectives refer to CompTIA’s Web site at http://certification.comptia.org/getCertified/certifications/security.aspx.

• Certified Computer Examiner (CCE)—The CCE certification is from the International Society of Forensic Computer Examiners (ISFCE). It’s a vendor-neutral certification providing training around network infrastructure and network communications. For more information on the CCE, refer to https://www.isfce.com/certification.htm.

• EC-Council Certified Security Analyst (ECSA)—Managing security is a complicated requirement for network administrators and IT security managers. The EC-Council Certified Security Analyst provides an intense training program focusing on three areas: Ethical Hacking (discovering vulnerabilities), Security Analysis (methodology of penetration testing), and Penetration Testing (security report and document control). More information on these certifications can be found at http://www.eccouncil.org/about-ec-council-certified-security-analyst.

• Certified in the Governance of Enterprise IT (CGEIT)—IT governance refers to the systems and processes used to ensure technology helps meet an organization’s goals. Someone with this certification has the training to align technology with business goals. For more information on CGEIT certification refer to http://www.isaca.org/certification/.

• Cisco Certified Design Associate (CCDA)—This certification indicates detailed training in network design and efficient network implementation. It’s primarily for network design engineers, technicians, and support engineers, who enable efficient network environments with an understanding of network design fundamentals. A CCDA professional demonstrates the skills required to design basic campus, data center, security, voice, and wireless networks. The CCDA training covers many elements of networking including design, data centers, and security. More information can be found at http://www.cisco.com/web/learning/certifications/associate/ccda/index.html.

• Citrix Virtualization Certification—Citrix Education offers two tracks for virtualization training: Citrix Certified Enterprise Engineer (CCEE) for Virtualization, and Citrix Certified Integration Architect (CCIA) for Virtualization. Both provide detailed information on the implementation and management of a network-wide virtualization infrastructure. More information can be found at http://training.citrix.com/cms/education/certification-links/ccee-and-ccia-for-virtualization/.

• VMware Certified Design Expert—Virtualization is common in both large and small networks. VMware is commonly used for both desktop virtualization and in server rooms. Given the popularity of virtualization, there is a huge need for IT professionals able to securely implement and manage virtual infrastructure. VMware offers a number of courses, which can be viewed at http://mylearn.vmware.com/portals/certification/.

These certifications and courses represent just a small sample of the courses that are available online. Finding training is really not difficult, but finding the right course for your needs and work environment can take a little time.

Security and Careers—Web Design and Administration

Of all the career paths available in IT today, working with Internet-related technologies is the broadest in scope and the most significant in demand. Corporations and businesses of all sizes require an integrated online strategy. External-facing Web sites collecting customer data, fulfilling orders, and marketing are commonplace. Internal-facing Internet and intranet sites are equally important. In order to understand how the Internet came to be what it is today, a bit of history may be helpful.

The focus of this section is on three specific job roles in Internet technology, which are closely related and often filled by the same person: Web developer, site designer, and webmaster.

The terms Web developer and Web designer are sometimes used interchangeably. They are similar roles with some differences. A Web developer is perhaps more of a specialist concentrating on the back-end development of a Web site. A developer will incorporate appropriate security measures from initial concept to completion. Web developers will often be part of writing the actual code that makes Web pages work. Site designers, on the other hand, formulate how the site is structured. This includes the organizational flow, navigational design, and usability features.

Finally, webmasters perform many of the administrative duties of maintaining the site, including upgrading the Web server hardware, adding newly created Web pages, performing security audits, managing permissions, updating documentation, and troubleshooting hardware challenges. Quite often, usually in smaller companies, these three job roles are combined into one. Although such a multifaceted position can offer you varied experiences, the division of focus and attention that you might encounter on a daily basis may be difficult to manage and may cause other challenges at times. Regardless, these three job roles come with their own individual set of responsibilities.

People in these three positions are no longer responsible for traditional Web sites only. The increasing popularity of touchscreen phones and tablet devices has forced a new knowledge and implementation requirement. Web developers need the ability not only to develop sites for mobile devices, but to do it securely. Client-side input and client-side authentication on mobile devices are more complex to manage and control. Essentially, today’s Web developers, designers, and webmasters must ensure that Web sites are accessible and securely meet the needs of the business. Perhaps now more than ever, testing, patching, and updating Web sites is mandatory. Data integrity and the public’s privacy are in the hands of these Internet technologies.

The Deep Web

Have you ever wondered where all those Web sites are that are not indexed in Google or other search engines? In fact, only a small percentage of Web sites are actually indexed and therefore searchable. The large majority of Web sites are hidden from Google in what is known as the Deep Web or Dark Web. The Web familiar to you is what is known as the surface Web. It includes millions of sites, such as Amazon, Facebook, CNN, and others you commonly use. Beneath the surface, however, are sites not found by the search-engine crawlers. These sites don’t want or need search engines. In fact, it’s estimated that, like the tip of an iceberg, the surface Web represents only a small percentage of Internet content. The majority of Internet content is below the surface in the Deep Web.

The Deep Web is a place of anonymity and beyond the reach of regular search engines. Perhaps the best-known way of accessing the Deep Web is known as The Onion Router (TOR). The onion refers to the way encryption layers are stripped from Deep Web communications as they pass through Deep Web relays. This makes accessing the Deep Web much slower than the regular Web. In general, the Deep Web is not a place for Web developers to spend a lot of time, as it’s full of threats and of all manner of illegal activity. While there are many legitimate uses for the Deep Web, the anonymity it provides creates a perfect environment for criminals of all sorts. The Silk Road black-market drug site was a well-known Deep Web site recently shut down—but not before creating a massive Deep Web drug portal. Also, it’s suggested that the 2014 hack of Sony servers used a virus readily available on the Deep Web. Security professionals, programmers, and developers need to have an idea of the threats that lie underneath the surface.

Securing Programming Languages for Web Developers

As stated earlier, the field of Web development consists of many technologies and skill sets that depend on a company’s or a client’s specific needs. These skills can include HTML authoring, programming Web applications, creating artwork optimized for the Internet, performing usability testing, and so on. In general, most Web developers are responsible for coding Web site content into HTML. Often this involves creating custom scripts in JavaScript or Active Server Pages (ASP) to enhance the functionality of the Web site.

Today, it isn’t enough that Web developers and designers know various computer languages and platforms. They must know them well enough to ensure that coding and Web implementations are secure. In addition, each of the languages used requires maintenance and updates to ensure there are no vulnerabilities in the Web development process. Many of these languages come from large vendors who provide documentation and downloads, and their Web sites provide strong vendor support. Other Web development languages are available under the GNU General Public License, offering no paid support but a significant amount of online community help and support. The following is a short list of some of the programming languages Web developers use:

• Adobe ColdFusion—ColdFusion is a scripting language based on standard HTML. It’s commonly used to create both standard Web sites and mobile applications. As with any other application, there are security updates and service packs to address potential development vulnerabilities. Security information and updates for ColdFusion can be found at https://www.adobe.com/support/coldfusion/downloads_updates.html.

• Hypertext Preprocessor (PHP)—PHP is a common open-source Web-development language commonly used within HTML to create Web forms, surveys, picture galleries, sign-in pages, and more. PHP is used to enhance HTML with additional features and interactivity. Because of the interactivity PHP provides, secure programming is essential. Updates for PHP can be downloaded at http://php.net. To ensure PHP programming is secure and follows best practices, refer to OWASP’s PHP programming cheat sheet at https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet.

• Java—Java is a widely used programming language used to create objects within standard and mobile Web sites. Java is used within Web sites to create integrated Web programs such as games, calculators and more. Details on Java security can be found at https://www.java.com/en/security/.

• Perl—Perl is an open source programming language used, among other things, to make dynamic Web pages and interactive Web elements. Updates and security information for Perl can be found at https://www.perl.org/docs.html.

• Active Server Pages (ASP)—ASP.NET represents Microsoft’s training option for Active Server Pages (ASP). ASP is a programming language used for creating Web sites. It’s great for building standards-based Web sites with HTML5, CSS3, and JavaScript. Details and security information can be found at http://www.asp.net/.

Many other programming languages are used in the creation of Web and mobile apps. Regardless of which one you choose, the best practice is to make sure that you apply security updates and periodically review vendor Web sites and community pages for security developments.

Daily Tasks for Web Developers

If an organization’s primary revenue stream is from online sales transactions, quite often there is an extensive team of developers, content writers, graphic artists, and programmers collaborating on creating the various parts and pieces that make up a large e-commerce Web site.

In such situations, a Web developer might specialize in one or more of the areas that make up Web development. For example, you may be required to code ASP to integrate a database into the Web site. You could then find yourself working with database architects to create your code, and then handing the code off to another Web developer to write the HTML code around it for presentation to the end user over the Internet.

However, to truly master an area such as creating ASPs, you must also be somewhat proficient at HTML coding and database technologies. You should also know a programming language, such as Visual Basic. Because these technologies are so interrelated, you must familiarize yourself with the various areas that relate to your specialty in order to truly master it.

If you work for a smaller organization or one that uses a Web site as a sales tool to bring customers to a retail location, you will quickly find yourself handling many of these tasks or working with a group of developers having similar skills. The reason for this is that the Web site may not necessarily be generating a high volume of income for the company and therefore not have the budget to hire staff who specialize in one area or another. The upside is that the site itself will not be required to perform very sophisticated tasks that require experienced specialists.

Regardless of the employment environment, most of a Web developer’s day is spent in front of a computer generating the code for Web pages on the site. A more challenging aspect of being a Web developer is working with all the other individuals who create the Web site’s content. Generally, you will find yourself taking content from a copy editor and artwork from the art director, and combining it into the design that the site designer has specified. The challenge arises when each department has a specific idea of how its elements should be implemented in the final design. It’s easy to find yourself being an ambassador of sorts to all of the departments. However, many Web developers feel this is the most fulfilling part of their job. The following list contains some of the more common day-to-day tasks of a Web developer:

• Develop secure end user interfaces—This task involves working with a site designer who has determined how the Web site will look and function. It’s the developer’s responsibility to write the secure code that makes the design happen. An additional challenge is keeping the code compatible with both traditional Web sites and mobile applications.

• Write supporting client- or server-side code—In addition to writing HTML or any other code, many Web developers find themselves writing scripting code that enhances user interactivity, for example using JavaScript (client-side) and ASP (server-side). Secure interactive coding requires strict validation of user input.

• Integrate supporting applications—On many e-commerce sites, the programs that check inventory, process orders, and complete credit card transactions are written in compiled languages, such as Java or C++. It’s the duty of the Web developer to securely integrate these applications into the HTML code used on the Web site.

• Integrate supporting databases—Many sophisticated Web sites use databases for collecting and storing customer and inventory information, as well as user authentication. As with applications, it’s up to the Web developer to securely integrate a database into the Web site. This usually involves writing scripts to parse the data and formatting it into HTML.

• Write or update content—The most common task of a Web developer is to write content in HTML, the Web’s standard programming language. Furthermore, that content must be kept fresh and up-to-date with the latest security developments in mind. Therefore, updating current pages with new content becomes routine for a Web developer.
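The list above twice calls for security in the developer’s own code: strict validation of user input when writing supporting script code, and safely formatting database records into HTML. The following is an added example (not from this textbook or any vendor) that shows both steps for a hypothetical comment form in server-side JavaScript: an allow-list validation of each field, rejection of unexpected fields, and HTML encoding of every untrusted value at the point it is written into markup. The field names, patterns and function names are assumptions made for the illustration.

```javascript
// Added example: server-side input validation and output encoding for a
// hypothetical comment form. Function names and rules are assumptions.

// Allow-list: every accepted field has an explicit pattern. Anything that is
// not listed here is rejected rather than passed through.
const ALLOWED_FIELDS = {
  username: /^[A-Za-z0-9_]{3,20}$/,          // short, no spaces or symbols
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,       // coarse shape check only
  comment: /^[\s\S]{1,500}$/,                // bounded length, any text
};

// Validate a submitted form. Returns { ok, clean, errors } so the caller
// decides how to respond; nothing is silently "fixed up".
function validateForm(fields) {
  const errors = [];
  const clean = {};
  for (const [name, pattern] of Object.entries(ALLOWED_FIELDS)) {
    const value = fields[name];
    if (typeof value !== 'string') { errors.push(`${name}: missing`); continue; }
    const trimmed = value.trim();
    if (!pattern.test(trimmed)) { errors.push(`${name}: invalid`); continue; }
    clean[name] = trimmed;
  }
  // Extra parameters (e.g. a client-supplied "isAdmin") are an error, so a
  // submission cannot smuggle fields the form never offered.
  for (const name of Object.keys(fields)) {
    if (!(name in ALLOWED_FIELDS)) errors.push(`${name}: unexpected field`);
  }
  return { ok: errors.length === 0, clean, errors };
}

// Encode the five characters that matter in an HTML text or attribute
// context. Applied at the sink, not at input time, so the stored data stays
// faithful and the encoding always matches where the value ends up.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Format rows (as returned from a database query) into an HTML fragment.
// Every field is treated as untrusted even though it passed validation
// earlier: the comment pattern above deliberately allows "<" and ">".
function renderComments(rows) {
  return rows
    .map((r) => `<li><b>${escapeHtml(r.username)}</b>: ${escapeHtml(r.comment)}</li>`)
    .join('\n');
}

// Constructed sample submissions for a stand-alone run.
const sample = validateForm({ username: 'alice_1', email: 'alice@example.com',
                              comment: 'Nice <b>site</b>' });
console.log(sample);
console.log(renderComments([{ username: 'eve', comment: '<script>alert(1)</script>' }]));
```

The two functions are intentionally separate: validation decides whether a submission is acceptable at all, while encoding is what keeps accepted text from being interpreted as markup. When the rows come from a database, the query that fetches or stores them should use parameterized statements rather than string concatenation; that is a third, independent control and is not shown here.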


Training and Certification

To be truly qualified in Web development, you need not only proficiency in languages such as HTML, JavaScript, PHP, and ASP, but also some extensive skills in graphic design and page layout. These skills are not limited to image manipulation only, with a program like Photoshop. They also include the ability to combine images and content in such a way that is useful and engaging to the site’s visitors. The best Web developers have backgrounds in communication media, graphic arts, and computer science.

With the increased demand for Web developers, many continuing education schools and universities are offering courses in Web development. You should look for a training program that teaches you not only about HTML and Internet technologies, but also more intermediate- and advanced-level topics, such as JavaScript, ASP, database integration, and of course, security. Additionally, some basic programming skills would be beneficial as well. Many of these programs offer graduate recruitment and internship offerings. Thereafter, the particular company that hires you will most likely provide you with any additional training in areas that are valuable to its business model.

If you don’t have the benefit of a job-placement program, you should create a personal Web site that showcases your abilities. Many Internet service providers (ISPs) give their members personal Web site space as part of their service agreement. This Web site space provides you with the capability to create an online portfolio of sorts that will give a potential employer a good idea of your skills as a developer.

There are not nearly as many certification programs available to a potential Web developer as there are for network administration. Individuals seeking to break into the Web development field will find a handful of vendor-neutral certifications available online that test for entry-level knowledge, but don’t go into detailed or specific areas of development, such as ASP or Perl.

That’s not to say these certifications are not valuable, however. They will provide you with the ability to prove to a potential employer that you know the basic skills required of a Web developer. This will greatly aid you in getting your foot in the door and working in a development environment. It’s then up to you to train yourself to specialize in a particular skill that interests you.

More and more certifications for Web development are beginning to appear regularly. The following are two of the more widely recognized and accepted certifications available today, in addition to the Microsoft Certified Solutions Developer Web Applications track touched on earlier in this chapter:

• Zend PHP Certification—Zend provides an industrywide certification demonstrating competence in PHP programming. More information can be found at http://www.zend.com/en/services/certification.

• W3Schools Online Certification—W3Schools offers a number of certifications for Web developers. These include certification for HTML, HTML5, CSS, JavaScript, jQuery, PHP, and XML. More information on these certifications can be located at http://www.w3schools.com/cert/.


CHAPTER SUMMARY

Securing Web applications is not just the responsibility of Web developers, designers, and security specialists. Creating a secure Web infrastructure involves all the professions within IT. This includes a database administrator securing the backend databases; a network administrator securing hardware, software, and network communications; the programmer keeping programming tools up-to-date; or the IT manager and CIO creating robust security policies. When it comes to security, everyone has a role to play.

There are many programming languages; some of them are supported by large vendors, while others are open source, supported by active online communities and passionate developers. Regardless of the language chosen, you must examine each language, policy, and procedure and keep abreast of updates and maintenance. This is the only way to ensure IT security and to minimize vulnerability wherever possible.

KEY CONCEPTS AND TERMS

• Active Server Pages (ASP)

• Business intelligence (BI)

• Database administrator

• Database designer

• Deep Web

• Defensive programming

• Relational database

CHAPTER 14 ASSESSMENT

1. Data typically refers to raw unorganized facts.

A. True B. False

2. A SQL server database is an example of a relational database.

A. False B. True

3. The TOR browser is used to access which of the following?

A. SQL databases B. Relational databases C. Deep Web D. Oracle databases

4. Which of the following represents a mindset whereby programming is done with a clear understanding of current threats and how these threats potentially impact overall security?

A. PHP secure B. ASP.Net C. Defensive programming D. CSSLP

5. Which of the following professions are concerned with the back-end development of a Web site and will incorporate appropriate security measures from initial concept to completion?

A. Network architect B. Web developer C. Webmaster D. Database designer E. None of the above

6. A(n) ______ is a set of instructions understood by the computer allowing it to perform predetermined functions.

A. Program B. Web site C. Database D. RDMS

7. Which of the following are open-source programming languages?

A. ASP B. Perl C. PHP D. ColdFusion

8. ______ refers to the systems and processes used to ensure technology helps meet an organization’s goals.

A. Policy B. Scripting C. Governance D. Tracking

9. Certification courseware and training materials are focused and directed, but degree programs often require elective courses that are not always related to the specific area of IT.


A. True B. False

10. Which of the following professions are concerned with managing database security, such as the list of users who have access to all or part of the database?

A. Network architect B. Web developer C. Webmaster D. Database administrator E. Both A and D