December 2020 - Applied Information Sciences

A Level of Certification to Consider

Obtaining a Secuirty+ certification allows individuals that are pursuing a career in an information technology field many opportunities. A good portion of DoD jobs requires this level of certification to maintain secure systems utilized daily. This training ensures that the minimum-security requirements convey. The exam is difficult because it covers an extensive range of topics under Information Technology Security.

There are multiple ways to study for the Security+ exam. This article demonstrates one way to follow. It has been a proven method to achieve a passing score the first time taking the exam. When this article was written, the SYO-501 was the current exam offered.

What You Need

Below are suggested materials to guide you towards the exam, with specific examples outlined in the subsequent sections:

Books (there are two specific titles mentioned in this blog)
Additional Subscription Study materials (this is not required, but suggested)
Friends to study with (or to keep you awake when you are supposed to be studying)
A well-rested mind
One month to prepare (suggested if you are new to the material)

Step 1: Read the Fun Manual (RTFM)

First of all, the best way to get a good grasp of the material is to take a class offered by qualified and licensed entities. These courses usually last five days and will follow a book, or multiple books, for education material. Attendance is either via an online course taken at your leisure or in person at a facility. If you can have a company host the professional to teach an on-site/virtual class, that is the best way to get involved in a course. You can purchase two useful books at many major retailers that sell course material for CompTIA:

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide by Darril Gibson
CompTIA Security+ SY0-501 Cert Guide by David L. Prowse.

Reading these books is recommended, regardless of if you take the course or not. Allow plenty of time to get through both of them. Both cover topics in length on different subjects and give you an excellent grasp of all the exam material. Ensure that the proper books purchased are for the current exam that is offered. Failure to do so will result in information missed that may be on the exam. If time is of the essence, reading the book by Darril Gibson would be recommended. Then use the David Prowse book and skim through the sections that expand a bit more on the topics not covered in the first book.

Step 2: Online Videos (they are free!)

An excellent online resource to use is Professor Messer’s CompTIA SY0-501 Security+ Course. The videos are a completely free way to cram a lot of information quickly after reading the books. I’d recommend doing so in this order. You can do the reverse if you like. However, listening to the videos as you are driving or going about your day after reading the material makes it easier to retain the information. There are also other study materials offered for sale to help aid in the passing of the exam. Listening to all the videos after reading the material is thoroughly suggested to help retain the information. There is also information covered in these videos that had not been discovered in the books recommended to use.

Step 3: Get Certified and Get Ahead Study Material

If you can afford to do so, purchase the full study guide at GCGAPremiumPass. There is a package that is great to use after completing the books and videos. The study package follows Darril Gibson’s book recommended above. A package is offered that contains the book and the study guide to save some money. This is the recommended way to get both if you have not taken a course that includes the book in the purchase. The full study guide includes:

Multiple-choice Security+ practice test questions
Performance-based questions
Audio from the Study Guide
Online flashcards

The audio “Remember This” material is one of the best things you can use to retain the information in this book’s chapters. Reading a chapter and listening to the accompanying audio file for it will help immensely. If there is something in the audio file that you do not understand, go back and read the section in question. Then, listen to the remember this audio file again. Each of these files is ten minutes or less. Using these to listen to while you are driving or folding laundry will help you retain what you have read from each chapter. These short audio clips are handy to keep the information fresh in your mind. Using the flashcards in this manner will also help you remember specific details like ports and acronyms useful for the test. Acronyms are the most significant thing to commit to memory. The exam will not spell these out for you. If you do not know all of them, you will spend a lot of your time on questions trying to figure out their context.

The practice questions are a great way to get yourself prepared for the exam. With one caveat: do not just memorize where the answer is in the order of the list. The order of the answers will change between chapter exams and full exams. Taking these in order of the chapters, then taking the complete exams is the best course of action. This helps eliminate your brain tricking you into choosing the answer’s letter rather than identifying the correct answer by knowledge. Please note that no matter how many times you will take these practice exams, the real exam will not have questions on it that are the same.

Step 4: Test Day

Prepare yourself by taking some time off before the exam to let the information sink in. Cramming right up until the test time will only confuse you for the information you need to know. A fresh mind and a calm attitude will go a long way. The exam is timed, so you will see the time the whole way through. Try not to pay too much attention to it without ignoring it. There are scenario-based questions included in the exam. These questions will take much set up time to figure out an answer. Building networks or figuring out access points will be common questions. The rest will be multiple choice. The best plan of action will be to answer all the questions you know as quickly as possible, allowing time to go back through to think about the questions you are not sure of. Usually, your first answer that you put down will be the correct one if you studied enough. Spending too much time on a question will lead you to second guess yourself, and you may settle on the wrong answer. There is an option to flag questions you are unsure of so that you can return to them at a later time. The best advice here is to make sure you answer the question you are unsure of and flag it when you move on. This way, if you run out of time, the question is answered. It may be wrong, but it is better than leaving a question empty.

After the exam time has run out the clock, a survey will be presented for you to take. You will not see your score before your survey is complete. Don’t worry that some technical glitch may be happening. If you passed the test, a certificate would be mailed to you. You can then present this to your organization. If not, you will be able to retake the exam. It is suggested that you give yourself some more study time and focus on the areas the summary lets you know where you are not strong in your knowledge.

Conclusion

The suggestions stated here are just that: suggestions that have worked for some people. Others require less time to prepare and study, and some require a lot. If you put enough work into preparing for the exam and ensure you have a positive attitude about it, you will do great. Don’t worry if you do not pass the first time. The exam is challenging to prepare for in a limited amount of time. No matter how much preparation you have put in, there will still be questions presented to you that you feel you have not covered. The exam is tailored that way to collect statistics and catch cheaters. Getting with a group of people for the exam prep is the best way to study for this. Instructors can be hired to teach you the exam’s ins and outs and the history of the questions presented. Good luck!

Selvi Kalaiselvi

Before you start deep dive for implementing DevSecOps in this blog post, please review the fundamentals of DevSecOps in my first blog post. It will help understand the ‘Sec’ in DevSecOps and get up to speed on various security tools for implementing DevSecOps in your CI/CD pipeline. Although there are many code repositories tools with CI/CD built-in, this blog walks through GitHub and its security scanning tools for DevSecOps implementations.

This blog post provides a GitHub repo for you to fork and try it on your own. The repo has an out of the box .NET core application, docker file to containerize the application. GitHub actions workflow YML code to build and deploy the containerized application to Azure. Further steps below will help understand introducing code scanning and container scanning tools. While I have used CodeQL for code scanning and Anchore for container scanning, can easily be replaced with other security scanning tools.

This repo/blog does not have all DevSecOps pipeline security features but integrates code scanning and container scanning tools. It shows how to get started on a GitHub Actions workflow and add these tools for security scanning. DevSecOps fundamentals are to understand and integrate these security tools in your pipeline. Source code is the single source of truth, and adding CI/CD pipeline automation is the first step. The security tools integrated into the pipeline scan your source code, scan the dependency packages/software, and will be added to your code.

GitHub Actions CI/CD

As we saw in the previous blog post, we will use the below high-level DevSecOps CI/CD pipeline workflow. I am not covering ‘artifactory’ functionality in this blog post and covering it in the next blog post!

Pic: Simple DevSecOps pipeline workflow.

A .NET core application is then added to the GitHub repo. The docker file is added to containerize the .NET Core application using docker build. A GitHub actions workflow is added to run the CI/CD pipeline. The actions will contain code for build/deploy and integrating security tools within the pipeline. The GitHub Actions workflow in the repo has the following steps:

Starts the workflow manually which helps with debugging/testing. It can be changed to run when a branch is pushed or to main, and when a Pull Request is submitted.
Azure related variables are declared as workflow environment variables
Build the .NET code
Parallelly CodeQL scans the code. CodeQL action can be added to the main pipeline YML.
Anchore container scanning before the container deployed to ACR
Log in to Azure
Create an Azure Container Registry (ACR) and log into ACR.
Docker build and push the application container to ACR
GitHub container scan, scans the container in ACR
Create a new Azure Container Instance to host the application running in a container
Log out from Azure after completing the pipeline workflow

Now log into the Application is successfully running in Azure. Log in & verify your application running.

To learn more about GitHub Actions workflow and how to leverage your projects, follow the links:

CodeQL

Code scanning is essential even before security scanning is applied in the pipeline, as this is the first defense line. GitHub blog, GitHub code scanning is a developer-first, GitHub-native approach to find security vulnerabilities before they reach production easily. We’re thrilled to announce the general availability of code scanning. You can enable it on your public repository today!

The code scanning is completed using CodeQL, which is GitHub native approach to scan the code to identify the security vulnerabilities while the code is still being built. Other third-party code scanning workflows can also be added, as you see from the below screenshots. To set CodeQL code scanning, click on ‘Security’ from your repo. Then select ‘Code Scanning’ to add CodeQL workflow.

Pic: Add Code Scanning to your code in GitHub repo.

Pic: Add CodeQL workflow to your code. Third-party code scanning can be added as well.

Pic: CodeQL Code scanning results.

CodeQL code scanning workflow runs parallel to the main workflow. It can be changed to run at the beginning of the main workflow also. CodeQL identifies what type of language is in the repo and runs the scanning accordingly. As this repo contains C# and JavaScript, code scanning is done for those languages. If there are significant errors/vulnerabilities found, then the code scanning workflow will fail. But for general warnings, alerts are available for review and fix the warnings.

Pic: View the code scanning alerts.

Pic: Code scanning results.

CodeQL scanning warnings can be analyzed and decide whether it is needed to fix the errors/warning and if it is safe to ignore. As this is the out of box .NET application, there are not many alerts/warnings. But if its production code and especially any migration-related codes might have more security vulnerabilities that need a fix before proceeding in the CI pipeline.

GitHub Container Scanning

This container scanning is native GitHub action to scan Docker containers in the CI pipeline. This identifies any vulnerabilities before the container is published to an application instance. More information can be found here, and this action uses Trivy and Dockle for running container scans on these images. They follow CIS Container Benchmarks for a baseline to secure the container images.

Pic: GitHub Container Scan is added to the main workflow.

Having this action in the repo and running the main workflow failed due to these vulnerabilities findings. Any of the vulnerability findings can be ignored if it is in acceptable criteria. They can be added to ‘allowedlist.yaml’ file. The container action will then ignore those vulnerabilities. For more information, read here. Container scanning in GitHub is robust in scanning for vulnerabilities before the containers are deployed to the customer environment. But a closer review of these vulnerabilities needs to be done so appropriate scanning is performed in the repo. An analysis will yield better evaluations to find if the findings are indeed from code or from any dependencies. The container scan provides scantizer results like this.

Pic: Vulnerability findings.

Pic: CIS Container baseline violations warning & info.

Pic: Added vulnerabilities to ignore list.

Anchore Container Scanning

Anchore is an open-source container scanning tool added to the GitHub Actions pipeline. More than one container scanning actions can be added to a repo workflow—more information on how Anchore container scanning works.

Pic: Anchore container scanning action added to main pipeline workflow.

Pic: Anchore container scan also identified the same vulnerabilities as GitHub container scan.

According to NVD (National Vulnerability Database) in NIST, CVE (Common Vulnerabilities Exposures)
CVE defines vulnerability as:
“A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).”
All vulnerabilities in the NVD have been assigned a CVE identifier and thus, abide by this definition.

I took one of the CVE identified in both GitHub & Anchore container scan actions, CVE-2019-3843. According to NVD database in NIST, this is related to systems service-specific running in the container instances. As this repo is out of the box .NET core application, no additional code has been added. Further analysis must be done to understand the CVE depth to mitigate or override.

Pic: https://nvd.nist.gov/vuln/detail/CVE-2019-3843#vulnCurrentDescriptionTitle

The vulnerabilities could be coming from the dependency container image used for building the docker image for the application. Hence it is essential to make sure dependencies are scanned as well.

Application Container Deployed in Azure

If all scanning goes well, then the pipeline is ready to deploy the application to Azure. Here the Azure CLI is used in the pipeline to deploy the containerized application to Azure Container Instance (ACI)!

Pic: Resource group for Azure resources.

Pic: Azure resources (ACR & ACI).

Pic: Container in ACR.

Pic: Container deployed to Azure Container Instance (ACI)

Pic: Application up and running in Azure.

I hope the DevSecOps implementation walk-through with GitHub repo to try it out on your own adds value in understanding ‘Sec’ in DevSecOps and how to protect the codebase from vulnerabilities before deployed into production. While the blog post walked through GitHub CI/CD, all the other DevOps tools such as Azure DevOps, GitLab, Jenkins, etc. provide similar security tools implementations in their CI/CD pipeline. So, make sure to integrate security tools and shift the security to the left in whichever DevOps tool your organization decides to implement for your CI/CD pipelines. Follow up back here for the next blog post in this series for artifactory, running security tools from containers, the importance of containers, Kubernetes, and how to consume hardened container images from IronBank offered by DoD DevSecOps!

AISblog

@aisteam

As part of our ongoing commitment to providing superior-level service to our customers and partners, AIS successfully continued our ISO certifications. Our certifications include ISO 9001, which relates to Quality Management, and ISO 27001, which relates to Information Security.

AIS senior management sees these certifications as an opportunity to provide value to our customers through the use of the globally-recognized processes and procedures required for a Quality Management System and to drive better quality and consistency in our service delivery. The processes and procedures required for an Information Security Management System will improve our threat protection posture — a high priority these days, given the omnipresent risk of hacks and other security breaches.

Through these efforts, AIS will benefit from the continual improvement of these processes, better performance and enhanced customer satisfaction for our customers, and improve our competitive position across all sectors of our business.

Andrea Pinillos

@AndreaPinillos4

This video demo and blog provide a step-by-step walkthrough of adding related subgrids to a Power Apps portal for a Trip Planner Application.

You may consider adding a related subgrid to your portal if you have tables associated with each other. For example, you have a Trip table that is your main table and a Traveler table. You want your traveler table to be directly related to your trip table so that any data you add to your traveler table for a specific trip will be added to that trip and not all.

The steps to achieving this include creating the relationship between tables, modifying the forms and views, adding the related subgrid to the main Trip form, and configuring the Portal Management App and portal designer.

I have created a Trip Planner application where Trip is the main table and Traveler is the related table in this walkthrough. By the end, we will have one Trip to many travelers and ensure the travelers for one Trip don’t get added to a different trip.

This example image is what the Traveler subgrid will look like inside the beach trip.

Steps:

In your solution, create a Trip table with custom columns
Create a Lodging Table
Create a 1:M relationship between Trip and Travelers
Customize the view for both Trip and Traveler
Add a new Main form inside the Trip table
1. Add custom columns by dragging or clicking it from the left panel
2. Add a related subgrid in the same tab
3. Save and Publish the form, Click Back
Navigate to the Portal Management App
1. Create 2 new Entity Forms
2. One for “New Traveler”
3. One for “Update Traveler”
Create a new entity form called “Update Main Form”
1. Navigate to Entity Form Metadata tab, click New Entity Form Metadata
Select Subgrid from Type
Select the correct subgrid from the drop-down
Select the New Traveler form for Create
Select Update Traveler form for all other actions
Create an Entity form called “New Main Form” and follow the same steps for the subgrid configuration but ensure the Mode is Insert in the General tab
Your Entity Forms should look like this
Navigate to Entity Lists inside the Portal Management App and create a new list called “Main List”
Under the Options tab, Add Main Form to Grid Configuration
Navigate to the Portal Designer editor
Add a List from Components
Select Use Existing, since we already created an Entity List in the Portal Management app
1. Select Main List
Click Sync Configuration, then Browse Website
You’ll see your Trip view and you’ll be able to Create New or Update an existing Trip
Notice your related Traveler subgrid is added to both forms for editing

As you can see, adding a related subgrid to your Power Apps Portal can be done out of the box with no code needed! The purpose of this is to be able to link multiple tables to each other and have them displayed in Power Apps Portals. Feel free to follow along using my instructional video for more detailed instructions.

BlogMonthly Archives: December 2020