CCT 028: Integrate Security in SDLC (CISSP Domain 8) - Apr 17, 2023
CCT 028 - RCR 125 - Integrate Security in SDLC (Domain 8)_RCR 055
[00:00:00] Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity.
Alright, let's get started.
How y'all doing this wonderful day? It's a great day here in the United States. It's after the new year, so life is good. We can't complain at all. I'm actually in Wichita, Kansas, where I'm basically recording this podcast from, and the weather is a balmy 45 degrees and it's been quite pleasant.
So for this time of year it's actually quite strange for this to happen. But if you wanna believe in global warming, heck, that'll work too. It doesn't really matter at this point. The temperatures are just really nice, but it can change next week. I was looking at the forecast, and actually through the middle of January it looks pretty promising.
For this winter, [00:01:00] it's already starting off to pretty much be a very mild winter. The expectation, hopefully, is that it's not gonna be an excruciatingly hot summer, cuz here it gets to be like the surface of the sun. Come July, everything melts and blows. So it's kinda like a desert in many cases.
But I hope everybody's done well this past week and had a great Christmas season. We're now rolling into a brand new year of 2020, and I hope that all of you out there are taking your CISSP exam this year and have already set up some goals to get your test studying done and to pass the exam
the first time, right? That's the ultimate goal, because taking this test is a bugger and it is expensive, plus you're putting your time into it, so you really wanna pass it the first time. I also noticed recently there have been a couple of recent incidents that have had some large breaches.
So if you are a cybersecurity professional and this is what you wanna do with your career, you definitely need to get this stuff done and get out there, because it's an interesting world that we live in, and more and more of these integrated systems are all [00:02:00] basically integrated and they're all connected.
Having cybersecurity professionals out there that understand what to do is the lifeblood of the world, because everything is interconnected. If you are taking your test in 2020, you need to get this done ASAP. If you are on the fence thinking about it, you just need to do it. And then through Reduced Cyber Risk, we'll also have something for you to get a good study plan put together on how you want to get there, because a lot of it comes down to having somebody that can help you and keep you accountable for getting the studying done
and just being ready to take the test. Again, it's pretty interesting how the world is changing, and I would recommend it. Especially being a CISO myself, and being a chief security officer with a very large company, I learn a lot every day, and having this knowledge of security has really been an instrumental part
in helping protect my company as well as just helping me grow as a person. But today we're gonna talk about software development. And strange as it may sound, as a security professional, I actually have the development team working for me, [00:03:00] and I also have some developers that are in India
working for me as well. So the interesting part about all this is I've had to talk them through the software development life cycle, and I would love to say that it is perfect. No, it's far from it, but I've learned some valuable lessons doing this. And we'll roll that into today's podcast and what you're gonna see as it relates to what the test is gonna ask you about, but then also some real-life experience around how to handle
the software aspects of this. So the first article we're gonna get to is from a company, basically the reference is Raygun, and it's raygun.com. They basically have the SDLC: seven phases, popular models, benefits and more. And so this is important for you to know, because you're gonna be
quizzed on this on the CISSP exam. So it's important to understand what SDLC is and how it works. And so as we get started here, what is SDLC? It's software, it's a complex product that is developed and delivered through a series of steps. Okay, so that's the canned answer from [00:04:00] Raygun, and it's developing
because it takes a lot of time to do. It has a series of steps that you have to have delivered, and you need to understand how to get to that point. And it becomes, from a documentation standpoint, perhaps a prototype, or other different methods that you may use. But you have to use these steps to get from point A to point B.
And what I've learned from the development team that works for me is we would come in and we would develop, and we'd have just an enhancement or a piece to a website that needs to be added; that's the idea. So then you have to break it down. And as you break it down, you figure out, okay, what pieces and parts can be done in this period of time?
Now we're gonna get into Waterfall and Agile methods for getting work done, and there's different schools of thought around that. But whatever you decide to pick for your methodology to get this product working from the beginning, from an idea to the completion stage, you just need to develop it under a secure auspice.
How do I wanna do this in a way that'll best protect the code, but also [00:05:00] protect the company that's putting that out there? And so eventually the software is delivered to the customer, but you need to consider the steps from SDLC, which is your software development lifecycle. Now, I've also seen it as SSDLC, which is Secure Software Development Lifecycle.
But what I would really challenge a little bit around that is all software should be developed from a secure standpoint, rather than just saying this version is SDLC and this version is secure. You really need to focus on this: all code that's created should have a level of security built into it.
Now you're gonna find out that many developers are very good at what they do, but security is not one thing that they are good at. And so therefore, you may have to, as a security professional, teach them some key concepts to consider as they're developing their software. Now, how does SDLC work?
It's an iterative approach to the software process, right? That's the whole path behind it. From bug fixes, fixing issues with this code, usability issues, that would be your user experience, [00:06:00] user interface, your errors with applications. All of these would need to be addressed through the software development lifecycle.
And these typically run in cycles, which I mentioned before. There's Spiral, there's Waterfall, there's Agile, and we'll get into those here in the next part of the podcast, but the bottom line is that you pick up the thing. So let's just say you're gonna have an enhancement on a website, and you have this button, and instead of it being orange, you want it to be blue now.
In a perfect world, if you've ever done websites, you go, I'll just jump in there and make a change. That's fine if you have a WordPress website, but if you're dealing with something that's complex, that maybe takes orders and provides invoices and all those aspects, that's much, much more complex than just, I'm gonna go change the color to blue.
And if you go to shongerber.com, I use a site called Kajabi. I can go in and I can change the button from an orange button to a blue button or vice versa. It's real simple. But as you do with these complex issues of a multi-size site that's maybe got multi-tenants involved, you [00:07:00] have to have a process by which, okay, we put this into a sprint, and this sprint begins, and we go and we make the change to the color.
The color goes from blue to orange, and then we test to make sure that the code is good, and then once all of that is complete, that would be an item that would be in that sprint. If that's an Agile sprint, that's a two-week sprint. Typically it would be in there as one of many things that would be done.
Now Waterfall might be set up so that you may have a long period of time. It might be like a whole group of things, and this one change of this one button is one task in that overall process. But it's just how to iterate; it goes back to looking at how you want to handle that sprint. So you just have to decide which works best for you.
But basically it runs in cycles and on an ongoing basis. And then when you're dealing with security, you have to look at it from an ongoing standpoint. Now, according to Raygun, there are seven phases of the SDLC. The first one is planning. The planning phase involves aspects of project and product management.
So again, [00:08:00] this comes into resource allocation, capacity planning, project scheduling, cost estimation, provisioning, and so forth. Those are usually done by project managers and then some of the development staff. And that's the planning piece, right? You figure out what you're gonna do, and so when they're planning these pieces out, you also need to consider and teach them about security and why that's working,
cuz you would also have some level of operations or security involved in the development of the software. Now, the second thing is requirements. The business must communicate with IT teams, conveying what their actual requirements are for the new development that needs to occur. And then you have your subject matter experts that are in there learning and growing, and they gather this information from what the actual customer wants.
Now, in many cases, you may need to have an architect in there as well to help if it's gonna be some large changes, and the architect will also give a security spin on it, hopefully. The point and the output of this phase will be in a Waterfall or Agile kind of methodology, which we talked about: [00:09:00] Agile's two weeks.
You start off with all your requirements. You start off with what your stories are, they call 'em user stories, and then what do they want them to look like? They build that out. Then they do these things, and at the end of it they have testing before they provide that to the customer. Now, once the requirements are completed, then you roll into the design and prototyping piece of this, and this is where the requirements are understood.
Software architects and developers can begin the software process. Developers will use design patterns basically to accomplish what they want to do. And there will be an output that will be completed with the end of the design. So a lot of times they call those wireframes; they'll build out the sketch of what they want it to be, and then they'll pass that information on to the developer.
So the better the requirements you can put out there, the better the user stories, which are basically the definition of what they want to accomplish, then the developers will have a better opportunity to create a really good product. Now [00:10:00] this is where it moves into phase four, which is your software development.
And this is the part where the software's actually created by the developers, and they utilize the sprints that we had talked about. Either it's a single block effort, which is Waterfall, or a sprint, which would be Agile. And again, for your CISSP, you're gonna need to know these and how these work.
From a testing standpoint, that's the next phase that you would roll into. Once the software development is done, then it would provide a testable, functional piece of software. Now it's gonna have bugs, but that's where the testing piece comes into play, which is phase five.
The testing piece is one of the most important pieces of the phases, because you have to figure out how good the code quality is and whether you have issues with it. Now I've run into issues with testing in the past where you'll get somebody that'll throw code together. It'll work.
They'll want to just brush through the testing piece and move on to user acceptance testing. And that's a bad idea, just because the [00:11:00] fact of it is that if you don't have a good standardization around coding, if you don't have a good standardization for your third parties to code, it will cause all kinds of issues.
Lots of issues, from being insecure from a security standpoint to just usability. It just doesn't work well. So there's a wide variety of issues, and Raygun talks about this. One is code quality, two is unit testing, which is your functional tests, integration testing, performance testing, and security testing.
Those are the main big buckets that you'll fall under in the testing piece. Now, in many cases, the security testing is forgotten about. People don't do it a lot. And one of the ideas around a security test would be if you have an input field. So you have a field that says, I wanna enter in a name.
What'll happen is you can set the characters of that name to a very large subset. So let's say it's for Shon, S-H-O-N, which is really simple. There's only four letters in my name. You could say you were gonna make the input field only 10 letters long, so that we know Shon or Billy Smith,
if that's your first name, you get two first names, if Billy Smith [00:12:00] is long enough to be put in the input field. Now the problem with that is if you said it's really tight, with 10 characters is all that could be put in that input field, then what ends up happening is it breaks. So a lot of times developers will decide, you know what, rather than put a limit on the input field name characters, we're just gonna let it allow the default, which in many cases I've seen is around 255 characters.
Sometimes bad guys can turn around and use that in code and they can do injects into that. And it would be like a SQL injection. If you have a SQL database on the backend, they could do an injection that would actually cause issues with your site. And so therefore, the developers need to put in limits, saying no special characters are allowed in the username.
No, it has a limited subset of only 20 characters for the first name. Those types of things are aspects that the developers would have to put in while they're testing. And if they have good coding quality [00:13:00] and they already have that set up as a standard process, then it works really well.
So that's the testing piece of this. And there's a really good site out there, Pluralsight, where Troy Hunt talks about how to basically hack yourself. And that's a really good piece to understand: how does that work, and what are some of the things that you'd put in place to hack yourself as it relates to your site?
Now the sixth phase would be deployment. The deployment phase is ideally a highly automated phase. You deal with automated testing, and I highly recommend you do this. I'm not at that point yet; we're in the process of building that out. But automated testing is an incredibly important piece where you don't have to have people manually going and checking everything, because guess what?
People are fallible. They'll make mistakes, they'll skip over things, whereas the automation doesn't. Now it doesn't work for everything, it's not a hundred percent foolproof, but it will get a lot of the big rocks moved that you need moved. Also consider a continuous deployment model, which a lot of times they talk about as CI/CD, which is your [00:14:00] continuous integration,
continuous deployment. Those are really good things to consider if you have any sort of influence on your development team, and it's highly likely they've already thought of this. But the simple fact of the matter is deployment is really an important phase, and it's important that you automate that as much as you possibly can. But that would also be in the security testing as well; that needs to be automated.
Now phase seven, operations and maintenance, this is where we actually end, and this is where the product would be provided to the user. Now, there'll be user acceptance testing, which is UAT, which would be in phase six. But when it's in operations and maintenance, that's where everything should work.
Now, if there's bug issues when this thing gets deployed, they can go back and regress back to an old version. So regression testing is another version of testing that you'll see in phase six, but the bottom line is at phase seven, this is where it comes out to the user, and the user then is able to use it in their environment.
Now, if there are bug fixes that need to be [00:15:00] addressed after it's been running, then what would happen is those bug fixes will be put back into another sprint in a future event. Depending upon how critical they are, that's how they would be decided upon putting back into a future sprint. So the bottom line is there are seven phases, and Raygun gets into those, and they do fit really well within the CISSP exam.
And you guys might be saying, why is this in there? But it's important from a software development standpoint: as you guys see the hacks that are occurring, having good integration with your software developers is important. So the seven phases of SDLC are planning, requirements, design and prototyping, software development, testing, deployment, and seven is operations and maintenance.
Okay, so before we get started, we're gonna roll about shongerber.com. You can go check out my website at Shon Gerber, that's S-H-O-N-G-E-R-B-E-R dot com, and you can check out the website there. You sign up for my email list, you'll get a plethora of information. We're gonna have a bunch of stuff around exam questions that are gonna be there available to you. [00:16:00]
There's also gonna be an aspect of the different domains that I have available. You'll be getting all the podcasts that are there just by getting signed up within my email distribution list. The last thing I should say is that I have domains one through eight. The videos are all there and available for you.
You just gotta purchase those and you can have access to all of the videos that I put together that will help you pass the CISSP the first time, and that's all available. It's taken out of the official study guides and we put that together, plus I've got my years of experience baked right into it.
You need to go to shongerber.com and you can check out that training. All right, so as we roll into domain 8.1, we're gonna talk about the various maturity models that are available. We'd mentioned before in the first part of this podcast the various models, and what are these maturity models and how do they help you get to where you want to go?
Now there's various ones that are out there, and I say [00:17:00] "various" multiple times, but there's multiple aspects of how you can do software development, and I had talked about how Waterfall was a key piece and also the Agile model. But there's Waterfall, Spiral, Agile, Software Capability Maturity, and IDEAL.
Now, I'm just gonna briefly go over the last ones, the Software Capability Maturity and IDEAL. The main ones I'm gonna focus on are Waterfall and Agile. Now Waterfall was developed in the 1970s, and it was a series of iterative activities in which you would do a method. So a good example is, like we talked about before, where you have a piece of software
that needs to be completed. You come up with an idea that needs to happen. You build a user story around it. It's built into an overall overarching program that you go from step A to step Z, right? Or Zed for our friends that are in Europe. And what ends up happening is as you go through that process, that's when you would fix [00:18:00]
that button: instead of being orange, you'd make it blue. The thing is though, in Waterfall, you cannot come back and make any changes to it until the entire process is over. So depending upon how big that Waterfall project is, it could be some time before you come back and address that button from orange to blue.
Versus in the Agile method, which we'll talk about, it's usually about two to three weeks. You could actually have that addressed. If there's critical situations, you could do it sooner, but bottom line, you have to look at how fast you want to iterate through your software. So the series of iterative activities are system and software requirements, preliminary design, detail design, coding and debugging, testing, and then operations and maintenance.
And so those are the primary six that are used for Waterfall. And again, those all happen as well within the Agile method. But the challenge is they go a little bit faster than they do with Waterfall. Now, [00:19:00] Waterfall also provides feedback for defects. So if you see a defect while, let's just say it's a month-long, arduous journey, there would be feedback and then you would build that into future Waterfall events.
But that's where the feedback occurs, but you can't make changes during that period. All you can do is annotate the defects that are going on now. And this was the first attempt to model the software development process. And realistically, it's a good model. There's nothing wrong with it. It just doesn't allow you to have a very fast approach unless your Waterfall projects are within two-week increments.
Now the issue that comes with this is developers are only able to step back one level. So if you have an issue, you can go back. If you're in the testing phase, you can go back to the code and debug phase, but you can't go back to the detailed design phase. So those are limits on what you have, and you'd have to come back.
And if there's a problem with the overall design as you're in the testing phase, you can make changes to the code to hopefully fit your needs, but you can't go back to the [00:20:00] detailed design and make the changes. So that's a bit of a challenge with it. So again, if errors are discovered later down through the actual Waterfall, there are limited mechanisms that you can put in place as a result.
There's verification and validation processes before you move on to the next steps. You have to validate and verify everything looks good before you move on from, let's say, detail design into code and debugging. The next model we're gonna talk about is Agile. This was developed in the mid-1990s, and in 2001 came the Manifesto for Agile Software Development.
They have 12 key principles that they work through. But bottom line is, through those principles, it will help you move through the Agile process. Now there's various variants of Agile. There's Scrum, there's Agile Unified Process, Dynamic Systems Development Model, or Extreme Programming. So that's Scrum; Agile Unified Process, which is AUP, it's Alpha Uniform [00:21:00] Papa; Dynamic Systems Development Model, which is DSDM, so Delta, Sierra, Delta, Mike;
and then there's Extreme Programming, which is your XP, X-ray Papa. Okay, so those are the various ones that are set up with Agile, and that's developed again in the mid-1890s. Yeah, so Agile, as you can see, that's the one that I've dealt with recently and it's worked really well. I've been a very big proponent of it.
It does allow you to have a couple of two-week sprints. It allows it to be done quickly, so it's a really pretty cool aspect with Agile. Now moving on to the Software Capability Maturity Model. This came from the Software Engineering Institute at Carnegie Mellon. The acronym is SW-CMM, Sierra Whiskey Charlie Mike.
That sounds like a war movie I love. Charlie Mike. But this is what came directly from Carnegie Mellon. Now, the quality of the software is directly associated with the quality of the development, and they have various levels that are involved. And I'm briefly gonna go over the levels,
because you can get into a lot of serious weeds when it comes down to how they're defined, but just going through the specific levels: there's level [00:22:00] one, which is your Initial; level two, which is your Repeatable; level three is Defined; level four is Managed; level five is Optimizing. And they follow along the fact that the Initial one is where people are trying to get something accomplished, but there's little direction.
So this is how they went down this path. Then they went into the Repeatable aspects, and they looked for code aspects that are duplicatable and thus can be reused. Now there's a big positive with this, because as you're getting into the world of low-code and no-code development, a lot of those are in blocks that could be reused.
So if you can reuse the software, that's a big benefit. That doesn't mean you can't do that with the other models, with Agile or Waterfall; you can. It's just this was designed around repeatable aspects, and then it was basically looking at how much of this code can I reuse and not have to redo over and over.
When you're talking Defined, you set a formal document for a software development process, which is process focus, definition, training, and so forth. And then when you're dealing with Managed, it's the management of the [00:23:00] software process itself: who's gonna manage this, the overall beginning-to-end software project management piece.
Then level five is Optimizing. This is continuous improvement or change, and how do you make annotations for change within the software? So that's basically the one from Carnegie Mellon. Now we'll roll into the IDEAL model, which is India, Delta, Echo, Alpha, Lima. And it's very similar to the Carnegie Mellon
Charlie Mike, which their five phases are initiating, diagnosing, establishing, acting and learning. So initiating is, it's the business case. Diagnosing is analyzing the current state and providing recommendations. Establishing is developing a plan from the diagnosing stage. The last one, or not the last one,
Delta, the acting. Acting is developing a solution, testing, adjusting, and implementing. Okay, so you're basically bracketing it. And then learning is your quality improvement, and you're learning from your mistakes. So they all fall on the [00:24:00] same process. The processes aren't that far off from each other.
However, each of them has different phases and they have their own way of doing business. So it's important for you to understand, at a minimum, when you're dealing with the CISSP exam, what are some of these maturity models and what is the purpose of them. But I will tell you the typical ones that are used in the market today are Waterfall and Agile.
All right? So we're gonna roll into the CISSP exam questions for domain eight. Now, these come from TechTarget, and TechTarget has a bunch of quizzes that are available for you to go out and check out. And I highly recommend you do that, but let's roll into question number one.
Abstract episodes of interaction between a system and its environment. Okay? So, abstract episodes of interaction between a system and its environment. A is misuse, B is web proxies, C is use cases, D is negative testing. [00:25:00] All right, so abstract episodes of interaction between a system and its environment.
Now we just got done talking about domain eight and some of the aspects around that. That would be C, Charlie, use cases. Use cases are abstract episodes, and there are things that occur that are happening between the system and its environment, and therefore you utilize these use cases to help you make changes to your development.
Question two: a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. Okay. So A is information security continuous monitoring, ISCM. B is CWE/SANS Top 25 Most Dangerous Software Errors. I don't know if that even exists. Yeah, actually, it does.
They're saying SANS has got one and so does OWASP. C is automated vulnerability scanners. And D is real user monitoring, RUM. Okay, so the list of the most widespread and critical errors that can lead to serious vulnerabilities in software: ISCM, [00:26:00] SANS Top 25, automated vulnerability scanners, or real user monitoring.
And the answer is information security continuous monitoring, ISCM. All right, and we're gonna roll into the last question here. Now, before we do, one thing I wanna mention about that is, again, keep in mind these exam questions are not... When I was studying for the exams, I thought that, hey, I can study for these exams, learn and master all these questions, and I can pass the test.
That is not how the CISSP goes, and you've probably been studying these questions and know that you can take a bazillion of these exam questions and think, okay, I've got it. Now, the exam questions aren't gonna help you pass the test other than the fact they're gonna teach you how some of the questions are being asked and how you deduce what the actual answer is if you don't know the answer.
So this is the design of the Reduced Cyber Risk podcast. And all of this training is to get more of this information into your cranium, so that way when you go to take the test, it makes sense and you can answer the questions correctly. It is not, unfortunately, to help you [00:27:00] with passing the test from a "here's exam question three,
this is on the test, wink" standpoint. That's not the case. So just kinda keep that in mind as you're setting the expectation to take the CISSP. All right, question three. This criteria requires sufficient test cases for each program statement to be executed at least once. However, its achievement is insufficient to provide confidence in a software product's behavior.
Okay, so this criteria requires sufficient test cases for each program statement to be executed at least once. However, its achievement is insufficient to provide confidence in a software product's behavior. A, statement coverage; B, data flow coverage; C, condition coverage; D, path coverage. All right. And the answer is A, statement coverage.
Basically, it talks about what is occurring with the criteria that's specifically for this test case. It's considered statement coverage. All right, that's all I have for [00:28:00] today, so I hope.
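The input-field security test described in the testing-phase part of the episode (limit the length of a first-name field, reject special characters, and keep oversized input from turning into a SQL injection), worked through as an added example. This is not code from the podcast or from Raygun. The field policy is an assumption: at most 20 characters (the limit the episode mentions), letters only, with single spaces or hyphens between name parts so "Billy Smith" still fits. The `users` table and its rows are constructed sample data, and the query uses a bound parameter so that even input that slips past validation is treated as data rather than SQL text.

```python
from __future__ import annotations

import re
import sqlite3

# Field policy assumed for this example (the episode only says "limit the
# length" and "no special characters"): at most 20 characters, letters only,
# with single spaces or hyphens between name parts so "Billy Smith" still fits.
MAX_FIRST_NAME_LEN = 20
FIRST_NAME_PATTERN = re.compile(r"[A-Za-z]+(?:[ -][A-Za-z]+)*")


def validate_first_name(value: str) -> tuple[bool, str]:
    """Return (ok, reason). Length is checked before the pattern so an
    oversized input is rejected cheaply without running the regex on it."""
    if not value:
        return False, "empty"
    if len(value) > MAX_FIRST_NAME_LEN:
        return False, f"longer than {MAX_FIRST_NAME_LEN} characters"
    if not FIRST_NAME_PATTERN.fullmatch(value):
        return False, "contains characters outside the allowed set"
    return True, "ok"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (first_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Shon", "shon@example.invalid"),
         ("Billy Smith", "billy@example.invalid"),
         ("Ann", "ann@example.invalid")],
    )
    return conn


def lookup_emails(conn: sqlite3.Connection, first_name: str,
                  validate: bool = True) -> list[str]:
    """Look up e-mail addresses by first name.

    Two independent controls: the field policy rejects anything outside the
    expected shape, and the query binds the value as a parameter, so even with
    validate=False the input stays data and never becomes part of the SQL text."""
    if validate:
        ok, reason = validate_first_name(first_name)
        if not ok:
            raise ValueError(f"rejected first name: {reason}")
    rows = conn.execute(
        "SELECT email FROM users WHERE first_name = ?", (first_name,)
    ).fetchall()
    return [email for (email,) in rows]


def run_samples() -> dict[str, str]:
    """Run constructed inputs through the field and summarise each outcome."""
    conn = build_demo_db()
    samples = [
        "Shon",         # four letters, well inside the limit
        "Billy Smith",  # two first names, still under 20 characters
        "A" * 255,      # the 255-character default the episode warns about
        "Shon' --",     # quote and comment characters: outside the allowed set
    ]
    outcomes: dict[str, str] = {}
    for sample in samples:
        try:
            outcomes[sample] = "found " + ", ".join(lookup_emails(conn, sample))
        except ValueError as exc:
            outcomes[sample] = str(exc)
    # Defence in depth: skip validation and the bound parameter still treats the
    # hostile-looking string as a literal name that matches no row.
    outcomes["unvalidated:Shon' --"] = repr(
        lookup_emails(conn, "Shon' --", validate=False))
    return outcomes


if __name__ == "__main__":
    for sample, outcome in run_samples().items():
        print(f"{sample[:24]!r:>28} -> {outcome}")
```

The length check comes first so that a 255-character input is rejected before any pattern matching or database work happens; the parameterised query is the second, independent layer, which is why the unvalidated lookup at the end returns an empty list rather than an altered query.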