CISSP Cyber Training Podcast - CISSP Training Program

CCT 238: Assessing the Effectiveness of Software Security (Domain 8.3)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur

Season 3, Episode 238


Software security assessment can make or break your organization's defense posture, yet many professionals struggle with implementing effective evaluation strategies. This deep dive into CISSP Domain 8.3 reveals critical approaches to software security that balance technical requirements with business realities.

The recent funding crisis surrounding CVEs (Common Vulnerabilities and Exposures) serves as a perfect case study of how fragile our security infrastructure can be. When the standardized system for cataloging vulnerabilities faced defunding, it highlighted our dependence on these foundational systems and raised questions about sustainable models for critical security infrastructure.

Database security presents unique challenges, particularly when managing multi-level classifications within a single environment. We explore how proper implementation requires strict separation between classification levels and how technologies like ODBC serve as intermediaries for legacy applications. The key takeaway? Data separation isn't just a technical best practice—it's an essential security control.

Documentation emerges as a surprisingly critical element in effective security. Beyond regulatory compliance, proper documentation protects security professionals when incidents inevitably occur. As one security leader candidly explains, when breaches happen, fingers point toward security teams first—comprehensive documentation proves you implemented appropriate controls and communicated risks effectively.

The most successful security professionals step outside their comfort zones, collaborating across organizational boundaries to integrate security throughout the development lifecycle. Static analysis, dynamic testing, vulnerability assessments, and penetration testing all provide complementary insights, but only when security and development teams maintain open communication channels.

Ready to strengthen your software security assessment capabilities? Join us weekly for more insights that help you pass the CISSP exam and build practical security knowledge that makes a difference in your organization.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Speaker 2:

All right, let's get started. Hey all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today we're going to be talking about Domain 8, Domain 8.3, assessing the effectiveness of software security in the CISSP training. So today's goal is to get over some of that information, and then on Thursday, as you guys all know, we will be putting out the questions for the CISSP over Domain 8.3. So the goal is to kind of go through this, give you some great information if you've... All this is new to you from listening to this podcast. As you can see, our podcast is smoking. I mean, I'm being totally honest. I'm amazed at the growth that we've had, which is awesome because there's a lot of people out there demonstrating the fact that they really, truly want to understand the CISSP and they really want to pass the test. So pass the test and understand it, those are the key goals. So today we're going to be getting into Domain 8.3 of the ISC2 book and the manual related to taking the CISSP exam. But before we do, we're going to be getting to an article that I saw today. I don't know if you all saw this news. I think it was yesterday, or maybe it was on Thursday.

Speaker 2:

You know the defunding part in the United States government. One of the big pieces that came around this was related to CVEs, and if you're all connected with CVEs, CVEs are what they call the common vulnerability exposures, and we've talked about this a lot in CISSP Cyber Training and in this podcast numerous times. The goal around this is to truly try to understand: it's a programized, or I should say standardized, way of naming systems for publicly known security vulnerabilities that are out there, right, and they have unique identifiers with each of them, and this is from the government. They come down and they say, well, if there's a vulnerability, it ties it to a CVE number, which makes it easy to reference and also helps companies understand what are the vulnerabilities out there. Now it's really a true foundational aspect of security efforts that we do out on the web, and one of the key factors that goes along with that deals with vulnerability management, patching and overall security efforts across the entire industry. So it was a program that was put together by the US government, been funded by the government, and during some of the DOGE aspects of the US government, one of the things was to start cutting funding of these areas.

Speaker 2:

Now, politically, whether it's right, wrong or different, it doesn't really matter at this point, because, you know, political stuff I don't like getting into, because, realistically, everybody's got an opinion. I was in an article, that... or not an article. I was talking to a lawyer one time, and the lawyer said if you get a room full of lawyers, eight or nine lawyers, just say nine lawyers in a room, and you're all going to discuss a topic, you'll get 10 different opinions. And it is so true because, when it comes to politics, everybody has a thought. So, that being said, we'll stay out of that mess.

Speaker 2:

The bottom line, though, is that the CVE funding was turned off, which was a total shock to me. I was doing a presentation at our local ISC2 chapter meeting on Friday and it came up, and I was like, uh, yeah, I didn't even know that was out there, and a lot of other folks that were on the chapter meeting did not know it either. So the point of it is, how do we deal with the situation now? I guess there was some funding that was done last minute that made this all kind of come back around, and there is an aspect where it's in place. But the ultimate goal is that they have to come up with a plan around how they're going to deal with this, because when it deals with one company or one country focused specifically on providing this information, things can happen and then it can cause disruptions. Well, the government's been funding this, the US government, for about 25 years, and therefore they were looking at ways to kind of change it, and they thought, well, let's just go cut funding. That caused all kinds of kerfuffle within the security folks' space, and as a result, at the last minute, funding was provided and it was brought back online.

Speaker 2:

But the ultimate goal is, this article kind of talks about what are some different options around that. One of the proposed options includes transitioning the governance to a non-profit foundation. One of the guys on the ISC2 meeting said we could do a GoFundMe. So there's different types of options out there. But another one of the options he suggested was a decentralized system, which potentially could cause some level of confusion. I think at the minimum a country probably needs to own it, but in reality, a nonprofit is probably the best thing, and then it gets funding from outside sources. Now will the outside sources all pony up to pay for this? I don't know, but realistically it's something to kind of figure out what needs to happen. Now, when these things occur, these funding fights, as they are, and some of the issues that roll with it, it does force people to actually bring this up in a conversation, versus let's just ignore it and keep kicking the can down the road. So there's positivity around that aspect of it, forcing people to decide what do they want to keep, what do they not want to keep. I think obviously the CVE program is of vital importance to the security of the globe. I mean, I think it's really, really important. So now they just got to figure out how they're going to fund it and how they're going to pay for it.

Speaker 2:

So interesting things that are going on in our world that we deal with on a daily basis, and you know, when you're dealing with security, you just never, ever know. So we're going to go ahead and we're going to get into now Domain 8.3. Okay, Domain 8, 8.3, assessing the effectiveness of software security. So, as we talk about one of the big things that we're dealing with in security, it is the new, the growth of development and its capabilities within the environment. So what I mean by that is that we are constantly in the state of more development that's occurring, way beyond when I first started getting into cyber a few years ago. We joke, a few years ago; it was more like about 20. But the point of it is that the security requirements have changed, the development has changed. Much of this is really just kind of growing extremely fast, almost exponentially, as we incorporate new AI, ML. You've got now rockets that land themselves. I mean, all this stuff did not occur 20 years ago when I was first getting into this.

Speaker 2:

So development security was considered. You know, it was there, but it wasn't at the forefront of what people needed to be concerned about. So, as we deal with security and assessing risk, one of the aspects you're going to need to understand is auditing and logging of the changes that occur. Now we're going to talk about databases and some different aspects here, but at the end of all of this, you really need to consider how are you going to audit and how are you going to log the different changes that occur within your environment, especially when it comes to development, because, as we know, in Domain 8 we are focused strongly on overall development, the overall development environment.

Speaker 2:

So when you're dealing with multi-level database security, it does contain information with different classification levels, and we've talked about the different classification levels in various podcasts we've had and in various trainings with CISSP Cyber Training. So you need to strive to keep the data separate within these different classification levels, and it's imperative that, as you're architecting your overall solution, you do work hard to keep them separate and distinct. Mixing data classifications will cause you issues, guaranteed, and I also know that if you don't have a good plan going into it, they will get mixed up. I deal with companies right now as a consultant and there's all kinds of data everywhere. I mean, you name it, and it's not anything new. All companies deal with this specific issue. Now you're dealing with concurrency.

Speaker 2:

This can be applied to single or multi-level databases, and it utilizes a way to lock out only users to make a specific change. So once the change is complete, the unlock occurs, and this is an area where my developers would go in the past. They would go in and make a change within an environment and only they could make that specific change. It wouldn't allow anybody else to be in there at the same time they are making their modifications to the code. Now this comes down to the point where you have to have a really good, strong, again, infrastructure around how you're going to manage this, and it's not just having the technology, it's also having the processes, followed by the documentation of each of these steps. So it's really important that you kind of look at this as a holistic view, a big picture view, that you started off at the beginning, that you have a good plan. If you haven't done this to this point and you have a software development team, you may want to take a step back and then kind of figure out how do I want to approach this so that I have consistency in my development cycles and that I ensure that I have a good handle from a security standpoint in each of these areas.

Speaker 2:

So we're going to use, as an example, ODBC. Now this is open database connectivity. Now the purpose of this is it allows applications to interact with various databases of different types. That's the ultimate goal. It has a connector that can connect to NoSQL, MySQL, Oracle, different types of databases, and the open database connectivity acts as a proxy between these applications. So, basically, a lot of legacy applications will use an ODBC connection and it just acts as the intermediary between that. So we're going to break this down a little bit. So you have an ODBC driver manager. Now this acts as the central point of contact and, air quotes, as a potential traffic cop, the one that's going to guide and direct which way the data is going to go. Now it receives a connection request from the specific application that it's connecting with, and then it looks up their data source name or the connection string, but basically the point that ties them together, and it's looking at that. It's similar to what we'd consider an API. It's using this data source name to help tie these different databases together. Now then it loads the specific driver. So if you have an Oracle database, it would load the driver for Oracle, and then for that specific target database, and then it forwards the application requests to the specific driver, and we're going to get into that in just a minute, of what the driver is. So again, it's working with these older databases. It's allowing an interaction between them.

Speaker 2:

I dealt with this in the manufacturing space. There were a lot of legacy-type databases that didn't have real good connectivity, so we would use an ODBC-type connection to help with that. So there's a lot of great ways you can use these kinds of tools. Now there's also some challenges that come with that, but we'll get into those later. Now, an ODBC driver: this is the specific software component provided by the database vendor, okay, or a specific third party. But realistically the vendor will give you that driver. Now it understands both the ODBC API calls and the specific language and protocols of that database. So it's helping put those different communications in place. Now the ultimate goal is that you want to have this communication so that it's relatively seamless between both aspects, and it will then take the results from the database, translate those back and forth into the application so it understands it, and it's just this communication that occurs between these different connections.

Speaker 2:

Now, as an example, we use NoSQL. So you have MySQL, you have NoSQL. NoSQL is the non-version. I should say not the non-version. MySQL is very expensive from a licensing standpoint. NoSQL is not. It's no longer a relational-type database, it's more of a tabular relationship, and it allows for simple design between these. It allows for quick queries between the groups. So the ultimate goal is that, just to kind of put it in perspective, the ODBC is the connection between the various databases. It allows you to connect older databases, and it will have the drivers, in most cases, that allow you to connect to these older databases that are out there. So if you're going to be having an older system, make sure you consider: is there an ODBC connection for it?

Speaker 2:

Now, when you're dealing with NoSQL, there's three major classes. There's a key-value store, a document store and a graph. So, of the three classes, the key-value store is the simplest non-trivial data model, and it can be used with RAM and SSDs, so it's a very simple key-value store. The document store offers APIs to retrieve documents based on the specific contents that are in those different tabs. These could be collections, tags, metadata and so forth; it is all stored within the document store. And then the graph. This is designed for data representation such as graphs, maps, network topologies. All of that is tied into the three major classes.

Speaker 2:

When you deal with audit and logging changes, one of the things you want to really consider is: log everything you can, within reason. Why do I say within reason? Well, if you log everything, one, it's a huge nightmare. Two, it's a lot of information you may never, ever need. Three, it also costs you a lot of money in many cases to be storing all of this data. So you want to keep the most critical things you possibly can, but you do want to log things as much as you possibly can within reason. So capturing user activity, system events, application access, configuration changes, all of those things are really important things that you need to consider.

Speaker 2:

Depending upon the organization that you're in, depending upon the overall business that you are in, you may need to record these logs for a long or extended period of time. Highly regulated environments, you got to keep a lot of logs. Not as much regulation, you don't necessarily need to keep as many logs; however, you may want to keep those for future reference. So, again, keep as much information as you possibly can. You also want to tamper-proof your logs. You want to store those logs in a central, secure location that prevents unauthorized alteration or access, such as WORM, right, write once, read many, storage. That's one of those things where you want to make sure that you write it once, but then you can read it as much as you need to. Again, you want to avoid them being tampered with. You want to define log retention periods: determine how long to keep the logs based on the compliance needs and the investigation timelines that are associated with it. You do need to balance the security with the storage space limitations, and that is a true factor.

Speaker 2:

You are going to be looked at by your senior leaders, going, if you have all these logs that are being stored, they're going to go, I have this really, really high bill that I need to pay. Do you really need all of that? You need to be business-minded and have enough acumen to go, you know what, we don't necessarily need that. They're going to come to you as the expert, so you therefore need to be prepared to deal with that as an expert. See, this stuff, I tell you, this is stuff you won't get on other kinds of podcasts from guys that have never been doing this for years. Those are big key factors you need to remember, especially if you're taking the CISSP and you're going to take the test. They may ask you a question similar to that.

Speaker 2:

User accountability: implement strong user authentication and authorization controls. Logs should record the user who made the change, the time and what was modified. Monitoring and alerting: always look for suspicious activity within your logs. You should have alerts within your SIEM that tie to that, looking for any unauthorized access, configuration changes, anything outside the baseline parameters or other types of anomalies, and that's a really important part in overall log retention and log security.

Speaker 2:

So I put an example out here on the slides and it implements this. The whole example is this: you have a centralized logging system that captures all user activity on a specific web application. The log will record the user ID, timestamp, action performed. Obviously they click a link, whatever that is, download files or any modified data. These are all stored on a tamper-proof server for one year and monitored for unauthorized access attempts or unusual modification patterns. That would be a nirvana situation.

Speaker 2:

That being said, you want to consider the point of: is that really necessary for all applications? For specific critical applications, you bet, but for all applications, probably not. So you need to kind of consider that when you're looking at this. If it's forward-facing on the internet and it's something that has critical data, that is something you may want to really, truly consider. If it's something internal within your environment and it doesn't hold any critical data, you may want to think twice about doing something; maybe login attempts you may want to keep, but all this other data, maybe, probably not. Again, something to consider for you and your organization.

Speaker 2:

So when you're dealing with other parts of risk analysis and mitigation, you want to identify security risks with a development plan. Take the time to complete a risk analysis of your software. This can take time. It also forces you to get outside of your comfort zone and go talk to other people. So I see this in security a lot. People are in silos. They work in security. I like security. I stay in security. I don't get outside security. I know that's really a bad kind of Italian kind of thing. I don't know what that was, but, that being said, the ultimate point is that it's outside of security. You want, you have, to get out of it. You cannot stay within your little bubble, and you also need to know the threat and act like the adversary. Think about what the adversary is doing. So when you're looking at your overall development plan and you're understanding risk, what would the adversary do to your organization? You need to document the highest risk also. Put those in a risk register. That needs to be defined.

Speaker 2:

Again, it's a methodical approach to ensuring that you have security within your organization. You need to focus on your high-risk items first. Good example: Troy Hunt, hack your site first. He mentions that you want to look at how could I hack my site and what would that find for me? You want to utilize documented risk items and verify the stakeholders, and then develop a plan to remediate the highest risk items you possibly can. Document any accepted risk and ensure you have best knowledge around all parties that are there. So again, it's an important part. Look at yourself first. Figure out how, if I was a bad guy or girl trying to hack my site, how would they do it? Make sure you verify the stakeholders, develop a plan to remediate these issues.

Speaker 2:

Again, this is the strategic view. You, as a security professional, especially if you're in a specific leadership position, need to truly think long and hard about this. Now, integrate with your development methodology to achieve the results you want. Again, you need to work with your development team. If you do not have that relationship, you're in your silo. Get out of your silo, go talk to your development team. You need to integrate with them as much as you possibly can. Now, if they have a leader that's big into security, awesome. You then need to work with that development leader to ensure that everybody's on the same page, everybody understands what's to be expected, all of that is defined, and, again, you ensure your development team is connected with the remediation strategy.

Speaker 2:

They may not be aware of the risk. My development team did not understand the risk in cyber. I was therefore the one that had to help educate them on that, and then you need to track and document any remediation processes. This is from an evidentiary perspective. If you are in a highly regulated environment, you've got to document everything. I was talking with another individual, a very smart security individual, but he doesn't... him and his organization. He's got a very large organization, but they've grown from a small organization to a very large one, a lot of influence. The point is, though, he doesn't believe that they need to document all of these things, and in many cases, you don't necessarily have to, especially if you're a small organization.

Speaker 2:

However, when you are a big company, you have to document these things, from a couple of different ways. One, you are the person that has the information. Other people need to know it. Two is that the evidence that's out there has proved the fact that you have thought through this. It's not just in your head. You probably thought through it, but it's not in your head, it's on a piece of paper.

Speaker 2:

And then three, I come back to, and this is one that people don't really think about: CYA. Cover your, yeah, cover your hiney, because the point of it is that, in the event something goes sideways, the first thing they're going to do is they're going to look at the security leader, because, on the C-suite, if you go in the C-suite, the CIO, CEO, CISO, the CISO is pretty low on the totem pole as it relates to the C-suite. Why? Well, because it's a relatively new introduction to the C-suite. That being said, if all of a sudden you get hacked, fingers are going to start pointing and they're going to start coming right back to you as the senior leader. One, from a regulatory standpoint, you can go to jail. Two is you could lose your job. Three, you probably will lose your job, but most likely you want to avoid the jail thing. People are going to start pointing fingers, and so you therefore have to consider how do I CYA? And that's not just, in a bad way, going, well, I want to make sure I'm protected. It's the fact that you have thought through this process. So if it all falls apart and you have thought through all of these different things, it will at least put you in a much better position.

Speaker 2:

Give you an example, and I'm stressing this hard. Give you an example of the fact that I had a situation where a third party tried to hack into some very important documents. I had put in place all of the security controls, working with a third party, to ensure that this outside entity didn't get this information. Documented everything, said my senior leaders. What happened? Come to find out, the hack tried to occur. The moment, the moment that that hack occurred, my CFO was pointing fingers at me, going, what did you do? How did you protect this information? And guess what? We did everything we were supposed to. We had all the protections in place, and, you know, at the end of the day, I didn't get fired. Now the bad part is, it's not... they don't give you a pat on the back saying awesome job, you're amazing. No, they didn't do that. They're just like, that's expected. So the point is, you better document this stuff and ensure that you are protecting your company and yourself.

Speaker 2:

Two, plan for risk and communicate with stakeholders. Compete with constant communication with your stakeholders. Stakeholders may or may not be connected with the risk. You're dealing with business leaders. They're probably not connected with the security risk. Just saying, the risk could be acceptable, but proper knowledge is required. What does that mean? It basically means that they may accept this risk, that they're going, okay, well, I accept the fact that we have this wireless access point sitting in our most critical system on the planet. I'm okay with it. But if they don't truly know the risk behind leaving that out there, then they're just going to go, oh yeah, sounds good. And then at the end of it, they're going to come back and they're going to have your head on a guillotine. So you got to make sure you are covering everything and you ensure that all of this risk is communicated to the correct partners. So again, this is one of the use cases that you can think of.

Speaker 2:

Security is recommending multi-factor for all users at a specific site. Right, this is what security is recommending. The development team requires a complex password rotation and a variable history to ensure that the information is best protected. The cost for adding multi-factor is high, both in opportunity cost, time spent doing it, and the overall capital required to implement it, right. So that's a big deal. Now, no financial data is being shared and limited personal information is available. So in this case, the stakeholders are willing to accept the risk with no multi-factor, because they're like, eh, the exposure is small, not worried about it, costs a lot of money. Don't want to do it in that case. But you've gone through all of those steps. Now the shareholders, or the stakeholders, understand what their risk is. They're actually accepting it. Now, one thing that isn't in this use case is the fact that, is there a reputational aspect to it? If it gets pwned, is that going to hit your reputational side of the house? You got to ask yourself that question too. But again, you, as a senior leader, have to communicate this with all of your stakeholders. You're not going to get that anywhere else, I'll tell you that. Risk analysis and mitigation: track the progress and document acceptable risk scenarios.

Speaker 2:

Track with development methodology. You want to document all of the accepted risk scenarios and reevaluate acceptable risk scenarios on a yearly basis, at least yearly. You got to have this defined in your policy and standards, what you're going to do. But you want to track the progress and what things you're going to be willing to accept. But they all need to be documented. Why? Because you need to come back and reevaluate them on an annual or semi-annual basis, depending upon your company, and then, at the end of this, you rinse and repeat. You just keep going over and over again, repeat the process with variable agile sprints. Some sprints may require updates and some may allow for acceptance of the risk. So again, risk analysis and mitigation is an important part of all of this.

Speaker 2:

Okay, so risk analysis and mitigation techniques, so we've got a few. We're going to kind of go through, bullet by bullet. So you need to understand the attack surface. You need to understand all of the entry points into your organization: interfaces, applications, APIs, my favorite. If you've listened to this podcast for any period of time, you will know that APIs I love and I despise. APIs, any sort of dependencies, operating systems, you name it. All of the entry points into your organization you need to know. Minimize and control the attack surface for better security. Why? Because if you're minimizing who can control that attack surface, who can control these APIs, interfaces and so forth, you now increase the security of your organization.

Speaker 2:

Threat modeling, important factor. You need to really, truly identify potential threats and vulnerabilities and then utilize the STRIDE technique, which we have talked about in the podcast in numerous ways and in my training on CISSP Cyber Training. STRIDE is how do you anticipate specific weaknesses, and so it's an important part when you deal with threat modeling. Go to the section in my content under CISSP Cyber Training, under Threat Modeling, and you'll see the overall goal of STRIDE and how STRIDE works. Really good content out there about that at CISSP Cyber Training. Just sign up for the bronze package and get access to all of that. So again, understand your attack surface. Threat modeling is foundational.

Speaker 2:

Secure Software Development Lifecycle, SSDLC. You'll see it called SDLC, SSDLC. At the end of the day, your SDLC, which is your software development lifecycle, needs to incur in... that's not it, incorporate, that's it, better word, incorporate security into it. But you may see it as SSDLC. Just kind of keep that in the back of your mind that they kind of go synonymous, as long as they're synonymous only if you've incorporated security into your SDLC environment. But in today's world that should be a given.

Speaker 2:

Integrate security into every part of the development stage. How would depend on which way you're doing it, whether you're agile or whatever. However you're doing it, you've incorporated security within your entire software development lifecycle. Employ secure design principles and then implement secure coding practices. That's an imperative part, and it requires your folks to understand secure coding. Conduct regular code reviews, manual and automated; ensure that those are done, and then perform security testing throughout the entire process. You want to ensure that you are actually doing security testing throughout all of it, and that's what will allow you to catch vulnerabilities earlier and easier, which allows for much more effective and cost-effective fixes. If you can put this in a CI/CD pipeline and you can automate it, it's a much better process. It's a more automated process. CI/CD pipelines: go out there and research them, or go to CISSP Cyber Training and you can go through the entire pipeline process. You can then understand how those work.

Speaker 2:

Now, vulnerability assessment and penetration testing, VAPT, right. These regularly assess software for known vulnerabilities. They simulate attacks, and these can be automated as well. They provide inputs on improving mitigation efforts, and then they look for whatever types of security enhancements you may need. A vulnerability assessment and penetration testing are really good. If you have a vulnerability assessment type of methodology in your environment, you should use it. Also, if you have red teamers within your environment, if you've created your own, maybe, red team package, they can go out and do pen testing on various aspects. I still recommend, even if you have red teams within your organization and they are built into your company, that you go out and actually bring in third parties to do a pen test against you on certain applications. One, you may be required to by regulatory standards, but two, bringing in a third party also gives you a much better perspective. Static and dynamic application security testing: we've kind of talked through this in multiple ways, but you have static, and this is code analysis without execution, right, so it's just basically analyzing it specifically, and then DAST, which is actually running the app in a testing environment. This will help you get a good view of any potential weaknesses you may have in your software, and it also helps identify early coding flaws that you may or may not have within your environment. So when it comes to all of this, each of those is an important part.

Speaker 2:

You need to act on the findings of both types of testing and make changes immediately. Now, I shouldn't say immediately. You may not want to; you may want to accept the risk, depending on the situation, but in reality it's nice to have. In most cases, or I should say in the past, developers would actually get this information at the end. Or I should say security folks would get it at the end: here's a finished product, what do you think, security? And security goes, well, I find all kinds of holes, and it has to go back to the beginning of this entire process. Incorporating it in the development lifecycle is an important part of security because, now that security is developed at the beginning, at the end you get a product that comes out that has been thoroughly tested, and a lot of the vulnerabilities as known today are removed from the application.

Speaker 2:

Third-party component security. You need to recognize the criticality of libraries and frameworks. Again, libraries are a huge deal. Lots of good stuff in them; could also be lots of bad stuff. So you need to understand the criticality of the libraries that you're using, understand the vulnerabilities and the dependencies with these, and implement a strategy for timely patching and updates. Again, this is a strategic thought process you have to go into this with. Utilize software composition analysis tools, SCA tools.

Speaker 2:

And then another one is configuration management and hardening. You need to secure the software deployment and the configuration of anything you are deploying. Why? Because this is what controls the application. If you don't have good, positive control over your configuration management, this can be a problem where someone can gain access to it and then cause all kinds of issues with your application. So this is hardening the operating system, the web servers, the databases, and it also reduces the risk of exploitation through secure configurations. Again, lock it down, tighten it down. A lot of times people don't want to do that because they want to be able to go in and have the ability to configure things quickly and on the fly. Yeah, so do the hackers like that too, and so you've got to really, truly think about this. Before you implement something to make your life easy, realize you're also making the hacker's life easy.

Speaker 2:

Now, another one is incident response. You need to prepare for security incidents. Despite preventive measures, it's going to happen. It's not a matter of if, it's a matter of when, and you need to establish a plan for detecting, responding and recovering. Resiliency is an important part. I've met with plenty of security leaders and they get it, but they have not communicated to their senior leaders why the resiliency piece of this is so important. It's not just backup and recovery, it's resiliency. You've got to stress resiliency to your senior leaders and explain to them the reasoning behind it, because they get it financially. So now you need to get it financially and communicate to them why the resilience piece is such an important part in the overall financial structure of your organization. Again, you won't get that someplace else.

Speaker 2:

Security awareness training for developers. You need to educate developers on security best practices. Train them on the OWASP Top 10, ensure secure coding, and the importance of security testing. If they've never done it, you're going to have to teach them. If they're outsourced, right, they are, air quotes, "offshore" someplace else, you need to make sure that they have a good program in place. If you're hiring an offshore asset, you, as a security professional, need to ask them: what is your SDLC environment? What is your SSDLC? However you want to slice it, what is it? How do you deal with secure development lifecycles? Walk me through the process. And then again, if they're third party, you need to go back and audit them and make sure they're doing exactly what they say they're going to do.

Speaker 2:

You've got to empower your developers to build this secure software and give them the tools they need, but you also need to set expectations with senior leaders so they know that if developers are utilizing secure principles, it could take more time to develop the software that these people want. Again, it's you acting as the communication. You are the conduit between the two organizations. And then the last thing is continuous monitoring and improvement. You always want to keep your eye on it because the threat landscape is continuously changing, constantly changing. You want to monitor new vulnerabilities and threats at all times and then regularly review and update risk analysis and mitigation strategies based on these threats. So, again, you've got to keep a strong and adaptive security posture when you're dealing with security in the development space.

Speaker 2:

I cannot stress this enough. I know a lot of folks that take the CISSP, and Domain 8 is probably one of their weaker areas because they don't totally get it. Not because they're not smart; it's because they haven't really done it. This is an important part. If you have developers, you, as a security professional, need to understand the risk mitigation and the security posture associated with it. Again, it's imperative that you get this stuff. I mean it, I can't stress it enough. Okay, that's all I have for you today.

Speaker 2:

Head on over to CISSP Cyber Training. You can get access to my free videos that I put out there weekly. Sometimes I fall a little bit behind, but they're out there about weekly. One of the things that you can do is purchase my content from CISSP Cyber Training. It's the cheapest way you're going to study for your CISSP. I'm just going to be point-blank honest. It costs you very little money to get my bronze package.

Speaker 2:

You can get the mentorship. I saw a guy out there online who's got some mentorship program; he did something, got a job in three months and was doing some security, and now he's providing mentorship to people. That's great. You want to follow a guy like that. I can give you mentorship from a CISO, from a security architect, from all kinds of people. I even got a friend of mine that I'm incorporating into this whole mentorship program who's a pen tester, and we're going to be mentoring and helping people that want to get into security, but also give you more than just, hey, if you go do what I did, you'll be rich.

Speaker 2:

I see some of these arguments out there with guys that are saying if you do what I do, you'll go from making $50,000 to $270,000. That's bunk. I'm sorry, it's bunk. You might find some rabbit that will do that, but in many, many cases that does not happen. Mentorship is what you need to help guide you in this process. With the right mentorship, those kinds of aspirations and financial impacts that you would like to have can definitely happen, but it takes a little bit of time and a lot of dedication. You can do it, but it takes dedication and work.

Speaker 2:

What it comes down to is: go to CISSP Cyber Training. I've got mentorship. I've got training. Again, you're studying for the CISSP. You can go out and spend ten to fifteen thousand dollars, or you can go to my program if you're into self-study, and it can help you with it. That being said, the program isn't for everybody. If you don't like self-study, then this program isn't for you. If you want someone to walk you through step by step by step and feed you this information over a period of time and answer all your questions, this is not the program for you.

Speaker 2:

This program is specifically designed for people that want to do self-study and are busy professionals that don't have time to go to a self-study program or don't have the funds and financial resources to do so. This will give you all you need to get what you want to pass the CISSP exam and move on in your career and in your future. A good example of mentorship: I talked to an individual from Japan. He's walking me through how he's in the GRC environment, how important it is for him to be in security, and what the things are that he has to do. That's the kind of mentorship you get with CISSP Cyber Training. Okay, I know I've gone on that a little bit long, but the point of it is, I'm here to help you get your goals and your dreams and incorporate you around the people that are in my network to help you with that as well. All right, have a wonderful day and we will catch you all on the flip side. See ya.
