Software Environment Transcription

Welcome to our security of software environment module. It is very important that you can properly control the interactions in your environment, in order to protect the confidentiality, integrity, and availability of your data and systems. There are several elements of secure software development. First, you must always start with security in mind and make sure that security is involved at all phases of the development process.

You should use best practices, such as coding standards that are proven to accomplish your results. You should make sure that your process is constantly improved considering any changes and upgrades that can make your process more efficient or more secure. You should also make sure that you have metrics in order to measure your performance and your security.

It is also important that you have good documentation as this is critical for your security as well. You should be familiar with the enemy and the techniques that they will use, so that you can protect your software. Incident response can be proactive or reactive. It is much better to have a proactive approach than a reactive approach.

You should always have your code evaluated by a third party for separation of duties. Security assurance is the process that establishes the confidence that your software's security needs have been properly planned for and are being met. It is important that you ensure all software development personnel have training in how to write secure code for the development environment that they will be using.

This is critical to remember for the CISSP examination. You should also make sure that you use output sanitization, which is where you do not display system error messages to end-users in the production versions of your software. If you display error messages, attackers can use these error messages to learn more about your software and to make it easier for them to attack it.
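The output sanitization point above, shown as an added example that is not part of the original module: the full error is logged server-side under a reference ID and the end-user sees only a generic message. The `lookup_account` function, its error text, and the logger name are hypothetical, constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("app")  # assumed logger name

GENERIC_MESSAGE = "An internal error occurred. Reference: {ref}"


def lookup_account(account_id: str) -> dict:
    """Hypothetical operation whose failure text exposes internals."""
    accounts = {"1001": {"owner": "alice"}}  # constructed sample data
    if account_id not in accounts:
        # Constructed error text of the kind that should never reach a user.
        raise LookupError(
            f"query on table accounts (host db01.internal) found no row for id={account_id!r}"
        )
    return accounts[account_id]


def handle(account_id: str, production: bool = True) -> dict:
    """Run the operation and decide what the caller is allowed to see."""
    try:
        return {"status": 200, "body": lookup_account(account_id)}
    except Exception as exc:
        # The reference ID lets support staff find the full record in the logs.
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s request failed", ref, exc_info=True)
        if production:
            # Production build: no exception text, table names, or hostnames.
            return {"status": 500, "body": GENERIC_MESSAGE.format(ref=ref), "ref": ref}
        # Development build: the raw error is shown to the developer.
        return {"status": 500, "body": str(exc), "ref": ref}
```
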

You should test your deployed systems for common security weaknesses, using automated vulnerability scanners, and also make sure that any web applications that you develop are protected by deploying web application firewalls between the web servers and the unsecure internet. Your security should be planned for and managed throughout the entire life cycle of any system that you interact with.

You should never add security controls as an afterthought because it is more time consuming. You should always make sure that security controls are added at the beginning of the process. It is important that you properly document the development process and use checklists to make sure that your procedures are being followed. Certification of the control implementation should be carried out by a second party. You should also be aware of the strengths and weaknesses of different software development tools and libraries, and plan accordingly. A software library is where you can store and share reusable, pre-written, functional code, scripts, configuration data, and procedures.

You should be familiar with the software library for the CISSP examination. Operational assurance focuses on the features and the architecture of your system to make sure that you have a sound design. It focuses on trusted recovery, system integrity, and covert channels. A covert channel is where someone uses an unintended or hidden channel of communications.

Software development and functionality issues also fall under operational assurance. Lifecycle assurance is where you ensure that your trusted computing base, or TCB, is designed, maintained, and developed under formally controlled standards that will make sure protection is enforced at each stage of the system's life cycle. It includes configuration management and requires that you have security testing and a trusted distribution method.

Separation of duties is important so that you do not have one individual who can take advantage of the fact that they are the only person that is developing software, or performing some other task, to attack your organization. You should have mandatory change management procedures where you have engineers evaluating changes and a separate change control board that actually makes the decisions.

Your programmers should not be the ones that are testing their own work. You should have separate testers for quality assurance. Operations should not have access to the source code or object code while it's in production, and your programmer should never be interacting with software that's in production. Once the software is finished, it should go into the software library where it will be very tightly controlled.

Software released to production should only come from the secure library and again your programmers should not have any interaction with the software that is in production. It is important that you have proper testing in place and it is management's responsibility that this occurs. It is also important that you maintain the security of your APIs, or application programming interfaces.

They use the same security mechanisms that are used for most web applications. You should only use peer-reviewed and tested security frameworks and libraries. You should have password requirements to key-based authentication. And you should never use unencrypted static keys, because an attacker who is eavesdropping on the network could capture those keys and reuse them.

You should use hash-based message authentication codes, or HMACs, with at least SHA-2 hashing for integrity. It is very important that you maintain the security of your code repository or library. Source code controls are needed to make sure that your source code is not stolen or tampered with.
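The API guidance above (HMAC with SHA-2 for integrity, and no static key sent in the clear) as an added example that is not part of the original module: each request carries an HMAC-SHA256 tag instead of the key, and the server rejects altered or stale requests. The header names, key value, and five-minute window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real key is provisioned out of band and never transmitted.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def _message(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    # The body is hashed first so its contents cannot collide with the separators.
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, now=None) -> dict:
    """Client side: only the timestamp and the tag go on the wire."""
    ts = int(time.time() if now is None else now)
    tag = hmac.new(key, _message(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": tag}  # assumed header names


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   headers: dict, now=None) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    try:
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # a captured request presented outside the window
    expected = hmac.new(key, _message(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo() -> dict:
    body = b'{"amount": 10}'  # constructed sample request body
    t0 = 1_700_000_000
    headers = sign_request(SHARED_KEY, "POST", "/v1/transfer", body, now=t0)
    check = lambda b, t: verify_request(SHARED_KEY, "POST", "/v1/transfer", b, headers, now=t)
    return {
        "valid": check(body, t0 + 30),
        "tampered_body": check(b'{"amount": 9999}', t0 + 30),
        "stale": check(body, t0 + 3600),
    }
```

The timestamp check only bounds how long a captured request stays usable; rejecting repeats inside the window would additionally need a server-side record of tags or nonces already seen.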

You will need to have physical security controls in place, and there will need to be librarians who are responsible for overseeing this process. You should have very limited access to the data center. And you should maintain a log of everyone who goes in and out of the data center.

You need to make sure that your systems are kept secure by hardening them, patching your operating systems, using firewalls, and constantly updating your anti-virus software. Make sure that you're maintaining operational security by using independent audits and system access logs. Continuously monitor and update your software to make sure that it remains secure.

When you are using any type of communications on your internal network, you should use SSL or TLS or SSH to make sure that you are communicating in an encrypted manner that cannot be eavesdropped or captured by an individual who is monitoring the transmissions. You should also make sure that you have backups in place for your file systems, maintaining multiple copies of hardware and your source code backups in the event that an emergency occurs.

This concludes our security of software environment module. Thank you for watching.
