CCT 222: TP-Link Router Risks and Software Development Security for CISSP (D8.2)

Feb 24, 2025 · 41 min · Season 2 · Ep. 222

Summary

This episode explores software development security, starting with TP-Link router risks and moving into programming languages, IDEs, runtime environments, and libraries. It covers securing development and runtime environments, including best practices for CI/CD pipelines and the importance of dynamic application security testing (DAST). The podcast equips listeners with actionable advice to enhance cybersecurity strategies and development protocols.

Episode description

Unlock the secrets to fortifying your software development practices with expert insights from Shon Gerber. As we navigate the complex landscape of cybersecurity, we delve deep into the urgent risks posed by TP-Link routers, used by a staggering portion of U.S. households. Discover practical strategies for protecting your network, like firmware updates and firewall configurations, and learn how potential geopolitical threats could reshape your tech choices. This episode arms you with the knowledge to safeguard your digital ecosystem against looming threats and prepares you for possible shifts in government regulations.

Venture into the vibrant world of programming languages and development environments, tracing their evolution from archaic beginnings with BASIC and C# to today's dynamic platforms like Python and Ruby on Rails. Shon unravels the intricacies of runtime environments and libraries, emphasizing why sourcing trusted libraries is non-negotiable in preventing security breaches. For those new to programming, we demystify Integrated Development Environments (IDEs) and offer insights into why securing these tools is paramount, especially as AI makes coding more accessible than ever before.

As we wrap up, Shon guides you through best practices for securing both your development and runtime environments. From addressing vulnerabilities inherent in IDEs to ensuring robust CI/CD pipeline security, we cover it all. Learn about the pivotal role Dynamic Application Security Testing (DAST) plays and how to seamlessly integrate it within your development processes. This episode is a trove of actionable advice, aimed at equipping you with the skills and foresight needed to enhance your cybersecurity strategies and development protocols. Don’t miss this comprehensive guide to making informed decisions and fortifying your software’s security posture.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Transcript

CISSP Cyber Training

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey, I'm Shon Gerber with CISSP Cyber Training. Hope you all are having a beautifully blessed day today. Today's an exciting day. Yes, we get to talk about software development. Yeah, baby, it's going to be fun. So we're getting into software development pieces, and this is going to be identifying and applying security controls in software development ecosystems. Yeah, that's lots of really big $10 words. So we're going to try to break that down into something a little bit more bite-sized and hopefully understandable. That's the ultimate goal of CISSP Cyber Training: get it, make it so it's a little bit more understandable as you're studying for the CISSP exam.

But before we do, I want to just talk about a quick article that I saw in the news today. So this is out of Wired Magazine, and it's kind of a follow-on to what we've talked about a little bit before on the podcast around TP-Link routers and the potential ban that is occurring, or may be occurring, within the United States related to these pieces of equipment. Now, I don't know if you all are aware, but the TP-Link router, or TP-Link type equipment, there's a lot of it within people's houses and different places around the country that are tied and associated with TP-Link. The article basically says there's roughly around 34%, or actually 36%, of U.S. households that have TP-Link devices, so that's pretty substantial. But the ultimate point of this is that it's in Wired Magazine, and they talk about how the fact is that the Chinese government may have their claws into TP-Link devices, and therefore the U.S. government is determining whether or not they wish to ban these products within the United States, because they're concerned that the Chinese government may have access to these various networks.

And honestly, that is a really good concern. Now, I can't say it's about the Chinese or whoever. Any company that manufactures this kind of equipment does have the ability to put a Trojan horse type activity or active access into these devices. And the goal, if I was the Chinese government or somebody else, is if you had that ability to go and embed some level of software within these devices, then in the event that there's a shooting match, you can go ahead and turn these systems off. So there is a lot of subterfuge that could be involved with these types of equipment. So, again, it was founded in 2008; that's when it was established. But it wasn't until 2022 when the United States and China were getting into some challenges around this. And one of the big issues that came out of it was related to the ownership of the Hong Kong and the United States divisions during the pandemic and how that was moved around.

So again, one of the big factors you want to consider is, do you want to run TP-Link within your company, and do you want to have these kinds of devices there? Now, some of the things you can do to help protect your company or your home: one is regularly update your router credentials and firmware, obviously, and mitigate any potential security risks that you may see there. Now, that may or may not work if whatever's there, if there is anything, is embedded deeply within the firmware. It may not get rid of it, right? Because if you're updating the firmware, one of the big factors around that is they're providing the updates, so they may say, sure, we'll update the firmware, we just won't update this little section over here to the right. So that's something to consider: if you do update the systems, you may not get rid of it, if there is anything there at all. As well, make sure your firewall settings are set and configure those in a lockdown format. Obviously, you want to put some level of monitoring on these systems, so if for some reason data is leaving at whenever the zero hour is, you have the ability to see that and potentially stop that.

What I see happening here is, if this was a specific situation where they had these routers set up to be part of the Chinese government, one, they would use them for active spying. But in reality, what I would say is if they were going to go and start a war, they most likely would just kill them all at that one point in time. They would shut them all down. And that would be what I would do, because that would cause all kinds of chaos and pandemonium throughout an organization, throughout a country, if 34% of the routers all shut off. Because guess what? We're probably tied pretty directly into all bits and pieces of this.

You have to make the decision whether or not you want to go and rip this out and put in a US-based type of router or piece of equipment, or if you want to just roll the dice and see what happens. Again, that's all up to you. You kind of have to decide what works best for you and your company. I would say, based on the fact that your whole company relies on these systems, I would recommend that you go through and do an accurate inventory of what you have, and then potentially phase these out over a period of time. I know the U.S. government is going to be forcing that movement with many of the agencies that may have TP-Link or TP-Link type systems within their infrastructure. But just keep that in mind. If you're a business and you've got TP-Link, you may want to consider migrating off of them as time permits, when these systems become outdated and you have to replace them. Just kind of consider that when you're going forward.

Okay, so let's go ahead and get started about what we're going to talk about today. Okay, so as you see, this is Domain 8, 8.2, and this is part of CISSP Cyber Training. One of the things I want to mention before we get started is that I'm going to be doing a vendor podcast. Actually, it's tied to CISSP. It's going to be one episode we'll have on vendors, and I want to try to do one of those once a month. The ultimate goal of that is I've got some feedback from folks saying, you know, this is great. And this is feedback I've got from mentorship, because I have various mentorship programs within the CISSP Cyber Training platform. And one of the things I get is, I don't know what are some of the good vendors to use. Now, when I put them on the podcast, that doesn't mean that I'm saying they're the vendor you need to go use. There are ones that I see that could be valuable, one from a standpoint that they are tied to the CISSP aspects, so you'll be able to see what domain these tools are tied to related to the CISSP, but also it just kind of gets some awareness around different vendors that are out there on the market. Again, bottom line is that I don't recommend any of these vendors that I'm saying. Some of them I may actually come out and say, yeah, I recommend them. But for the most part, it's just trying to get some exposure and some knowledge around different vendors in the different spaces that are tied to the different domains of the CISSP. I said "different" a lot there, actually about four times. So yeah, just hang on. Okay, so we're going to get into Domain 8, Domain 8.2, identifying and applying security controls in software development ecosystems. So let's get started.

So, the first aspect is going to be talking about programming languages. Okay, that really didn't come off right. Programming languages. That was really weird. So, programming languages, as you all are aware, when you're dealing with development, there's all kinds of languages that are out there.

Programming Languages and Development Environments

And it's become more and more as time has gone on. When I first started, I think it was BASIC, and then, you know, that shows really how old I am, but there was just a very few subset. I think I did a little bit of programming in C#, and that was pretty much it, and my programming languages are very, very limited. But bottom line is, the languages have grown, right? So developers will use, obviously, programming languages to develop their software, and more and more companies are developing software, and so there's a lot more developers out there in the world, and hence there's different types of development languages. Obviously, Ruby, Ruby on Rails, Python, C++, C#, you name it. C#, I think, probably went away. But there's lots of different things that are out there for you to develop in. I'm in the process of working with a company that is developing a TikTok version of, I think it's called Up, and it looks really good, but they've got a whole herd of developers for that. My other son has a moving and storage business, and they deal with people moving stuff from point A to point B. Well, guess what? They have a whole herd of developers as well. So programming languages are out there. Developers are out there. And therefore, from a security standpoint, you need to really consider how you want to protect this stuff.

So when we're dealing with the different languages out there, they can be compiled. Compiled in C, Java, Fortran are examples. Yes, you probably say, Fortran, what is that? That is like really old stuff, and that's when they had punch cards, but you'd be surprised, there's still Fortran out there on the market. And what it does is it creates an executable program, and this program will run, right? And you can reverse engineer these with different types of decompilers, and so using decompilers to kind of reverse engineer these executables that have been created in the past. One example would be, I was in the manufacturing space, people created an executable that ran a very certain process. We had to use decompilers to reverse engineer how it was done so that they could turn around and redo it in a different language. So those are out there and available. And in the past, it used to be very hard and complex to do these things. But in today's world, it's a whole lot simpler. My son was just telling me about different types of coding that can occur, and it's based on AI. You just grab a piece of code, you throw it in there, and it does its magic. And that's come a long way in just a year. You can see where this is going to go over the next 4, 5, 10, 15 years. It's just going to explode. So if you are in the development space, good on you. You're probably in a really good growth market, at least for the short term.

One thing you want to consider is, how do you understand security? So I think if you are a developer, you may want to start getting in, and you may be listening to this because of that. You want to get into the security space, because developers are going to become a dime a dozen, and they're going to use AI to do it. Security, and understanding security for development, is probably something that will be at some point replaced by AI, but you're still going to have to understand the concepts. And I think that will take you a little bit longer. So runtime environments, also, what these are is these allow for portable execution of code. And one example of that is the Java Virtual Machine. It's a runtime environment that allows portable code to be run in a very small virtual environment.

Okay, what are libraries? Okay, so libraries, these are collections of non-volatile resources used by the program. So I'll give you an example. Like if you have Python. Python in and of itself, right, is a program, but it will reach out to libraries and it will pull data in, and then it will run that, and these libraries hold different types of aspects. So in Python we would use timing; there'd be a time library. There would also be different types of data that would be stored in these libraries that could be fed into the overall Python program. So they may consist of configuration data, documentation, all different types of things. They're very reusable, and they will range in size from very small to quite substantial in size. Now, without the libraries, each user would have to know the entire program, which is not really useful. So the goal is that you have these libraries that are relatively static, and then you have the program that you're making that is dynamic, and it pulls from these static programs, these static libraries, to help your program become more voluminous. Voluminous, yeah. Better. There you go. Is that better? So there's various types of libraries. We talked about date/time, OS-related libraries, web scraping, you name it, they're out there. And there's all kinds of ones that you can use. Many of them are already developed and done; you just have to pull them off the shelf and incorporate them within your Python or whatever programming language you are using. One thing to consider, though, from a security standpoint: make sure you get your libraries from trusted sources. Because if I'm a bad boy or girl, what can I do? I can put stuff in the libraries, and then you can pull that stuff into your program. So you want to make sure that, again, you're using libraries that are reputable. At the same time, they can be very efficient and very useful for you.

Now, IDE, this is Integrated Development Environment. We're going to just go into a few slides around IDEs, because it can be a little bit confusing to some individuals, especially if you haven't dealt with programming. It was very confusing to me. I didn't quite understand it until I dug a little bit deeper into it. And now we have a CISSP-level understanding of IDEs. What does that mean? It means if I'm not a developer, that's exactly what that means. Okay, so IDE: this provides developers a single environment to develop their code in. It's just like a little cocoon that these things are in. Now, the software development provides comprehensive facilities to do this, right? So it consists of source code editors, automation, debuggers, you name it. This is this IDE environment, and it's designed to maximize the programmer's production and keep it all in-house, right? So he or she doesn't have to go to separate locations to do this; they can all do it within this one IDE environment. Now, it does integrate with the other similar interfaces, and the great part about this is it has some IDE dedications for specific programming languages. So you can have an IDE creator that is done in C++, you have an IDE creator that's done in C#, so on and so forth, right?

Securing IDEs and Runtime Environments

Now, the three IDE download pages most searched out there on the web are Visual Studio, Eclipse, and Android. Visual Studio is the Microsoft-based product. It does a lot of different languages in there. It's very useful. Many, many people use it. Eclipse is tied specifically around Java and C, and then Android is focused specifically around the Android platform, which is a Linux-based product. So again, those are the IDEs. Now, one thing around IDEs that you also need to consider is that there's a lot of importance around securing these. You want to ensure that these IDEs are set up so that you cannot do any sort of code modifications or injection attacks on them.

Okay, so what are some common security risks with an IDE? So we're just going to go through a few of these. I'm just going to grab a couple off of this slide deck, but what you can do is you can go to CISSP Cyber Training and you can actually see this video, and if you join CISSP Cyber Training and you get access to my content, you can have access to this specific slide itself and get it. So it's all out there at CISSP Cyber Training. But just a couple of these I'll talk about is insecure plugins and extensions. So if you buy, or you end up getting, extensions from a third party that will plug into your IDE, you have to, again, like we talk about, make sure that you're getting these from reputable sources. And it's also one of these aspects, I do trust but verify. One of the big factors is you don't know what's coming into your environment, so therefore you should be very careful around that.

Another one that's a big one that I see a lot is hard-coded credentials: developing and storing API keys, passwords, or other secrets in code files within an IDE environment. I see that a lot. I also see that a lot within code repositories as well. So you really want to be careful with hard-coded credentials, especially API keys. Those things are used everywhere. And I mean, if you're a hacker looking for this stuff, I'm sure you can find anything you want around API keys, because why? API keys are used, right? There's an application programming interface. The goal is to use those connections back and forth. Well, probably as you're listening to the podcast, you're going, I don't see you doing anything yet. If you watch the video, you'll see me move my hand back and forth. But the hard-coded credentials, as your APIs are connected in there, a lot of times people will just hard-code those in because they don't want to have to have some sort of key management system that negotiates the transfer. So they'll put those into place, and then they'll go, hey, we're good, it's running, my API is awesome, and then they forget that these credentials are there. So again, something to kind of consider when you're dealing with that.

Access control is another one, but there's about six or seven different key security risks you need to understand around IDEs. Again, go to CISSP Cyber Training. You'll be able to see it there. But those are some common risks that you run into. Weak authentication is another one.

So what are some best practices around securing your IDEs, right? Hardening the IDE environment: giving well-maintained, built-in security features, obviously, such as Visual Studio Code, IDEA, or Eclipse, building that into it at the beginning when you're building the overall environment, and making sure that you update your plugins and secure those vulnerabilities that are patched as necessary, right? I would also come back and say, make sure that your developers understand code and how to do secure best coding practices. Restrict your plugin installation. Again, only verified plugins from official marketplaces. Don't go out and grab the thing. Oh, that looks cool, I'm going to use that. Don't let your folks do that, because that will cause you problems. And then next thing you know, you've got a whole big issue. So again, make sure you're getting this from official marketplaces, and remove unnecessary extensions as well. Secure code development practices: you want to obviously use security-focused plugins, avoid hard-coded credentials, and then implement security scanning, obviously through GitGuardian or TruffleHog. All of those can help remove exposed credentials that are out there. Key consideration: always consider security in all the things you're doing.

Access controls and repository security. We talk about that. Enable MFA. You need to make sure that in your GitHub, GitLab, any of those things where you're keeping your code, that you have MFA tied to it, and you have role-based access set up specifically around user permissions and the roles that are going on in this overall process. You want to secure your repository connections using SSH, obviously, and personal access tokens are a big factor as well. Always lock down the access to this stuff. Use trusted sources, lock it down. You want to also build your IDEs in a configuration following the best practices related to CI/CD, which we're going to get into in a minute, which is continuous integration, continuous delivery. You want to get into doing that around best practices for those as well. Use signed commits. So when you're committing code, you want to make sure that that commit is signed, right? You also want to have, when you go over code reviews, a really good code review policy in place. And how do you deal with that with all of your folks? And then lastly, you want to really look at your overall logs that are going on within your IDE. And for this, you can use different types of logging and monitoring tools out there, such as ELK Stack or Splunk, to actually look for potentially unusual behavior. So again, you want to develop all that in. I'm throwing a lot at you, and this is a lot of stuff. If you have an IDE environment or a CI/CD pipeline, it's going to take you some time to build this, and I would recommend you build this in small steps. But it's an important factor if you rely on code and code development for your organization.

Runtime. So runtime environment: this refers to the system and the software configurations that support execution of your apps, right? So this includes your operating system, your libraries, any middleware that's out there, or any interpreters for that runtime specifically. So the importance of security is it ensures applications run securely without vulnerabilities being exploited. And that's the ultimate goal: when these things are running in the background, you don't need to be worried that there's some sort of vulnerability tied to this, such as memory corruption, code injection, escalation. You want to avoid all of those aspects as much as possible. So therefore it's imperative that you feel confident around your runtime and what it's doing within your environment. So again, it's called the runtime environment. It does provide an environment where everything runs; its application memory is running in this space too, and then it also includes the compiled and interpreted languages that are in that space.

So some of the best practices to consider, and a lot of these we'll see as repeats from what we talked about just in the IDE space. But you want to have least privilege, right? RBAC. You want to make sure your root admin is, you want to avoid running those as much as possible. And again, it's no different than any sort of admin account; you want to avoid running as that as much as possible. Run your apps with the minimum necessary permissions. Don't give them too much permission, because what can happen is they will be exploited and abused.

Secure runtime dependencies and libraries. You want to have trusted repositories. I kind of mentioned this already. Whatever you're dealing with, anything that's coming in, make sure it's coming from a trusted source. Is it your repository, or is it a third party that you're pulling this in with? Make sure you update your libraries and check for vulnerabilities. Now, OWASP, they have Dependency-Check that is out there that helps you understand the libraries and some of the vulnerabilities that might be associated with them. You may want to run that. There's software composition analysis, an SCA tool. I did a little bit of stuff on a previous podcast many years ago about SCA. So have it look for vulnerable components as well.

Now, you want to consider the sandboxing piece of this when you're going forward. What is a sandbox? We talked about a sandbox as a place where you can have your applications run in a controlled environment, and it will limit the damage of anything that may occur within this environment. So that's where you keep it in a sandbox. Now, the good thing about a sandbox in this case, it doesn't have cats. So there's no cats doing their business in your sandbox. Don't want that. That's very bad and disgusting.

Containerization. One of the things around containerization is using Docker, Kubernetes, LXC, and then again, these help isolate the applications as well. So if you containerize these, keep them small, they can operate in these containers, and then getting outside the containers can be a challenge for any sort of malware, so therefore that helps also run in an isolated form. Virtualization: run critical apps in separate VMs for additional security. Again, all these things are great. That doesn't mean you should do that, because it may not work within your environment, but it's something to consider when you're deploying these things within your company.

Other best practices you can consider: monitor runtime behaviors for anomalies. You've got a host intrusion detection system, HIDS, right? That could be in place and running. You have a runtime application self-protection, or RASP, tool. It's another thing that could be running during this time frame. So there's different types of tools that are out there and may be available for you. Secure APIs and environment variables. We talked about APIs and making sure that you have a secrets management tool: HashiCorp, AWS Secrets Manager. They all have different secrets managers. You want to use those for API environments. Now, they could be tied into your gateway, which is great. That could be an awesome aspect, but you do want to have the APIs, your key management, being managed by this key management system or this gateway of some kind. Because again, when it talks about the second bullet, we don't hard-code credentials. We want to avoid that in your configuration files. And then you also want to enforce encryption for all of your runtime communications, if you can do it. Again, all these things I'm recommending, these are best practices. This doesn't mean you have to get there today, but you should consider this, especially if you're trying to secure up your environment and it's important to you and your company.

Apply patch management. Vulnerability management is a big factor. Many people don't do enough of it, and you want to make sure that you have a good process in place to deal with this. I'm working with a company right now, developing out the processes, a governance process around

Pipeline and Software Security Best Practices

vulnerability management they have good practices good processes there but that it needs to come together in a coalesced environment so you want to make sure that you have this done if you don't if you're not doing it if you're just kind of going oh i'm doing a little here doing a little there you

really truly want to take a step back and analyze your vulnerability management because it's one of the easiest things you can do it's almost it's free but it does take thought and time to go out and do it in a proper format in a proper way and it does potentially if it's been you haven't done it To this point, it's going to take time for you to educate your people on how to have a good patch management process in place.

Continuous delivery and continuous integration. What is this? So we're going to get into, it's a much bigger thing than I'm just going to give you with a few slides. So I would highly recommend if you have a development shop and you are not doing CICD. and you don't have a CICD pipeline, you really want to truly look at this. Take some time, do some studying around it, try to understand the CICD pipeline and how it works.

So the overall view of this is a continuous delivery. This is a software development methodology where software is released in an automated format. Now, the software changes are automatically built, tested, and deployed so that you don't have to go do it. Now, in the past, you'd have to have a team that would go out and they would test it. They would build it. They would test it. They would deploy it all in different formats. And they still have that.

obviously, but it's things that don't need to have a lot of rigor. The CICD pipeline will build it, it will test it, it will deploy it, and it will look for vulnerabilities before it deploys it. So CICD pipelines are a game changer. They are in software development. They make things so much easier, so much better.

However, they have challenges that go with them too, and we'll kind of get into those. They allow software change to be immediately released into production, and it can be very helpful, especially when you're dealing with a lot of changes within your company.

continuous integration this is where team members will use version control system and they'll work to to have the same location the same they call it a branch and this the branch is where they'll do their code development they'll do their testing but that this branch is where it will automatically

automatically then be it'll go down this path and it will be deployed one of the areas that i've used in the past and i say i i don't have people that do this and i kind of looked at it and went oh that's cool um is aws code pipeline this is a really good tool out there very helpful at AWS it has it because again AWS is built on code development and so therefore they have this pipeline and you can utilize it to help develop your code and get it into production in a much

quicker and more secure manner. Again, it takes a little time and understanding on how to deal with it, but it's a really good tool out there. There's a lot of third parties that will also have their own sort of pipelines that you can tap into. But again, that's just the

only one I pulled out, because I've had some limited exposure to it. I basically saw people doing really cool stuff, going, oh wow, that's pretty awesome, how do I do that? Oh, I'm not smart enough, but you're smarter than me, so okay, cool, I'll watch you. Okay, that's basically it. But the ultimate goal is, use pipelines. So, some security risks that you'll see. Again, you can see all this at CISSP Cyber Training. I'm just going to give you a couple little

tidbits of it. Supply chain attacks, right? So, malicious code injected into the dependencies or the CI/CD pipeline script. That would be bad. So there's various things that have happened out there that you've seen in the world, SolarWinds, many others that are supply chain type attacks. If they were to get access to your CI/CD pipeline and they were to then inject malicious code into these, it could cause all kinds of chaos and pandemonium.

And the thing is, if you have a CI/CD pipeline that's been running for a while and you don't really keep tabs on it, someone could slip something in there, and then you wouldn't even know it for a period of time. And it would take a lot of digging to be able to go out and discover what is actually going on. The old days, as old as I am, they say slip them a Mickey. I think that's just like you spike their drink, right? So you're slipping them a Mickey in your CI/CD pipeline.

Insufficient access controls. Again, another big one, right? If in your pipeline you don't have enough access controls, then users can go in and do potentially unauthorized modifications. This is a bad thing. This can cause a lot of chaos and pandemonium

within your company. I've seen this happen, where they have had situations where users have had too permissive of permissions, gone in, made changes, and it busts the pipeline. And then everything comes to a screeching halt. Fingers start getting pointed, gnashing of teeth, yeah, it's not good. So you want to make sure that you understand your access controls as well.

And then back to the exposed secrets. Why does that keep coming up? Oh, because it happens all the time. Exposed secrets, hardcoding credentials, obviously, in your pipeline, bad idea. Now, if you use some of the vulnerability scanning tools that are out there, they will flag this

in your pipeline, saying, yeah, this shouldn't be there. Now, you as a company may decide, you may accept the risk with some of these hardcoded credentials. Just because they're hardcoded does not mean you should always rip them out. I know we highly recommend that, but

your company, you may take the position that, I'm going to accept the risk on this and we're just going to move on. So that's something you have to work through with your company. So, some key best practices around pipelines. All right, secure coding, secrets management. Again, HashiCorp, TruffleHog, GitGuardian, all of those are really good. Having robust access controls, role-based access controls, MFA tied to your CI/CD platform.
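An added example (not from the podcast, and not any of the named tools' code) of what the secret-scanning step in a pipeline actually does. It combines fixed patterns for well-known credential formats with an entropy check for assignment-style secrets, so a placeholder like password = "changeme" is not reported while a real-looking key is, and it honours an inline allowlist marker (an assumed convention) so that a secret the company has formally accepted as a risk can stay without failing every build. The sample file, the regexes and the marker string are all constructed for this example.

```python
"""Added example: a pre-merge secret scan for a CI/CD pipeline (not from the podcast).

Two checks: known credential formats (AWS access key IDs, GitHub tokens,
PEM private-key headers) and assignment-style secrets, where a Shannon
entropy threshold separates real keys from placeholders such as "changeme".
An inline "# pragma: allowlist secret" marker (an assumed convention) lets a
team record an accepted risk without ripping the value out.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed regexes written for this example, not any vendor's rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
    "generic_secret": re.compile(
        r"(?i)\b(?:secret|token|api[_-]?key)\s*[=:]\s*['\"]([A-Za-z0-9+/=_\-]{16,})['\"]"),
}
ENTROPY_RULES = {"hardcoded_password", "generic_secret"}
ALLOWLIST_MARKER = "# pragma: allowlist secret"


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted so the scanner's own log does not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score about 4+, dictionary words 2-3."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # documented accepted risk; the value is still visible in the diff
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if rule in ENTROPY_RULES and shannon_entropy(value) < entropy_threshold:
                continue  # low-entropy placeholder, not a real credential
            findings.append(Finding(line_no, rule, redact(value)))
    return findings


def pipeline_is_clean(text: str) -> bool:
    """Gate function for the CI job: True means the change may proceed."""
    return not scan_text(text)


# Constructed sample of a settings file a developer might commit by mistake.
SAMPLE = """\
# constructed sample, not a real configuration file
db_host = "db.internal"
password = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "xK9v2Lp0Qm4Rt7Ws1Yz3Bn5Hj8Cd6Fg0"
token = "ZmFrZS1sZWdhY3ktdG9rZW4tMDE="  # pragma: allowlist secret
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    raise SystemExit(0 if pipeline_is_clean(SAMPLE) else 1)
```

Run as a pipeline step, a non-zero exit blocks the merge; the allowlist marker is what turns "accept the risk" into something auditable, because the accepted value is now tagged in the repository rather than silently ignored by the scanner.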

Again, all of those things are really important to do. Digitally sign your artifacts, right? So digital signatures are an important part. You know that the code that's coming in, it's been digitally signed, is authentic, and therefore you feel much more confident with it being put within your environment. Enforcing security testing such as SAST and DAST, which we'll get into just a little bit here in a minute, and then software

composition analysis, which we kind of mentioned a little bit earlier. Again, same thing, all these things build upon themselves, and if you have a good plan and you follow the plan, you're in a much more secure environment. Monitoring CI/CD pipelines for activity, put them into your SIEM, right? If you have your Splunk or ArcSight or any of these other types of SIEMs, put that type of data in there and have triggers based on that. And then secure your infrastructure with your CI/CD

environment. This could be within, if it's on-prem, within your overall company, or if it's out in the cloud in AWS or Azure, any of those locations, but make sure you harden it, you have plenty of things built in place, and then you limit the exposure to internal folks only. Don't make it public facing. Again, when you start putting stuff out in the cloud, it's real easy to accidentally

put that in where it's facing externally. Maybe you want to put it facing externally because you've got developers all over the globe. Well, if you do, you better make sure that you have a lot of really tight role-based access controls in place and you are monitoring it like a hawk. Because again, if there's a way in, that's a really good way of getting into your company.

Software configuration management. What is this? So this is where you have tasks that are tracking and controlling changes in your overall software. And this helps determine what has changed, who changed it,

all of those aspects that go into controlling your management of your tools and of your software itself. So secure software control management is an important factor you need to consider when you're developing any sort of software within your company. So there's best practices for software control management: role-based access controls, oh, ding ding ding ding, hearing that again. MFA, important part.

Storing secrets, configuration files. Again, storing all of your secrets, that's an important part. See, I keep bringing the same concept over and over again. Hopefully you guys will understand that.

Environment variables, and storing those, as well as your hardcoded credentials. Automate your configuration management, such as Ansible, Puppet, or Chef. Now, I will tell you that if you automate your SCM, that's awesome. It works great, it's super cool, but it can be expensive, so you better plan for that. But it works really well, and it makes you much more productive, it has less employees, and it can be much more secure when you do that.

Implement infrastructure as code as a security best practice. That's an important part of this, and that's going down a whole different animal, right? That's where you're getting into, you have scripts that are running software processes that in the past you would actually stand up a whole server just to run.

You can actually have the scripts running in micro environments that are then going out and doing all these functions for you. Regular auditing and compliance. Obviously, you want to make sure that you're checking this out, and I would highly recommend that you do have some level

of regular auditing or assessments of these types of systems in these places. It's an important part. There's OpenSCAP and then CloudFormation Guard. These will also look for misconfigurations within your overall environment. Code repository security. All right, so code repository, we talked about GitHub, Bitbucket, all of these different pieces, and we've kind of touched on a lot of this already, but it's important that you have, within your code repository,

one, if you're using it out in the world, right, your GitHub, GitLab, those types, that you have, one, you limit who has access. Two, you have MFA or multi-factor enabled. Three, single sign-on is a good piece of this, a very good aspect, and you'd want to incorporate that if possible. And then, three, you also

want to avoid any sort of use of API keys in your code repository. I say it because you see it all the time. If you go to a code repository, I guarantee that there's tons of API keys. I kind of bang on the API piece of this because, to me, I see it as one of the biggest gaps that companies have: they will integrate APIs and they'll have no clue what's going in or out of these APIs. So something to consider there.

Security best practices: add or remove any sensitive data within a repository, and that helps. One, you have a good process of putting data in. You have a good process of pulling data out. And therefore, by doing that, you will limit the amount of sensitive data stored. And these are policies and processes. So you have policies of going, you shall not go do this.

Important part: with your developers, you need to make sure you educate them, you train them on this, that they don't put secrets up there. As easy, as convenient as it is, don't do it, because guess what? If someone gains access to it, okay, life is over. Control your access, add or remove processes as well. Those are all best practices when you're dealing with code repositories.

You also want to have a security.md file. Now, this is something they consider, that this MD file is a configuration file that's out there, and it helps you with your policy, it helps you with your configurations, and it does have known gaps with possible enhancements that are out there as well. So your MD file is that. It's just like a configuration file that's set up with your security tools or your security recommendations.

Remote SSH and personal tokens, another key factor. And then always consider security with development. Always consider security anytime you're dealing in the development world. Okay, so quickly, I'm going to go into SAST and DAST. So SAST is static application security testing. Now, this is where the software inspects and analyzes your code. We've kind of talked about this through your CI/CD pipeline. SAST will look for any vulnerabilities

within, without executing the code itself. So it's looking for known things, and it'll go like, oh, that looks like it should not be there, and it will tell you that, right? And it actually uses that voice too. But it will look for that specifically, and it looks for flaws before it goes out and actually deploys that.

And it's similar to static code analysis, but it's focused specifically around security testing. And that's SAST, static application security testing. So it's got security in the name. It's static application. Kind of helps point you in the right direction.
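An added example (not from the podcast, and not any commercial scanner's code) of the core of a SAST check, to make concrete what "inspects the code without executing it" means. The scanner parses Python source into an abstract syntax tree and walks it looking for dangerous call patterns; the scanned file is never imported or run, so the sample below can reference modules that are not even installed. The rule set and the sample source are constructed for this example.

```python
"""Added example: a minimal SAST check over Python source (not from the podcast).

The scanner parses the code into an abstract syntax tree and walks it; nothing in
the scanned file is executed, which is the defining property of SAST. The rules
(assumed for this example) flag eval/exec, shell-backed subprocess calls,
pickle deserialization, and yaml.load without an explicit Loader.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    line: int
    rule: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run' or 'eval'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _keyword(node: ast.Call, name: str):
    """The AST node passed as keyword `name`, or None if the keyword is absent."""
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


class DangerousCallVisitor(ast.NodeVisitor):
    SUBPROCESS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
                  "subprocess.check_output", "subprocess.Popen"}

    def __init__(self) -> None:
        self.issues: list[Issue] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in {"eval", "exec"}:
            self.issues.append(Issue(node.lineno, "code-injection", f"{name}() on runtime data"))
        elif name == "os.system":
            self.issues.append(Issue(node.lineno, "command-injection",
                                     "os.system() always goes through the shell"))
        elif name in self.SUBPROCESS:
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.issues.append(Issue(node.lineno, "command-injection", f"{name}(shell=True)"))
        elif name in {"pickle.load", "pickle.loads"}:
            self.issues.append(Issue(node.lineno, "unsafe-deserialization",
                                     f"{name}() executes attacker-controlled pickles"))
        elif name == "yaml.load" and _keyword(node, "Loader") is None and len(node.args) < 2:
            self.issues.append(Issue(node.lineno, "unsafe-deserialization",
                                     "yaml.load() without a Loader"))
        self.generic_visit(node)  # keep walking: flagged calls can nest other calls


def scan_source(source: str) -> list[Issue]:
    """Parse and walk the source; raises SyntaxError on code that will not parse."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.issues, key=lambda i: i.line)


# Constructed sample; it is only parsed, never imported or run.
SAMPLE = '''\
import os, pickle, subprocess, yaml

def run_report(user_input, blob):
    os.system("report --name " + user_input)
    subprocess.run(["report", user_input])
    subprocess.run("report " + user_input, shell=True)
    cfg = yaml.load(open("cfg.yml"))
    safe = yaml.load(open("cfg.yml"), Loader=yaml.SafeLoader)
    data = pickle.loads(blob)
    return eval(user_input), cfg, safe, data
'''

if __name__ == "__main__":
    for issue in scan_source(SAMPLE):
        print(f"line {issue.line}: {issue.rule}: {issue.detail}")
```

The list-form subprocess.run on line 5 of the sample and the yaml.load with an explicit Loader on line 8 are deliberately left unflagged: a SAST rule has to encode the safe variant of each pattern as well as the dangerous one, otherwise developers learn to ignore the findings.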

Development Environment Security Best Practices

Next one is dynamic application security testing, so DAST. Now, this is where a procedure actively investigates running applications, right? And it's looking for some sort of security problem. It's more of a security-forward approach

to web development, so that you're getting it prepped and hardened before it actually gets deployed. It sends automated alerts to appropriate teams, and then the businesses can use DAST to assist in PCI compliance, as well as it allows them to integrate with their DevSecOps. So DAST is a much more

robust, and I'll tell you, though, DAST, because it's proactive and it's security-forward, it can break things. So you want to make sure that before you turn on DAST, you have a good process to deal with all of this. One, when it blows stuff up, how do you deal with that? But two, do you have a really solid core process going forward when you're dealing with that dynamic application security testing? So again, static application security testing, dynamic application security testing.

Security of software environments. One thing to consider when you're dealing with any sort of security is, again, you've got to help build an environment for your people to work in where they have the tools they need to be secure. So you want to make sure that you apply these technical controls, which we've mentioned multiple

times, within your company to protect them as well as your organization. You need to understand what can happen if your environment is compromised. Do not, I repeat, do not assume that just because you had one guy put it in place, who is the expert, that it's going to be good. You need to constantly be looking at this and ensuring that it is not

in an insecure manner. The moment you do that, you're going to be in a much better position. But you must know what would happen if some bad guy or girl got access to your code development environment. What would happen to your company?

Key thing to consider. Development security considerations, again: separate business and development functions. Don't have them together. You need to have them in separate environments. Email, document management is separate from the development. So, like, your developers have an email

and documentation repositories that are separate from your overall enterprise. You don't want those back and forth. I don't need my developers getting email and checking it within the development environment. Why? Spear phishing. Yeah, they could go ahead and get spear phished, and then life is over. It needs to be a standardized environment that is completely separate and segregated. Utilize Active Directory groups and virtual machines as well. So all of those pieces are a big factor.

Consider development environments as compromised. What happens? That means you need to have separate admin and user accounts. Don't let your developers have admin privileges without checking them in or checking them out of a password, a PAM-type tool, right? Some sort of locker of some kind. Incorporate multi-factor, multi-person review. That's another one that's really good. Have multi-people, multi-people, I think it's like the multiverse, have multiple people look at and review

the code, right, for insight. That's where that code review process is an important part. Now, if you can automate some of that, awesome, but you also still need to continue doing it. And then the last bullet on that is trust but verify. You need to trust individuals, but not necessarily their accounts, and you need to incorporate logging and monitoring at all costs in many different locations.

Reduce the attack surface. If you're dealing with any sort of other security applications, you need to make sure that that's limited. You need to protect credentials and security keys, which we have talked about numerous times during this podcast. And then implement,

assess the impact of a compromise. You need to do a risk assessment of your development environment and understand what could happen if things go south. So again, a risk assessment is an important part, and I would highly recommend that you do that within your company, especially within your development environment, once you figure this whole process out. So as we're dealing,

Okay, so that is all I have for you today. We threw a lot at you today. A ton, a gob, a lot, bazillion amounts. But what I want you to do is go to CISSP Cyber Training. That's CISSP Cyber Training. Go there.

And you can get access to the videos that are out there. You can get access to my free content. I have free CISSP questions. You can also purchase, there are three different tiers. You can get a tier that's just, I want to study the CISSP, and it's available to you. You can also get a tier where you can get some mentorship from me.

And one, you get all the products I've got, plus you get hours with me, and we can work through things such as resumes. We can look at, talk about your goals and so forth. That's the mentorship piece of this. And then there's a third tier, which is basically you can bring me on and I

help you with, one, your CISSP, but two, can also help you with some of your security-related tools and process and questions you may have for your company. So there's three different tiers available for you. You can check them all out. I highly recommend the first tier at a minimum, just because it will give you all of this content. It has a blueprint to help you through, step by step by step, on what you need to, how to pass the test. It will be there for you step by step.

I think I said that a few times, but it's true. It will. It makes it in a very logical format, makes it easy to understand, and you can get it done. No question about it. I have no doubt in my mind that if you go follow the blueprint, you will pass the test. But again,

go out to CISSPcybertraining.com, check it out. Or if you need a consultant, you can go to ReduceCyberRisk.com and check that out. That's my consultant side of the house, and I'm happy to help you from there as well. Either way, you reach out to me, I'll take care of you. Going to happen. No big deal. All right. I hope you all have a wonderfully, beautifully blessed day, and we will catch you all on the flip side. See ya.

Hey, thanks again for listening today. It's been my pleasure to prep you for the CISSP exam. Are you interested, though, in some free CISSP exam questions? Head on over to FreeCISSPQuestions.com and sign up to join my email list, and you'll receive access to 60 free CISSP questions each and every month for the next six months. That's a total of 360 questions, just for signing up with CISSP Cyber Training.

You'll also gain access to other free CISSP resources, so just head on over to FreeCISSPQuestions.com and sign up, or head on over to CISSPCybertraining.com and sign up today. Have a wonderful day, and we will catch you on the flip side. See ya.

This transcript was generated by Metacast using AI and may contain inaccuracies. Learn more about transcripts.