RCR 047: Applying Security Controls (CISSP Domain 8)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 8 - Software Development Security of the CISSP Exam:

CISSP / Cybersecurity Integration – Software Development Life Cycle

CISSP Training –  Integrate Security in the Software Development Life Cycle (Domain 8)

CISSP Exam Question – Development Security / SDLC

BTW - Get access to all my CISSP Training Courses here at:  http://www.shongerber.com/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• • https://www.isc2.org/Training/Self-Study-Resources
• Infosec Industry
• • https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/software-development-security/#gref
• OWASP
• • https://www.owasp.org/index.php/Top_10-2017_What%27s_Next_for_Developers
  • file:///C:/Users/gerbersa/Downloads/SAMM_Core_V1-1-Final-1page.pdf
• SYNK.IO
• • https://snyk.io/blog/ten-git-hub-security-best-practices
• National Cyber Security Centre
• • https://www.ncsc.gov.uk/guidance/secure-your-development-environment

TRANSCRIPTS:

what color do cyber risk podcast 2019 episode 47 min8 software development welcome to the reduce cyber risk podcast where we provide you the training tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcasts each week is I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam Hale Sean Gerber again with reduce cyber risk and Sean gerber.com how are you all doing this beautiful beautiful morning hope things are going well in your part of the globe in this big shiny Blue Marble things are going awesome in Wichita Kansas yes the small little town of Wichita Kansas it's going well I cannot complain at all it's a beautiful summer day schools getting ready to get started and my kids are getting ready to go back to school which is an awesome thing very very cool it's one of those situations in your life when you have children out their kids are great most days the other days most parents will just he would be super happy with bleeds super happy because of the fact that the kids are no longer at home and they're now focus on school so yeah it is a good thing well today we're going to be talking about software development and how old is the security around that and you'll see many things that occurred I recently just a recent breach that hit with the Capital One here United States is probably therefore would end up happening is is Insider threat issues the Insider more about the software development but in the case Shawn gerber.com My ultimate plan is to be able to give you that cissp training you need to pass the cissp the first time again we want to go into that you want to pass this I know this test is a bugger been there done that we're going to have some next upcoming episodes are in chocolate more about the exam but bottom line is is this test is a bugger and I failed the first time I studied my butt off for that test pass the test cuz at the time they're there were boot camps but I didn't have the funds to be able to go pay for a boot camp and so I've studied it and it was actually good that I studied just because the fact that it helped me get a good knowledge of what I deal with on a daily basis but the cool part about knowing the cissp in passing the exam the first time is the fact that you will utilize our skill on a daily basis as a siso for a large multinational so those are things that consider is that the good thing is just just by taking the test is the first step in the examiner is the first step in the whole road to make becoming a security professional and so therefore it's it's imperative that you get these foundations and you know these fundamentals test questions is very important to understand what are they going to ask for and how they're going to ask understand the questions and how they answer how they question you or how they provide the information for you so that the answers you provide are the right ones again Kansas dentists REI grass but the cool part about studying for the cissp is the fact that you get to learn a lot of good stuff today we're going to learn about software development and the security that goes into that so the integration this is the area that I grabbed some information from the internet like an article or so forth and this one is software development life cycle and we'll get into that and that's it it's an interesting piece that you should understand your software development life cycle from beginning to end so from the beginning when he was conceived in your beautiful mind do when it dies and is rotting in the ground apps apps that were in our environment that are from the 1970s so they never die they just get a little aged State security in the software development life cycle hibernator great then donate and then the cissp exam questions are obviously around development security and sdlc into it yes this is cissp cybersecurity integration versus the Institute reference and I that's the who R&B call up today from their website they're we talk we talk about 8.1 software development life cycle this is if you are bad the cissp that is c squared subchapters around the icy this is 8.1 that's called out in document this is software development life cycle because I talked about in the intro applications are becoming more and more complex and in the therefore we're seeing these eggs that are tied together now in the past you would have you had just an app that looks just I said the past so distant past where it was your just your app store was set up with iTunes or with Google Play and you had that was your app or you had you'd build some sort of backed location that had a offering a Serta saw software-as-a-service where you log into a web portal and you would have access to it that way now what ends up happening is Aziz applications of becoming more complex because you have Edge Computing that's dealing with Amazon AWS you have your apps that you put on your phone and your phone extremely powerful so therefore that is able to LG continues to grow and get faster and faster these applications are growing in size and complexity as well and so security needs to be a key factor in when you're successful implementation of your application now whether this is an intentional or unintentional it really doesn't matter the fact of it is you got to do it and you really need to look at how you keep software embedded within your environment now software and Hardware control are extremely important and so if you're going to put any sort out there at all you need to have these controls in place some development control system development controls that are needed for the cissp exam with some key things you need to keep in mind now system development steps need for creating modify more maximizing Information Systems you need to have steps in place that are going to be used to help when you're dealing with creating modifier maximizing your information system that's a cute tournament you're going to run into on the cissp and you're pretty. Up formal activities is my saliva development team they work for me they work out of India and they do a great job and they do an awesome job and they have ability to do development and they're in the process of building out an entire Suite of things that they need to do from then their initial development products to CI CD. Beta testing so on so forth all that needs to be put in place when you're dealing with I need to create development standards around this coding and we run into this with third-parties so if I'm a third party that helps me and they provide some sort of coating then what is the standard by which the developing their coat so that's an important piece of this is that what are the aspects of development standard how can they do this now it could be as simple as a checklist they could be my naming convention is this we have we do have a fuzz testing on the application when it's done we have your all these little step we built into their process and they just go through it step-by-step now I have noticed the challenges that go into this because developers are they get paid their incentivize to develop quickly and to develop with good code but develop quickly and so therefore sometimes we don't take the time to do the initial steps run through scanning engine to make sure that it doesn't let it work so those what those are conditions that you need to help and talk to your people about and ensure that they're connected with it core model not owasp is it organization on that provides development for a web applications and it's basically web applications in the end what are the aspects around securing those web applications so you can go to a wasp and check it out online and they have a whole laundry list of things you can use specifically for ensuring that your product is properly secured your application I'm going to have all cats from scanners to best practices and he's a really good place if you are a application developer and you're looking to incorporate security within your environment they have a software Assurance model that's the sand software Assurance maturity model and it's basically an open frame working checklist little checklist a little bit too tight but it's more of a guide to formulate a strategy around applications and it felt evaluation organizations existing security practices while puts in well-defined iterations for their software demonstrates concrete improvements and measures of security-related activity so I did the bottom line is it breaks it down for you to be able to put security into your right now your current process so it's just a good framework in a good checklist to go by highly recommend checking if they have a great product out there and you will be but they're 20 best practices that they have will be will be called out specifically with cissp those practice best practice practice as you may see that another top-10 project practice controls of this is of 2016 first one is verified security early and often obviously right you but you need to stay on top of it I would rather than having something go into production and then have to do scans for it a privatized queries and Co data validate all inputs form fields and you validate that yet this I want a bit of birth to go in here and I don't want Java code to be put into your I want just date of birth that needs to be an input validation steps I need to be considered an identity authentication controls huge Implement appropriate access controls protect the data again now if you're dealing with applications that are just basic walkie data that may not be such an important step however you're dealing with any sort of personal data or data for your company that's considered confidential and if you're building an app that is for somebody else you need to consider that it would that data be possibly considered confidential then you need to look at protecting the data logging an intrusion detection this is one we had last week from talking about logging exception handling those top 10 if you did those that would do is dramatically reduce the risk to your sights and what would end up happening is as you would put you in a much better position as a relates to your site being affected by hackers or of the like born to win it dies or it guess what it may not die unless you kill it special for dealing software-as-a-service you can kill these things but if you go out individual programs that are going out that kind of stuff stays around forever so just consider that whatever you make what is the way you're going to be able to update it and do you want to deal with that headache for a long. Of time no one else about the CIA C models that are covered in the cissp now the most common are there various, that are Oprah various models that are open I'm going to go over some of these right now but the main one that I deal with it is a scrum and you'll see that model here in a little bit what's the agile scrum is a method of doing it it's actually like a scrum is like with the rugby but no it's actually agile method and we'll get it at just here in a second what's the most common model and it's typically been used by many in the past and this basically base comes down to is you finished one phase and then you go on to the next but there's not much room for making changes to the waterfall model you have to wait until the whole process is done before you can go make go back and make changes so if you noticed that there's changes while you're in the middle of the of the Sprint with the waterfall model there's very little leeway to go back and make changes to it have to Brown left the whole thing is done the v-shaped model was just vericut verification and validation model and it's very similar to the waterfall but each phase has a testing phase so the good piece of that as you don't wait till the end to find that you have issues you each phase will give you some sort of testing and then you can make you put that the backlog and then make iterations to that but it is still owed overall project if you have like five Sprint for this one project you may get all the way through the project and then realize okay now I got to go back and fix those changes Improvement and bases that comes back and it repeats recent and then improves it and it takes care of those things that set of requirements that are tested and implemented and you basically are your iterating you're going back and forth back and forth in the Newbery versions are based on new dinner of versions of the software so if you're off software gets updated duration is a record that they come back and make changes and it just keeps going in that process it's a very but get you a very viable product early so if you're dealing with the VIP which is your viable product going to get you there in a minute very quick it may take a lot of resources to do that because there's a lot of things that are going on especially to him to iterate over and over again and again these models are designed not to be one is the only one you do these they're designed to depending upon your situation which model would you use the water bottle parts model v-shaped model or the heater of model now we have the spiral model medicine works in an inner of model basically starts by continually repeating it over and over and over again but it kind of goes out allows for improvements on each route so it just you repeat phases the four phases over and over and over until you just keep going in a circle the Big Bang model typically good for small projects little work being done on planning and most Sirota sources are for development and with that comes in twos you bang you're done you just hit it hard everybody jumps in all hands on deck and that's the Big Bang model but if you're doing what's a small project that is very tiny and nature and that you can do quickly that would be a really good model to use the app reaching out to the product owners getting fee from them on how the process is going you have a backlog Hot Springs Museum 2 weeks cycles and what ends up happening is you you'll go through the backlog you prioritize what you're going to do you do that product and then at the end of it you the next Sprint anything that is considered a bug that doesn't critical gets thrown it back in the backlog in the necklace reparto prioritize in the next Sprint it's basically your you tested at each iteration until there is testing is put into testing your production or staging and production and so that process is done through the agile model depends on which one works best for you and your organization pass your test after completion strategy for security and if they would typically do is at the end of everything if and I say that even if the case is many times they won't even test but doesn't leave you vulnerable especially if you're waiting to the end of things have been in production incorporating secure the beginning does help her create more secure applications and it reduces your overall risk it from someone getting in taxes to you and especially during the time when you maybe if you find a mistake but you know what you fixed eight of the ten but you found two of them that are vulnerable well that's good that's I mean at least it's only two verses if you don't add security from the beginning you not have 10 plus and then that causes a lot of issues in corporate code review and Pen testing and your architecture analysis and there's different sdlc models available sdl and then missed also talks about it with 800 - 64 which is the Nash National National Institute of Technology and this 864 does provide security considerations into system development life cycle now there's also another model is called class which is a comprehensive lightweight application security process clasp and this says a set of processes map to job role and allows for early security stages again different sdlc models that you have to look at and want to come to the cissp they're going to focus on what are some models that are available and I say when I said it's going to it's at one of the questions you could run into doesn't mean it this specific question is on the test Airsoft development lifecycle one question you could potentially see it when considering sdlc models that are available to you which one of the following is a model the Model T by Ford T-Model Vega from the car the model XYZ or the Microsoft security development life cycle model or which government organization helps you with this the nist 800 - 64 okay that's all I have for the cissp integration and now we're going to roll into the cissp training 8.1 understanding integrate Security in software development life cycle that's the plan we're talk about this next objective we want to go over what you can get at Sean gerber.com and one of the things to consider as you're looking at your cissp you need to kill check out Sean gerber.com those sites just being built up its it's in the process of being created actually there but to all the little buttons and wedges are still being created as well but you need to go check it out on a lot of free stuff so that stronger. Com as part of the site reduce ever is podcast and there's going to be your cissp training going to be available to you all of the videos that I've traded over the time around cissp are going to be there the cissp training manual that's videos that are focused on the is c squared exam that are there that's about a hundred and twenty-nine different videos that you can watch it'll take you through zero all the way to hero and the cool part about it is at the end of the day when it's all said and done it will set you up substantially for to pass the cissp exam you have the knowledge you get from those videos what you've done on your own Hugo self study for the task you are going to have a subset substantial chance of passing the test I mean that you passed the first time that's the ultimate goal is that we want to help you pass it the first time let's roll right into the training security again for software environment now this is to all this information I'm providing you is considered out of the IC Square training manuals that have been provided so what you saw with the original cissp integration is from infosec Institute this is actually out of my knowledge and working with the house of the ISS is c squared official training manual for 2018 now you're talking with two key aspects avoid developers developers in a work environment from creating an environment that is bad for software you also need to have the ability to tap applied technical controls where appropriate in your software environment and it's also important to understand that what could happen if your software development area is compromised what would somebody get if they got into your code repository what if they got into your coat and development environment so what are some key aspects keep them on their special for developing apps for your company what kind of credentials development security considerations you need to have a separate Business Development functions it would come in the place we have email / document Management in Africa should be separate from development they need they need to be in separate environments not until you need to be in separate completely separate violence but they needed not be work your your daily work stuff and your development stuff should be separate utilize active directory groups and or virtual machines as you're looking at creating your security environment so those are important things again it separates from the business environment of business Network consider development environment has been compromised so if you look at it from the standpoint of a business are say most developed more most networks you need to consider as your building out security as you're looking at what's available to you that the fact that your development environment might be compromised and that means you to separate your admin and user account they could not have the same ability to work on the same things and you didn't corporate multi-factor that deals with your the pain you have a like multi-person review a good thing is to have someone within your organization review your code before I get shipped to production that allows to look for any sort of bugs that may be there or something else that may have affected it I also look at trust but verify you trust your individuals but not necessarily their accounts and that's another thing to consider is that as you are dealing with these accounts are people your people are working for you you need to trust him but their individual Network accounts could be compromised and they won't even know it so it's important that you do trust your people but not their their individual accounts you need to incorporate what you talked about last week and the importance of doing that and by doing that is that if you have something in production don't have a lot of spurious pages that are sitting out there available for people to go and attack keep it clean keep it crisp and you need to protect your assets that your credentials to get into your property is imperative that you do that secret keys are important as well and then you also need to understand from an incident response standpoint what is the impact of a compromise and ensure that those controls are in place to limit / managed to compromise if it does occur he production development environment separate and then Ensure again login monitoring isn't is enabled and being monitored problem is is turning on logging and monitoring is great if you don't do nothing with it that's how much so it's imperative that you do things like that patient management as an aspect of secure coding you need to impact analysis and you need to request change the needs to be done through the Sprint cycle doesn't mean you go in and just make changes you should have a Sprint cycle set up what are using one of those different waterfall methods and you need to go ahead and put that change in you also need to have a formal approval process to make that change and put that in the place highly recommended that you people are involved in conversations on the phone and if you have an automated change request process I need to be some way to verify that so that somebody got in a hacker be a bad thing also approve and reject changes you need to have a foolproof process on how to deal with that and then ways to test the change that is in your environment basically a non production location that you can do through like you have a setup AWS or someplace like that that has a pipeline actually go through run automated testing you have that place to check you for change schedule a time to change the production again come back to when would you do this have a plant organ at orchestrated event and then document the change make invitations in the document control now you're the only thing you need to have some level of nomenclature around this you need to have a naming convention this could come down at some level of late labeling you got your one. Oh your 1.11.2 so on so forth and you need to have documentation on your versioning and why you did it the software configuration management is imperative as it deals with Version Control and it's the one thing I've learned is that documentation around versioning is definitely a fan art and and how people do it and then the comment and it goes along with the version and labeling little cause issues as if you have ineffective Version Control it will cause outages and issues and because people don't understand why you're going from 1.12 1.11.1 1.11 to the point of that is his versioning is important that you needed Heather Define in a written format somewhere psycho depository Caesar important very important take care of your code repositories because the fact that keep everything there they actresses developers GitHub your bitbucket your source for all of those act as a code repository and so you need to understand the security around that because I get up a hacker gets into those once I get there and get all of your code take you out of business your competitor could get it and now you're done you also need to look at a single sign-on or multi-factor piece to this as well avoid the use of API keys in the depository it will connect to something else I need your API key may have is acting as a credential will if you had these API keys that are sitting here code repository somebody could utilize the API connected to your environment and you wouldn't even know it unless you have proper logging monitoring and able and so either high if you have API keys in your codes you might not have logging and monitoring enable and then there for another in your environment just like in their able to pass data in out without anybody really even seen it I need to have security best practices to avoid remove any sensitive data with the repository and control access by adding removing the awning removing process which would have your disclosure policy security update configurations and gaps and possible handsomest again that's a a message while it's available to talk about security and what could be what needs to be changed what has been changed welcome people disclose it and so forth your SSH keys and your personal tokens again those are good best practices don't keep them the same it's important to move that stuff around however we do know this people are human and people will if they default to the fact of it's hard to do it they will not do it so it's something to consider is that made software development companies are many people will not rotate the keys I just bought and and so therefore you need to look at how do you improve Implement that into your apartment always consider security when you are developing anything that's all I have for the cissp around I see Square training manual 2018 Let's Roll into the cissp exam okay this is not use any of the passwords now considering a development security there are some key considerations you need to be aware of as a considering twice considering and considerations those considering you consider a separate business and development functions Twitter development environment compromised see trust but verify D All the Above now the about so when considering developed security there are some key considerations you need to be aware of separate Business Development functions consider the development environment of compromised trust but verify or all the above or none of the above answer is All the Above against upper business environment you consider your environment compromise you trust but verify you treat you trust your people but it's same time as if you don't trust her credentials those are key things as a relates to username and password in the software development life cycle some preventive access controls what are the various sdlc development models covered in the cissp exam waterfall V shape iterative agile spiral and Big Bang that was a is waterfall at shaped agile spiral in Big Bang he has a lot of letters there agile spiral in Big Bang ones are involved they're going to cover by the cissp exam lanao Del number is of the letter is a waterfall be shaped iterative agile spiral and the Big Kahuna Bang those are important things you need to know the model Sunday and what are some of the pros and the cons around each of those development models all right that's all I have for today on reduced cyber risk podcast with Sean Gerber River. Comet and an 800 n yes I know Sean there you will have availability free videos of people coming up as a relationship remain so I'll part of my cissp exam there where is a list for you to be able to click on and sign up for my email videos for your study program and they are free so they're awesome horse videos that's going to be coming out here soon check it out you will love it. Here is the link that I have for as far as for today and it will be included in the show notes as we get this posted online all right I hope you all had a wonderful day and I will catch you on the flip side