RCR 055: Understanding SDLC to pass the CISSP Exam (Domain 8) - CISSP Training and Study!
Jan 06, 2020
Description:
Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.
In this episode, Shon will talk about the following items that are included within Domain 8 (Software Development Security) of the CISSP Exam.
- CISSP Articles – RAYGUN - SDLC: 7 phases, popular models, benefits, and more
- CISSP Training – Integrate Security in the Software Development Life Cycle (SDLC)
- CISSP Exam Questions
CISSP Exam Questions:
QUESTION 1
Abstract episodes of interaction between a system and its environment:
- Misuse case
- Web proxies
- Use cases
- Negative testing
CORRECT ANSWER - Use cases
QUESTION 2
A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:
- Information security continuous monitoring (ISCM)
- CWE/SANS Top 25 most dangerous software errors
- Automated vulnerability scanners
- Real user monitoring (RUM)
CORRECT ANSWER - Information security continuous monitoring (ISCM)
QUESTION 3
This criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product's behavior:
- Statement coverage
- Data flow coverage
- Condition coverage
- Path coverage
CORRECT ANSWER - Statement coverage
BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/
Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/
LINKS:
- ISC2 Training Study Guide
- Raygun
- TechTarget
- Vendors:
- LastPass.com
TRANSCRIPT:
Halo Shankar's reduce Severus podcast episode 55 Security in software development life cycle domain 8 reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcast join me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam all right what were the starters podcast how you all doing this wonderful day it's a great day here in the United States after the new year so life is good I can't complain at all it's actually in Wichita Kansas where I'm basically recording this podcast from the weather is a balmy 45 degrees and it's been quite Pleasant so it's after this time of year it's actually quite strange for it to have this cabin but you want to believe in global warming stay at the temperature is just is really really nice but not cuz it can change next week and the forecast and actually through the middle of January looks pretty promising so for this winter it's already starting off to pretty much be a very mild winter so the expectation hopefully is that it's not going to be an excruciating Lee Hot Summer cuz here it gets to be like a surface of the Sun so it's like a desert in many cases we can have a great Christmas season and we're now rolling into a brand new year 2020 and I know hope that all of you out there taking your cissp exam this year I have already set up some goals to get your test studying done and to be passing the exam the first time that's the ultimate goal because taking this test is a bugger and it is expensive and your pleasure putting your time into it so you really want to pass the first time there was been a couple of recent incidences that have had some large breeches so if you are a cypress tree professional and this is what you want to do with your career you definitely need to get this stuff done and get out there because that's really it's an interesting world that we live in and more and more of our Integrated Systems are all well basically in agreement and they're all connected so having cybersecurity professionals understand what to do is a lifeblood of the world because everything is interconnected so if you are if you are thinking about it on the fence you just need to do it and then what will do as you can watch you through reduce Iris will also have some areas for you at Sean guru.com for you to get a good study plan put together and how you want to get there because a lot of it it comes down to is having somebody that can kind of help you and keep you accountable for getting the studying done and just being ready to take the test so it's again it's pretty interesting how the world is changing and I would recommend especially being myself and being a chief security officer with a very large company I learned a lot everyday and having this knowledge of security has really been a instrumental part in in helping protect my company as well as his help me grow as a person but today strange as it may sound as a security professional I actually have the development team work for me and I also have some development developers that are in India working for me as well so the interesting part about all this is I've had to talk to them through the software development life cycle and Grill I would love to say that it is perfect no it's far from it but I've learned some valuable lessons doing this and what kind of role at into today's podcast and what you're going to see as a relates to what the test is going to ask you about but then also some real-life experience around how to handle the software aspects of this so weird raygun and its reagan.com sickly have the sdlc 7 phases and popular models benefits and more this is important for you to know you're going to be Quest on this on the cissp exam so it's important to understand what is sdlc and how does it work and does so as we get started here what is sdlc it's a software that comply complected steps okay so that's the can answer from ray gun and it is developing software because it takes a lot of time to do so it has a series of steps that you have to have delivered and you need to understand how to get to that point and becomes from a documentation standpoint of prototype other different methods that you may use but you have to use these steps to get from point A to point B and what I've learned in all the development team that works for me as we would come in and we would develop and we have it at just say about an enhancement are piece to a website that needs to be added well then yes the ideas then you have to break it down as you break it down you figure out what pieces and parts can be done in this. Of time now where to get waterfall and agile methods for getting work done and there's different schools of thought around that but you have to whatever you decide to pick for your methodology to get this product working from a meeting from an idea to the completion stage you just need to develop pit under a secure auspice how do I want to do this in a way up that's protect that the code but also protect the company that's putting that out there and so are the software's deliver to the customer and you but you need to consider the steps from sdlc which is your software development life cycle and I've also seen it as SSD what I would really kind of challenge a little bit around that is all software should be developed from a secure standpoint rather than just say it will aspersion is it sdlc in this version is secure you really need to focus on the fact that all code it's created should have a level security built into it and you're going to find out that many developers they're very good at what they do but security is not one thing that they are good at and so therefore you may have to secure professional teach them or what are some key Concepts to consider as they're developing their software now how does sdlc work the whole path behind it there from bug fixes uniface thanks let's just say you're going to have an enhancement on a website and you want to have this button instead being orange you want to be blue now perfect world you have you ever done website you go open there and I make a change well that's fine if you have like a WordPress website but if you're dealing with something as complex that maybe takes orders and provides invoices and all those aspects that are watch much more complex than just a chemical change the color blue and if you go to stronger or not, I use a site called kajabi well I can go in and I can change the color from a orange button to a blue button or vice versa it's real simple but if you do with these complex issues of a multi size site that maybe got multi-tenant involved you have to have a process by which okay we put this into a Sprint in the Sprint is it begins make we go we make the change to the color the color goes from Blue to Orange and then we test to make sure that the code is good and the fact that that then it once all that is complete that would be an item that would be in that Sprint has an agile Sprint that's a two-week Sprint typically it would be in there as one of many things that would be done now waterfall might be set up so that you may have a long. Of time I might be like whole group of things and and this one changing is one button is one task in that overall process but it's just how to iterate how it goes back to working at how do you want to handle that Sprint so you just have to decide which works best for you but it's basically it's runs in cycles and and it gets an ongoing basis and then we're dealing security you have to look at it from an ongoing standpoint Reagan there are seven phases of the sdlc the first one is planning the planning phase involves aspects of project and product management so against comes into resource allocation Capital capacity planning project scheduling cost estimation provisioning and so forth those are usually done by project managers and it's some of the development staff and that's the planet these right you figure out what you're going to do and it's so when they're planning his pieces out you also need to consider in and teach them about security and why is that working cuz you would also have some level of operations were security involved in the development of the software this must communicate with Itt conveying what their actual requirements are for the new development that needs to occur and then you have your subject matter experts that are in their learning and growing now in cases medications you may need to have an architect in there as well to help if it's going to be some large changes and the architect will also give a security spin on it at the may I hopefully they will that's the point and the output of this phase will be in a water waterfall or agile kind of methodology which we talked about a Jaws 2 weeks you start off with all your requirements you start off with what your stories are they going to use their stories and then what do they want them to look like they build that out then they do these things in at the end of it they have testing before they provide that to the customer typing is the next step or I should say once the completed then you roll into the design and prototype type and this is where are the requirements are understood software architects in developers can begin the software process developers will used design patterns basically to do to accomplish what they want to to do and there will be an output phase that will be completed with the end of the design it's a lot of times they call those wireframes up Bill. The sketch of what they wanted to be and then they'll pass that information on to the developer so what the better the requirements you can put out there the better that uses stores which basically definition of what they want to accomplish then that the developers will have a better opportunity to to create a really good product now this is where it moves into space for which is your software development and this is the part where the sophomores actually created by the developers and they utilize the Sprint that we had talked about either a single block effort which is waterfall or a Sprint which would be agile and again your cissp ability it just doesn't work well so there's a wide variety of issues and Ray Gun talks about this you got one is code quality to is unit testing which is your functional test integration testing performance testing a security testing those are the main big buckets that you'll fall under the testing piece security testing is kind of forgotten about people don't do it a lot it would be if you have an input field so you have a field that says I want to enter in a name well what'll happen is as you can set the characters of that name to a very large subset so let's say it instead of Shawn s h o n it which is really simple there's like four letters in my name you could say we were going to make the input field only 10 letters long so that we know Shawn or Billy Smith is that your first name get to first thing be put in the input field now the problem with that is you said it's really tight with 10 characters at all I can put it at input field well then what ends up happening it break so you got issues developers will decide you know what rather than put a limit on the input Field named characters we're just going to go and make it Like it Loud to the default what you many cases I've seen is brown 255 characters well sometimes bad guys that encode naked do I inject inject into that code and it would be a Saiga SQL injection if you have a SQL database in the back in they could do an injection that would actually cause issues with your sight until you therefore you need to put in the developers need to putting limits on saying no special characters are allowed in the username know it has a limited subset of only 20 characters for the first name of things are testing this out and they already have that set up as a standard has eight Standard Process will then it works really well that's the testing piece of this and you just really good side out there up pluralsight where it's at Roy hunt talks about how to basically hack yourself it's and that's a really good piece to understand how do you want how does that work and what were some of the things that you'd put in place to hack yourself as it relates to your website now the six phase 2B deployment the point phase is ideally a highly automated phase now you do with automated testing I highly recommend you do this we are actually I'm not that point yet we're in the process of building that out but an automated testing is a incredibly important piece where you don't have to have people mainly go to checking everything cuz guess what people are fallible don't make mistakes don't skip over things whereas the robot it doesn't do it now it doesn't work for everything it's not 100% foolproof but it will get a lot of the big rocks move that you need move also consider a continuous deployment model which is she was deployment those are really good things to consider a few have any sort of influence on your development team and I thought of this but the simple fact that matter is deployment is really important phase and it's just important that you Oughta make that as much as you possibly can without also be in the security testing as well that needs to be automated face seven operations and maintenance this is where we actually end and this is where the the product would be provided to the user another user that we user acceptance testing which is uat we should be in Phase 6 but when it's an operation maintenance that's where everything should work now if there's all kinds of the there's bug issues when this thing gets deployed they can go back and do regression and regress back to an old version so regression testing is another version that you another version of testing that you'll see in face 6 but bottom line is at Phase 7 this is where it comes out to the user and the user than is able to use it in their environment now if there are bugs that need to be addressed after it's been running then what would happen if those bug fixes will be put back into another Sprint in a future event depending upon out of critical they are that's how they would be decided into a future Prince AR7 phases and Ray Gun gets into those and they they do fit really well as in the cissp exam and you guys might be saying why is this in there but it's important from a software development as you guys see the hats that are occurring having good integration with your software developers is important so 7 phase of sdlc is planning requirements design and prototyping software development testing deployment and 7 is operations and maintenance gerber.com you can go check out my website at Sean Gerber as s h o n g e r b e r. Calm and you can check out the website there you set up my email list you'll get a plethora of information or and have a bunch of stuff around exam questions that are going to be there available to you is also going to be an aspect around the the different domains that I have available you'll be getting all the podcast that are there just by standing up and getting signed up with in my email distribution list II the last thing I should say is that I have domains one through eight the videos are all there and available for you just got to purchase those and you can have access to all the videos that I put together that will help you pass the cissp exam the first time and it's all available taken out of the official study guide and we are put that together plus I've got my years of experience you need to go to Sean gerber.com and you can check out that training as we roll into domain. Once we're going to talk about the various maturity models that are available and we're going to talk about that we've mentioned before in the first part of this podcast was the various models and what are these maturity models and how do they help you get to where you want to go now there's various ones that are out there and I say the various multiple times but there are there's multiple aspects of how you can Dude software development and we had talked about how waterfall was a key piece and also the agile model but there's waterfall spiral agile software capability maturity and ideal now I'm just going to briefly go over the the last ones I mean the software capability maturity and ideal a waterfall and agile Starfall is it was developed in the 19th and it was a series of iterative active piece of that needs to be completed you come up with an idea that needs to happen to build a user story around it is built into the overall overarching program that you go from Step a two-step Z right asset for our friends that are in Europe and what ends up happening is that you go through that process that's when you would fix that that but instead of being orange you'd make it blue the thing is though isn't when they're waterfall you cannot come back and make any changes to it until the entire process is over so depending upon how big that waterfall project is it could be some time before you come back and address that button from Orange to blue versus in the edge out method which will talk about it's usually about 2 or 3 weeks you can actually have that address now if there's critical situations you could do it sooner but bottom line you have to look at how fast do you want it right through your software their system is software requirements design detail design coding and debugging testing and then operations maintenance I saw those are the primary 6 that are there used for the waterfall aspects and again that we talked about those in those all happened as well within the agile method but the challenges that go Lil Bit faster than they do with waterfall now waterfalls provides feedback for defects if you see a defect while they're it's business let's just say it's a month-long arduous Journey there will be feedback and then you would build that into future waterfall event but there's that's the feedback occurs but you can't make changes during that. All you can do is just annotate the defects that are going on now and this was the first attempt to model the software development process in real estate it just doesn't allow you to have a very fast approach unless your waterfall projects are within two weeks to eat increments now the issues that come with this develops are yellow bell peppers are only able to step back one level so if you have an issue can go back if you're in the testing phase you can go back to the code and debug face but you can't go back the detail design design phase so those are limits on what you have and you'd have to come back and if there's a problem with the overall design as you're in the product testing phase you can make changes to the code to hopefully fit your needs but you can't go back to the detail design and make the changes there so that's a bit of a challenge with it so I discovered later down through that the actual waterfall there a limited mechanisms that you can put in place which is your X-ray Papa okay so those are the very ones that are set up with agile and and that's developed again the mid-1990s dealt with recently and its work really well I've been very big proponent of it it does allow you to have a couple two weeks prints it allows it to be done quickly so it's a really pretty cool aspect with a job I'm moving on the software capability maturity model this came from software engineering Institute at Carnegie Mellon the acronym is Sierra whiskey Charlie Mike Mike that sounds like a movie or movie what came directly from Carnegie Mellon now that this software directly is associate development they have various levels that are involved and I'm just I go over the levels because you can get into a lot of series Weeds holler Define specific levels level one which is your initial level to which is your repeatable level 3 is Define level fours managed level five is optimizing and they they follow up on the fact that the initial one is where people are trying to get something accomplished but there's little directions there this is how they went down this path the name of the repeatable aspects and they looked for Kotor aspects that are duplicatable and dust can be reused. There's a big deposit with this because you're getting into the world of low code and no code development a lot of those are in blocks it could be reused so if you can reuse the software that's a big benefit it doesn't you can't do that with the other models with agile waterfall you can it's just this was designed around a repeatable aspects and then it was basically using how much of this code do I have can I reuse and not have to redo over and over again Define you set for a formal document software development process which is process Focus definition training and so forth and then you're dealing with manage the management of the software process itself it's who's going to manage this the overall beginning to end software project management peace then level five is optimizing this is an improvement or change and how do you make annotations for change within the software itself so that's the India Delta Echo alpha lima and is very similar to the Carnegie Mellon Charlie Mike Mike which there five phases are initiating diagnosing establishing acting and learning so initiating is it's a business case for the change diagnosing is analyzing the current state provide recommendations establishing is develop a plan from diet the diagnosing stage the last one is Delta acting acting is the developing solution test adjust and Implement Casey bracelet bracketing it and then learning is your quality improvement in your learning from your mistakes so that they fall on the same process the process is aren't that far off from each other however each of them has a different phases and they have different way of doing business so it's important for you to understand when you're dealing with the cissp exam what are some of these maturity models and what is the purpose of them and I will tell you a typical ones that are used in the market today are waterfall and agile all right so we're going to roll into the cissp exam questions for domain 8 we're dealing with this is come from Target and has a bunch of quizzes that are available for you to go out check out you do that but let's roll into number one abstract episodes of interaction between a system and its environment okay so abstract episodes of interaction between a system and its environment hey is misuse cases B is web proxies is use cases D is negative testing all right so abstract episodes of interaction between a system no just got done talking about level are about Dwyane eighth and some of the aspects around that well that would be see Charlie use-cases use cases are abstract episodes in their things that occur that are happening between the system and its environment and therefore you utilize these use cases to help you make changes to your development environment question to a list of the most widespread and critical errors that can lead to Serious vulnerabilities in software SOA is information security continuous monitoring is c m b is cwe Sans top 25 most dangerous software errors that exist got one of sodas OS sees automated vulnerability scanners real user monitoring rum okay so the list of most widespread and critical errors that can lead to Serious vulnerabilities in software is CM sayings top 25 automated vulnerability scanners or real user monitoring and the answer is information security continuous monitoring is cm before we do one thing I want to mention about that is again but keep in mind he's exam questions are not II's when I was study for the exams I thought that way I can study for these exams Laurel master all these questions and I can pass a test that is not how she ices Pecos and you if y'all have profited studies questions and know that you can take a Brazilian of these exam questions and think I've got it down pat exam questions are going to help you pass the test other than the fact they're going to teach you how are some of the questions being asked and how do you do how do you deduce what the actual answer is you don't know the answer so you dis is the design of like through several podcast and all of the training is to get more of this information into your cranium so that way when you go to take the test it makes sense and you can answer my questions correctly it is not a virtually to help you with passing the test from a Year's exam question 3 this is on the test ;-) got to keep that in mind as your setting expectation the cissp question 3 this criteria are quite sufficient test cases for each program statement to be executed at least once however its achievement is insufficient to provide provide confidence in a software products Behavior okay so this criteria require sufficient test cases for each program statement to be executed at least once however it's a treatment is insufficient to provide confidence in a software product Behavior statement coverage be dataflow coverage condition coverage d-pad coverage a statement coverage basically talks about what is it being occurring while you were the criteria that specifically for this test cases consult considered a statement coverage to help you with prepping for this exam if you can do it multiple ways but yourself studying it this is what you need to do is look in different various areas we will get will give you the guidance on what you should do and where you should go to get that information so head over to Sean gerber.com get my free so like videos of got that from 1 through 4 you sign up for my email list and I will send you all kinds of great information as we get out there and get you going with the cissp exam all right to hope you all have a wonderful thanks so much for joining me today on my podcast I would greatly appreciate the feedback also check out my cissp videos that you can find out on YouTube just search for Shawn s h o n Gerber like the baby food toilet or whatever you choose and then you will find a plethora of content to help you pass the cissp exam the first time Leslie head over to Sean gerber.com and look at the Cornucopia all my email subscribers thanks again for listening
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!
