CCT 080: Understanding the Intersection of Libraries, IDE, Compilers and Object-Oriented Programming (CISSP Training D8.1)

Oct 16, 2023

Ready to level up your cybersecurity knowledge and coding prowess? This episode elevates your understanding of software development and libraries as the CISSP treats them, as we venture into the world of code collections. Get a firm grip on the different types of libraries, from standard to third-party to custom, and learn about the potential dangers of rolling your own cryptography instead of using tried-and-tested cryptographic libraries. We also delve into language-specific libraries and the pivotal role of packaging and package managers in the development realm.

We then shift gears towards development tools. From the nitty-gritty of integrated development environments to the pros and cons of generating code with ChatGPT, we discuss why understanding every line of the code you ship still matters. Get a closer look at compilers, debuggers and version control systems, your crucial allies for translating and tracking changes in source code. Finally, we tackle the key concepts of Object-Oriented Programming (OOP), their practical implications in cybersecurity, and the reuse of proven encryption algorithms. So buckle up and prepare to enter a world of code, cybersecurity, and essential development tools.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.


TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey y'all, Sean Gerber with CISSP Cyber Training, and I hope you all are doing well and having an outstanding day today. Today we're going to be getting into some great topics around development. This is on domain 8.1, and we're going to be talking about the development world that we have, pulling it out of the ISC² CISSP book. One of the things I wanted to focus on is some key topics that come up. I've talked to some of my students at CISSP Cyber Training, and one of the pieces they struggle with quite a bit is the overall development landscape. Keep in mind, again, as a practitioner in CISSP and as a CISO for a company here in the United States, one of the things that comes up a lot is: how do you work with developers? You're dealing with the development life cycle. That is a challenging spot, especially if you're with a company and you've never really done much within the development world. I'm going to tell you right now that in my space I've dealt mostly with a strategic kind of understanding around development. I work with developers on a daily basis in the position that I'm in right now, but as far as getting into the depths of what they understand, I just get into enough that I can be conversational. That's what you want to understand for the CISSP. It doesn't mean you have to understand what a library specifically is in a specific programming language such as Python, C# or C++.
You don't have to necessarily know that to that level of degree, but you do need to be able to understand the strategic view of what a library is. I'm just using that as one example. As we get into section 8.1 of domain 8, we are going to understand this from a high-level approach. I guarantee you there are people out there that are a gazillion times smarter than me in the development world. Therefore, it's important that you look at other options. From a CISSP standpoint, you need to really just understand the overall high-level concepts and constructs around development so that you can be conversational and so that you can help make decisions based on that level of knowledge. Let's go ahead and get started into this.

One of the first ones we're going to talk about is a library. What is a typical library? Well, the libraries that I grew up with were in the school system, or they're in the local community where you live, and you go check out books. It's the same kind of concept when you're dealing with libraries within the development world: it's a collection of various levels of code that is there that you can call upon. Now I'm going to use an example around Python. When I taught my students at the local college, Wichita State University here in Wichita, Kansas, one of the things I had them do as an exercise was to create a Python script specifically to teach around IoT, and in that Python script they would pull from a library, and in those libraries were things such as the time code. There were various levels of code as it relates to the Python capabilities, and so you would have to call up those libraries and they would run in this program. What it does is it allows you to have these books, for lack of a better term, to pull from, to run in your code, whereas you don't have to have all of that code available to you. You can just have these predefined libraries and you can pull from them.
So it's all set up already and you can then just download it and go. Now, one of the cases as it relates to security is there are also cryptographic libraries, and these are already done and you can then call upon them from a development standpoint. Now, one thing to keep in mind: there's a podcast I listen to frequently from Steve Gibson called Security Now, and he's big into very technical stuff. It's a very good podcast, but it is quite technical. If you really like that, it's a great podcast to listen to. He talks a lot about encryption, and the fact is that if you deal with someone who likes to create their own encryption code, run away, run away as fast as you can. The reason behind that is because the current encryption algorithms that are out there are tried and tested, and people are banging on those things on a daily basis, so if there are flaws, they find them. So you want to use good cryptographic libraries within your development world, because you want to ensure that you're using ones that have been tried and tested. That's where you'll get, when you're talking with some of your developers, or maybe you get a question on your CISSP around where you would get your cryptographic code, and an answer would be a library. Now, there are typical standard libraries, there are also third-party libraries, and then there are custom libraries. Obviously, that makes sense. You can pull them from a standard library with Python, you could have something that you purchase that is available to you from a third party, or you could have your own custom stuff that you create. You can get shared libraries that are out there and available that you can use off of GitHub and other areas. But you want to also be careful with where you get shared libraries from, because if you're a bad guy or girl, what would you put in the library? Bad code. You could put it in the library.
Now, there are different language-specific libraries. You've got your C#, you've got your Python, you have your Java. There are various libraries that are available for you. Now, when it comes to the packaging, these libraries don't come as an individual book. They come in a package and you would then uncompile that package. That's probably the wrong word, but you would basically extract the information out of that package and that would then install it on your development environment. Now, when it comes to JavaScript, it's called npm, that's November Papa Mike, and when you're in Python it's pip. So you'd get on the command line and you would type in pip and then the library that you're looking for, and it would bring that into your environment. And so you need to understand that if you're going to talk to a developer, they may ask you questions about libraries, and you just need to know what the basic concept of them is. Now you're dealing with package managers. This is something that's language-specific again, whether it's Java or Python; you'd have a package manager, and this package manager's purpose is to automate the process of installing, upgrading and configuring these packages. It also will allow you to remove them from the overall operating system. So these package managers, if you hear that term or you read that term in your CISSP, they're designed to remove, upgrade or modify these various software packages or libraries within their environment. Now, the common use case of these package managers, like I mentioned, is to remove them. They do allow you an easy way to upgrade your overall libraries as well. Just think of it as your uninstall, or your Add or Remove Programs if you're dealing with Windows. That's the whole purpose: to give you that ability to add or remove the library as needed. Now, there is one possible negative consequence you've got to understand about libraries.
So just keep in mind, like we talk about, the overall package deployment itself. We talked about pip and Python, and, like I mentioned before, you can have these third-party libraries that are available to you. Well, if you have these package managers and they go out and they grab new updates, again, this comes down to understanding where you're getting these updates from: whether you're getting them from a trusted source, and typically that trusted source would be someplace internal, or a highly well-paid, I mean, a third party that you're getting this code from, someplace that maybe goes through good checks of their software. If you get your packages from places such as, let's say, GitHub, and you're not paying attention to where you might get that information or who collaborated on it, you could very easily have malicious software added into your environment through this package manager. So, as you're talking to your developers, again talking from a high-level perspective, you explain this to them: okay, where are you getting this information from? What is the information in it? How do you use this? Is it a trustworthy source? Those are the kinds of conversations you would have with your developers, and also to educate them on the risks associated with grabbing this information from places upon the internet.

So now we're going to talk about some development tool sets that are out there that you may have to deal with. There's a thing called an IDE, which is India Delta Echo, and IDE is an integrated development environment. Really, what it comes down to is it provides you the entire capability of a computer program for your software development environment. So I've got guys that will talk about getting access to the Python IDE, and there are ones such as PyCharm. I know when I used them on, I can't even think of the name of it, on the different Raspberry Pis.
There are a couple of other ones and I'm just drawing a total blank on them, but that IDE environment will install within your Python, within your Raspberry Pi, and then you can use that from your development standpoint, and it acts as a way to develop these overall programs within the Raspberry Pi itself. The nice part about this is that it has all of the aspects you need from a cybersecurity standpoint as it relates to the various encryption mechanisms and so forth. It also will give you real-time debugging. I know when we would force my students to go and run their program within their Raspberry Pi, I would ask them to debug it, and it would tell them where they had errors, what line they had errors on, and they would have to go back in and look at the code and make the changes as necessary. I purposely put errors in the code that I gave them to see if they would find the errors themselves. But then came ChatGPT, and now you can just throw your code into ChatGPT and it'll provide you something quite wonderful. Now I will tell you, as it relates to ChatGPT and your developers, I highly recommend its use. I really do, especially if you're going to be developing code that is utilizing very big, common types of code. For example, that Raspberry Pi instance I gave you: the code I had for them was very easy, very simple, because I'm very simple, and what ended up happening was it was designed to act like a garage sensor. So in the United States, people have lots of garages to store their cars in. Well, as you drive your car into this garage, it has a proximity sensor on it that would tell you how close you get, and you can modify the proximity sensor to have it give you different colors based on the distance you are from the Raspberry Pi. So as you get closer, it's green, then you get a little bit closer, it's yellow, then, when you get to where you have to stop, you hit red.
So, again, it's a very simple program, not complex by any stretch of the imagination. The interesting part, though, is you can get all of that code from ChatGPT. I would spend, because I'm not a developer, weeks developing that code, just trying to understand it and put it in place. Then along comes ChatGPT, and in about 1.2 seconds it can develop that same code for me, much quicker, much better, without any bugs that I might have in it. So I highly recommend that your folks, if they are in the development world, use ChatGPT to their benefit. The negative is this, though: if they use it too much and then they start pulling it from other areas outside of what they know, they still need to understand the code, because whatever you grab from ChatGPT and put in your environment, it's still imperative that you understand what each line is doing, because hypothetically some bad stuff could get injected into this code and you wouldn't even know it. So you must always trust and verify your code before you enter it into your programming language.

Okay, compilers. Now, these translate high-level code into machine language or bytecode. A compiler is often used to build an endpoint security solution written in languages such as C and C++, but it's used in different languages as well. It basically pulls it all together, it translates it all, it compiles it, it puts it into a form that will actually work. Now, the next one is a debugger. This is used to test and debug code, as we mentioned before. You can find this as part of a CI/CD pipeline as well, where your CI/CD is your continuous integration, continuous development process, or its pipeline, and what will happen is, as you put your code into this CI/CD pipeline, it runs through all of these different aspects and these checks and then comes out at the end where you want it to be.
It can use automated debugging platforms out there that will look for errors and issues with your code and then also tie it back to what we call the CVE, which is your common vulnerability ease exploitation. There's something else to that, but CVE, gosh darn it, I'm losing my mind. But the bottom line is it will look for those CVEs specifically, and if there is an error in your code that is associated with a known CVE, it will give you that error and it will say, hey, you need to make a change to this. And then in some cases, as this is getting better because it uses AI-type capability, it will come back and give you a recommended code change to make those changes within your development environment. So it's pretty cool what it can do now.

Now there's version control. One thing that you want to understand as it relates to code is it's in various versions, just like we talk about in CISSP Cyber Training. I will go over domain 8.1, and in 8.1 there might be .1, .2, .3, and in the overall understanding of your CISSP, you need to understand the various levels of version control to know that, if there is version 1, what does version 1.1 look like? What does 1.2? Are there any subcategories to that? You need to be aware of those. Now, there are systems that will help track changes within your source code, and Git is commonly used as an integration and collaboration tool to allow you to do that. And then all of your various IDEs, your compilers, debuggers, all of them have various versions, and you're going to have to ensure that you have the most correct version. Now I will tell you, when I'm recording this podcast, I do it on Camtasia, and I've just run into some version problems with Camtasia and its recording, to the point that it's actually very frustrating.
So it's important that you have good version control of the data that's going into it. Now, when you're dealing with software, one thing to keep in mind, unless you're dealing with a software development team, is it's good to stay up to date on your versions. However, sometimes when you get on the cutting edge of versions of software, it can cause lots of issues, and then there can be some opportunity costs that occur. My team would always keep one version behind. They weren't on the most current version, but they also weren't so far back. When I first started with my development team, they were like on version 10 and they were below where they were supposed to be. They'd never updated their software, because it worked, so why should they update it? Well, as we went further into this, there was a lot of functionality that helped them create much more secure code with the most current versions. So we forced them to go through an upgrade, and that upgrade is extremely challenging, especially if they haven't done it in a long time. So you need to make sure that your folks in your development world stay up on the most current versions of their software that you feel comfortable with. Again, like I said, we stayed one version behind the most current one because it took so long to upgrade, and we wanted to make sure that it was done in a very timely manner and also in the most secure manner.

Okay, so object-oriented programming: what exactly is this? Now, grasping OOP, as it's commonly called, can help a lot when you're dealing with your cybersecurity world and, as a professional, help you design better security models. So, as you're working with your development teams, understanding OOP, at least from a contextual or conversational standpoint, can really help a lot with the security model aspects and also vulnerabilities that you may find within software itself.
Just trying to understand the basics around this, you have objects and classes. Think of a class as a blueprint that outlines the properties, or the attributes, and the potential actions, or methods, that this object will have. So, as an example, these could be objects that you would see in security. You have user, you have username, you have password, you have login, logout. Those are key attributes that you would see within the development space. So, if you're programming in C#, or whatever language you're in, Python, the attribute would be user or username, password, or potentially login and logout. Those are the key aspects that you may see as it relates to security. Now, these objects are individual instances of that class, so each object would represent a specific user. Now, how does that currently work within cybersecurity? Well, what it does is it allows for it to be modular-based. It allows the code base to be organized and be thought of as self-contained units that are tested and updated independently of what you currently have out there, and it's crucial that you understand, especially when you're working on anything that would be of large significance, that it helps make it easier to identify and patch vulnerabilities, because you have a framework which you are following. It does allow for code reuse to be done, and through inheritance, these various classes, right, your user, your username, all of these can then create, or they can inherit, the protections or the processes that you already had in place with the original code. So, as an example, if you had code that called out super user, so let's just think of that as within Linux, where you had su, right, so that's your super user, you could inherit properties from the base user. Okay, that would be the user class. You can inherit those, and it allows for code to be reused multiple times.
You don't have to create new code specifically for this super user class. Now, the downside, obviously, is that if the base is incorrect, you could then inherit some of the vulnerabilities that come with it, so it's important that you have a good code base when you do this. Now, the flexibility around all of this is a thing called polymorphism, and that allows objects to be treated as instances of their parent class. So it allows for much simpler code and allows for fewer errors, because it can take the parent class and then it can allow those objects to be treated as such. So basically, you could have a simple design function that's done to validate different types of user credentials, based on the polymorphism which is being allowed. Again, it allows you flexibility. Then there's another aspect called encapsulation. This allows for data to be hidden from the outside, basically exposing only what is necessary to go through the public methods. So it's important that if you have sensitive information that you don't want shared, okay, across the internet, you can encapsulate this data to be hidden from outside entities. And then the last part is when we deal with abstraction. Now, abstraction can be very complex, but it allows you to hide the intricate details and expose only the essential features, making it much easier to understand, especially when you're dealing with large amounts of code. Some key terms you've got to remember are classes, objects, inheritance, polymorphism, encapsulation and abstraction. Those are the key concepts, and therefore, as you're working in cybersecurity, it's important for you to understand each of those. So what are some practical applications as it deals with security? Well, when you're dealing with OOP, it allows you to design robust authentication pieces and mechanisms that could be tied to this user class.
So if you have the user class that we defined earlier, so that was your class, you could actually have two-factor authentication that could be set up specifically for this class, that is tied to basic username and password verification, so it allows you to pull in what was learned from the user and be able to use that. You also can use it within firewalls and other types of security out there, where you could have an object-oriented rule that looks at specific network packets and is looking for very specific items to come out of network packets, or it could be looking for something that would be inappropriate within that network packet, and that programming language within that security tool or mechanism could actually look at that as well. When you're dealing with encryption, there are also algorithms that could be implemented within these various classes that you want to have it work on, and therefore it allows you to reuse these cryptographic aspects over and over again. There's a great podcast by Steve Gibson, our podcaster, and he talks a lot about encryption and the importance of utilizing known encryption algorithms and not grabbing algorithms from people on the internet that come up with their own ideas. So it's important for you to really truly understand that when you're dealing with object-oriented programming, there are some basic concepts you need to be aware of, and the basic concepts, again, when we bring it down to the core pieces of this, are classes, objects, inheritance, polymorphism, encapsulation and abstraction, and you'll see questions on the CISSP that are going to talk to each of those. Some key bullets to take away from OOP: classes are blueprints. They're blueprints for the specific object, and they define the class and the attributes and the methods. Your objects are instances of these classes, and each object represents the entity, obviously the servers, the hardware; they are acting in that entity.
We talked about inheritance, where it reuses code, and how we can reuse code from user and super user. We talked about polymorphism and how it can be used with the same interface but can allow multiple underlying pull-ins from other protocols to help increase its flexibility. And then you have encapsulation, which restricts direct access to the object. So, like we talked about with the internet, it will encapsulate that data and allow it to not be shared. And then you have abstraction, which takes very complex systems and keeps them in much more manageable pieces, and it can even create a higher level of security when you have abstraction involved.

All right, that's all I've got for today. I hope you guys have a great, wonderful day. Make sure you come back on Thursday. We will have CISSP exam questions focused on these specific topics within this podcast, and I'm excited to see you next Thursday. Go to CISSP Cyber Training. Check out all the great stuff that's out there. Tons of information is available for you each and every day. Just go to CISSPCyberTraining.com and check it all out. We'll talk to you later. Have a great day. Bye.
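Editor's worked example (added here; not part of the podcast or the ISC² book). The episode describes a user class, a super-user class that inherits from it, and two-factor authentication layered on top of username/password checking. The Python below makes each OOP term from the episode concrete: the classes are the blueprints, each instance is one account, SuperUser and TwoFactorUser inherit the password logic rather than re-implementing it, login() is polymorphic because it calls authenticate() without caring which subclass it has, the salt and hash are encapsulated behind verify_password(), and Principal is the abstraction that callers depend on. The PBKDF2 parameters, the HOTP (RFC 4226) second factor and the credential-dict shape are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from abc import ABC, abstractmethod


class Principal(ABC):
    """Abstraction: callers rely only on authenticate(), never on storage details."""

    @abstractmethod
    def authenticate(self, credentials: dict) -> bool: ...


class User(Principal):
    """Blueprint for a username/password account; the password is kept as a salted PBKDF2 hash."""

    PBKDF2_ITERATIONS = 200_000  # assumed tuning value for the example

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.__salt = os.urandom(16)            # encapsulated: stored as _User__salt, not user.__salt
        self.__pw_hash = self.__derive(password)

    def __derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.__salt,
                                   self.PBKDF2_ITERATIONS)

    def verify_password(self, password: str) -> bool:
        # compare_digest does not leak where the two hashes first differ through timing
        return hmac.compare_digest(self.__pw_hash, self.__derive(password))

    def authenticate(self, credentials: dict) -> bool:
        return (credentials.get("username") == self.username
                and self.verify_password(credentials.get("password", "")))


class SuperUser(User):
    """Inheritance: reuses all of User's password handling and only adds a privilege flag."""

    def __init__(self, username: str, password: str) -> None:
        super().__init__(username, password)
        self.is_admin = True


class TwoFactorUser(User):
    """Inheritance plus an extra step: password check first, then an HOTP code (RFC 4226)."""

    def __init__(self, username: str, password: str, otp_secret: bytes) -> None:
        super().__init__(username, password)
        self.__otp_secret = otp_secret  # encapsulated like the password hash
        self.__counter = 0              # moving factor shared with the user's token

    @staticmethod
    def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
        """HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal code."""
        mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % (10 ** digits)).zfill(digits)

    def authenticate(self, credentials: dict) -> bool:
        if not super().authenticate(credentials):      # inherited first factor
            return False
        expected = self.hotp(self.__otp_secret, self.__counter)
        if hmac.compare_digest(expected, credentials.get("otp", "")):
            self.__counter += 1                         # a used code is never accepted again
            return True
        return False


def login(principals: list, credentials: dict):
    """Polymorphism: one routine validates any Principal, whatever its concrete class."""
    for principal in principals:
        if principal.authenticate(credentials):
            return principal
    return None


if __name__ == "__main__":
    # Constructed accounts; the OTP secret is the RFC 4226 test-vector secret.
    accounts = [User("alice", "hunter2"), SuperUser("root", "toor"),
                TwoFactorUser("bob", "pw", b"12345678901234567890")]
    print(login(accounts, {"username": "root", "password": "toor"}).is_admin)   # True
    print(login(accounts, {"username": "bob", "password": "pw"}))               # None, no OTP
```

The replay rule in TwoFactorUser.authenticate is the part worth pointing at in a design review: because the counter only advances on success, a captured code cannot be presented twice, and because the counter lives behind the class's own private attribute nothing outside can reset it.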

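Editor's worked example (added here; not part of the podcast). The episode's point about package managers is that the risk sits in where the package comes from, not in pip or npm themselves. The check a team can actually enforce is the one pip ships with: `pip install --require-hashes -r requirements.txt`, which refuses any requirement that is not pinned to an exact version with a `--hash=` option and rejects a downloaded artifact whose digest does not match. The Python below reproduces that decision logic so the behaviour can be seen on constructed input: the requirement lines, the stand-in wheel bytes and the two "index" functions are all constructed for the example and are not real packages.

```python
import hashlib
import re
from dataclasses import dataclass, field

ALLOWED_ALGS = {"sha256", "sha384", "sha512"}   # the digest algorithms pip accepts for --hash

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<opts>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9A-Fa-f]+)")


@dataclass
class Requirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)   # algorithm -> set of acceptable hex digests


def pin_line(name: str, version: str, artifact: bytes, alg: str = "sha256") -> str:
    """Write the requirement line for an artifact that has already been reviewed."""
    return f"{name}=={version} --hash={alg}:{hashlib.new(alg, artifact).hexdigest()}"


def parse_requirements(text: str) -> list:
    """Parse pinned lines; an unpinned or hashless requirement is an error, as under --require-hashes."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not pinned to an exact version: {line!r}")
        hashes = {}
        for h in HASH_OPT.finditer(m["opts"]):
            if h["alg"] not in ALLOWED_ALGS:
                raise ValueError(f"unsupported hash algorithm {h['alg']!r} on {m['name']}")
            hashes.setdefault(h["alg"], set()).add(h["digest"].lower())
        if not hashes:
            raise ValueError(f"no --hash for {m['name']}=={m['version']}")
        reqs.append(Requirement(m["name"], m["version"], hashes))
    return reqs


def verify_artifact(req: Requirement, artifact: bytes) -> bool:
    """True only if the downloaded bytes match one of the pinned digests."""
    return any(hashlib.new(alg, artifact).hexdigest() in digests
               for alg, digests in req.hashes.items())


def audit(requirements_text: str, fetch) -> dict:
    """Map 'name==version' to 'ok' or 'hash mismatch'; fetch(name, version) returns the artifact bytes."""
    return {f"{r.name}=={r.version}":
            "ok" if verify_artifact(r, fetch(r.name, r.version)) else "hash mismatch"
            for r in parse_requirements(requirements_text)}


# Constructed stand-ins for the wheels a package index would serve.
GOOD_WHEEL = b"demo-lib 1.2.0 (constructed artifact)"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# appended by whoever modified the package"
UTIL_WHEEL = b"demo-util 0.9.1 (constructed artifact)"

# The requirements file as it would be committed after review: version pinned, digest pinned.
REQUIREMENTS = "\n".join([
    "# install with: pip install --require-hashes -r requirements.txt",
    pin_line("demo-lib", "1.2.0", GOOD_WHEEL),
    pin_line("demo-util", "0.9.1", UTIL_WHEEL, alg="sha512"),
])


def trusted_index(name, version):
    """Constructed index that serves exactly what was reviewed."""
    return {"demo-lib": GOOD_WHEEL, "demo-util": UTIL_WHEEL}[name]


def poisoned_index(name, version):
    """Constructed index where demo-lib was swapped out under the same name and version."""
    return {"demo-lib": TAMPERED_WHEEL, "demo-util": UTIL_WHEEL}[name]


if __name__ == "__main__":
    print(audit(REQUIREMENTS, trusted_index))    # both entries ok
    print(audit(REQUIREMENTS, poisoned_index))   # demo-lib==1.2.0 reported as hash mismatch
```

The name and version are identical in both indexes; only the digest tells the two apart, which is why a version pin alone is not the control the episode is asking for.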
CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
