RCR 080: Secure Development Environment - CISSP Training and Study!

Description: 

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.   

In this episode, Shon will provide CISSP training for Domain 8 (Software Development Security) of the CISSP Exam.  His extensive training will cover all of the CISSP domains. 

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/  

CISSP Exam Questions 

Question:  122 

What type of reconnaissance attack provides attackers with useful information about the services running on a system? 

1. A) Session hijacking
2. B) Port scan
3. C) Dumpster diving
4. D) IP sweep 

Port scan 

Port scans reveal the ports associated with services running on a machine and available to the public.  

From https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328

------------------------------------ 

Question:  123 

What technology does the Java language use to minimize the threat posed by applets? 

1. A) Confidentiality
2. B) Encryption
3. C) Stealth
4. D) Sandbox 

Sandbox 

The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.  

From <https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328> 

------------------------------------ 

Question:  124 

What is the most effective defense against cross-site scripting attacks? 

1. A) Limiting account privileges
2. B) Input validation
3. C) User authentication
4. D) Encryption 

Input validation 

Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML  

From <https://www.brainscape.com/flashcards/software-development-security-976024/packs/1774328> 

------------------------------------ 

Want to find Shon elsewhere on the internet? 

LinkedIn – www.linkedin.com/in/shongerber 

Facebook - https://www.facebook.com/CyberRiskReduced/ 

LINKS:  

• ISC2 Training Study Guide 
  • https://www.isc2.org/Training/Self-Study-Resources 

TRANSCRIPT:

welcome is reduce the risk podcast episode 80 creating a secure development environment hey good morning everybody hope everybody's doing well this beautiful Monday morning and it's great here in Kansas as we look into the sprinker Springer Evansville spring it's going to be wonderful it's just now starting to Blossom here in the beautiful state of Kansas and so life is good starting to get out and about if we can just avoid the Corona virus yes that's that would be avoid however if you are on best at home having to be stuck there waiting for this thing to pass you now have an option for you you can watch my videos on YouTube and you can listen to my podcast as well so you can get all kinds of me if you are basically stuck at home so they hate what a better opportunity for you to be working on your cissp if you are stuck at home that would really unfortunate that would really be unfortunate that playing that right now trying to figure out what they're going to do in the United States with children and sending them home so my Works figuring out well do we send you home if that happens then you got to work from home and I'm like the first sounds really tempting an awesome but then you feel like okay I'm stuck at home with my children for two weeks father called Cloud wedge I like the wedge like the wedge the cloud wedg.com and they've got five key to securing a secure five keys for a secure development environment that's a big word but bottom line is some things you to consider when you're dealing with a development world and how should you best secure it as a security officer also has a software leader for our company ideas on a routine basis and so it's good for you if you're staying for the cissp to also be aware of how this works I am putting together for only only only play my podcast listeners a training course and this training courses Justice initial stages I've got a few modules done with it but I'm throwing out to my podcast listeners so that you go ahead and you can go to Sean gerber.com and you can click on there's a there's basically my training program there is a program and I'll have it in the show us the link but basically you just go specifically to more my training is on Shawn gerber.com and click on the podcast around the ciso training area and if you click on that you should get tax free access to it but against what's my podcast listeners I'm not saying it out through mail or anything else that I have just want you guys to come and get it directly for people that have been so loyal and listening to this podcast and it isn't working progress It's just getting started there's a there's some content out there here soon but they'll be some more as well this is a Content going to offer Spade in the future so now is the time to get a look at it and you'll get attitude that content as well so again go to Sean gerber.com and look for ciso training creating a secure development environment create this environment that basically have you going to deal with this on a routine basis I was just in a meeting like this week talking to it with a company that does this for a living up with Accenture basically and one of the concepts that they had was it you have to deal with when the security person I secure development lifecycle and how do you going to deal with a secure development environment and in as you do is of some from a security standpoint if you think that is only the developers are going to worry about that you're wrong you're going to have to deal with this on a routine basis now just one specific room of people okay that would have comes down to is that these individuals are going to be developing for you in your own company also around the globe it does not matter anymore where the developer sit so you're going to have to understand how to do secure development technology makes it easier than ever and it but it does pose some challenges so again this comes on the remote aspect of working with development teams my development team is in India I've been migrating from onshore to I say offshore but really to them it's so they're on Shore and so I've learned a lot during this time that you would collaboration and the tools we have it does make it much easier however you do as a security person need to be able to train these people on the best practices for secure development environment because guess what they don't know it they're not not the extremely intelligent just that was there not talked this in school and it's not an impetus to them as they are going to their training listen to some regulatory requirements financial industry you have to do this. I will say we do this from our own perspective of amide software development world with my business had on because it doesn't makes it much easier and trying to manage all of this within one environment a lot of bad things can happen right you end up your data is corrupted what takes out everything gets hacked it takes you have issues it is just you have multiple people involved in one environment you have a structured path that goes from Death to test production it's just really important to do it this way but they have a references gentleman other by Scott Ambler he's an Agile development person and he recommends there's basically five areas of development sandboxes they talk about the first one is development this is working environment for developers and their team this is where they do their their initial playing and you could save his guy eat a sandbox Russian testing and specifically focused on the first place where they will start doing their development work allows for work in seclusion for the rest of the team and you don't have other people putting their fingers into areas that are not necessarily needed at that time access to either IP address VPN or other type of communication tool unsegregated and you do want to have that restricted as well so it's important that you set up that development sandbox sandbox that they talk about as well each person should have its own immigration environment at AKA a build environment and this could be a local environment so you can have an ugly on your machine or you can have a cloud environment where you do your build but each person should have their own that way if you do something it doesn't mess up somebody else's environment a promotion of change code is published to that's when you promote the code and you've them Pub environment on the development World used publisher code and you would push it to the project integration area and the goals combined and validate work for the entire team that's the place you want to get to is that it's all or the entire team shows up production testing QA let us know where you'll do it and you're testing on this pre-production T testing and Yorkie way folks would start doing this now you may have dedicated QA individuals you may have just your developers doing QA for you but this is where they test the system to make sure that when you click on the link it does what it says it supposed to do it looks the way it's supposed to look within a mobile environment or laptop or what sort of aspect that this is where they would do the pre-production testing QA staging but it can be call pre-production test in then you get a push it to the production environment and this is where the code will be run once it is deployed now you also may have your user acceptance testing would happen potentially in your pre-production testing QA as well depend upon how your environment and set up some people that don't have the user acceptance testing until it gets pushed into production it just depends upon the company of how you have instruction the second thing is he talks about securing your employees in this goes without saying if your security person you get this even getting those for a long time but you want to secure the development computers and endpoints from malicious activity malicious malware and again how to do this and you're going to require them you're required to be putting in an AWS or Citrix environment for them to have a development World they can play in your sure there's some level security enabled on each of the endpoint and ensure the development devices dedicated specifically for their development purposes so get those aren't key things you want to make sure that when you're as a security person getting your development team up running you want to make sure you provide them a device that is well protected and then also set up a r o e The Rules of Engagement are where they should and should not use this you want to keep this is level 3.3 keep this code in a secure environment avoid public code repositories IE get lab that that's just up it's great if you're doing open source work but if you're doing something for the business do not put it in gitlab not unless you have your own internal version of gitlab there that can happen you could set up your own Development Laboratory org repository within your company and you could use get lab for that but do not allow it to share with the outside world you like private servers again AWS Azure are really good places to do that and that would be an important aspect to securing your coat and share the data is secured and you own it specifically again when you're choosing shared environments you better have that Define at delineate it very closely do you want it logically separate or do you need to physically separated summer some regulations will require you to have it physically separate I'm sure you have back of someplace cuz things get corrupted and things highly recommend you have a backup system in place and ready to go and you need to test your backups and make sure that they're not corrupted that would be every once in awhile you would do a restore from backup but you'd want to setup a server that is not your production server and then do that front on the side so you can have people walk through what would it take to restore from backup maybe that you have an audit trail of all the access that American standard website there's no requirement around it it's just good good practice to do audit all the time you want to make sure that you are consistently constantly auditing this your coat I to make sure there's no vulnerabilities that are being pushed into production now this comes down to you may have to set up while you probably will have to set up some way for them to be able to scan the code so that they know that they have a good solid quality code as well as the vulnerabilities are not in it you're going to have to a security person take care of them and set this information up for them test should cover 100% of the source code especially in the scripting language is most definitely the scripting languages those get used a lot for attackers so you will make sure that that does the vulnerabilities in those have been addressed various ways to access the coach remote locations sometimes people will get creative and they will add things that they can remote in from home so they can do their work from home because they liked it that there's one idea they want to fix make sure you control the keys of who gets in and who does not and how do they get in from a remote standpoint good hiring process for all your programmers and designers again background checks are important work with your HR team to do this you should be as a security person working very closely with your HR team and if you're obviously so and you're going to be with your security officer as a security officer or just ended as the Director of security for your company you're going to work very closely with HR finally blind security innovation I you need to use a risk-based approach the security so you can make this extremely painful on people and nothing will get done or you can be a little bit less stringent and get a lot of innovative ideas find that fine balance do not be the Draconian security person that just sits on implus developers to help you in this process I'm bored help them help them to try to develop a secure environment for you get them to get some education for them on how to do that you might be surprised maybe they'll gravitate towards the secure environment and do make you even way more secure than you could ever do yourself so I can build bring people with you being an influencer and then look at Securities at tool to help creating an open and free-flowing collaboration is important that you do that make sure that whatever you create it's available for everybody and that is people can can go back and forth to what they need to do to provide the best product for you and your company against these are the five steps this comes from again cloud wedg.com Pirates all right so let's roll on into my next set of training okay so now we're going to roll into my specific cissp training 8.2 apply security controls in development environments so this follows in line with what we talked about earlier with developments and secure development environment where time on a few little controls we kind of mentioned there's a little bit up there earlier but it's kind of reaffirm what you need to do is from the to understand this for the cissp exam so again as we talked about that. That product was that they mentioned in the article all of these things are what you're going to need to learn and know for the cissp exam so last late again podcast listener go to Sean gerber.com and go to my training and you can put in they'll be at if it'll be free for you you just got to go ahead and sign up give me your email address so I got to have that I'll dress and then from there you can have access to my Cisco training again this is going to be $150 training that I'm going to provide once it's complete but for my podcast listeners I'm giving it to you for free for the time being against wall light once it's created a shutter down so I highly recommend you go to the site and start your name in there so that any changes you will see them directly security of software environments that the key thing around this if you want to avoid preventing your developers from doing their work as we mentioned earlier you want to create an environment for them to be able to complete their work and it's applied technical you need to apply technical control where appropriate to allow them to do that work. You need to understand what can happen if this environment is compromised so if you get can you get your deposit for the signature code repository and in this code repository you have all of the development code for your organization a lot of things can happen in this one you can have the less you say you have keys in there that a lot MPC this that they'll beat the keys your secret keys that are set up for your amp your Cloud environment Amazon or your environment are actually put and get love get your what can happen I need to be able articulate this two leaders within your business Kitty considerations you need to separate the bill functions again you need to make sure that they emailed document management all of that stuff is separated from your business environment and the reason is because if your email is the same and they target your email what could they business environment as well so those are considerations to think about you like to active directory groups or virtual machines so you should have a director ad group that is fed up specifically for your developers to get access to this environment or use specific virtual machines where only they have user access to this environment another option is considered development environment has been compromised need to separate your admin and user accounts queso you want to make sure that you're not using your user account or not your admin account and vice-versa you want to make sure that they are separate accounts Union corporate multi-factor authentication into this environment Christian review I also as well when you're doing your code it's just important to make sure that you everybody is connected with what potentially could happen in the event that this these those accounts are compromised individuals what you need to verify it I still throw login monitoring this important thing people need to understand it's not about them what is to protect your business and then to protect people while you protect your business by protecting your people however you don't know some of these people may have a grudge may have an axe to grind they may not be happy until you still have to protect your business from The Insider threat it's important that you trust individuals but you would log and monitor their activities one to protect them but two to protect your company from them or their account I mean now that could be just there, as well Corporation login is really a big big factor reactions reduce the attack surface again if you are dealing with the development environment you want to make sure that you reduce that Tax Service you don't want it over time these develop environments will grow new pages are added new features are added you want to avoid that and if you do at least head up a time once a year that you go back in and clean that all up Texas credentials and secret keys I talked about that as it relates to the Amazon environment and your gitlab environment or GitHub you want to make sure that you are set up with the goes keys are in a protected environment and they're not stored in your get lab environment assess the impact of a compromise applied controls you want to make sure that you would do that you walk through what would happen in the event that there is a cop my company keep production development environment separate and then sure login monitoring Town talked about that already configuration management as an aspect of secure coding that you want to also impact analysis of the change some common tasks around this are you want to request the change what you would be done in your Sprint cycle I review the change which room they require a formal approval do you request it right in this is the change that occurs within your Sprint cycle gets put the backlog the change will occur you want to review the change to make sure that there may be more formal approval depending upon your company and then you approve or reject or the change and this may need a formal process examples that you have changed it has to occur you may need somebody to actually approve it some leader within your organization may have to approve the change that it goes into your development environment and maybe the business has to approve it just it kind of depends now if the business is the one that's providing them what they want to have happen that may get that approval of tacitly they say that just by giving this is how we want to change schedule a time to make a change and then document the change as well something else to consider around versioning you want to consider that there is a Version Control in place now your software configuration management when you're dealing with versioning you want to go like 1.01. 11.1.1 1.2.13 all that you want to follow that level of burgeoning now yours may be different you may do something you may be ABCD I don't know but bottom line is you want it and teach them to have some sort of labeling and numbering in their Version Control that's that's kind of basic stuff I get but the fact is that you be surprised sometimes developers especially if they're taught by themselves or self-taught developer say Jane Goodall some formal development training may not get that the YouTube channel they watched may not provide that for them so it's important that you help getting that guidance ineffective versions causing outages or issues you to make sure those are correct as well and then documentation around versioning is definitely an art and a skill that is I've got some guys that are very good at documentation when it comes to the door code I have others that are not so good that's awesome and you really need to make sure that you have someone that's good at it give me the code repository these acts as a central location for developers GitHub bitbucket sourceforge all those are Central locations for your developers are you need to enable protections and security on these repositories single sign-on multi-factor X and then avoid the use of API keys and code repositories you have seen that avoid the API keys at all cost in the code Repository sensitive data within the repository control access add or remove these processes that's important for you to do in these repositories again don't allow sensitive data to be in them at security. MD file and this is empty file will have your disclosure policy your update policy security configurations and then no gaps impossible enhancement have that out there for people to look at this would be your md as in Mike Delta and then rotate your SSH keys and purple tokens always consider the security of the development environment I know it's a lot around development and you need to be concerned about that especially if these people working for you or you maybe are that person again has domain 8 p.m. go to Sean gerber.com go to my sister training for only for podcast users you're going to be able to get that training and it would be up and operational by this weekend and go to it if you should have it when this podcast downloads and be ready to go all right have a wonderful wonderful week and we will catch you on the flip side see you thanks so much for my podcast does that I have available for you there is a cissp mini course free cissp exam questions podcast and so much more it's all available to my email subscriber so sign up if you want my personalized cissp training purchase my training courses and I'll be there to help you with your cissp need so you can pass the test the first time thanks so much for listening will catch you on the flip side