Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started. Let's go.
Speaker 2 (00:22):
Cybersecurity knowledge. All right, let's get started. Hey all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is what? Yeah, it's CISSP Question Thursday and we are going to be going over a multitude of questions, actually 15 to be exact, questions that are related to Domain 8.5 of the CISSP.
(00:46):
But before we do, I had a quick article I wanted to bring to your attention. I thought it was very telling and very interesting, especially for you security folks that really want to get into AI and try to understand a little bit around that. This is from Computer World and this is OpenAI's CEO. Was mentioned that some of his people have been trying to be recruited. So Sam Altman, obviously the CEO of OpenAI, has said that
(01:08):
Meta, obviously Facebook, tried to lure OpenAI employees with, air quotes, billion dollar salaries. So for you all that are aspiring to be AI aficionados, you may want to consider being an AI aficionado, because you're talking some serious cash. I mean holy cow, I mean that blows my mind.
(01:30):
But basically, this article from Computer World came out and said that Meta tried to poach employees from AI and Google DeepMind by giving them huge compensation packages, and these compensation packages were like $100 million sign-on bonus, with more than that in annual compensation. So you're talking freaky, crazy money for being the AI gods and
(01:54):
goddesses that they would need to have within their organization. Now, obviously, this isn't going to be the intern that just came out of the local college, at your local JCO, but it is a great understanding of what do they value when it comes to understanding AI and they will throw a lot of money at it.
(02:14):
Sam Altman basically said that a lot of these attempts have failed largely. That doesn't mean they haven't all failed, but the point I'm trying to make in all of this is it's pretty crazy on what you may need for being, what you may be able to get from a compensation package related to AI. So, as we talk about security, one of the things I wanted to just quickly touch on is what does it take to be an AI kind of
(02:37):
person? Now, obviously, we're talking cybersecurity in this space, so, realistically, I'm just going to focus on that aspect of it. So, being a CISSP, obviously you have to have the experience to get some level of experience, or you have to have the experience to be able to get the pass to test, but at the end of the day, you're going to have to have a lot of knowledge around security to really be effective in any sort of AI
(02:59):
cybersecurity role. But one of the other aspects that I think is really important, and I was just kind of curious what out there in the world, what the world thinks of it, is understanding. Obviously, AI and machine learning expertise is a big part of this. So having a good knowledge around AI and machine learning and how it works would be a very valuable tool, and if you have some of that experience and you really enjoy security, then I
(03:22):
would highly recommend that you focus pretty strongly on hitching onto that AI bus and don't let go. But you're really going to need to have some strong cybersecurity knowledge as well, and that's some of the big articles that kind of popped up as I was looking for. This is you can't just be, I'm going to go pass the test and move on. I had one of my students that I have my mentoring that I provide
(03:45):
to my students, and one of my students had mentioned to me that he likes the podcast because of the fact that he can gain knowledge beyond just what the test will give him. And that's what actually one of the huge benefits of this podcast is. It's going to provide you knowledge from industry leaders, and I mean the information you're getting is I'm working with all kinds of very large organizations down to actually
(04:06):
some very small nonprofits, so you're getting a really good broad brush of security. And I'm not telling you that to basically say, because oh, we're an awesome podcast. No, I mean, we are awesome. There's no doubt about that. But the thing I wanted to bring up is the ultimate goal of this is to help you get the knowledge you need to be, one, very successful in your career. Two, well, first off, pass the CISSP.
(04:27):
Then second is to be able to be very successful in your career and provide really good insight and knowledge to the decision makers within your organization, and just trying to help you out there. And this is a really good example around AI, in that, if you take this information, you build upon it and then you start looking for different opportunities within, especially
(04:47):
the AI space, you're going to stumble across things, and one thing you may want to also think about as a security professional is the fact that, guess what? Very few people have it figured out, and I'd be willing to guess that probably 99.9% of the people out there really don't have it figured out, and anybody who tells you they do, they're lying to you, because most people don't.
(05:09):
And we stumble into these things as we go forward, and so it's an important part of your cybersecurity career is that you take this knowledge, you grow on it, you be a consistent and constant learner, and that will take you to places that you may have never even imagined you would be to. So, again, that's a big nugget right there for you all.
(05:30):
If you're listening to this and you want to figure out your career, that is an option for you to really consider, because, especially in these burgeoning areas such as AI, but there's many, many more, I will come back to manufacturing. People don't think it's very sexy at times, but I'll tell you right now there's money to be made there, especially as it relates to critical infrastructure. They don't have high margins, but if you bring to the table,
(05:52):
especially if they've been pwned at any point in time, you bring knowledge to the table. You can command a very strong salary out of that. So, again, some great tidbits, some great nuggets for you to look at from a career standpoint. Great article, again, it's a very quick read, it's about two and a half minutes, but what it comes down to is that AI is here to stay, and I would recommend that, if you don't have some
(06:15):
knowledge in this right now, start getting some basic knowledge so that you can at least talk logically to folks when they start asking you questions, especially as I deal with Nextpeak. We actually have a really strong AI framework, a risk framework that we've built for companies, and it's honestly, I'm really impressed with what we've created there and it's
(06:38):
going to be something that's going to be very helpful and very useful for many companies, especially as you're deploying AI within the overall ecosystem, big $10 word, within your company, and so, again, AI is awesome. We'll see where it goes from here. All right, let's move on to the questions of the day. Okay, as you know, these questions are all on CISSP
(07:00):
Cyber Training. They're all available to you. You just buy a news, go out and you purchase one of the packages I have and you will get them. If you don't want to do that, that's fine as well. You can get these through the podcast, and then I do post some of these on my blog from time to time. So all of this stuff will be available to you in some form or fashion. It just may take a little while for you to see it if you're going down the free version, but it is, it's all available to
(07:20):
you. So, again, CISSP Cyber Training. You can go check out what I have and you can get access to all of these questions. Okay. So question number one. Again, these are over 8.5 of CISSP and we're going to get into question one. It's the development team is refactoring a legacy application that uses XML for data exchanging. To mitigate a risk of
(07:42):
an XXE, XML, basically, external entity attacks, which secure coding practice is most critical to implement. So you got XML and there's basically the risk of an XXE, which is an XML external entity attack. What is the best secure coding practice that is most critical
(08:03):
for you to implement? A, disabling DTDs, that's Delta, Tango, Delta, that's basically called a document type declaration, or external entity processing in the XML parser configuration. B, implementing a client-side input validation on all XML fields. C, utilizing web application firewalls to filter out XML
(08:24):
traffic. D, encoding all special characters within XML content. Okay, so this question you may go, I don't know anything about this. How can I narrow it down? So you both. If you just read this question, you'll know that you're not going to deal with XML at the WAF. You're just not going to deal with it. And then encoding special characters within XML content, that's just not even feasible for something you're trying to
(08:47):
accomplish on this, especially when you're dealing with the most critical thing to do, most critical thing to implement. So you really narrow it down to DTDs and then implementing client-side input validations on all XML fields, which even that would be a challenge, right. So this XXE specifically exploits vulnerabilities in how the XML parser handles external entities.
(09:08):
These are called DTDs, and this is therefore by disabling these or restricting external entity processing. You then have a situation where it helps prevent the parser from processing external entity references. Now the point it comes down to is, if you don't know and you see external entity processing and you don't see it anywhere else, and it's in the question, maybe again, if you don't know,
(09:30):
maybe grab onto that and make that as your best guess. That won't always be the case, but ideally you want to kind of narrow it down, one, to the first two that you feel relatively confident with and then look for little tells that are inside the question that may help you with the actual answer. So that one's a tough one, no question about it.
Question two, a microservices architecture uses RESTful APIs
(09:54):
to communicate between services. Okay so, if you dealt with microservices, that definitely happens. An attacker discovers that by rapidly sending requests to a user's registration endpoint with unique long strings for username and password fields, they can cause a database connection pool to exhaust, leading it from a denial of service. So basically, it's just, it barfs all over itself.
(10:17):
It fails, right. Which API security control would have best prevented this type of attack? Okay so, again it. So again you're DDoSing a situation and they're sending information. In this case it was username, not actually password, that causes the database connection pool to exhaust. Okay so what's going to happen? You're creating a denial of service. A, API gateway with
(10:41):
mutual TLS. B, input validation, limiting string length and character sets for username. C, output encoding on the database response to the application. Or D, centralized logging and monitoring for API calls. So the question is best prevent this type of attack? So you're not going to be able to prevent it through adding TLS,
(11:01):
right, the API connection is going to be there. Output encoding of the database response to the application, not so much is really going to help you a whole lot on that. And then logging, yeah, you're going to know something's happening, but that's about the extent of it. The biggest thing here is what, long strings for usernames, you want to have input validation limiting the string length and the character sets for the username.
(11:21):
Now, an easy way to trick you up on this would be the character sets for the password. Well, if there's no password in the actual question, you may glob onto that. So just kind of keep that in mind.
Question three. During a security audit, it is discovered that an application handles user-uploaded profile pictures by storing them in their original file names on a
(11:43):
web-accessible server. Not good. Without proper sanitization, an attacker successfully uploads a file named malicious script.php that executes on the server. This is primarily an example of what type of vulnerability? Again. So what's happening is it allows uploads of pretty much anything you want, and in this case here malicious script.php
(12:06):
was uploaded. So what type of vulnerability is it dealing with? A, insecure direct object references. B, cross-site scripting. C, unrestricted upload of dangerous file types, or D, server-side request forgery? And the answer is C, unrestricted upload of dangerous file types.
(12:27):
Right, so we've got a dangerous file type known as malicious script.php. So that'd be dangerous. You don't want that to be uploaded. That would be bad. So having the ability to understand, one, it's accessible by the web and then having the ability to scrape that, and understanding that you don't want someone to upload a PHP file that has got, say, malicious script, that would be bad. So you're trying to.
(12:47):
Again, it's trying to help you think and walk through this overall process. If you have to narrow it down, that would be one to narrow it down to.
Question four, a critical banking application performs credit card or credit score checks by directly concatenating a user's provided account number into a SQL query. To securely mitigate the risk of SQL injection, which secure
(13:08):
coding practice is the most robust and recommended approach? So again, you've got credit score checks, you've got account numbers put into SQL and you want to worry. You're worried about a SQL injection. Okay. So the answers: A, implementing a strong web application firewall in front of the application. B, escaping all single quotes in the user-provided input string.
(13:31):
C, applying the principle of least privilege to the database user account. Or D, using prepared statements with parameterized queries. Okay, so that is a lot of stuff, big $10, actually, that's probably a $20 word. So again, a WAF can help to some level, but again, it's not the best approach and it's common, but it's really an
(13:53):
insufficient defense against this type of activity. Prepared statements with parameterized queries are the most robust. It's the best recommended method of preventing a SQL injection. And they do this by, they separate the SQL code from the user-provided data, ensuring that the input that is coming in is not executable code. So, again, prepared statements with parameterized queries.
(14:16):
And so again, it's understandable that you don't want to have some input that you put in and it's got some sort of randomized code that's in there. It will reject that in this situation.
Question five, a software development team adopts a security as code methodology. Which of the following is most likely to be an increased risk or challenge in this new paradigm compared to the
(14:38):
traditional security management plan? Okay, again, a software development team looks at security as code methodology. How is this different than the normal plan? So, A, difficulty in automating security policy enforcement. B, increased potential for human error in manual security configurations. C, introduction of version control and configuration drift
(15:00):
issues for security policies. And then D, reduced visibility into the security posture of the infrastructure. Again. So the question is asking which of the following is most likely to be an increased risk or challenge in this new paradigm of security as code, compared to what they used to basically do in the past? And the answer is C, introduction of version control
(15:22):
and configuration drift issues for security policies. So what is security as code? Right, it's a component of software-defined security, but basically it helps you by managing security policy configurations, controls. All of that is done by code. If you're dealing with any sort of things online or in the cloud, that is how it's all done. It's all done through code. This offers a lot of benefits for automation, consistency,
(15:46):
repeatability. However, it does reduce the challenges, or increases challenges, of managing the code. Specifically, one is version control. Two is configuration drift. That ensures basically that the deployed infrastructure
(16:06):
accurately reflects the policy of the code and doesn't deviate. Testing, obviously, that's another thing is you're testing. You don't have a chance to always do that, and then increased potential for human error in manual configurations. Those are all challenges that are part of this. So, an introduction of version control and configuration drift issues, this could be something you'd have to potentially deal with.
Question six, an API endpoint allows for users to retrieve
(16:29):
their own account details using an account ID parameter of slash API version one, users, question mark, account ID one, two, three. Okay, basically, just what would that API look like? If you enter that in that parameter. And the attacker discovers they can change the account ID to four, five, six and access somebody else's account. Right, so you're 123, but if I put in 456, I now can access
(16:54):
somebody else. This is an example of what? A, cross-site scripting, cross-site request forgery. B, broken authentication. C, server-side request forgery, or D, insecure direct object reference, or otherwise known as IDOR. Okay, so which one is it? You're basically transposing one, two, three into four, five,
(17:15):
six, and now, from being mine was one, two, three, my account, my ID, and now I can get into Bill's at four, five, six. So what is that? That is D, insecure direct object reference. Okay, this occurs when the application exposes a direct reference to an internal implementation object, such as your account, and that would be Sean is one, two, three, but
(17:37):
Bill or Dave or Fred is four, five, six. It does not properly verify the user requesting the object is authorized to access it. So, if you've ever tried that before, you can get into the, the, your web browser, and you can start making changes to it and see what it does. Does it give you back information or does it barf on itself? That is something you'll have to work through, but this would
(17:57):
be a situation where you'd have insecure direct object reference, is where it's giving you information on somebody else without authenticating.
Question seven, when developing security APIs, which standard or framework is primarily focused on enabling secure delegated authorization for web and mobile applications? This allows for limited access to user accounts on a HTTPS or just HTTP device.
(18:21):
So, again, when developing secure APIs, which standard or framework is primarily focused on enabling secure delegated authorization for web and mobile applications? This allows for limited access to user accounts on a HTTP service. Okay, A, OAuth 2.0. B, SAML. C, OpenID Connect or D, WS-Security.
(18:45):
Okay, we had this on a couple podcasts ago. We kind of talked about this a little bit and the answer is A, OAuth 2.0. This we've talked about on CISSP Cyber Training multiple times, but OAuth 2.0 is an industry standard protocol for delegated authorization. It allows users to grant third-party applications limited access to resources on another service, right?
(19:08):
So if you're using Google, it allows that kind of activity and it does this without sharing your credentials directly, right? SAML, which we talked about as well, is primarily for federated authentication using SSO. And then you got OpenID, is an authentication layer built on top of OAuth 2.0, and then you're dealing with what WS-Security deals with.
(19:28):
So bottom line is it is A, OAuth 2.0.
Question eight, an application input validation logic for user comment field correctly filters out common script tags such as bracket script. However, a penetration tester successfully injects malicious code using encoded HTML entry of, yeah, script with a lot of other
(19:50):
stuff in there. Which secure coding practice was likely overlooked? A, whitelist input validation. B, proper output encoding. C, context-aware output encoding or D, implemented content security policies. So bottom line comes down to is that the scenario highlights,
(20:10):
in this case, weaknesses in your blacklist input validation. Right, so you're trying to block known bad characters. So when you're dealing with this, the whitelist input validation is a more secure practice. So this is what was possibly overlooked in this case here. So it explicitly defines and allows only what should be good and safe, such as alphanumeric numbers, a set of HTML tags,
(20:34):
whatever that might be. That is your whitelist input validation.
Question nine, a potential race condition vulnerability is identified in an application where two concurrent threads attempt to update the same customer balance without proper synchronization. Which secure coding standard is most directly violated?
(20:55):
Again, what's a potential race condition? Things running away. Vulnerability is identified in an application where two concurrent threads attempt to update the same customer balance without proper synchronization. Which secure coding standard is most directly violated? A, input validation standards. B, concurrency control standards.
(21:18):
C, secure error handling standards or D, output encoding standards. So if you don't really know, you're like, I don't know, could be input validation. Yeah, I would probably head to that. Let's do that, right. Well, that would be wrong. So the answer is B, concurrency control standards, and concurrency control standards, you'd want to kind of look at concurrent threads. If you don't
(21:39):
know, up in the question that might give you a hint, might kind of guide you down this path. But a race condition will typically arise when you have concurrent program environments are trying the timing. They're trying to interleave operations with different threads. You see this happen with your clouds, or your Word that's connecting with multiple people. They're all accessing at the same time. When you have people concurrently getting access to
(22:00):
it, it can potentially have issues, and so therefore, this is what this vulnerability is talking about, is that it allows for a race condition. They're getting ahead of itself, it's working faster than it should and it's causing issues between the concurrent connections between the two. So concurrency control standards is the answer.
(22:21):
Question 10, a modern CI/CD pipeline leverages infrastructure as code or IaC to provision cloud environments. To ensure security is embedded into these automated deployments, which of the following is the most effective secure deployment practice, or I should say, development practice? Again, question 10 is a modern CI/CD pipeline, which is your
(22:42):
continuous integration, continuous delivery pipelines. They will leverage infrastructure as code. So again, that's what is happening here, it's provisioning to a cloud environment and you want to ensure the security is embedded in these automated deployments. Which of the following is the most effective secure deployment practices? A, manual security review of the deployed
(23:02):
infrastructure after provisioning. B, running static analysis security testing tools or SAST tools against the IaC or infrastructure as code templates. C, implementing dynamic application security testing against running applications. Or D, relying solely on cloud providers' built-in security features. So we're trying to evaluate this infrastructure as code and
(23:26):
what is the most effective way of looking at automated deployments. We talked about this a few times back on CISSP Cyber Training and you would want to use a static analysis security testing or SAST tool against the templates themselves. Again, your dynamic aspects of it is when it's being already deployed. You're just trying to understand, are there issues in
(23:46):
it right now? So the most effective way to secure the development practice is SAST, because it usually happens before you even think about doing DAST, and so you'd look at all of your text files and your templates just like an application code. You'd want to make sure they don't have any vulnerabilities, and these SAST tools will analyze these templates before they actually deploy. So it's an important part of that.
(24:07):
Question 11. When designing RESTful APIs, an architect specifies that all client requests must include a unique short-lived token generated by a trusted identity provider, used only for authentication. It's a good architect, good job. This design choice primarily helps mitigate which API-specific security concern?
(24:29):
Now, if you listen to CISSP Cyber Training, you know I love APIs. APIs are amazing, but they can be fraught with danger. So the RESTful API, the architect specifies all client requests must include a unique short-lived token generated by a trusted identity provider. That's a good thing. So the design choice primarily helps to mitigate which security
(24:50):
concern? A, insecure direct object references, which we've talked about, and you know that's not it. B, excessive data exposure. C, resource exhaustion or D, replay attacks. So the answer is D, right, a short-lived token that is used only once. Right, a very short expiration date is typically referred to as
(25:12):
a nonce, N-O-N-C-E. Unless you're in the banking industry, you have a tranche, and a tranche is a French trench. No, it's not, I'm joking, but I still love that. It's so cool. A tranche, no, a nonce. A nonce is a token with limited validity. Basically, it doesn't last very long. That's the ultimate point and this helps mitigate the replay
(25:36):
attack. Right? So someone intercepts a token. It's single use, they try to use the API and because that token is single use, they got nowhere. They're dead, nothing happening. So again, that's what would help avoid a replay attack.
Question 12, a security requirement states that critical applications code must undergo independent peer review by security-trained developers before going to deployment.
(25:56):
That's good, very good statement. This practice primarily addresses security weaknesses related to what? Again, security requirement, which you all should be working to build, critical application code must undergo independent peer review by security-trained developers before deployment. Which practice primarily addresses this security weakness? A, lack of automated security tools.
(26:18):
B, inadequate vulnerability disclosure process. C, logic flaws and complex coding errors. Or D, insufficient threat intelligence integration. Okay, so this practice addresses what concern or what security weaknesses? Logic flaws and complex coding errors. Again, having another set of eyes that is not part of the process will help find some of these issues.
(26:40):
They don't find them all, but if you are in the development space and you've been working on some sort of project, you kind of go blind to where some of the areas are at. Give it to an independent third party and they can look at your security and they can look at how it's coded and therefore give you options on what to do.
Question 13, in a software-defined security environment or SDS, where security policies are managed as code in a Git repository, which of the following is the most critical
(27:01):
secure development practice to prevent unauthorized or malicious policy changes from being deployed? So again, you got people that are using Git and you're basically utilizing secure development practices. What do you want to do to help keep that from happening?
(27:24):
So what do you do? A, implement a strict rate limiting on API calls to the SDS controller. Okay, so it's limiting what can go, what APIs can go to it. B, mandating multi-factor authentication for user login to the application. Well, APIs don't always use some sort of multi-factor. C, enforcing pull request reviews and approval workflows before merging policy code.
(27:46):
Okay, that has merit. And then D, regularly scanning deployed cloud resources for misconfigurations. Okay, the most critical secure development practice would be C. Now when you're dealing with pull requests, so it's enforcing pull requests, reviews and approval workflows before merging any policy code.
(28:07):
What does that specifically mean? Well, you have stuff that's in Git and you're going to merge these different branches together. Well, before they can be merged together, and maybe you're using API to do this, you want to make sure that there's an approval process saying, okay, it's automated, but before it happens, I've got a mash on the button saying I agree. So there's a lot of benefit of doing that.
(28:28):
Now, the downside, obviously, is it adds time and it adds complexity and bureaucracy. So you need to really consider how you want to go forward with it. I think it's a great idea from a coding standpoint and it does allow oversight into what you're doing, especially when some of these things you're dealing with critical infrastructure, like chemicals, where it'll eat your face off, or you're dealing with
Question 14, a financial application processes customer requests concurrently. A vulnerability is identified where, due to imprecise timing of multiple threads, oh, we've heard this before, accessing a shared variable, the customer's account balance could be incorrectly updated.
(29:09):
Oh, that would be bad, especially if it goes to the good. That would be, you'd think that would be good, but then when they start clawing back their money, that's not good. This scenario describes a classic: A, time of check to time of use vulnerability, or T-O-C-T-O-U. B, a broken authentication. C, server-side request forgery or D, XML
(29:32):
external entity attack or XXE. So again, the process is it looks like you have some timing issues. So if you've got timing issues, what could that be? Well, I don't know anything else that's on this page. So, time of check and time of use, let's go with that. That would be the logical point if you do not actually know what any of these mean. So what it comes down to is this is an example of time of
(29:54):
check, time of use vulnerability, which basically is a specific race condition and occurs when the system checks for the state of the resource, which we kind of talked about earlier. Based on that, it performs an action, which is your time of use. But if the state of the resource changes between the check and the use, this could have an imbalance and this could
(30:14):
cause issues. So you want to try to avoid that at all costs, especially if there's a vulnerability around that.
Question 15, the last melon, when designing API endpoints that handle sensitive customer data, what is the most critical secure coding guideline to follow regarding the data returned in API responses? Again, when designing API endpoints that handle sensitive
(30:37):
customer data, important, what is the most critical secure coding guideline to follow regarding the data's return in the API responses? A, always return all variable data for convenience, as long as it's encrypted. Convenience always gets you. B, ensure all sensitive fields are masked or redacted by
(30:58):
default, returning only the necessary information. That sounds positive. B, rely on client-side, I should say C, rely on client-side filtering to display only relevant data to the user. Okay, that could be, but it's still out there and still available. D, implement strict rate limiting on API responses to prevent data exfiltration.
(31:19):
The answer is B, ensuring all sensitive data fields are marked or masked or redacted by default, again, only providing the information necessary for the request. And again, this aligns with the principle of excessive data exposure, which is part of OWASP's top 10 API security risks.
(31:39):
You want to understand all of those before you're going out and going forward. APIs, again, they're awesome, but they do have some challenges.
Okay, that is all I have for you today at CISSP Cyber Training. Head on over to CISSP. Get some free content. You'll love it. Check out what some of the people have said on the podcast. If you listen to the podcast, please leave a review.
(32:01):
Let me know. Is it good, bad, ugly? What do you think? I got a lot of positive. I've also got a couple of negative, which is great. I think that I appreciate the negative to give me some more feedback on some things that we can change for you, man. We've made some changes based on that feedback. But go to CISSP Cyber Training. Get access to all my free content. There's a lot of it out there. Also, go to access to my paid content.
(32:22):
There's even more of it out there, and all of that is available to you to help you pass the CISSP exam. What do we say? The first time. If not, that's okay. We're here for the second and third if you need to, but let us focus on the first time, all right? Again, thanks for everything and thank you so much for listening to this podcast, and we will
(32:45):
catch you all on the flip side, see you. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360
(33:08):
free CISSP questions to help you in your CISSP journey. Thanks again for listening.