
October 30, 2025 39 mins


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Quantum threats aren’t waiting politely on the horizon, and neither should we. We kick off with Signal’s bold move to deploy post-quantum encryption, unpacking the “belt and suspenders” approach that blends classical cryptography with quantum-resistant algorithms. No jargon traps—just clear takeaways on why this matters for privacy, resilience, and the pressure it puts on other messaging platforms to evolve. We point you to smart reads from Ars Technica and Bruce Schneier that make the technical guts approachable and actionable.

From there, we switch gears into a focused CISSP Domain 8 walkthrough: how to weave security into every phase of the software development lifecycle. We talk practical integration across waterfall, agile, and DevOps; show why change management, continuous monitoring, and application-aware incident response are non-negotiable; and explain how maturity models like CMMI and BSIMM help teams move from reactive to repeatable. We also break down the developer’s toolbox—secure language choices, vetted libraries with SCA, hardened runtimes, and IDE plugins that surface issues in real time—so teams can ship faster without trading away safety.

Speed meets rigor in the CI/CD pipeline, where shift-left security comes alive with SAST, DAST, and SOAR-driven checks. We cover repository hygiene, secret scanning, and how to measure effectiveness with audit trails and risk analysis that map code issues to business impact. You’ll get a clear view of third-party risk across COTS and open source, the shared responsibility model for SaaS, PaaS, and IaaS, and the daily practices that keep APIs from leaking data: least privilege, strict authorization, input validation, and rate limiting. We close with software-defined security—policies as code—bringing consistency, versioning, and automation to your defenses. Subscribe, share with a teammate who owns your pipeline, and leave a review to tell us the next Domain 8 topic you want us to deep-dive.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
CISP sniper screen screen and CISP Hi my name is Sean Gerber the information you need.
CISP and roll your cyber checker in the way.

SPEAKER_01 (00:25):
Good morning, everybody.
It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today.
Today is CISSP question Thursday.
But today we are going to finish up our rapid review domain or exam prep for domain eight.
Yes, the final one, the final melon, the final one we're gonna

(00:45):
go after is domain eight, and this is of the CISSP rapid review provided to you by CISSP Cyber Training.
You can get all of that at CISSP Cyber Training.
Okay, but before we do, before we get started on that, wanted to talk about an article that I saw in the news today, which was awesome.
It's actually super good.
I mean, if you guys use any sort of encryption, this is a

(01:08):
great thing.
And uh this is from SI basically Ars Technica, and it's about some post-quantum encryption that Signal is going to deploy, or is in the process of deploying.
Now, I'm not going to try to elaborate on this more than my little pea brain can provide you because it's pretty in-depth, and I highly recommend that you go and you read it.

(01:28):
It makes sense when you read it, but if I tried to explain it to you, I would probably butcher it, and somebody would, when my audience would go, uh yeah, dude, you're wrong.
Uh no, so I'm not even going to attempt to do that.
However, I'm going to bring you out some of the big buckets, some of the big things for you to take away from this so that you have a good plan and understanding of what this article is about.
So it's in Ars Technica.
I will warn you that there is all kinds of advertising that

(01:51):
will drive your mind or numb, and uh there's so much flickering lights that you may actually may go into a spasm.
But that being aside, um, the ultimate point of this is that they're talking about the fact that we know encryption at this point is breakable.
With the quantum computers that are coming out, it's close to being to a point where at least in the lower level of encryption

(02:12):
is crackable through quantum computing.
It hasn't been able to get up to the 256 and so forth, but the higher numbers, but at this point, the US government, through the National Institute of Tech Technologies, uh, Standard and Technologies, has recommended that you will look at some sort of post-encryption capability for your tools.
Well, Signal has done that.

(02:33):
And what they did was is they they added I'm not just gonna quickly brush over some of the key points here, but there's a double ratchet and then there's a triple ratchet.
And what they really basically did was they added, they blended both of these products, old school crypto and new school crypto, and they created this third ratchet.
And it has the ability to run with that capability, with both

(02:57):
the algorithms working together, as well as if one of the algorithms breaks, it can operate and degrade or go to a lower level.
So it's not it can actually still operate if the uh higher algorithm works and the lower algor one of the lower algorithms does not work.
So it's got a good way to mix all of that together.
And they call it the Belt and Suspenders approach.

(03:18):
Uh, but bottom line is that they are working with PQShield, AIST Japan, and New York University to be able to get all of this done and publicly uh disclosed for everybody so you can actually see what they're doing.
So now why is this such a big deal?
Um, it's one of the first large-scale real-world messaging

(03:38):
systems, obviously, if you use Signal, uh, that is quantum safe encryption.
That is true.
So you don't have the the Metas of the world and you don't have the the Apples of the world.
Those are all there, right?
They're fine, then people use them, but it's not quantum safe encryption.
And Signal has always set themselves apart by kind of pushing the envelope in this space.
And I I moved off of um my Apple type of uh texting for my normal

(04:05):
business activities because I just didn't like the, well, didn't like the way it felt and the the aspect around the encryption piece of this.
And now that Signal is moving, I'm gonna begin moving my family over to Signal, at least the ones that I care most about, because I really do feel that this is a really great move, a super great move.
Um, it does help keep the the regular classical machinery in

(04:26):
place, like the the double ratchet that they have, but they also layer the quantum uh resistance algorithms on top of it.
So it does, it works really good for the old school and the new school, supposedly.
I have yet to test it.
So I'm just giving you what the article is talking about here.
Now, one of the big aspects that they say is that obviously we have to, as a as a group, as security professionals, we need

(04:50):
to make sure that we are pushing this type of activity out to our vendors.
We need to push them on them to say, you need to up your game when it comes to encryption.
We as enterprise architects and and as CISOs and as security professionals for various companies need to demand that one from external vendors, but two also from our internal staff

(05:10):
and not just say, okay, well, we've protected our outer donut.
You know, we're everything's good and hardened on the outside, but once you get on the inside, it's soft and gooey.
We need to make sure that the areas inside that need this kind of layered protection are getting the encryption they need to be able to protect the data transfers between points inside the network.
So again, it's a double-edged sword here.

(05:32):
It's really important that we do this.
It's gonna take some time and energy, but now that the fact that uh Signal has done this, it's only gonna you're only gonna get more pressure on the other messaging platforms that are out there.
WhatsApp, uh when you're dealing with Apple, you're dealing with Google, all of those are gonna all start getting more pressure to incorporate this level of security within their tools as

(05:55):
well.
So it's super good.
I love it.
It's a great, great concept, a great article.
I would definitely recommend reading it.
Just take some time and go through it and give yourself a little bit of extra time doing this.
Um, the other thing you want to may want to read is an article from um Schneer.
I can never say his name.
Schneier.
Uh, this is another one where he's kind of goes through it a

(06:17):
little bit more in depth.
I really like him.
He breaks down crypto in a way that makes much more sense to people like myself that's got a third grade education.
Uh, so it's it's really good.
And um, so I would recommend you read his article, then from there, he's got some links into the Ars Technica article as well.
So good place, good place to start.
But let's get started about what we're gonna talk about today.

(06:40):
Okay, this is CISSP Rapid Review Exam Prep Domain Eight, Software Development Security.
Okay, so these are the question questions per domain breakdown, like we've talked about so many other times.
But this is domain eight.
There's about 11% of the CISSP questions that are available on that test.

(07:00):
Now, like we've talked about, this is computer-aided testing, and so it's going to uh work with you.
And if you make start making mistakes, it's going to start adding more questions that are harder onto you.
But about 11% of the overall question bank is considered part of the software development security.
Now, I will tell you that this is probably one of the areas that people struggle with most in the CISSP exam.

(07:23):
And the reason is because they just don't deal with it.
And they just don't, they don't really deal with it on a daily basis.
Now, this is obviously isn't everybody.
There's many people out there that deal with software development routinely, but as an overall whole, it is probably one of the least known areas of the security space.
And that is actually changing dramatically because as we see

(07:44):
all of this software development that's occurring now, everything is running on some sort of application.
That is even more important that you understand software development.
Uh, and looking back at myself in a previous life, as a CISO, I didn't have really much background in software development.
So I went to my CIO and said, hey, there was a software

(08:04):
development team that was in our multinational that we had, and it was global, and they were dealing with all kinds of fun stuff.
I said, I want to take those guys on.
I want to lead them, I want them to be part of my team, and it was done for two specific reasons.
One, they needed a leader, so I wanted to show that I could help lead this group.
Two, they didn't, I didn't understand software development.

(08:26):
And since I didn't understand software development, I wanted to have an opportunity to learn how to grow my knowledge in software development and be able to pass on security to them.
So that was the purpose of around me doing this with my the development team that I worked with.
Now, that being said, it was a great opportunity and I loved it, and I learned a lot from it, and I also learned what I didn't

(08:47):
really truly know.
And since then I've learned to grow that knowledge.
However, my knowledge is very small in relation to many others, and so I would highly recommend that you go out and you get as much knowledge around the software development side as you can, especially before you go and take the CISSP, because there will be questions on it, and if you're not prepared for those, they will bite you pretty hard.
But before we get into what we're gonna talk about today, I

(09:09):
wanted to throw out my free resources and paid resources at CISSP Cyber Training.
So there are the free resources.
I have got tons of information out there for you.
I've got a three to five month study plan.
I've got questions, over 360 questions that are available to you.
All of the rapid review content is there.
You can get access to my blog.
Everything is accessible through CISSP Cyber Training.

(09:32):
Great, great content out there and available for you.
If you need a little extra help and you want a bit more of uh hand holding and a bit more knowledge and depth, then you want to look at my paid resources.
And again, I've got over 50 hours of video covering all the CISSP content, over 1,500 CISSP questions.
I've got a 250 question quiz that is at you'll get at the end

(09:56):
of your training, uh curated audio and video content.
I got deep dive topics, all of those that are available to you.
If you're needing virtual CISO, any sort of IT leadership or consulting, I have that through my through my partners that I work with that can help you from red teaming all the way up to virtual CISO to in SOC implementations.
So everything is there, it's available to you at CISSP Cyber

(10:19):
Training.
So go check it out, go sign up for my free content.
It does not cost you anything, and there's a lot of free stuff out there that I guarantee you will help you with your CISSP.
And even if you're not taking your CISSP, it will help you in your cybersecurity training knowledge as you build this within your own organization.
Okay, so let's start with domain 8.1.

(10:41):
So this is 8.1, and we're gonna understand and integrate security in the software development lifecycle.
Now, like we've talked about this about life cycles throughout these rapid reviews and throughout the CISSP training, they are an important part, and that's basically from birth to death.
The ultimate point is you want to have some sort of development plan on how you're gonna birth something and then how you're

(11:03):
going to put it in the ground.
And this is an important part when you're dealing with development methodologies as well.
So you need to understand the various software development approaches, obviously, waterfall, agile, DevOps, all of those you need to understand while integrating your security activities into each phase of this chosen methodology.
So, what methodology you want, waterfall, agile, whatever it

(11:24):
might be, you want to then incorporate security activities into these.
Now, one thing you need to avoid is do not do where some people are kind of gravitating toward I'm seeing at least, is they'll implement security within these methodologies, within these frameworks.
And what ends up happening is they just set it and forget it.
And they don't actually then tweak the security implementations here, and it can then cause more drama down the

(11:47):
road.
So you're gonna have to, it isn't something you just throw in place and move on to the next topic.
You need to put it in and you need to have some care and feeding with it.
Now, there's maturity models that go along with this.
These frameworks are used to assess and improve the maturity of your organization's software development security processes.
And you as you start off, you're not gonna be very mature.
You're barely gonna be able to walk.
But as you get better walking, then you'll get to running, and

(12:09):
then you'll get to sprinting, and that's the whole point of it.
Now, there's examples would be the CMMI, which is your Capability Maturity Model Integration, or BSIMM.
This is your Building Security In Maturity Model.
These are different examples that are part of the maturity models for uh DevOps.
Now, you need to ensure that the ongoing security in the software is deployed, or after you deploy it, you need to make sure you

(12:32):
maintain it and keep it up and going.
This includes activities like continuous monitoring, incident response for application-specific issues, and performance management.
So the the whole once you put these, it's like everything else, you put the tools in place, you do have to continue the care and feeding, the monitoring of it.
You need to make sure you have incident response in place in

(12:52):
the event that something bad happens.
You can respond to it.
Uh, if you're a fully set up software development shot shop, your incident response needs to mirror how that would work.
If you have on-prem, you're in a hybrid model or on-prem and cloud, how does that work?
Do you have third parties involved that are doing your development work and then how do you report to them and to give

(13:13):
them notification that something's occurred?
And then on the flip side, how do you then notify your regulators that something has occurred and your customers?
So all of that has to be done and created for your organization to be successful in this SDLC.
You also have to have change management, which we've mentioned over and time again, is that you have to have a

(13:33):
formal process that's implemented to control and track all modifications to your software.
And this is this can be done through tools, um, this can be done through even spreadsheets, but you need to have a way to track what modifications have you done to it.
Because there's one, you're going to get audited.
Two, if something goes sideways, you have the ability to go back and look at what happened with it.

(13:54):
What did you do?
What changes did you implement?
So you really need to make sure that that is a formalized process.
Do not do this off the hip.
You need to make sure that no matter if you start off and you say, hey, we're starting our brand new development team, begin this process with understanding your change management to begin with.
Do not just go, well, hey, we're gonna start making some stuff

(14:17):
and we'll just kind of throw stuff on the wall and see how it works.
Yeah, that getting things started and doing that is is fine.
I say that out of both sides of my mouth, because you want to show some sort of work.
However, if you're doing that, you need to make sure that you at least have some sort of documented change management.
Even if it is just a spreadsheet, what did you do and how did you do it and why did you do it?
You need to ensure that security impact assessments are performed

(14:39):
for every change.
So this is something where, depending upon the location of where it's at, especially in software development, you need to understand the security assessment that may go into that.
And do you it could be a very large change or a security assessment that you feel you need to do, or it could be just a couple questions that you need to ask yourself.
So you need to understand what would that security impact

(14:59):
assessment look like.
Work with your CISO if you're a developer.
If you are the developer and the CISO and the security guy and the analyst and the engineer, then just kind of think about what are some questions that you should ask yourself about before you deploy anything like this.
The other thing to consider is that at some point, if you are just that one person or two people, you're gonna grow at

(15:20):
some point, hopefully.
So if you do that, you want to at least put some of these processes in place now.
So that way when the team comes on, they understand what they're doing.
Integrated product teams is IPTs, these are multiple distant multiple multiple.
Yeah, they're a bunch of people that can know how to do stuff.
They have lots of disciplines, right?
They're a team that's responsible for the entire life

(15:40):
cycle of the product system.
So we would have product teams, and these product teams would come in and you'd have a person from HR, you'd have a person from finance, you'd have a person from whatever, and they'd all be part of this integrated team.
So when you're deploying this product, they have insight into what they want it to be.
Now there's user acceptance training or testing that occurs at the end, and if the user that is going to be accepting it is

(16:04):
HR, then you'd always just work with them.
But in so many cases, when you're dealing with applications that are touching HR, legal compliance, um, you know, production, operations, all of those, you'll want people from each of those sections in the development process, at least in some form or fashion.
The reason is because if they've got it, if they got any skin in

(16:24):
the game, if they have any sort of insight, that would be the time for them to tell you that, hey, no, don't do that, because if you do that, it will cause an impact over here.
That's why these integrated product teams are really important.
Uh, and again, but they do add a lot of headaches because it's a lot of opportunity cost to bring all these people together to be able to go over these types of development changes.

(16:46):
So use them sparingly, use them wisely, but they are extremely valuable, especially if your applications do touch multiple areas.
So this would include security professionals working alongside developers, operations, business stakeholders, all of them, so that security is embedded in the start.
And it also is very helpful for the operations folks so that

(17:09):
they understand what is security.
Why should I be concerned?
So often my operations teams wouldn't understand security.
And so what would they do?
They would then ask me questions or they would just ignore us because they're like, that's a security guy.
It's the geek sitting in the corner.
Um, that you need to make sure that everybody is engaged and involved.
Now, this will take leadership from the top down.

(17:30):
I mean the CEO down is going to have to be the one that's going to help to help direct this because in many cases the the minions won't want to do it because it's just added time.
It's more time and more energy for them.
Okay, domain 8.2.
Identify and apply security controls in the development environments.
So programming languages.
The choice choice of a programming language can impact

(17:51):
security substantially.
Some languages do offer more memory safety or built-in security features than others.
And so understanding language-specific vulnerabilities and secure coding patterns is crucial.
So, what does this mean?
If you're already developing in C, which is really old, but let's say you're doing that, you will have to work through some

(18:12):
of the security challenges that may go along with that.
And you say, I've been working this for years.
We cannot migrate anybody off of C.
We're stuck with it.
Well, then that's a different conversation versus going, we're Greenfield, let's get started.
We can do all of this immediately.
So those are different types of conversations that you may have to have.
You need to understand the languages being used.
And understanding language-specific

(18:33):
vulnerabilities and secure coding patterns is an important part because you, if you know the vulnerabilities out there, you can then head off any sort of questions that your development team may have.
And it helps them to understand how should they do secure coding from the beginning.
Now, libraries, these are reusable, not reusable, reusable

(18:53):
blocks of code that provide specific functionality.
And you'll see this where there's just a repository that are all sitting there with different types of capabilities in these libraries, and you can pull from these libraries to put that in your code.
The thing is with this is that there's code libraries you've created, and then there's open source libraries that were created by the masses.
The problem is that if you grab open source libraries, they can

(19:16):
be very, very valuable.
They also can be very buggy.
They also can have lots of issues with them, potentially malware.
So you need to keep that in your back of your mind as you're moving this forward.
You also must be very carefully vetting on any known vulnerabilities that could be potentially out there.
There's software composition analysis tools or SCA tools, and

(19:36):
they can help work through your libraries to determine if you have some sort of vulnerabilities that might be associated with those.
Tool sets, you need a collection of software tools used by developers.
This is obviously your compilers, your debuggers, any sort of automation tools that are out there.
These must be secured and configured to support secure development practices.
We had user acceptance training testing tools, and these user

(19:58):
acceptance tools would automatically do push buttons, they would automatically run the code, but you want to make sure that those are actually secure as well.
Because if you run some sort of development code in there, it depending upon where your development area is at, if it's in, if you're just testing on production, uh these tools could actually cause substantial challenges to your organization.

(20:20):
Not that you would actually do that.
Testing on production is not a good idea.
I would highly dissuade you from doing that, but it has happened and I do see people doing it.
They're like, well, let's just give it a shot and see what happens.
Don't do that.
Uh integrated development environment or IDE.
This is where software applications that provide comprehensive facilities to computer programmers for

(20:41):
software development.
That's lots of big words.
It's basically an area that they can operate in and that the computer programmers can play in to create their product.
It's an IDE.
They can integrate security plugins such as SAST tools, uh, linters, and also to provide real-time security feedback for your developers.
So an integrated development environment is an area set up specifically for them to develop their tools and for them to

(21:02):
develop their programs and have them available to test and to run.
Runtime.
This is the environment in which the program actually executes, right?
So and you secure the runtime environment basically through container security, virtual machine hardening, et cetera.
Those are different ways you can do it.
And it's critical to prevent code execution and vulnerabilities.

(21:23):
So you it's an area that's like a sandbox where you would operate and run your virtual code in a virtual machine or a virtual type environment.
And then that is what you typically in a test type environment.
Once you do all of that and everything looks good, then you would migrate that out of test uh into production.
So it's like lab, test, production.

(21:44):
It's usually the typical environments that people are operating out of.
Now you have continuous integration and continuous delivery, CI/CD.
So continuous integration, this is where you automatically, automatically uh merges code changes into a central repository, followed by automated builds and tests.
So in the past, you would build it, you then would test it, you

(22:05):
would then uh make two tweaks to it, put roll it back through the cycle, and then you would build it, you would modify it, throw it and build, roll it and test, and you just keep reiterating on this.
That was very manually, very time consuming.
Now it does this where it merges it all together and puts it in a one big format for you.
It's pretty amazing.
CD is the automation of delivery of these validated code

(22:28):
to production environments.
So you can have it set up, we we did at least, where once we dated out a test and everything was good, it automatically would push to production.
Once someone agreed, all the tests ran, no vulnerabilities, no issues.
They just smash a button and then it deploys to production.
And it was pretty awesome.
It worked really, really well.

(22:49):
Uh, the first days we did this before we got into a CI/CD pipeline, it was laborious.
It was painful.
It was like, okay, now we move one step.
Ready, push the button, good.
Everything good now?
Yeah, everything's good.
Okay, now we move to the second step.
Okay, push the button, yep, good.
So you can see it's just very very painful.
So the point was is that we you can now mash a button, it runs

(23:12):
it through test, comes back and says, any issues?
Nope, no issues.
Okay, push the button, we're into production.
Awesome.
It worked really, really well.
Security is now shifted left by integrating automated security testing such as SAST, DAST, and SCA into the pipeline.
And now the pipeline has security testing in it.
So you can actually put your code in there and you can have the security tools will come out and flag saying, Hey, the way

(23:35):
you have this coded is going to allow for a cross-site scripting attack, or it's going to allow for uh whatever.
You can add JavaScript to this line.
So it's going to tell you that before you even do it.
So it's pretty doggone cool.
Security orchestration, automation, and response.
SOAR.
So now SOAR, you can do this within the development space as well as your security operations center.

(23:57):
Now it automates security workflows and tasks.
It often responds to security alerts.
SOAR, if you can correct it, correctly connect it and do it well, it can save your people a lot of time.
The challenge is you got to set it up right and do it well.
It can be used to automate security checks within the CI/CD pipeline or to respond to application security incidents.

(24:18):
So again, it's a SOAR tool, works great in the development space as well as in other areas where you might need some level of orchestration and automation and response, i.e. the SOC.
Software Configuration Management, SCM.
This manages and controls changes to software, including source code, documentation, and configurations.

(24:38):
So like SCCM, it's very similar.
It manages the controls and changes.
It ensures integrity, traceability, version control, and all on all the software assets.
Again, really great tool, really great capabilities.
Your code repositories, this is a centralized system for storing and managing all your source code, such as Git, SVN.
It must be secure with strong access controls and

(25:00):
vulnerability scanning and secret detection.
Secret detection is a big factor where you're using your repository and now you have people that are putting passwords within their code to make their code run.
Well, you need some level of secret detection within that repository to make sure that people are not doing that.
So that's an important piece of this as well.
You need to really consider that.

(25:21):
Application security testing, this is where you can get into static and dynamic testing.
The static testing, this analyzes your source code, your bytecode, or your binary for security vulnerabilities without executing the actual code.
Air quotes white box testing.
So this is SAST.
This is what you call your static application security testing.

(25:41):
DAST, which is your dynamic application security testing, this analyzes the running application from the outside, such as what an attacker would do to find vulnerabilities.
This is air quotes black box testing.
So each of these are essential for identifying security flaws throughout the entire development process.
You really need to utilize SAST at a minimum.

(26:02):
If you're not doing anything else and you don't have a DAST or you don't have a SAST, start with SAST.
Get SAST in place within your organization.
Once it's running and you get at least gets those initial vulnerabilities done, then you can roll into DAST and look at that from the outside.
But step one would be SAST, step two would be DAST.
So domain 8.3, assess the effectiveness of software

(26:26):
security.
So this is what we're going to talk about is audit and logging changes.
So you need to implement any sort of mechanism to record all modifications made to the code.
It's imperative that you do this.
I can't stress this enough because this comes down to any changes to the code, the configurations, or the development environment.
You have to have a log of what happened.
Because if you don't, when you go back when things break, which

(26:49):
they will, you're going to go, Idon't know what we did.
How did we do that?
Why did that happen?
You have to track these changes.
It needs to be very methodical.
It needs to be very muchattention to detail.
And I just can't stress thatenough.
It ensures traceability,accountability, and provides
data and forensics analysis.
So you just make sure you knowwhat has actually occurred with
the overall development thatyou've done.

(27:11):
Risk analysis and mitigation. This is where you're conducting systematic assessments to identify and evaluate security risks within the development environment and the overall processes. And you're implementing appropriate controls and strategies to reduce identified risk to an acceptable level. You need to analyze it from a risk standpoint. If you have developers, you need to work with them very hard on

(27:32):
understanding risk analysis and mitigation. They need to understand risk. So often it's the senior leaders that understand risk for the company, and they don't really communicate that to the minions that work in there. But if you help people understand risk to the company, risk to the organization, risk to the data, now the people that are working on these systems will utilize the appropriate

(27:54):
level of protections to ensure that they reduce the risk to their company.
Commercial off-the-shelf. So this is pre-packaged software products widely available from vendors. So if you go out and buy a package or your software is a service type package, this is software that's available from vendors. Most places you can get all this, right? Your QuickBooks, your whatever it might be.

(28:16):
I mean, right, anything you can get online. Now the security relies heavily on the vendor's development practices and their patch management. That's all hidden behind the scenes. You're just assuming they're doing what they're supposed to be doing. Unfortunately, the news is littered with plenty of places that don't do that. But this is where you're dealing with commercial off-the-shelf type of software, COTS.

(28:37):
Open source, this is software with a publicly available source code allowing for the community to review and modify, make modifications to it. There's benefits, obviously, from a transparency standpoint, but it does require diligent vulnerability management and license compliance. So you really need to understand how your licenses are. You can't just express to your people, your developers, hey,

(28:57):
you just can't go out and grab a library you want. One, maybe there's some sort of legal requirements around it, you know, some terms and conditions. Two, where did this come from? Who gave it to you? It's like the guy in the street going, hey, little girl, I've got some candy for you. You don't know where the candy came from. So probably not a good idea to eat the candy. I'm not saying open source is bad.

(29:19):
I'm not saying that at all. Open source is used everywhere, right? I'm just saying you need to be diligent with it and make sure that you have a plan on how you're going to utilize and orchestrate open source software within your environment.
Third party, this is any software component obtained from an external entity, including COTS, open source, or custom developed by the vendor. So basically you're buying it from somebody, right?

(29:40):
That's the third party aspect. This requires a robust vendor risk management, consent contractual security clauses, and ongoing monitoring. So again, if you're dealing with purchasing third party software for your company, you need to make sure that all of your documentation matches up and that there are security clauses in place, especially. Especially if this third-party software is running critical

(30:03):
data or critical applications within your environment. You need to have a security clause within your legal review of your legal contracts. Highly suggest this.
Okay. Again, one great thing about these rapid reviews and also about CISSP Cyber Training in general, is the fact that you're getting experience with all the content. If you take any one nugget out of this, if this free stuff is

(30:25):
make sure that you talk to your legal team and ensure that you have security clauses in place for your critical applications. Knock on wood, stomp foot, important part. Big, big important part. If you don't really know, if you're like, say, I'm just working to get my CISSP stuff and I'm just happy with that, go talk to your CISO. Tell them, say, hey, I've just been studying for my CISSP.

(30:47):
Do we have any security clauses in our contracts? And ask them. And if he or she goes, no, then you go, Great. Have you considered that? If they go, yeah, we're on top of it, awesome. Thanks, boss, boss, whatever. And then now they go, Oh, hey, this person's pretty smart. He's looking into stuff. That's good. So again, I'm telling you that that's one great area that you

(31:09):
can do right now, depending upon where you're at, that can help protect your company and also show that you have a big brain and you are very good at what you do.
That was a lot of talking there. Sorry. All right, so 8.4, assess security impact of required software. So we have managed services such as software as a service, infrastructure as a service, and platform as a service.

(31:30):
SaaS, these are cloud-based applications that are accessed over the internet, such as Salesforce, Microsoft 365, etc. IaaS, these are cloud infrastructure services such as virtual machines, storage, or networking devices, obviously your AWS EC2, which is your Elastic Cloud Compute, Amazon virtual machines, and so forth. So this is your overall virtual aspect within the various cloud

(31:52):
environments. PaaS is a platform allowing for customers to develop, run, and manage applications without building and maintaining the infrastructure. So it's basically all set up, all ready to go for you. You don't have to do the infrastructure to make sure it works. AWS Elastic Beanstalk, Azure App Service, and so forth.
Now the shared responsibility model applies where cloud

(32:12):
providers manage security of the cloud and the customer manages security in the cloud. So as an example, AWS is responsible to make sure that their infrastructure is secure. That's what they do. But they provide you these security, these different servers and virtual machines and whatever else. It's yours, baby. You get to do whatever you want with it. However, you need to make sure that you have it properly

(32:32):
secured for you. Amazon is not liable if your site gets hacked because that is not what they're doing. Now, if their infrastructure gets hacked overall, yes, they are liable for that. But that's what they have their security teams designed to do. They're just giving you platforms, something you can go and play with and have fun, and you can give yourself as much rope to hang yourself or not.

(32:53):
Depends upon what you want to do.
Domain 8.5, define and apply security coding guidelines and standards. This is where security weaknesses and vulnerabilities are at your source code level. This includes common flaws like buffer overflows, integer overflows, race conditions, all of those aspects are there. And this covers injection flaws such as SQL, Command, LDAP, all

(33:14):
of those types of injection flaws, as well as cross-site scripting and insecure deserialization. So again, those are just different kinds of weaknesses that you can have at the source code level. This encompasses insecure direct object references and improper error handling leading to information disclosure. So you need to understand what is a security weakness at the source code point.

(33:36):
Now, security of application programming interfaces, APIs. If you've been listening to CISSP Cyber Training for any period of time, you know I love slash hate APIs. And the reason behind it is obviously because they are a great tool to provide data in and out of your organization. They're also a great tool to provide data in and out of your

(33:57):
organization. So they're just like VPNs on steroids. This is focused for authentication and authorization of API endpoints. It's a big factor. Authentication and authorization of API endpoints. This includes rate limiting, input-output validation, protection against mass assignment, as well as addressing API specific vulnerabilities like a broken

(34:17):
object level authorization or excessive data exposure. What that basically means is, is it authenticated? And if it is an authenticated API, if it breaks, will it still work? And then excessive data exposure basically means are you allowing a lot of data to be shipped out of your organization and you're not inspecting it. So again, APIs are amazing. They work great, they help everything just kind of connect

(34:38):
together. They're the connective tissue that makes everything run. However, yeah, they also can make your life extremely painful because now instead of having maybe a VPN between one vendor, you now have VPNs between 50 vendors. And that's a challenge. So APIs, they're awesome. You will live or slash die by APIs.

(34:59):
Secure coding practices. This is where you adhere to the principles like least privilege, defense in depth, and secure defaults. This is where you implement robust input validation, whitelisting, and proper output encoding and secure error handling. This ensures secure memory management as well as control and cryptographic best practices in your code. Again, you want secure coding practices, come up with them at

(35:20):
the beginning. Make sure your people are aware of them. You want to make sure that they understand how to properly code in a secure environment. Software-defined security, SDS. This is where you manage security policies, configuration, and controls as code. So if you have a policy, instead of having a typical application where you'll go in and you'll click buttons to actually

(35:42):
implement some level of policy, this is where the policy is set up specifically around code. So it's in the JSON format that you might be already setting up the policy for it. This leverages infrastructure as code principles for security provisioning and automation. It enables consistent, repeatable, and auditable security deployments through the version control and automated testing.

(36:02):
It's a much better solution than having to go in there and click buttons if it's already built into the code. That being said, not everybody can do that. And so, therefore, you have to be able to understand what applications can I do this with, what applications can I not do this with. So, again, software-defined security, very, very good capability for your organization to help secure your software.

(36:23):
Okay, thank you so much for joining me. That is all I have today for domain eight of the CISSP Rapid Review. Again, this is the final one of all of those. If you want access to my CISSP rapid reviews, head on over to CISSP Cyber Training. You can gain access to all of my rapid reviews, and you can get every single one of them there. You can go to my blog, get access to it on my blog, you can

(36:46):
get access to them in my free content that I provide. Again, all you got to provide is an email address. That's it. And you can get access to all my questions, or not all my questions, the 360 questions. You can get access to my study plan, you get access to my weekly podcast, you get access to the rapid review just by having an email address. Never before has an email address been so useful and so

(37:09):
valuable to you that are studying for the CISSP exam, right? Now, that being said, if you need more help and you need more questions, like more questions, you need the ability to have a better plan that kind of walks you through using the book, using my content, using other outside entities, just kind of step by step. The one thing I never had when I studied for the CISSP was a step-by-step approach.

(37:30):
If you want a step-by-step blueprint, that is the product for you to get, and some of my paid resources. I've got over 50 hours of CISSP content that's available to you, video content that's just covering all the CISSP domains. That doesn't include any video content tied to the podcast. There's 1500 CISSP questions with another 250 question test

(37:51):
at the end that's just being developed right now. And then I've got curated audio and video content. If you need something more, such as some sort of consulting capabilities, I've got vCISO, IT leadership kind of consulting, and any sort of red teaming, you name it, I can get it for you with my partners with CISSP Cyber Training. So all of that is available to you.

(38:12):
Just reach out to me at contact at CISSP Cyber Training, and I'm happy to help you out on anything here. Again, that's all I've got. Have a wonderful, wonderful day, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to

(38:34):
my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.