parsonsisconsulting

Parsons Software Security Consulting Blog

Posts Tagged ‘CISSP’

CSSLP the beginning: What is secure software development?



So let's talk about what we are trying to accomplish by becoming a CSSLP. To be a CSSLP you need to understand the basic concepts of software security:


  • Confidentiality – keeping sensitive data private, so that only those who are supposed to see it can.
  • Authentication – verifying that an entity is who it claims to be.
  • Session management – HTTP is a stateless protocol, so state is usually carried in cookies. Session state and session identifiers are sensitive; whoever holds a valid session token is the user as far as the application is concerned.
  • Integrity – making sure the books stay straight: data is not modified without authorization, and unauthorized modification can be detected.
  • Authorization – the entity has the clearance to do what it is supposed to do, no more and no less. This ties in with the principle of least privilege.
  • Exception management – the software handles errors properly and remains in a fail-safe, secure state (an error should result in a denial, never in a default grant).
  • Availability – the software system is up and running when the business needs it.
  • Auditing – answering the who, what, where and when questions about an activity.
  • Configuration management – making sure that vulnerabilities are not introduced into software systems when changes are made.
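Three of these concepts meet in any access check: authorization (least privilege), exception management (fail safe) and auditing (who, what, where, when). The following is an added example, not code from the original post or from (ISC)², showing a flawed check that fails open beside one that fails secure and writes an audit record. The role table, the user directory, the "report-service" name and the simulated directory outage are constructed for illustration and are assumptions, not anything the post describes.

```python
# Added example (not from the original post): an authorization guard that shows
# least-privilege authorization, fail-secure exception management and auditing.
# The role table, user directory and "report-service" name are constructed
# assumptions for illustration only.
from datetime import datetime, timezone

# Constructed role-to-permission table. Least privilege: each role carries only
# the permissions its job needs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "reader": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}

# Constructed user directory (user -> role). Passing None in its place stands
# in for a backend outage.
USER_DIRECTORY = {"alice": "reader", "bob": "admin"}

# Audit trail: one record per decision answering who, what, where, when, outcome.
AUDIT_LOG = []


def lookup_role(user_db, user):
    """Simulated directory lookup.

    Raises KeyError for an unknown user and RuntimeError when the directory
    is unavailable, so the caller has to decide what an error means for access.
    """
    if user_db is None:
        raise RuntimeError("directory unavailable")
    return user_db[user]


def is_allowed_fail_open(user_db, user, action):
    """Flawed form: the blanket except swallows every error and returns True.

    An unknown user or a directory outage therefore grants access, which is
    the opposite of a fail-safe secure state.
    """
    try:
        role = lookup_role(user_db, user)
        return action in ROLE_PERMISSIONS[role]
    except Exception:
        return True  # fails open


def is_allowed_fail_secure(user_db, user, action, where="report-service"):
    """Fail-safe form: default deny, errors become denials, every decision audited."""
    allowed = False  # default deny
    try:
        role = lookup_role(user_db, user)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        outcome = "granted" if allowed else (
            "denied: %s not permitted for role %s" % (action, role))
    except KeyError:
        outcome = "denied: unknown user"
    except RuntimeError as exc:
        outcome = "denied: error (%s)" % exc
    AUDIT_LOG.append({
        "who": user,
        "what": action,
        "where": where,
        "when": datetime.now(timezone.utc).isoformat(),
        "outcome": outcome,
    })
    return allowed


if __name__ == "__main__":
    cases = [
        (USER_DIRECTORY, "alice", "report:read"),
        (USER_DIRECTORY, "alice", "report:write"),
        (USER_DIRECTORY, "mallory", "report:read"),
        (None, "bob", "user:manage"),
    ]
    for db, user, action in cases:
        open_result = is_allowed_fail_open(db, user, action)
        secure_result = is_allowed_fail_secure(db, user, action)
        print("%-8s %-13s fail-open=%-5s fail-secure=%-5s %s" % (
            user, action, open_result, secure_result, AUDIT_LOG[-1]["outcome"]))
```

The two cases worth watching are the unknown user and the outage: the fail-open version answers True to both, so an attacker who can make the directory unreachable, or simply mistype a username, is granted `user:manage`. The fail-secure version starts from `allowed = False`, turns each exception into a specific denial reason, and records the decision so an auditor can later answer who tried what, where and when.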


 http://www.isc2.org

Matt Parsons, CISSP, MSM


mparsons@parsonsisconsulting.com


Written by mparsons1980

January 7, 2014 at 11:40 pm

The secret to the CSSLP the beginning of the journey


I am studying to become a CSSLP. I have had my CISSP for a number of years and have been a programmer and ethical hacker for ten years. I have a master's degree in information security and management science and a bachelor's degree in information science and human-computer interaction. I work for a very large security company. I am taking the exam too and wanted to share my knowledge of studying for it with the blogosphere.

The CSSLP examination tests the breadth and depth of a candidate's knowledge by focusing on the seven domains which comprise the CSSLP, a taxonomy of information security topics:

  • Secure Software Concepts – security implications in software development and for software supply chain integrity
  • Secure Software Requirements – capturing security requirements in the requirements gathering phase
  • Secure Software Design – translating security requirements into application design elements
  • Secure Software Implementation/Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
  • Secure Software Testing – integrated QA testing for security functionality and resiliency to attack
  • Software Acceptance – security implications in the software acceptance phase
  • Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software

CSSLP stakeholders include:

  • Auditors
  • Top Management
  • Business Unit Heads
  • IT Managers
  • Security Specialists
  • Application Owners
  • Developers & Coders
  • Project Managers and Team Leads
  • Technical Architects
  • Quality Assurance Managers
  • Business Analysts
  • Industry Group Delivery Heads
  • Client Side PMs

https://www.isc2.org

Thanks,

Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com

OWASP top 10 2013 Introduction


OWASP Top 10 2013

https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control
  • A8 – Cross-Site Request Forgery (CSRF)
  • A9 – Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards

We are going to look at the new OWASP Top 10 for 2013, starting with injection and ending with unvalidated redirects and forwards. For each vulnerability we will look at the attack vector, the risk, how it is exploited and how to remediate it to protect an application from attackers.

Thanks,

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Written by mparsons1980

June 27, 2013 at 12:26 pm