Rating: 5 out of 5 stars
5/5
Ebook119 pages2 hours
Software Development Security: CISSP, #8
Rating: 0 out of 5 stars
()
About this ebook
Security Operations is the 8th domain of the CISSP's common body of knowledge. This course will cover the following' application security, systems development life cycle (SDLC), secuirty impact of acquired software, software threats, programming language concepts and concerns, secure coding and security control concepts.
Author
Selwyn Classen
A seasoned and highly qualified IT/IS professional with over 20 years working experience within the Petrochemical industry (i.e. Supply chain management, Knowledge management, Product and Quality management, Business analysis and processing) including the Telecommunications industry.
Read more from Selwyn Classen
Risk Management and Information Systems Control Incident Management Rating: 0 out of 5 stars0 ratings
Related to Software Development Security
Titles in the series (8)
Security and Risk Management: CISSP, #1 Rating: 4 out of 5 stars4/5Asset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsSecurity Engineering: CISSP, #3 Rating: 0 out of 5 stars0 ratingsCommunication and Network Security: CISSP, #4 Rating: 0 out of 5 stars0 ratingsSecurity Assessment and Testing: CISSP, #6 Rating: 2 out of 5 stars2/5Identity and Access Management: CISSP, #5 Rating: 0 out of 5 stars0 ratingsSecurity Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsSoftware Development Security: CISSP, #8 Rating: 0 out of 5 stars0 ratings
Related ebooks
Security Engineering: CISSP, #3 Rating: 0 out of 5 stars0 ratingsSecurity Operations: CISSP, #7 Rating: 0 out of 5 stars0 ratingsCISSP Exam Study Guide: NIST Framework, Digital Forensics & Cybersecurity Governance Rating: 5 out of 5 stars5/5Application Security in the ISO27001 Environment Rating: 0 out of 5 stars0 ratingsSecurity and Risk Management: CISSP, #1 Rating: 4 out of 5 stars4/5Modern Cybersecurity Practices: Exploring And Implementing Agile Cybersecurity Frameworks and Strategies for Your Organization Rating: 0 out of 5 stars0 ratingsSecurity Operations Center - SIEM Use Cases and Cyber Threat Intelligence Rating: 0 out of 5 stars0 ratingsCyber Resilience: Defence-in-depth principles Rating: 0 out of 5 stars0 ratingsAZURE AZ 500 STUDY GUIDE-1: Microsoft Certified Associate Azure Security Engineer: Exam-AZ 500 Rating: 0 out of 5 stars0 ratingsBuilding Effective Cybersecurity Programs: A Security Manager’s Handbook Rating: 4 out of 5 stars4/5Web Application Security is a Stack: How to CYA (Cover Your Apps) Completely Rating: 0 out of 5 stars0 ratingsAssessing Information Security: Strategies, Tactics, Logic and Framework Rating: 5 out of 5 stars5/5Cybersecurity Design Principles: Building Secure Resilient Architecture Rating: 0 out of 5 stars0 ratingsCybersecurity Architect's Handbook: An end-to-end guide to implementing and maintaining robust security architecture Rating: 0 out of 5 stars0 ratingsCloud Security and Governance: Who's on your cloud? Rating: 1 out of 5 stars1/5Building a Life and Career in Security Rating: 5 out of 5 stars5/5Security Operations Center - Analyst Guide: SIEM Technology, Use Cases and Practices Rating: 4 out of 5 stars4/5Certified Cybersecurity Compliance Professional Rating: 5 out of 5 stars5/5Cybersecurity Jobs & Career Paths: Find Cybersecurity Jobs, #2 Rating: 0 out of 5 stars0 ratingsThe Official (ISC)2 CCSP CBK Reference Rating: 0 out of 5 stars0 ratingsSecurity Assessment and Testing: CISSP, #6 Rating: 2 out of 5 stars2/5Identity and Access Management: CISSP, #5 Rating: 0 out of 5 stars0 ratingsAsset Security: CISSP, #2 Rating: 0 out of 5 stars0 ratingsCommunication and Network Security: CISSP, #4 Rating: 0 out of 5 stars0 ratingsCyber Security A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsInformation Security Risk Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratings
Software Development & Engineering For You
Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Learn to Code. Get a Job. The Ultimate Guide to Learning and Getting Hired as a Developer. Rating: 5 out of 5 stars5/5Agile Practice Guide Rating: 4 out of 5 stars4/5Agile Project Management: Scrum for Beginners Rating: 4 out of 5 stars4/5Ry's Git Tutorial Rating: 0 out of 5 stars0 ratingsPYTHON: Practical Python Programming For Beginners & Experts With Hands-on Project Rating: 5 out of 5 stars5/5Python For Dummies Rating: 4 out of 5 stars4/5Good Code, Bad Code: Think like a software engineer Rating: 5 out of 5 stars5/5Beginning Programming For Dummies Rating: 4 out of 5 stars4/5Coding with AI For Dummies Rating: 0 out of 5 stars0 ratingsLevel Up! The Guide to Great Video Game Design Rating: 4 out of 5 stars4/5Lean Management for Beginners: Fundamentals of Lean Management for Small and Medium-Sized Enterprises - With many Practical Examples Rating: 0 out of 5 stars0 ratingsWordpress 2023 A Beginners Guide : Design Your Own Website With WordPress 2023 Rating: 0 out of 5 stars0 ratingsHow to Write Effective Emails at Work Rating: 4 out of 5 stars4/5Kanban: A Quick and Easy Guide to Kickstart Your Project Rating: 4 out of 5 stars4/5UX Simplified: Models & Methodologies Rating: 3 out of 5 stars3/5RESTful API Design - Best Practices in API Design with REST: API-University Series, #3 Rating: 5 out of 5 stars5/5Making Money By Selling 3D Models Online Rating: 5 out of 5 stars5/5Git Essentials Rating: 4 out of 5 stars4/5Adobe Illustrator CC For Dummies Rating: 5 out of 5 stars5/5Fundamentals of Software Engineering: Designed to provide an insight into the software engineering concepts Rating: 0 out of 5 stars0 ratingsGrokking Simplicity: Taming complex software with functional thinking Rating: 4 out of 5 stars4/5Hand Lettering on the iPad with Procreate: Ideas and Lessons for Modern and Vintage Lettering Rating: 4 out of 5 stars4/5Tiny Python Projects: Learn coding and testing with puzzles and games Rating: 4 out of 5 stars4/5Art of Clean Code: How to Write Codes for Human Rating: 3 out of 5 stars3/5Programming Problems: A Primer for The Technical Interview Rating: 4 out of 5 stars4/5Learn Software Testing in 24 Hours Rating: 0 out of 5 stars0 ratings
Related podcast episodes
cybersecurity maturity model certification (CMMC) (noun) [Word Notes] 0% found this document usefulStudy Guide for SC-200: Microsoft Security Opertions Analyst 100% found this document usefulHow I Passed The CIPP/E Exam In 7 Days (And You Can Too!) 0% found this document usefulIs enhanced hardware security the answer to ransomware? [CyberWire-X] 100% found this document usefulCybersecurity and Hacking with Kevin Mitnick 0% found this document usefulSecurity Trends in 2023 and Beyond 0% found this document usefulCybersecurity Trends and Practices 0% found this document usefulEpisode 116 Rae Baker, OSINT Analyst 0% found this document usefulBonus: Afternoon Cyber Tea: IoT-Based Infrastructures 0% found this document usefulStorytelling and Cybersecurity Awareness 0% found this document usefulCyberWire Pro Interview Selects: Jaclyn Miller from NTT, Ltd. 0% found this document useful
Related articles
Web App Security Linux FormatArticle
Web App Security
Jun 29, 2021
8 min readEverything You May Have Wanted to Know About Ethical/Whitehat Hackers TechfastlyArticle
Everything You May Have Wanted to Know About Ethical/Whitehat Hackers
Oct 21, 2020
5 min readCybersecurity Firm Fireeye Says Was Hacked By Nation State TechLife NewsArticle
Cybersecurity Firm Fireeye Says Was Hacked By Nation State
Dec 12, 2020
3 min readVulnerability Assessments PC Pro MagazineArticle
Vulnerability Assessments
Jan 7, 2021
3 min readTop Eight Cybersecurity Predictions For 2022-23 NZBusiness and ManagementArticle
Top Eight Cybersecurity Predictions For 2022-23
Jul 20, 2022
3 min readCybersecurity: It Might Be The Small Stuff That Gets You NZBusiness and ManagementArticle
Cybersecurity: It Might Be The Small Stuff That Gets You
Jan 16, 2020
2 min readCreating a Cybersecurity Checklist Residential Tech TodayArticle
Creating a Cybersecurity Checklist
Aug 25, 2021
Cybersecurity technology has experienced a tremendous surge in consumer interest in 2021 that has shown no signs of slowing down. The trend is largely because developers are introducing numerous innovations in this realm, at a pace that meets market
4 min readThe Weakest Link Facility ManagementArticle
The Weakest Link
Jun 24, 2018
7 min readArtificial Intelligence: The Next Step for Cybersecurity Cannabis & Tech TodayArticle
Artificial Intelligence: The Next Step for Cybersecurity
Apr 1, 2019
3 min read“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster” PC Pro MagazineArticle
“DORA Is A Force For Good And Will Help Businesses To Make Better Decisions, Faster”
Apr 10, 2022
6 min readHow To Earn Cyber Essentials Certification PC Pro MagazineArticle
How To Earn Cyber Essentials Certification
May 9, 2024
8 min readProtect Your Data APCArticle
Protect Your Data
Jul 13, 2020
13 min readHow To Stop Ransomware Attacks? 1 Proposal Would Prohibit Victims From Paying Up NPRArticle
How To Stop Ransomware Attacks? 1 Proposal Would Prohibit Victims From Paying Up
May 13, 2021
4 min readSupply Chain Attacks TechLifeArticle
Supply Chain Attacks
Aug 23, 2021
4 min readAntivirus Go Free Or Buy A Suite? APCArticle
Antivirus Go Free Or Buy A Suite?
Apr 20, 2023
32 min readSecure Mobile Comms RECOIL OFFGRIDArticle
Secure Mobile Comms
Dec 6, 2022
9 min readBusiness Endpoint Protection PC Pro MagazineArticle
Business Endpoint Protection
Nov 11, 2021
3 min readCyber Safe Facility ManagementArticle
Cyber Safe
Dec 23, 2018
4 min readHow To Choose The Right Security Suite APCArticle
How To Choose The Right Security Suite
Apr 29, 2024
4 min readHow To Choose The Right Security Suite PC Pro MagazineArticle
How To Choose The Right Security Suite
Mar 7, 2024
4 min readThe Security Dilemma Of Iot Devices And Potential Consequences HWM SingaporeArticle
The Security Dilemma Of Iot Devices And Potential Consequences
Jan 10, 2021
3 min readWe Need To Talk About AV Software: A Buyer’s Guide PC Pro MagazineArticle
We Need To Talk About AV Software: A Buyer’s Guide
Mar 9, 2023
4 min readBusiness Endpoint Protection 2022 PC Pro MagazineArticle
Business Endpoint Protection 2022
Nov 10, 2022
4 min readHow To Cyber Security: Software Testing Is Cool HWM SingaporeArticle
How To Cyber Security: Software Testing Is Cool
Jul 3, 2020
4 min read8 Network Security For Your Home And Office TechfastlyArticle
8 Network Security For Your Home And Office
Nov 30, 2020
7 min readSecurity Experts Predict 2021 HWM SingaporeArticle
Security Experts Predict 2021
Jan 10, 2021
Yes, right after an article about how security predictions may not always come through in the way they are predicted, we’ve rounded up a series of 2021 predictions from the very same experts, and even some hackers. Why? Because unlike previous years,
7 min read01 Super Apps Are Here, But Are They Secure Enough? HWM SingaporeArticle
01 Super Apps Are Here, But Are They Secure Enough?
May 12, 2023
3 min readProtect Your Endpoints PC Pro MagazineArticle
Protect Your Endpoints
Jul 9, 2020
4 min readSecurity Suite GROUP TEST APCArticle
Security Suite GROUP TEST
Oct 4, 2021
4 min readProtect And Secure Your Windows Computer: A Practical Guide PCWorldArticle
Protect And Secure Your Windows Computer: A Practical Guide
Mar 5, 2024
4 min read
Reviews for Software Development Security
Rating: 0 out of 5 stars
0 ratings
0 ratings0 reviews
Book preview
Software Development Security - Selwyn Classen
While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
SOFTWARE DEVELOPMENT SECURITY
First edition. April 2, 2020.
Copyright © 2020 Selwyn Classen.
Written by Selwyn Classen.
Table of Contents
Introduction
Overview
Application Security
Overview
The Importance of Application Security
Governance
Controls, Versioning, and Change Control
Process Improvement
Personnel and Conclusion
Development Life Cycle
Introduction
Terminology and Introduction to SDLC
Injecting Security into the SDLC
Why Use Software Development Models?
Common Software Development Models
Agile Methodologies
Conclusion
Security Impact of Acquired Software
Introduction
Impact of Acquired Software
Governance
References and Conclusion
Software Threats
Introduction
Misconfigurations, Buffer Overflows, Injection
Path Traversal, Covert Channels, DOS, Trap Doors, Flaws
Social Engineering, Errors, XSS, Brute Force, CSRF
File Inclusion, Violations, Undocumented Functionality
Metadata and Conclusion
Programming Language Concepts and Concerns
Introduction
Programming Language Concepts
Introduction to Object Oriented Programming
Distributed Programming and Course Conclusion
Secure Coding and Security Control Concepts
Introduction
The Cause of Software Vulnerabilities
Defense in Depth and Input Validation
Outputs, Cryptography, and Fail Secure
Memory Protection, Architecture, and Code Review
Code Reuse, Security Testing, and Patching
Deployment and Well Defined Systems
Separation of Duties and Anti-malware
Audit Trails and Course Conclusion
Introduction
In this course, we will be discussing the software development security concepts that you should be familiar with before attempting the CISSP examination. We begin the course with an overview of what Application Security even means, and why it is important. This includes reviewing governance concerns and even versioning and change control. We also look at the process of software development and how to inject security in the right places. And then quickly review the security impact that employees have on.
Overview
Once the application security foundation has been set, we can move towards talking about key terminology that everyone should be familiar with, the various concepts directly related to the development life cycle, and then take a look at some more common development models, such as waterfall, and spiral. A bad software purchase and integration can turn a secured environment into something that is just begging to be hacked by the bad guys. In the Software Acquisition module, we will take a look at ensuring that any third-party software we buy does not harm our existing environments. We will review the types of documentation that you should be asking for and reviewing when attempting to determine the security impact of third party software. We discuss third party attestation and what to look for to ensure that we can have some level of trust that what the vendor promises are true. This is especially important when dealing with closed source software. And then we will take a look at the controls we should keep in mind when integrating new software into our environments. There are all sorts of threats that we need to be aware of when assessing or designing secured applications. We will cover those in this course. Of course, there are also vulnerabilities that we need to be mindful of as well.
And last but not least, you will need to understand why and how these vulnerabilities can be exploited. Many security professionals may not have started their career as software developers, or even have any intention of becoming someone that writes code for a living. Most of the security professionals that I know of began as systems administrators or network engineers and then decided that they had a passion for security. They then pursued that passion and became security professionals in the security industry as it matured. With that in mind, all security professionals need to understand that there are many types of programming languages. A CISSP is not expected to be proficient at writing code or creating applications. Still, they are expected to understand the technology to the degree that they can collect information from developers, look at process documentation, and know what types of security concerns are directly related to software development processes and applications.
We will then talk a little bit about object-oriented programming concepts, and finish that section off with distributed programming methodologies. In the Secure Coding and Security Control Concepts section of the course, we will discuss what it means to have a secure architecture for your applications, what some development best practices are, and basic design principles that everyone should be aware of. Also, throughout this course, we will be talking about many, many different concepts. The CISSP is based on a broad set of knowledge that spans many different domains and attempts to certify the types of knowledge that a working security professional should have picked up over time while working. In this module, we covered the purpose of this course, which is to prepare for the CISSP software development security domain, we looked at the various topics that will need to be covered, such as programming languages. Now we can move forward and start the course in the next module in which we will discuss application security concepts, and provide the necessary foundation that much of the material in the course is built upon.
Application Security
Overview
In this module, we will review Application Security as it relates to ISC-squared's CISSP software development security domain. Often, people seem to place a large portion of their security focus on network and system-level security controls. Many of these are tools that are designed to prevent or protect from a particular type of threat. With application development security, we get the opportunity to ensure that security is considered at the most important place of all, in the development of software. In this course, we are going to discuss the role of application security and why security practitioners and developers alike should care about application development. We will discuss governance methodologies, and the development controls, change control, and available versioning options. We also take a look at the fact that well-defined and improved processes lead to cleaner code and applications with fewer vulnerabilities, and what we should be concerned with in regards to the employees that have access to development resources, such as source code.
The Importance of Application Security
Software is used to run our hardware, provide us with information, and to do anything that we want to do with modern technology. There are billions of electronic devices in the world, and the one thing that all of these devices have in common is that they all use some sort of software. This domain is all about making sure that that software is designed with security in mind. There was a time where news about breaches and information security were rare. That is no longer the case. You are almost guaranteed to hear about a new breach or new security vulnerabilities on the mainstream news networks, and if you work in the information technology security field, you are probably already inundated with your friends and family seeking advice on how they can better protect themselves from these horrible vulnerabilities that they hear about daily. For instance, taking a look at a statement released at DataLossDB.org, you can find that by mid-year in 2014, there were already reports of 502 million records exposed. If these trends continue, it will just be a matter of time before many just automatically expect their private information to be compromised. Some of the big vulnerabilities that were announced shortly before this recording included ShellShock. This particular vulnerability is said to have been around for nearly 20 years. The thing to remember about vulnerabilities is that their announcement date does not necessarily mean that no one else knew about the vulnerability. It just means that no one has reported it until now.
Another example would include Heartbleed. This vulnerability was not around for nearly as long as ShellShock, but it is the perfect example of how even the software that we use to protect ourselves can be susceptible
Enjoying the preview?
Page 1 of 1