
April 21, 2025 36 mins


Software security assessment can make or break your organization's defense posture, yet many professionals struggle with implementing effective evaluation strategies. This deep dive into CISSP Domain 8.3 reveals critical approaches to software security that balance technical requirements with business realities.

The recent funding crisis surrounding CVEs (Common Vulnerabilities and Exposures) serves as a perfect case study of how fragile our security infrastructure can be. When the standardized system for cataloging vulnerabilities faced defunding, it highlighted our dependence on these foundational systems and raised questions about sustainable models for critical security infrastructure.

Database security presents unique challenges, particularly when managing multi-level classifications within a single environment. We explore how proper implementation requires strict separation between classification levels and how technologies like ODBC serve as intermediaries for legacy applications. The key takeaway? Data separation isn't just a technical best practice—it's an essential security control.
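The classification separation described above, as an added example that is not code from the episode or from CISSP Cyber Training: a toy store that keeps one physically separate table per classification level, refuses any read above the caller's clearance before the query is dispatched, and records every access and denial in an audit trail. The level names, the `Record` type and the "no read up" rule (the Bell-LaPadula simple security property) are assumptions chosen for illustration.

```python
"""Toy multi-level data store with strict separation by classification level.

Added example; not code from the podcast or CISSP Cyber Training. The level
names, the Record type and the 'no read up' rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordered lattice of classification levels, lowest first (assumed names).
LEVELS = ["public", "internal", "confidential", "secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Record:
    key: str
    value: str
    level: str


class MultiLevelStore:
    """One separate table per level, so rows of different classifications
    never share a container; every read, write and denial is audited."""

    def __init__(self) -> None:
        self._tables: Dict[str, Dict[str, Record]] = {lvl: {} for lvl in LEVELS}
        self.audit: List[str] = []

    def write(self, actor: str, rec: Record) -> None:
        if rec.level not in RANK:
            raise ValueError(f"unknown classification {rec.level!r}")
        self._tables[rec.level][rec.key] = rec
        self.audit.append(f"WRITE actor={actor} level={rec.level} key={rec.key}")

    def read(self, actor: str, clearance: str, level: str, key: str) -> Record:
        """Mandatory check first: a subject may never read above its clearance."""
        if RANK[clearance] < RANK[level]:
            self.audit.append(
                f"DENY actor={actor} clearance={clearance} level={level} key={key}")
            raise PermissionError(f"{actor} ({clearance}) may not read {level} data")
        rec = self._tables[level].get(key)
        if rec is None:
            raise KeyError(key)
        self.audit.append(f"READ actor={actor} level={level} key={key}")
        return rec

    def visible(self, clearance: str, key: str) -> List[Record]:
        """Collect matches only from tables the clearance dominates; the loop
        stops before it ever touches a higher-level table."""
        out: List[Record] = []
        for lvl in LEVELS:
            if RANK[lvl] > RANK[clearance]:
                break
            rec = self._tables[lvl].get(key)
            if rec is not None:
                out.append(rec)
        return out


def demo() -> dict:
    """Constructed scenario: the same key stored at two levels, read by two users."""
    store = MultiLevelStore()
    store.write("loader", Record("acct-42", "public summary", "public"))
    store.write("loader", Record("acct-42", "full ledger", "secret"))

    analyst_sees = [r.level for r in store.visible("internal", "acct-42")]
    auditor_sees = [r.level for r in store.visible("secret", "acct-42")]
    try:
        store.read("analyst", "internal", "secret", "acct-42")
        denied = False
    except PermissionError:
        denied = True
    return {
        "analyst_sees": analyst_sees,
        "auditor_sees": auditor_sees,
        "analyst_denied": denied,
        "audit_denies": sum(1 for line in store.audit if line.startswith("DENY")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the per-level tables is that a bug in the query layer cannot leak a higher row by accident: the `visible` loop never reaches the "secret" table for an "internal" caller, and the denial is written to the same audit trail as successful reads so that "read up" attempts show up in monitoring.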

Documentation emerges as a surprisingly critical element in effective security. Beyond regulatory compliance, proper documentation protects security professionals when incidents inevitably occur. As one security leader candidly explains, when breaches happen, fingers point toward security teams first—comprehensive documentation proves you implemented appropriate controls and communicated risks effectively.

The most successful security professionals step outside their comfort zones, collaborating across organizational boundaries to integrate security throughout the development lifecycle. Static analysis, dynamic testing, vulnerability assessments, and penetration testing all provide complementary insights, but only when security and development teams maintain open communication channels.

Ready to strengthen your software security assessment capabilities? Join us weekly for more insights that help you pass the CISSP exam and build practical security knowledge that makes a difference in your organization.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

Speaker 2 (00:26):
All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today we're going to be talking about Domain 8, Domain 8.3, assessing the effectiveness of software security in the CISSP training. So today's goal is to get over some of that information and then on Thursday, as you guys all know, we will be having out the questions for the CISSP over Domain 8.3.

(00:49):
So the goal is to kind of go through this, give you some great information. If all this is new to you from listening to this podcast, as you can see, our podcast is smoking. I mean, I'm being totally honest. I'm amazed at the growth that we've had, which is awesome because there's a lot of people out there demonstrating the fact that they really, truly want to understand the CISSP and they

(01:10):
really want to pass the test. So pass the test and understand it is the key goals. So today we're going to be getting into Domain 8.3 of the ISC squared book and the manual related to taking the CISSP exam. But before we do, we're going to be getting to an article that I saw today. I don't know if you all saw this news, just the. I think it was yesterday or maybe it was on Thursday.

(01:32):
You know the defunding part in the United States government. One of the big pieces that came around this was related to CVEs, and if you're all connected with CVEs, CVEs are what they call the common vulnerability exposures, and we've talked about this a lot in CISSP Cyber Training in this podcast numerous times, and the goal around this is to truly try to understand. It's a programized or, I should say, standardized way of naming

(01:55):
systems for publicly known security vulnerabilities that are out there, right, and they have unique identifiers with each of them, and this is from the government. They come down and they say, well, if there's a vulnerability, it ties it to a CVE number, which makes it easy to reference and also helps companies understand what are the vulnerabilities out there. Now it's really a true foundational aspect of security

(02:15):
efforts that we do out on the web, and one of the key factors that goes along with that is deals with vulnerability management, patching and overall security efforts across the entire industry. So it was a program that was put together by the US government, been funded by the government, and during some of the DOGE aspects of the US government, one of the things was to start cutting funding of these areas.

(02:37):
Now, politically, whether it's right, wrong and different, it doesn't really matter at this point, because you know what, political stuff I don't like getting into, because, realistically, everybody's got an opinion. I was in an article, or not an article. I was talking to a lawyer one time, and the lawyer said if you get a room full of lawyers, eight or nine lawyers, just say nine lawyers in a room and you're all going to discuss a

(02:58):
topic, you'll get 10 different opinions. And it is so true because, when it comes to politics, everybody has a thought. So, that being said, we'll stay out of that mess. The bottom line, though, is that the CVE funding was turned off, which was a total shock to me. I was doing a presentation at our local ISC squared chapter meeting on Friday and it came up and I was like, uh yeah, I

(03:19):
didn't even know that was out there, and a lot of other folks that were on the chapter meeting did not know it either. So the point of it is that how do we deal with the situation now? I guess there was some funding that was done last minute that made this all kind of come back around, and there is an aspect where it's in place. But the ultimate goal is that they have to come up with a plan around how they're going to deal with this, because when

(03:41):
it deals with one company or one country focused specifically on providing this information, things can happen and then it can cause disruptions. Well, the government's been funding this, US government, for about 25 years and therefore they were looking at ways to kind of change it and they thought, well, let's just go cut funding. That caused all kinds of kerfuffle within the security

(04:03):
folks' space, and as a result, it was at the last minute. Funding was provided and still brought back online. But the ultimate goal is this article kind of talks about what are some different options around that. One of the proposed options includes transitioning the governance to a non-profit foundation. One of the guys on the ISC Squared meeting said we could do

(04:23):
a GoFundMe. So there's different types of options out there. But another one of the options he suggested was a decentralized system, which potentially could cause some level of confusion. I think at the minimum a country probably needs to own it, but in reality, probably a nonprofit is probably the best thing, and then it gets funding from outside sources.

(04:43):
Now will the outside sources all pony up to pay for this? I don't know, but realistically it's something to kind of figure out what needs to happen. Now, when these things occur, these funding fights that as they are, and some of the issues that roll with it, it does force people to actually bring this up in a conversation, versus let's just ignore it and keep kicking the can down the road. So there's positivity around that aspect of it forcing people

(05:10):
to decide what do they want to keep, what do they not want to keep. I think obviously the CVE program is of vital importance to the security of the globe. I mean, I think it's really, really important. So now they just got to figure out how they're going to fund it and how they're going to pay for it. So interesting things that are going on in our world that we deal with on a daily basis, and you know when you're dealing with security, you just never, ever know. So we're going to go ahead and we're going to get into now

(05:31):
Domain 8.3. Okay, Domain 8, 8.3, assessing the effectiveness of software security. So, as we talk about one of the big things that we're dealing with when security is the new, the growth of development and its capabilities within the environment. So what I mean by that is that we are constantly in the state

(05:51):
of more development that's occurring way beyond when I first started getting into cyber a few years ago. We joke, a few years ago it was more like about 20. But the point of it is that the security has, requirements have changed, the development has changed. Much of this is really just kind of growing extremely fast, almost exponentially, as we incorporate new AI, ML.

(06:14):
You've got now rockets that land themselves. I mean, all this stuff did not occur 20 years ago when I was first getting into this. So development security was considering. You know it was there, but it wasn't a forefront of what people need to be concerned about. So, as we deal with security and assessing risk, one of the aspects you're going to need to understand is auditing and logging of the changes that occur.

(06:34):
Now we're going to talk about databases and some different aspects here, but at the end of all of this, you really need to consider how are you going to audit and how are you going to log the different changes that occur within your environment, especially when it comes to development, because, as we know, Domain 8, we are focused strongly on overall development, the overall development environment. So when you're dealing with multi-level database security,

(06:55):
it does contain information with different classification levels and we've talked about the different classification levels in various podcasts we've had, in various trainings with CISSP Cyber Training. So you need to strive to keep the data separate within these different classification levels and it's imperative that as you're architecting your overall solution, that you do work hard

(07:16):
to keep them separate and distinct. Mixing data classifications will cause you issues, guaranteed, and I also know that if you don't have a good plan going into it, they will get mixed up. I deal with companies right now as a consultant and there's all kinds of data everywhere. I mean you name it, and it's not anything new. All companies deal with this specific issue.

(07:38):
Now you're dealing with concurrency. This can be applied to a single or multi-level databases and it utilizes a way to lock out only users to make a specific change. So once the change is complete, the unlock occurs, and this is an area where my developers would go in the past. They would go in and make a change within an environment and only they could make that specific change.

(07:59):
It wouldn't allow anybody else to be in there at the same time they are making their modifications to the code. Now this comes down to the point where you have to have a really good strong, again, infrastructure around how you're going to manage this, and it's not just having the technology, it's also having the processes, followed by the documentation of each of these steps.

(08:20):
So it's really important that you kind of look at this as a holistic view, a big picture view, that you started off at the beginning, that you have a good plan. If you haven't done this to this point and you have a software development team, you may want to take a step back and then kind of figure out how do I want to approach this so that I don't have, so I have consistency in my development

(08:40):
cycles and that I ensure that I have a good handle from a security standpoint in each of these areas. So we're going to use, as an example, ODBC. Now this is open database connectivity. Now the purpose of this is it allows applications to interact with various databases at different types. That's the ultimate goal. It has a connector that can connect to NoSQL, MySQL, Oracle,

(09:04):
different types of databases and the open database connectivity. It acts as a proxy between these applications. So it witnesses basically, using a lot of legacy applications will use an ODBC connection and it just acts as the intermediary between that. So we're going to break this down a little bit. So you have an ODBC driver manager. Now this acts as the central point of contact and, air quotes,

(09:26):
as a potential traffic cop, the one that's going to guide and direct which way the data is going to go. Now it receives a connection request from the specific application in that it's connecting with and then it looks up their data source name or the connection string, but basically that the point that ties them together and it's looking at that. It's similar to like what we'd consider an API.

(09:47):
It's using this data source name to help tie these different databases together. Now then it loads the specific driver. So if you have an Oracle database, it would load the driver for Oracle and then for that specific target database, and then it forwards the application requests to the specific driver and we're going to get into that in just a minute of what the driver is. So again, it's working with these older databases.

(10:09):
It's allowing an interaction between them. I dealt with this in the manufacturing space. There was a lot of legacy type databases that didn't have real good connectivity, so we would use an ODBC type connection to help with that. So there's a lot of great ways you can use these kind of tools. Now there's also some challenges that come with that, but we'll get into those later. Now an ODBC driver, this is the specific software components

(10:33):
provided by the database vendor, okay, or a specific third party. But realistically the vendor will give you that driver. Now it understands both the ODBC API calls and the specific language and protocols of that database. So it's helping those different communications in place. Now the ultimate goal is that you want to have this communication so that it's relatively seamless between both

(10:55):
aspects, and it will then take the results from the database, translate those back and forth into the application so it understands it, and it's just this communication that occurs between these different connections. Now, as an example, we use NoSQL. So you have MySQL, you have NoSQL. NoSQL is the non-version. I should say not the non-version.

(11:16):
MySQL is very expensive from a licensing standpoint. NoSQL is not. It's no longer a relational type database, it's more of a tabular relationship and it allows for simple design between these. It allows for quick queries between the groups. So the ultimate goal is that, just to kind of put it in perspective, the ODBC is the connection between the various

(11:36):
databases. It allows you to connect older databases and it will have the drivers in most cases, around what allow you to connect to these older databases that are out there. So if you're going to be having an older system, make sure you consider is there an ODBC connection for it? Now, when you're dealing with NoSQL, there's three major classes. There's a key value store, a document store and a graph.

(11:58):
So, of the three classes, the key value store is the simplest non-trivial data model and it can be used with RAM and SSDs, so it's a very simple key value store. The document store offers APIs to retrieve documents based on the specific contents that are in those different tabs. These could be collections, tags, metadata and so forth is

(12:19):
all stored within the document store. And then the graph. This is designed for data representation, such as graphs, maps, network topologies. All of that is tied into the three major classes. When you deal with audit and logging changes, one of the things you want to really consider is log everything you can within reason. Why do I say within reason? Well, if you log everything, one, it's a huge nightmare.

(12:40):
Two, it's a lot of information you may never, ever need. Three, it also costs you a lot of money in many cases to be storing all of this data. So you want to keep the most critical things you possibly can, but you do want to log the things as much as you possibly can within reason. So capturing user activity, system events, application access, configuration changes, all of those things are really

(13:02):
important things that you need to consider. Depending upon the organization that you're in, depending upon the overall business that you are in, you may need to record these logs for a long or extended period of time. Highly regulated environments, you got to keep a lot of logs; not as much regulation, you don't necessarily need to keep as many logs, however.

(13:23):
You may want to keep those for future reference. So, again, keep as much information as you possibly can. You also want to tamper-proof your logs. You want to store those logs in a central, secure location that prevents unauthorized alteration or access, such as a WORM, right, write once, read many, storage. That's one of those things where you want to make sure that you write it once but then you can read as much as you

(13:46):
need to. Again, you want to avoid them being tampered with. You want to define log retention periods, determine how long to keep the logs, based on the compliance needs and the investigation timelines that are associated with it. You do need to balance the security with the storage space limitations, and that is a true factor. You are going to be looked at by your senior leaders of going.

(14:06):
If you have all these logs that you're being stored, they're going to go, I have this really, really high bill that I need to pay. Do you really need all of that? You need to be business-minded and have enough acumen to go, you know what, we don't necessarily need that. They're going to come to you as the expert, so you therefore need to be prepared to deal with that as an expert. See, this stuff, I tell you, this is stuff you won't get on other kind of

(14:28):
podcasts from guys that have never been doing this for years. Those are big key factors you need to remember, especially if you're taking the CISSP and you're going to take the test. They may ask you a question similar to that. User accountability: implement strong user authentication and authorization controls. Logs should record the user who made the change, the time and what was modified.

(14:48):
Monitoring and alerting: always look for suspicious activity within your logs. You should have alerts within your SIEM that tie to that, looking for any unauthorized access, configuration changes, anything outside the baseline parameters or other types of anomalies, and that's a really important part in overall log retention and log security.

(15:09):
So I put an example out here on the slides and it implements this. The whole example is this: you have a centralized logging system that captures all user activity on a specific web application. The log will record that user ID, timestamp, action performed. Obviously they click a link, whatever that is, download files or any modified data.

(15:29):
These are all stored in a tamper-proof server for one year and monitored for unauthorized access attempts or unusual modification patterns. That would be a nirvana situation. That being said, you want to consider the point of is that really necessary for all applications? For specific critical applications, you bet, but for

(15:52):
all applications, probably not. So you need to kind of consider that when you're looking at this. If it's a forward-facing on the internet and it's something they have critical data, that is something you may want to really truly consider. If it's something internal with your environment and it doesn't hold any critical data, you may want to think twice about doing something that, maybe login attempts you may want to keep,

(16:12):
but all this other data, maybe probably not. Again something to consider for you and your organization. So when you're dealing with other parts of risk analysis and mitigation, you want to identify security risks with a development plan. Take the time to complete a risk analysis of your software. This can take time. It also forces you to get outside of your comfort zone and

(16:32):
go talk to other people. So I see this in security a lot. People are in silos. They work in security. I like security. I stay in security. I don't get outside security. I know that's really a bad kind of Italian kind of thing. I don't know what that was, but, being said, the ultimate point is that it's outside of security. You want, you have, to get out of it.

(16:53):
You cannot stay within your little bubble and you also need to know the threat and act like the adversary. Think about what the adversary is doing. So when you're looking at your overall development plan and you're understanding risk, what would the adversary do to your organization? You need to document the highest risk. Also put those in a risk register. That needs to be defined.

(17:13):
Again, it's a methodical approach to ensuring that you have security within your organization. You need to focus on your high-risk items first. Good example: Troy Hunt, hack your site first. He mentions that you want to look at how could I hack my site and what would that find for me? You want to utilize documented risk items and verify the stakeholders and then develop a plan to remediate the highest

(17:34):
risk items you possibly can. Document any accepted risk and ensure you have best knowledge around all parties that are there. So again, it's an important part. Look at yourself first. Figure out how, if I was a bad guy or girl trying to hack my site, how would they do it? Make sure you verify the stakeholders, develop a plan to remediate these issues. Again, this is the strategic view.

(17:56):
You, as a security professional, especially if you're in a specific leadership position, need to truly think hard and hard, long and hard about. Now, integrate with your development methodology to achieve the results you want. Again, you need to work with your development team. If you do not have that relationship, you're in your silo. Get out of your silo, go talk to your development team.

(18:17):
You need to integrate with them as much as you possibly can. Now, if they have a leader that's big into security, awesome. You then need to work with that development leader to ensure that everybody's on the same page. Everybody understands what's to be expected. All of that is defined, and, again, you ensure your development team is connected with the remediation strategy.

(18:39):
They may not be aware of the risk. My development team did not understand the risk in cyber. I was therefore the one that had to help educate them on that, and then you need to track and document any remediation processes. This is from an evidentiary perspective. If you are in a highly regulated environment, you've got to document everything. I was talking with another individual, very smart security

(19:00):
individual, but he doesn't. Him and his organization. He's got a very large organization, but they've grown from a small organization to a very large one, a lot of influence. The point is, though, is he doesn't believe that they need to document all of these things, and in many cases, you don't necessarily have to, especially if you're a small organization. However, when you are a big company, you have to document

(19:23):
these things. One, from a couple of different ways. One, you are the person that has the information. Other people need to know it. Two is that the evidence that's out there has proved that. The fact is, you have thought through this. It's not just in your head. You probably thought through it, but it's not in your head, it's on a piece of paper. And then three, I come back to, and this is one that people don't really think about: CYA. Cover your, yeah, cover your

(19:48):
hiney, because the point of it is that, in the event, something goes sideways and they go. The first thing they're going to do is they're going to look at the security leader, because, on the C-suite, if you go in the C-suite, the CIO, CEO, CISO, the CISO is pretty low on the totem pole as it relates to the C-suite. Why? Well, because it has relatively new introduction to the C-suite.

(20:09):
That being said, if all of a sudden you get hacked, fingers are going to start pointing and they're going to start coming right back to you as the senior leader. One, from a regulatory standpoint, you can go to jail. Two is you could lose your job. Three, you probably will lose your job, but most likely you want to avoid the jail thing. People are going to start pointing fingers and so you therefore have to consider how do I CYA?

(20:32):
And that's not just been a bad way of going, well, I want to make sure I'm protected. It's the fact that you have thought through this process. So if it all falls apart and you have thought through all of these different things, it will at least put you in a much better position. Give you an example, and I'm stressing this hard. Give you an example of the fact that I had a situation where a third party tried to hack into some very important documents.

(20:52):
I had put in place all of the security controls, working with a third party, to ensure that this outside entity didn't get this information. Documented everything, said my senior leaders. What happened? Come to find out. The hack tried to occur. The moment, the moment that that hack occurred, my CFO was pointing fingers at me, going what did you do? How did you protect this information?

(21:14):
And guess what? We did everything we were supposed to. We had all the protections in place and you know, at the end of the day, I didn't get fired. Now the bad part is, it's not. They don't get you a pat on the back saying awesome job, you're amazing. No, they didn't do that, they're just like, that's expected. So the point is you better document this stuff and ensure

(21:35):
that you are protecting your company and yourself. Two, plan for risk and communicate with stakeholders. Compete with constant communication with your stakeholders. Stakeholders may or may not be connected with the risk. You're dealing with business leaders. They're probably not connected with the security risk. Just saying the risk could be acceptable, but proper knowledge

(21:55):
is required. What does that mean? It basically means is that they may accept this risk, that they're going okay. Well, I accept the fact that we have this wireless access point sitting in our most critical system on the planet. I'm okay with it. But if they don't truly know the risk behind leaving that out there, then they're just going to go, oh yeah, sounds good. And then at the end of it they're going to come back and they're going to have your head on a guillotine.

(22:17):
So you got to make sure you are covering everything and you ensure that all of this risk is communicated to the correct partners. So again, this is one of the use cases that you can think of. The security is recommended by multi-factor for all users at a specific site. Right, this is what security is recommending.

(22:40):
The development team requires a complex password rotation and a variable history to ensure that the information is best protected. The cost for adding multifactor is high, both in an opportunity cost, time spent doing it, and the overall capital required to implement it, right. So that's a big deal. Now, no financial data is being shared and limited personal information is available. So in this case, the stakeholders are willing to accept the risk with no multi-factor, because they're like, eh, the exposure

(23:03):
is small, not worried about it, costs a lot of money. Don't want to do it in that case. But you've gone through all of those steps. Now the shareholders or the stakeholders understand what their risk is. They're actually accepting. Now, one thing that isn't in this use case is the fact that is there a reputational aspect to it? If it gets pwned, is that going to hit your reputational side

(23:26):
of the house? You got to ask yourself that question too. But again, you as a senior leader, have to communicate this with all of your stakeholders. You're not going to get that anywhere else. I'll tell you that. Risk analysis and mitigation: track the progress and document acceptable risk scenarios. Track with development methodology. You want to document all of the accepted risk scenarios and reevaluate acceptable risk scenarios based on the yearly

(23:47):
basis, at least yearly. You got to have this defined in your policy and standards, what you're going to do. But you want to track the progress and what things you're going to be willing to accept. But they all need to be documented. Why? Because you need to come back and reevaluate them on an annual or semi-annual basis, depending upon your company, and then at the end of this, you rinse and repeat.

(24:08):
You just keep going over and over again, repeat the process with variable agile sprints. Some sprints may require updates and some may allow for acceptance of the risk. So again, risk analysis and mitigation is an important part of all of this. Okay, so risk analysis and mitigation techniques, so we've got a few. We're going to kind of go through and bullet by bullet. So you need to understand the attack surface.

(24:29):
You need to understand all of the entry points into your organization: interfaces, applications, APIs, my favorite. If you've listened to this podcast for any period of time, you will know that APIs, I love and I despise APIs, any sort of dependencies, operating systems, you name it. All of the entry points into your organization. You need to know, minimize and control the attack surface for

(24:50):
better security. Why? Because if you're minimizing who can control that attack surface, who can control these APIs, interfaces and so forth, you now increase the security of your organization. Threat modeling, important factor. You need to really truly identify potential threats and vulnerabilities and then utilize the STRIDE technique which we have talked about in the podcast in numerous ways and on my

(25:12):
training on CISSP Cyber Training. Uh, the STRIDE is how do you anticipate specific weaknesses? And so it's an important part you deal with threat modeling. Go to the section in my content under CISSP Cyber Training, under Threat Modeling, and you'll see the overall goal to STRIDE and how STRIDE works. Really good content out there about that. At CISSP Cyber Training.

(25:33):
Just sign up for the bronze package and get access to all of that. So again, understand your attack surface. Threat modeling is foundational. Secure Software Development Lifecycle, SSDLC. You'll see it called SDLC, SSDLC. At the end of the day, your SDLC, which is your software development lifecycle, needs to incur in. That's not it, incorporate, that's it, better word,

(25:56):
incorporate security into it. But you may see it as SSDLC. Just kind of keep that in the back of your mind that they kind of go synonymous, as long as they're synonymous only if you've incorporated security into your SDLC environment. But in today's world that should be a given. Integrate security into every part of the development stage; it would depend on which way you're doing it.

(26:17):
If you're in agile, however you're doing it, you've incorporated security within your entire software development life. Employ secure design principles and then implement secure coding practices. That's an imperative part and it requires your folks to understand secure coding. Conduct regular code reviews, manual and automated. Ensure that those are done and then perform

(26:37):
security testing throughout the entire process. You want to ensure that you are actually doing security testing throughout all of it, and that's what will allow for you to catch vulnerabilities earlier and easier, when it allows for much more effective and cost-effective fixes. But if you could put this in a CI/CD pipeline and you can automate it, it's a much better process.

(26:59):
It's a more automated process. CI/CD pipelines: go out there and research them, or go to CISSP Cyber Training and you can go through the entire pipeline process.
You can then understand how those work. Now, vulnerability assessment, penetration testing, VAPT, right. These regularly assess software for known vulnerabilities.

(27:19):
They simulate attacks and these can be automated as well. They provide inputs on improving mitigation efforts and then they look for whatever types of security enhancements you may need. But a vulnerability assessment and penetration testing are really good. If you have a vulnerability assessment type of methodology in your environment, you should use it.

(27:40):
You should also, if you have red teamers that are within your environment, that you've created your own maybe red team package, they can go out and do pen testing on various aspects. I still recommend, even if you have red teams within your organization and they are built into your company, that you go out and actually bring in third parties to do a pen test against you on certain applications.

(28:01):
One, you may be required to by regulatory standards, but two, bringing in a third party also gives you a much better perspective of that. Static and dynamic application security testing. We've kind of talked through this in multiple ways, but you have static, and this is code analysis without execution, right, so it's just basically analyzing it specifically, and then DAST, this is actually running the app in a testing

(28:22):
environment. This will help you get a good view of any potential weaknesses you may have in your software, and it also helps identify early coding flaws that you may or may not have within your environment. So when it comes to all of this, each of those is an important part. You need to act on the findings of both types of testing and make changes immediately. Now we talk about, I shouldn't say immediately.

(28:44):
You may not want to, you may want to accept the risk, depending on the situation, but in reality it's nice to have. In most cases, or I should say in the past, developers would actually get this information at the end. Or I should say security folks would get it at the end and say, here's a finished product. What do you think, security? And security goes, well, I find all kinds of holes, and it has to go back to the

(29:05):
beginning of this entire process. Incorporating it in the development lifecycle is an important part of security because now that security is developed at the beginning, you can now, at the end, run into the risk of when you get a product that comes out, it has been thoroughly tested and a lot of the vulnerabilities as known today are removed from the application.

(29:27):
Third-party component security. You need to recognize the security. That's critical. Criticality of libraries and frameworks. Again, libraries are a huge deal. Lots of good stuff in them; could also be lots of bad stuff. So you need to understand the criticality of the libraries that you're using, understand the vulnerabilities and the dependencies with these, and implement a strategy for timely patching and updates.

(29:48):
Again, this is a strategic thought process. You have to go into this, utilize software composition analysis tools, SCA tools. And then another one is configuration management and hardening. You need to secure the software deployment and the configuration of anything you are deploying. Why? Because this is what controls the application. If you don't have good, positive control over your

(30:10):
configuration management, this can be a problem where someone can gain access to it and then cause all kinds of issues with your application. So this is hardening the operating system, the web servers, the databases, and then it also reduces the risk of exploitation through secure configurations. Again, lock it down, tighten it down. A lot of times people don't want to do that because they want to be able to go in and have the ability to configure

(30:32):
things quickly and on the fly. Yeah, so do the hackers like that too, and so you've got to really truly think about this. Before you implement something to make your life easy, you're also making the hacker's life easy. Now, another one is incident response. You need to prepare for security incidents. Despite preventable measures, it's gonna happen.

(30:53):
It's not a matter of if, it's a matter of when, and you need to establish a plan for detecting, responding and recovering. Resiliency is an important part. I've met with plenty of security leaders and they get it, but they have not communicated this on to their senior leaders of why the resiliency piece of this is so important. It's not just backup and recovery, it's resiliency.

(31:14):
You've got to stress resiliency to your senior leaders and explain to them the reasoning behind it, because they get it financially. So now you need to get it financially and communicate to them why the resilience piece is such an important part in the overall financial structure of your organization. Again, you won't get that someplace else. Security awareness training for developers. You need to educate

(31:36):
developers on security best practices. Train them on the OWASP Top 10, ensure secure coding and the importance of security testing. If they've never done it, you're going to have to teach them. If they're outsourced, right, they are, air quotes, offshore someplace else, you need to make sure that they have a good program in place. If you're hiring an offshore asset, you, as a security

(31:56):
professional, need to. One of the questions you need to ask them is, what is your SDLC environment? What is your SSDLC? However you want to slice it, what is it? How do you deal with secure development life cycles? Walk me through the process, and then again you need to go back, if they're third party, and audit them and make sure they're doing exactly what they say they're going to do. You've got to empower your developers to build this secure

(32:18):
software and give them the tools they need, but you also need to set up expectations with senior leaders to know that if they're utilizing secure principles, it could take more time to develop the software that these people want. Again, it's you acting as the communication. You are the conduit between the two organizations. And then the last thing is continuous monitoring and

(32:39):
improvement. You always want to keep your eye on it because the threat landscape is continuously changing, constantly changing. You want to monitor new vulnerabilities and threats at all times and then regularly review and update risk analysis and mitigation strategies based on these threats. So, again, you've got to keep a strong and adaptive security posture when you're dealing with security in the development

(33:01):
space. I cannot stress this enough. I know a lot of folks that take the CISSP. Domain 8 is probably one of their weaker areas because they don't totally get it. Not because they're not smart, it's because they haven't really done it. This is an important part. If you are having developers, you, as a security professional, need to understand the risk mitigation and the security

(33:22):
posture associated with it. Again, imperative that you get this stuff. I mean it, I can't stress it enough. Okay, that's all I have for you today. Head on over to CISSP Cyber Training. You can get access to my free videos that I have that I put out there weekly. Sometimes I fall a little bit behind, but they're out there about weekly. One of the things that you can do is purchase my content from CISSP Cyber Training.

(33:43):
It's the cheapest way you're going to study for your CISSP. I'm just going to be point blank honest. It costs you very little money to get my bronze package. You can get the mentorship. I saw a guy out there online that he's got some mentorship program, did something, got a job in three months and was doing some security, and now he's providing mentorship to people. That's great. You want to follow a guy like that. I can give you mentorship from a CISO, from a security

(34:06):
architect, from all kinds of. I even got a friend of mine that I'm incorporating into this whole mentorship program. That's a pen tester, and we're going to be mentoring and helping people that want to get into security, but also give you more than just, hey, if you go do what I did, you'll be rich. I see some of these arguments out there with guys that are saying if you do what I do, you'll go from making $50,000 to $270,000.

(34:27):
That's bunk. I'm sorry, it's bunk. It's total, something that you might find some rabbit that will do that, but in many, many cases that does not happen. Mentorship is what you need to help guide you in this process. But with the right mentorship, those kinds of aspirations and financial impacts that you would like to have can definitely happen, but it takes a little bit of time and a lot of

(34:49):
dedication. You can do it, but it takes dedication and work. The point of it comes down to is, go to CISSP Cyber Training. I've got mentorship. I've got training again. You're studying for the CISSP. You can go out and spend ten to fifteen thousand dollars, or you can go to my program if you're into self-study, and it can help you with it. That being said, the program isn't for everybody. If you don't like self-study, then this program isn't for you.

(35:11):
If you want someone to walk you through step by step by step and feed you this information over a period of time and answer all your questions, this is not the program for you. This program is specifically designed for people that want to do self-study and are busy professionals that don't have time to go to a self-study program or don't have the funds and financial resources to do so. This will give you all you need to get what you want to pass

(35:33):
the CISSP exam and move on in your career and in your future. A good example about consulting, or about an individual doing mentorship: I talked to an individual from Japan. He's walking me through how he's in the GRC environment and how important it is for him to be into security and what are the things he has to do. That's the kind of mentorship you get with CISSP Cyber

(35:56):
Training. Okay, I know I've gone on a little bit long, but the point of it is, I'm here to help you get your goals and your dreams and incorporate you around the people that are in my network to help you with that as well. Alright, have a wonderful day and we will catch you all on the flip side. See ya.