Resource summary
8. Software Development Security
- 8.1 Managing the Software Development Lifecycle
- Software development lifecycle
- Importance of secure software
- Microsoft security development lifecycle (SDL)
- SDL Phases
- Training
- Requirements
- Design
- Implementation
- Verification
- Release
- Response
- Post release maintenance
- Security Updates
- End of life retirement
- CISSP EXAM TIPS
- Security must be naturally integrated in all phases of the development lifecycle
- Full disclosure gives organizations the opportunity to implement temporary and/or additional safeguards
- Layered controls help to mitigate the risk of a zero-day exploit
- 8.2 Understanding Software Development Approaches, Models, and Tools
- Software development maturity models
- SEI CMM - Capability Maturity Model
- Integrated product and process development (IPPD)
- DevOps: implementation of the IPPD in combination with the Agile model
- Development project models
- Waterfall
- V-model
- Spiral
- RAD
- Agile
- CASE Tool
- Software development testing methodologies
- Unit testing
- Integration testing
- Validation testing
- Vulnerability testing
- Acceptance testing
- Regression testing
- CISSP EXAM TIPS
- A CMM model can be applied to any size or type of organization
- DevOps is based on the DoD IPPD technique coupled with the Agile process
- Regression testing should verify all major functions and ensure that new flaws were not introduced
- 8.3 Understanding Source Code Security Issues
- Source code flaws
- Buffer overflows
- Injection
- Covert channels
- Memory or code reuse
- TOC/TOU race conditions
- Maintenance hooks
- API security - IoT
- OAuth
- Source code analysis tools
- Fuzzing
- Software configuration management
- CISSP EXAM TIPS
- Code review should happen throughout the development lifecycle
- Changes to source code should be done in a test environment
- Fuzzing is a testing technique that inputs invalid data and monitors response
- 8.4 Managing Database Security
- DBMS
- Concurrency
- Commit operations
- Online Transaction Processing (OLTP)
- Rollbacks, checkpoints and savepoints for availability
- ACID - transaction code characteristics
- Atomicity
- Consistency
- Isolation
- Durability
- Access Controls
- Data Aggregation, Warehousing, Mining and inference
- CISSP EXAM TIPS
- Concurrency issues arise when a database is simultaneously accessed by subjects and other objects
- Data warehousing can result in combining information that violates privacy
- Metadata can be more valuable and revealing than the original components
- 8.5 Assessing the Security Impact of Acquired Software
- Secure acquisition and implementation process
- CISSP EXAM TIPS
- Security decisions should not be made in isolation
- Risk assessments should be required at multiple phases in the procurement and acquisition process
- 1 vendor assessment
- Security should always be an enabler