September 25, 2025 18 mins

Dive into the critical world of software development security with Sean Gerber as he tackles Domain 8.3 in this knowledge-packed CISSP Question Thursday episode. We examine fifteen challenging questions that address the security controls essential for protecting code throughout the development lifecycle.

Discover why static application security testing integrated directly into your CICD pipeline stands as the gold standard for catching vulnerabilities early, and why developer arguments about "unlikely" buffer overflow exploits should never persuade you to leave vulnerabilities unaddressed. The podcast breaks down the crucial difference between partial mitigations and proper vulnerability elimination, providing you with the decision-making framework you'll need both for the CISSP exam and real-world security leadership.

The episode doesn't shy away from controversial topics, including the persistent myth of "security through obscurity" and why it fails as a protection strategy. You'll learn why security code reviews by senior developers remain irreplaceable for identifying business logic vulnerabilities, while generic security checklists prove ineffective against sophisticated threats. For those working with cloud platforms, open-source libraries, or outsourced development, Sean offers targeted guidance on the controls that matter most in each scenario.

Beyond the technical content, Sean shares his passion for helping adoptive families through the nonprofit initiative supported by purchases at CISSPCyberTraining.com. Every training package purchased contributes to providing grants and low-interest loans to families looking to adopt children who need loving homes.

Ready to strengthen your understanding of software security while preparing for your CISSP certification? This episode delivers actionable insights, exam-ready knowledge, and the confidence to tackle Domain 8.3 questions with expertise. Listen now and take another step toward mastering the crucial intersection of development and security that today's organizations desperately need.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2 (00:28):
All right, let's get started. Good morning, Sean Gerber with CISSP Cyber Training. Hope you all are having a wonderful day today. Today is CISSP Question Thursday. Today we're going to be talking about CISSP questions tied to Domain 8.3. And so we're going to focus on the aspects of that today, and you can get all these questions at CISSPCyberTraining.com, along with all the video that goes along with it.

(00:49):
It is all there available, co-located for you, so it's ready for you to use anytime you want. And also know that anything you purchase at CISSPCyberTraining.com goes to charity, as we're looking to deploy and grow our charity for adoptive families. So, again, anything you purchase at CISSP Cyber Training will go to our nonprofit for adoptive families.

(01:12):
I got to put that plug out there. Just do. Well, I hope you all are having a great day and I hope you all are staying cool. I know it's extremely hot out there, especially for the folks down in Texas. It's quite hot right now. A lot of them still don't have power. So I hope you are all doing well and staying safe, because, yeah, that's not good.

(01:32):
Heat sucks. It just truly does. It's not fun. But let's get into question number one. Again, this is over Domain 8.3. Question number one: A company utilizes a continuous integration and continuous delivery pipeline for its software development plan. Which of the following security controls would be most effective in mitigating risks associated with code vulnerabilities?

(01:54):
A: static application security testing integrated into your CI/CD pipeline. B: dynamic application security testing performed during post-deployment. C: code reviews conducted by senior developers before merging the code. Or D: application whitelisting on production servers. And the most effective? Again, what would be the most effective in mitigating the

(02:15):
associated code vulnerabilities would be A, static application security testing integrated into your pipeline. The more you can integrate into your CI/CD pipeline, the much better it's going to be. I've seen very good results out of this. So any way that you can look for vulnerabilities while it's in the CI/CD pipeline, good call, really good call.

(02:37):
Question two: During the code audit, the reviewer discovers a critical buffer overflow vulnerability. The developer argues that the vulnerability is not exploitable because the specific user input size required to trigger it would be highly unlikely to occur in real-world usage. Which of the following is the most appropriate response? Again, the code audit review. Developer says, nah, it's not a

(02:59):
big deal because it's too unlikely that it's going to happen. What should you do? A: accept the developer's explanation and move on. B: implement input validation to prevent the specific user input size. C: refactor the code to eliminate the buffer overflow vulnerability entirely. Or D: conduct a risk assessment to determine the likelihood of the

(03:19):
impact and exploitation. So obviously, B, C and D are all positive. A, yeah, I don't know if I'd move it, accept it or not. You need to understand. Accepting it's not bad, but you also need to have some validation behind it. The answer is C: refactor the code and eliminate the buffer overflow vulnerability entirely. That's what you want to do because it's the most secure approach.

(03:39):
Now you have to talk about it. You may decide, you know what, from a risk standpoint, you would just add a user input size change to that actual field, but in this case the refactor will take care of it completely.
Question three: Your company utilizes a cloud-based software development platform, called a SaaS platform, for building

(03:59):
internal applications. Which of the following is the most important security control to implement and to manage the risks associated with the code stored on this SaaS provider's infrastructure? Okay, so again, you've got cloud software development, you've got a SaaS environment. Which is the most important security control for your environment? A: implement strong access controls within the SaaS

(04:23):
platform for your developers. B: regularly perform penetration testing of the SaaS provider's infrastructure. C: requiring the SaaS provider to obtain a SOC 2 Type 2 compliance report. Or D: utilizing code obfuscation techniques to protect the source code on the platform. So which of these is the most important factor that you could

(04:43):
do, the most important security control you could do? Again, you're going to have to define what is best for you and you have to determine what is the most valuable risk. Obviously, utilizing code obfuscation, D, on that platform would be the ideal, the most secure environment to reduce the most amount of risk, because if the code was stolen they

(05:04):
wouldn't know. The downside is that that has a lot of drama, potentially. So you may have to decide which way you want to go.
Question four: You're tasked with implementing a risk management framework for your software development lifecycle, for your SDLC. Which of the following risk assessment methodologies is most appropriate to identify and prioritize the threats to your code?

(05:24):
So, again, you're tasked with implementing a risk management framework for your software development lifecycle. Which is the most appropriate to identify and prioritize threats to your code? A: failure mode and effects analysis, that's FMEA. B: STRIDE threat modeling. C: OWASP Top 10 web application

(05:49):
security risks. Or D: CVSS, Common Vulnerability Scoring System. So all of those are good, right, but which is the most appropriate to identify and prioritize threats to your code? And OWASP, the Top 10 web application security risks, would be your first place to start. C.

(06:10):
Question five: Your company uses a centralized logging system to record all user activity related to code changes. However, a recent security incident involved an attacker compromising a developer's credentials and modifying the critical code. Which of the following security controls could have most effectively prevented this incident from occurring? So again, centralized logging records all user activity related to code changes; however, a security incident involved an attacker compromising the developer's

(06:33):
credentials and modifying the critical code. What could have been done to most effectively prevent this incident? A: implement multi-factor authentication. B: utilize role-based, or RBAC, for those specific code modules. C: employing code signing and verifying integrity of the code commits. Or D: enabling continuous CI pipelines to automatically

(06:56):
detect and revert malicious code changes. And the answer is A. MFA would be one of the best options you could do in this situation. It would definitely add an extra layer of security and, even though they got access to the credentials, hopefully they would not have access to the person's MFA token.
Question six: Your development team utilizes open source

(07:16):
libraries in their code. Which of the following security controls is the most important to mitigate risk associated with vulnerabilities in these libraries? A: implement a least privilege model for developer access to the code base. B: regularly update all open source libraries to the latest versions. C: perform static application security testing of the entire

(07:38):
code base. Or D: manually review the source code of all utilized open source libraries. Again, your development team utilizes open source libraries in their code. Which of the following security controls is the most important to mitigate the risk associated with these vulnerabilities? And the answer is B: regularly update all open source libraries to the latest

(07:58):
versions.
Question 7: Which of the following security testing methodologies is most effective in identifying vulnerabilities in the business logic of the software application? So which of the following security testing methodologies is most effective in identifying vulnerabilities in the business logic of a software application? A: dynamic application security

(08:22):
testing, DAST, with fuzzing techniques. B: penetration testing focused on exploiting known vulnerabilities. C: static application security testing, SAST, with code analysis capabilities. Or D: security code reviews conducted by senior developers. Okay, so which is the most effective in identifying vulnerabilities in business logic of a software application?

(08:45):
Okay, again, business logic of the software application. Security code reviews conducted by senior developers. D would be the best choice, and the reason is because it's of that business logic. They would have understanding around the business logic and they would be able to understand how the software application conducts itself. But all the other ones are really good. They're all very, very good, but when you're dealing with

(09:07):
business logic, that would be for the actual business. You need somebody with eyes on to understand it.
Question eight: Your company is developing a new mobile application that will store sensitive user data. Which of the following security controls should be prioritized during the design phase to minimize risks associated with data breaches? Again, your new mobile app you're developing with sensitive

(09:28):
user data. What should you do? A: implement strong access controls for user authentication within the app. B: utilize data encryption at rest and in transit for all sensitive user data. Or C: enforce strong password policies on all user accounts. Or D: conduct penetration testing on the completed mobile application. Again, all are very good, but you want to utilize encryption

(09:53):
at rest and in transit for sensitive user data, B. There might be compliance or regulatory requirements that are forcing you down this path as well.
Question nine: You are implementing a vulnerability management program for your software development process. Which of the following activities is the lowest priority when addressing newly identified critical vulnerabilities in your code? So, again, you're implementing a vulnerability management

(10:15):
program for your software development process. Which of the following activities is the lowest priority when addressing a newly identified critical vulnerability in your code? A: immediately notify all relevant stakeholders and developers. B: identify the root cause of the vulnerability and understand its potential impact. C: prioritize the vulnerability based on its severity and

(10:36):
exploitability. Or D: patch the vulnerability in a test environment before deploying to production. Okay, lowest priority: patching the vulnerability in a test environment. Testing is important, but it's because it is a critical patch. You need to get it out there and let everybody know. So again, that is an interesting environment. You just need to kind of think about that. A lot of people will deploy to test and patch it there first,

(10:59):
just to make sure. But if it's that critical you may need just to get it out there and just see what happens.
Question 10: Your company utilizes security information and event management systems, SIEM. Okay, we talk about the SIEM a lot on CISSP Cyber Training. System to aggregate and analyze logs from various security tools. Which of the following is the most important consideration when configuring log retention of a SIEM system? A: maximizing log

(11:23):
storage capacity to retain detailed logs for extended periods. B: balancing log retention needs with storage limitations and regulatory compliance requirements. C: setting up the same log retention period for all security tools integrated with the SIEM. Or D: focusing on real-time analysis of logs and discarding historical data. So the most important consideration when configuring

(11:45):
log retention for a SIEM is B: balancing log retention needs with storage limitations and regulatory compliance requirements. Yeah, because it can get very expensive and your regulatory people may have questions and they may have additional storage requirements that you may not want to do but you have to do.
Question 11: Your company is implementing a DevSecOps approach to integrate

(12:05):
security throughout the software development lifecycle. Which of the following security controls is the most effective for ensuring developers receive timely feedback on potential vulnerabilities in their code? So, again, DevSecOps. They're determining the software development lifecycle. Which of the following is the most effective in ensuring developers receive timely feedback on potential vulnerabilities in their code?

(12:26):
A: security code reviews conducted at the end of the development sprint. B: integrating a static application security testing, SAST, tool into the continuous integration pipeline. Or C: conducting penetration tests on pre-production environments. Or D: providing developers with security awareness training.

(12:47):
Okay, the most effective. Which one is the most effective? Again, all those are good, but the most effective is B: integrating static application testing into your CI/CD pipeline.
Question 12: During a code audit, a reviewer discovers a potential security flaw in a custom authentication mechanism. The developer argues that the flaw is a security through

(13:09):
obscurity technique, which we know works really well, that is not a real vulnerability. Which of the following is the most appropriate response? Okay, so security through obscurity. A: accept the developer's explanation if no known exploits exist in the flaw. B: explain that security through obscurity is not a reliable security control.

(13:29):
C: refactor the authentication mechanism to eliminate any potential security flaw. Or D: conduct a penetration test to determine if the flaw can be exploited. And the most appropriate is, hey, dude, you know what, security through obscurity isn't really that good of a thing to do. It just really isn't, doesn't work. Don't try it, doesn't work. They figure it out, they're smart.

(13:50):
Question 13: Your company plans to outsource the development of a critical software application. Which of the following security controls is most appropriate, or most important, to implement when it's considering a potential vendor? So a company plans to outsource its development of a critical software application, probably not a good idea. I would avoid it. A: require the vendor to provide a SOC 2 Type 1

(14:14):
compliance report. B: conducting a security assessment of the vendor's development environment. C: specifying detailed security requirements in the development contract. Or D: implementing code reviews on all code delivered by the vendor. Okay, the last one, good idea, but that would take way too much work. So, when it comes down to it, what would you do?

(14:34):
Well, if they're going to be developing it for you, you want to do a full security assessment of their development environment, which may include you going on site to understand it. Been there, done that, got the t-shirt. So you may have to do that. Something to consider, especially if they're doing outsourcing of your code. I do not recommend it as much as you possibly can, unless they have a rock solid system that you can audit and that you know you

(14:58):
feel comfortable with, that they will do.
Question 14: Which of the following security best practices is most relevant when designing a software development process that prioritizes secure coding practices? Okay, again, security best practices: which is most relevant when designing software development processes that prioritize secure coding practices?

(15:19):
That's a lot of P's. There's a lot of P's in that question. A: implement the least privilege model for developer access to production environments. B: utilize automated code reviews with static application security testing. C: enforce strong password policies for developer accounts. Or D: provide developers with secure coding training and resources.

(15:39):
Okay, the most relevant is utilize automated code reviews. Again, I talked about it. Utilize them as much as you possibly can because, again, they will help make your life so much easier.
Question 15, the last melon, if you know the movie, for extra credit. Which of the following activities is the least effective approach for identifying and prioritizing

(16:01):
security risks associated with new software? Again, the least effective approach for identifying and prioritizing security risks for new software applications? A: conduct a threat modeling exercise to identify potential attack vectors. B: perform a vulnerability scan on the completed application to identify known vulnerabilities. C: review industry best practices and security

(16:23):
recommendations for similar applications. Or D: utilizing a checklist of generic security controls to identify potential weaknesses. So which one is the least effective? Yeah, you got it. D: checklist of generic security controls to identify potential weaknesses. Yeah, that's great, but it's not going to work so well. Again, up to you. You decide what you want to do. And all right, that's all I've got for you today.

(16:44):
Head on over to CISSPCyberTraining.com. Again, I got some great free materials there. There's awesome free stuff, but there's also, if you purchase, like, my bronze package or any of the other packages, obviously all of that funding goes to our local charity that we're creating. It's a non-profit that's set up specifically for adoptive families, parents who want to adopt children, and they,

(17:06):
financially, are struggling to do so. We are offering an opportunity for them to be able to get a potentially low interest loan or potentially a grant, depending upon the need and the situation. Again, not everybody will be able to qualify, not everybody will qualify, not everybody will get a loan, but the bottom line is it's designed specifically for families that are struggling, that may need a little bit of extra help, to help adoptive

(17:28):
parents and bring kids into loving and caring families. That's the ultimate goal. There's a lot of kids out there that got nothing. They got nothing at all, and having an adoptive family to help them, to grow them, and I've seen this firsthand with my kids, it isn't always rainbows and unicorns and sunshine, it's not, but it is a wonderful opportunity and my kids are

(17:50):
well blessed, and I'm well blessed for the fact that we did this for them. And again, God gave this to us, gave us the opportunity to do it, and it's been a blessing to both of us, to all my kids and to my wife and myself. So if you are interested in some training, you can get it. Again, all of that is going to our nonprofit and we greatly appreciate any and all support for this endeavor.

(18:13):
All right, have a wonderful day, just have a great day, and we will catch you on the flip side. See ya.