©Copyrights 2013-2016 by Masoud Ostad
CSSLP by (ISC)² Course
Design and development by Masoud Ostad, version 1.5 beta
Course Outline
 Secure Software Concepts
 Secure Software Requirements
 Secure Software Design (Note)
 Secure Software Implementation and Coding (Note)
 Secure Software Testing
 Software Deployment, Operations, Maintenance and Disposal
 * The modules marked in this colour will be covered in the next version; until then, refer to the Application Reverse Engineering presentation.
Key Players
 While there is no indication that other organizations in this space address the knowledge areas in the same manner as the CSSLP, the following address software development and/or security in the software lifecycle:
 IEEE: CSDA and CSDP (software development)
 SANS: GSSP-C, GSSP-J (language-specific secure coding)
 ISSECO: CSSE (entry-level education program with a certificate of completion)
 DHS: Software Assurance Initiative (awareness program/forum)
 Vendor-specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec; based on an internal lifecycle process or specific to one technology
Our Course Overlap with Other Certifications
 CSSLP ((ISC)²): professional certification program
 CSDA (IEEE): associate-level status
 CSDP (IEEE): professional certification program
 GSSP-C (SANS): software coder certification program
 GSSP-J (SANS): software coder certification program
 Software Assurance Initiative (DHS): awareness effort
 CSSE (ISSECO): entry-level education program, certificate of completion
 Vendor-specific credentials
Secure Software Concepts
Core Concepts of Secure Software
Security Design Principles
Privacy
Governance, Risk, and Compliance (GRC)
Software Development Methodologies
Holistic Security
Holistic Security Challenges
 Iron Triangle constraints
 Security as an afterthought
 Security versus usability
Iron Triangle Constraints
 Scope
 Schedule
 Budget
Relative Cost of Software Defects
TQM (Total Quality Management)
 Security is not separate from product quality.
 Before release, the product must be tested:
 Code structure tests
 Feature tests
 Function tests
 Logic tests
 Conformance to the relevant ISO standards
 Quality and process frameworks such as Six Sigma or ITIL, for example
Security Profile Model
Security Profile Detail
 Authentication
 The identifying information presented for validation is something you know, something you have, or something you are:
 Knowledge
 A mechanism to prove identity with something you know, such as a username/password, passphrase or PIN
 Ownership
 A mechanism to prove identity with something you have, such as a token or smart card
 Characteristic
 A mechanism to prove identity with a biometric, such as fingerprint, blood, retina, face or voice
Security Profile Detail
 Authorization
 Sits on top of authentication: once a subject is authenticated, authorization decides what it may do.
 It defines the scope of access (which areas) and its extent (how much access).
 The subject may be a human user or a software process.
 Authorization governs the operations allowed on an object or target.
 For example, in a database the permitted operations are expressed with the CRUD concept (create, read, update, delete).
 Availability
 BCP (Business Continuity Planning)
 SLA (Service Level Agreement)
Security Profile Detail
 Accountability and Non-repudiation
 Auditing is the security concept in which privileged and critical business transactions are logged and tracked.
 For example, in an online shopping store, actions are audited whether they are performed by a customer or by a developer.
 At a bare minimum, the audit record must capture who (the subject, which may be a user or a process) did what (operations such as create, read, update, delete) where (the object on which the operation was performed, such as a file or table) and when (timestamp of the operation), along with before and after snapshots of the information that was changed, for all administrative (privileged) or critical transactions as defined by the business.
 Logs must be append-only: a new entry must never overwrite an old one.
 Non-repudiation addresses the deniability of actions taken either by a user or by the software on behalf of the user.
 In Iran, an example is National Code Validation (NCV).
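The audit record described on the slide above, as an added example (not code from the course): every entry carries who, what, where, when and the before/after snapshot. The hash chaining is an assumption added here so that the "never overwrite" rule is enforceable, not just stated: rewriting or deleting an old entry breaks the chain and `verify()` reports the first bad record. The sample transactions are constructed.

```python
"""Append-only audit trail: who / what / where / when + before/after snapshot.
Added illustration; the SHA-256 chain over records is an assumed design choice."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # digest "before" the first record


class AuditLog:
    """In-memory append-only audit trail. Each record stores the digest of the
    previous record, so any in-place edit or deletion is detectable."""

    def __init__(self):
        self._records = []

    def record(self, who, what, where, before, after, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self._records[-1]["digest"] if self._records else GENESIS
        entry = {
            "who": who, "what": what, "where": where, "when": when,
            "before": before, "after": after, "prev": prev,
        }
        # Digest over the canonical JSON of the entry (prev digest included).
        entry["digest"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._records.append(entry)   # append only: no update/delete API exists
        return entry["digest"]

    def verify(self):
        """Recompute the chain; return the index of the first bad record, or -1."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = {k: v for k, v in rec.items() if k != "digest"}
            if body["prev"] != prev:
                return i   # a record was removed or reordered
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != rec["digest"]:
                return i   # a record was altered in place
            prev = rec["digest"]
        return -1

    def records(self):
        return list(self._records)


def demo():
    log = AuditLog()
    # Constructed transactions: a customer order and an administrative price change.
    log.record("customer:alice", "create", "orders/1001", None, {"sku": "X1", "qty": 2})
    log.record("admin:bob", "update", "products/X1", {"price": 10.0}, {"price": 9.0})
    assert log.verify() == -1
    # Simulate tampering: overwrite the admin's "after" snapshot in place.
    log._records[1]["after"]["price"] = 10.0
    return log.verify()   # index of the tampered record
```

In production the records go to a write-once store (a dedicated log host, WORM storage) and the last digest is periodically countersigned or copied elsewhere, so that a rewritten chain cannot be passed off as the original.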
Risk Management Standard
 The National Institute of Standards and Technology (NIST) publishes SP 800-64, which covers security considerations in the Systems Development Life Cycle (SDLC).
 The terms a CSSLP must be familiar with are covered in this section.
 Some of the definitions used in this section are from the NIST Risk Management Guide for Information Technology Systems, Special Publication 800-30 (SP 800-30).
 The terminology is explained on the next slide.
Standard Terminology
 Asset
 Vulnerability
 Threat
 Protection
 Attack
 Probability
 Impact
 Exposure Factor
 Control
Types of Security Standard
 Internal, e.g. coding standards
 External
 Industry, e.g. PCI-DSS
 Government, e.g. NIST standards
 International, e.g. the ISO series
 National, e.g. FIPS
SP 800-30: Risk Management Guide for Information Technology Systems (example)
Federal Information Processing Standards (FIPS) examples
 Some of the well-known FIPS publications that are closely related to software security are:
 FIPS 140: Security Requirements for Cryptographic Modules
 FIPS 186: Digital Signature Standard
 FIPS 197: Advanced Encryption Standard
ISO/IEC 15408-1:2005 (Common Criteria) Evaluation Assurance Levels (EAL), example
Software Development
Methodologies
Waterfall model
Iterative model
Spiral model
Waterfall Model
 Requirements
 Design
 Implementation
 Verification
 Maintenance
Iterative Model for Small Projects
Spiral Model (mixed model)
Regulations, Privacy and Compliance
 Gramm-Leach-Bliley Act (GLB Act)
 Health Insurance Portability and Accountability Act (HIPAA)
 State security breach laws or privacy terms
Trusted Computing Security Model (protection rings)
 Ring 0: OS kernel
 Ring 1: I/O utilities
 Ring 2: Drivers
 Ring 3: User applications
Security Requirement Essentials
Availability Requirements
 MTD: Maximum Tolerable Downtime
 RTO: Recovery Time Objective
 BIA: Business Impact Analysis
Additional Security Requirements
Confidentiality Requirements
Masking as a Confidentiality Method
 Masking applies to data:
 In transit
 In processing
 In storage
Types of Access Control Model (ACM)
 Discretionary Access Control (DAC): permissions are attached to the object and granted at the discretion of its owner
 Non-Discretionary Access Control (NDAC): permissions are administered centrally for the user rather than by the object owner
 Mandatory Access Control (MAC): the system enforces access by mapping the user's label to the object's label
 Role-Based Access Control (RBAC): roles are created and assigned to users; permissions belong to roles and role groups
 Resource-Based Access Control: permissions are attached to the resources of the system
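Three of the models listed above, DAC, MAC and RBAC, side by side in working form, as an added example (not code from the course). The subjects, labels and roles are constructed; the MAC rule used ("no read up, no write down", the Bell-LaPadula confidentiality rules) is an assumed policy, since the slide only says that user labels are mapped to object labels.

```python
"""DAC, MAC and RBAC decision logic. Added illustration with constructed data."""
from enum import IntEnum


class Level(IntEnum):          # MAC sensitivity labels, ordered low to high
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


# --- DAC: permissions live on the object and its owner hands them out --------
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter, subject, perm):
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not grant on this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject, perm):
        return perm in self.acl.get(subject, set())


# --- MAC: the system compares the subject's clearance with the object label --
def mac_allows(clearance, label, op):
    """Assumed Bell-LaPadula policy: no read up, no write down."""
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    raise ValueError(op)


# --- RBAC: permissions attach to roles; users hold roles; roles can inherit ---
class Rbac:
    def __init__(self):
        self.role_perms = {}
        self.role_parents = {}    # role group membership: child inherits parent
        self.user_roles = {}

    def add_role(self, role, perms, parents=()):
        self.role_perms[role] = set(perms)
        self.role_parents[role] = list(parents)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def _expand(self, role, seen):
        if role in seen:          # guards against cyclic role graphs
            return set()
        seen.add(role)
        perms = set(self.role_perms.get(role, ()))
        for parent in self.role_parents.get(role, ()):
            perms |= self._expand(parent, seen)
        return perms

    def allows(self, user, perm):
        return any(perm in self._expand(r, set()) for r in self.user_roles.get(user, ()))


def demo():
    results = {}
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")              # owner decides
    results["dac_bob_read"] = doc.allows("bob", "read")
    results["dac_bob_write"] = doc.allows("bob", "write")
    results["mac_read_up"] = mac_allows(Level.INTERNAL, Level.SECRET, "read")
    results["mac_write_down"] = mac_allows(Level.SECRET, Level.PUBLIC, "write")
    rbac = Rbac()
    rbac.add_role("reader", {"orders:read"})
    rbac.add_role("clerk", {"orders:update"}, parents=["reader"])   # role group
    rbac.assign("carol", "clerk")
    results["rbac_carol_read"] = rbac.allows("carol", "orders:read")
    results["rbac_carol_delete"] = rbac.allows("carol", "orders:delete")
    return results
```

The practical difference shows in who can change an answer: under DAC the owner alone can widen access (which is why DAC is weak against a compromised or careless owner), under MAC nobody below the system can, and under RBAC the change is made once on the role and applies to every user holding it.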
Protection Needs Elicitation (PNE)
 PNE begins with the discovery of the assets that need to be protected from unauthorized access and users.
 Frameworks that prescribe this step include:
 The Information Assurance Technical Framework (IATF)
 The United States National Security Agency (NSA), which publishes the IATF
 The Information Systems Security Engineering (ISSE) process
Protection Needs Elicitation (PNE) Techniques
Policy Decomposition
Types of Cryptography
Symmetric Algorithms
Asymmetric Algorithm Methods
Digital Certificate Components
Data Integrity Using Hash Functions
Unsalted Hash
Salted Hash
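The three hash slides above (integrity with hash functions, unsalted hash, salted hash) in one runnable example, added here and not taken from the course. It shows why an integrity check needs a key (HMAC) when the attacker can modify the data, why two users with the same password get the same unsalted digest, and how a per-user random salt with PBKDF2 removes that. The key and passwords are constructed.

```python
"""Hash-based integrity check and unsalted vs salted password storage.
Added illustration with constructed inputs."""
import hashlib
import hmac
import os

INTEGRITY_KEY = b"constructed-demo-key"   # assumed shared secret for the HMAC


def integrity_tag(data: bytes) -> str:
    """Keyed digest. A plain SHA-256 catches accidental corruption, but an
    attacker who can change the data can recompute it; the key prevents that."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()


def integrity_ok(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(data), tag)   # constant-time compare


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt=None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt stored next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    record = b"amount=100;payee=alice"
    tag = integrity_tag(record)
    tampered = record.replace(b"alice", b"mallory")
    # Two users choose the same password: unsalted digests collide, salted do not.
    u1, u2 = unsalted_hash("Winter2016!"), unsalted_hash("Winter2016!")
    s1, s2 = salted_hash("Winter2016!"), salted_hash("Winter2016!")
    return {
        "record_ok": integrity_ok(record, tag),
        "tampered_ok": integrity_ok(tampered, tag),
        "unsalted_collide": u1 == u2,
        "salted_collide": s1 == s2,
        "salted_verify": verify_salted("Winter2016!", s1),
        "salted_wrong": verify_salted("winter2016!", s1),
    }
```

The collision in the unsalted case is what makes precomputed (rainbow) tables and cross-user cracking possible: one cracked digest unlocks every account that shares it. The salt is not secret, which is why it can be stored in the clear beside the digest; the slow iteration count is what makes guessing expensive.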
Referential Integrity (RDBMS)
Availability Design
 Replication
 Replication usually follows a master-slave or primary-secondary backup scheme in which there is one master or primary node and data is propagated to the slave or secondary nodes either actively or passively.
 Failover
 In computing, failover refers to the automatic switching from an active transactional software component, server, system, hardware component or network to a standby (or redundant) system.
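The two mechanisms above combined in a small simulation, added here as an example rather than taken from the course: one primary takes writes and actively pushes them to secondaries, and when the primary stops answering, the store promotes the first healthy secondary. The nodes and the health flag are constructed stand-ins; a real system would rely on the datastore's own replication and a health check with a timeout.

```python
"""Primary-secondary replication with automatic failover. Added illustration."""


class Node:
    """Constructed stand-in for a database node; `healthy` simulates reachability."""

    def __init__(self, name):
        self.name = name
        self.data = {}
        self.healthy = True

    def write(self, key, value):
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        self.data[key] = value

    def read(self, key):
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return self.data.get(key)


class ReplicatedStore:
    """Writes go to the primary and are propagated actively to every reachable
    secondary; on primary failure the first healthy secondary is promoted."""

    def __init__(self, primary, secondaries):
        self.primary = primary
        self.secondaries = list(secondaries)
        self.failovers = []        # (old primary, new primary) history

    def _promote(self):
        for cand in self.secondaries:
            if cand.healthy:
                self.secondaries.remove(cand)
                self.failovers.append((self.primary.name, cand.name))
                self.primary = cand
                return
        raise RuntimeError("no healthy node available")

    def put(self, key, value):
        try:
            self.primary.write(key, value)
        except ConnectionError:
            self._promote()
            self.primary.write(key, value)
        for s in self.secondaries:      # active replication
            if s.healthy:
                s.write(key, value)

    def get(self, key):
        try:
            return self.primary.read(key)
        except ConnectionError:
            self._promote()
            return self.primary.read(key)


def demo():
    p, s1, s2 = Node("db-primary"), Node("db-secondary-1"), Node("db-secondary-2")
    store = ReplicatedStore(p, [s1, s2])
    store.put("session:42", "alice")
    p.healthy = False                    # primary fails
    value = store.get("session:42")      # served after automatic failover
    store.put("session:43", "bob")       # new primary keeps replicating
    return value, store.primary.name, store.failovers, s2.data
```

The active/passive distinction on the slide is the availability-versus-durability trade-off: with passive (asynchronous) propagation a write acknowledged by the primary but not yet copied is lost when failover happens, and with a network partition two nodes may both believe they are primary, so real deployments fence the old primary before promoting a new one.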
Other Design Considerations
 User interfaces
 Application programming interfaces (APIs)
 Security management interfaces
 Out-of-band interfaces
 Log interfaces
Types of Malware
 Proliferative
 Virus
 Worm
 Stealthware
 Spyware
 Adware
 Trojan
 Rootkit
 Ransomware
Cloud Model
Types of Cloud
Mobile Architecture
Programming Languages
Compiling and Linking
Organizations That Track Application Bugs and Publish Security Advisories
 The National Vulnerability Database (NVD)
 Common Vulnerabilities and Exposures (CVE)
 Common Weakness Enumeration (CWE™)
 OWASP Top 10
 Open Source Vulnerability Database (OSVDB)
 CERT Coordination Center (CERT/CC) Vulnerability Notes Database
Man-in-the-Middle
 The countermeasure for a man-in-the-middle attack is end-to-end (E2E) protection: the two endpoints authenticate each other and protect the channel between them, so that an intermediary can neither read nor alter the traffic.
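What the slide means by "end to end", as an added example that is not part of the course: an unauthenticated Diffie-Hellman exchange lets Mallory hold one key with Alice and another with Bob while both believe they share a key; when each endpoint authenticates the other's public value, the substituted value is rejected before any key is used. The group (p = 2^127 - 1, g = 3) is a toy, far too small for real use, and the HMAC over the public value under a pre-shared key is a stand-in for certificate-based signatures; both are assumptions of this example.

```python
"""Unauthenticated vs authenticated DH under a man-in-the-middle.
Added illustration; toy parameters and a pre-shared authentication key."""
import hashlib
import hmac
import secrets

P = 2**127 - 1                     # Mersenne prime M127: toy group only
G = 3
AUTH_KEY = b"constructed-trust-anchor"   # stands in for a trusted signing key


class Party:
    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def _sign(self, name, pub):
        return hmac.new(self.auth_key, f"{name}:{pub}".encode(), hashlib.sha256).hexdigest()

    def hello(self):
        msg = {"from": self.name, "pub": self.pub}
        if self.auth_key:                 # end-to-end authentication of the value
            msg["sig"] = self._sign(self.name, self.pub)
        return msg

    def finish(self, msg):
        """Derive the session key; refuse if the peer's value is not authentic."""
        if self.auth_key:
            if not hmac.compare_digest(self._sign(msg["from"], msg["pub"]), msg.get("sig", "")):
                raise ValueError(f"{self.name}: value claimed by {msg['from']} failed authentication")
        shared = pow(msg["pub"], self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange(alice, bob, mallory=None):
    """Run the exchange over a channel Mallory may sit on. Returns the keys the
    honest parties derived and, if present, the keys Mallory derived."""
    a_hello, b_hello = alice.hello(), bob.hello()
    if mallory is None:
        return alice.finish(b_hello), bob.finish(a_hello), None
    # Mallory swaps in her own public value but keeps the claimed sender name.
    to_bob = dict(a_hello, pub=mallory.pub)
    to_alice = dict(b_hello, pub=mallory.pub)
    key_a = alice.finish(to_alice)
    key_b = bob.finish(to_bob)
    return key_a, key_b, (mallory.finish(a_hello), mallory.finish(b_hello))


def demo():
    # Unauthenticated: Alice and Bob hold different keys, each shared with Mallory.
    key_a, key_b, m_keys = exchange(Party("alice"), Party("bob"), Party("mallory"))
    unauth = {"alice_bob_agree": key_a == key_b,
              "mallory_reads_alice": key_a == m_keys[0],
              "mallory_reads_bob": key_b == m_keys[1]}
    # Authenticated end to end: the substituted value is rejected.
    a, b = Party("alice", AUTH_KEY), Party("bob", AUTH_KEY)
    try:
        exchange(a, b, Party("mallory"))
        detected = False
    except ValueError:
        detected = True
    key_a, key_b, _ = exchange(a, b)       # honest run between the same parties
    return unauth, detected, key_a == key_b
```

The same failure shows up in practice as a TLS client that disables certificate or hostname verification: the encryption is intact, but it is negotiated with whoever answers, so the attacker simply terminates one session and opens another.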
Electronic Social Engineering (ESE)
 Phishing
 Pharming
 Vishing
 SMSishing (smishing)
Secure Software Processes
 Versioning (configuration management, CM)
 Code analysis (syntax; automated)
 Code/peer review (logic; manual)
Acquisition Lifecycle Phases
why an Opensea Clone Script might be your perfect match.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

CSSLP Course

  • 1. ©Copyrights 2013-2016 by Masoud Ostad. CSSLP by (ISC)2 Course. ©2013-2016 design and development by Masoud Ostad, version 1.5 beta.
  • 2. Course Outline: Secure Software Concepts; Secure Software Requirements; Secure Software Design Note; Secure Software Implementation and Coding Note; Secure Software Testing; Software Deployment, Operations, Maintenance and Disposal. (*The modules shown in this colour will appear in the next version; meanwhile refer to the Application Reverse Engineering presentation.)
  • 3. (image slide, no text)
  • 4. Key Players. While there is no indication that other organizations in this space are addressing the knowledge areas in the same manner as the CSSLP, the following are addressing software development and/or security in the software lifecycle: IEEE: CSDA and CSDP (software development); SANS: GSSP-C, GSSP-J (language-specific secure coding); ISSECO: CSSE (entry-level education program with certificate of completion); DHS: Software Assurance Initiative (awareness program/forum); vendor-specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec, based on an internal lifecycle process or a specific technology.
  • 5. Our Course Overlap with Other Certifications: CSSLP ((ISC)²): professional certification program; CSDA (IEEE): associate-level status; CSDP (IEEE): professional certification program; GSSP-C (SANS): software coder certification program; GSSP-J (SANS): software coder certification program; Software Assurance Initiative (DHS): awareness effort; CSSE (ISSECO): entry-level education program, certificate of completion; vendor-specific credentials.
  • 6. Secure Software Concepts: Core Concepts of Secure Software; Security Design Principles; Privacy; Governance, Risk, and Compliance (GRC); Software Development Methodologies.
  • 7. Holistic Security.
  • 8. Holistic Security Challenges: Iron Triangle Constraints; Security as an Afterthought; Security Versus Usability.
  • 9. Iron Triangle Constraints: Scope, Schedule, Budget.
  • 10. Relative Cost of Software Defects.
  • 11. TQM: Security is not separate from product quality. Before release or deployment you should test the product: code structure test, feature test, function test, logical test, and a match with an ISO standard (for example ITIL, like Six Sigma).
  • 12. Security Profile Model.
  • 13. Security Profile Detail: Authentication. The identifying information provided to this mechanism for validation is something that you own or have. Knowledge: a mechanism for validating an identity, such as username/password, passphrase or PIN. Ownership: a mechanism for validating a specific identity, such as a token or smart card. Characteristic: a mechanism for validating a specific identity combined with a biometric method, such as fingerprint, blood, retina, face and voice.
  • 14. Security Profile Detail: Authorization. It is the top layer of security concern, above authentication. This method shows the area of access or the number of accesses; it detects the nature of the user (human or not); with authorization you can manage an object or target, for example in a database using the CRUD concept. Availability: BCP; SLA.
  • 15. Security Profile Detail: Accountability and Non-repudiation. Auditing is the security concept in which privileged and critical business transactions are logged and tracked, for example an online shopping store viewed by a customer or a developer. At a bare minimum, audit fields which include who (the subject, which may be a user or a process) did what (operations such as create, read, update, delete, etc.), where (the object on which the operation is performed, such as a file or table) and when (the timestamp of the operation), along with a before and after snapshot of the information that was changed, must be logged for all administrative (privileged) or critical transactions as defined by the business. Never overwrite old log entries with new ones. Non-repudiation addresses the deniability of actions taken by either a user or the software on behalf of the user. In Iran, for example, National Code Validation (NCV).
  • 16. Risk Management Standard: The National Institute of Standards and Technology publishes SP 800-64, Systems Development Life Cycle (SDLC). The topics a CSSLP must be familiar with are covered in this section. Some of the definitions used in this section are from the NIST Risk Management Guide for Information Technology Systems, Special Publication 800-30 (SP 800-30). The terminology is explained on the next page.
  • 17. Standard Terminology: Asset, Vulnerability, Threat, Protection, Attack, Probability, Impact, Exposure Factor, Control.
  • 18. Types of Security Standard: Internal (e.g. coding standards); External: Industry (e.g. PCI-DSS), Government (e.g. NIST standards), International (e.g. ISO series), National (e.g. FIPS).
  • 19. SP 800-30: Risk Management Guide for IT, for example.
  • 20. Federal Information Processing Standards (FIPS), for example. Some of the well-known FIPS publications that are closely related to software security are: FIPS 140: Security Requirements for Cryptographic Modules; FIPS 186: Digital Signature Standard; FIPS 197: Advanced Encryption Standard.
  • 21. ISO/IEC 15408-1:2005 EAL, for example.
  • 22. Software Development Methodologies: Waterfall model; Iterative model; Spiral model.
  • 23. Waterfall Model: Requirement, Design, Implementation, Verification, Maintenance.
  • 24. Iterative Model for Small Projects.
  • 25. Spiral Model (Mixed Model).
  • 26. Regulations, Privacy and Compliance: Gramm-Leach-Bliley Act (GLB Act); Health Insurance Portability and Accountability Act (HIPAA); State Security Breach Laws or Privacy Terms.
  • 27. Trusted Computing Security Model: Ring 0, OS kernel; Ring 1, I/O utilities; Ring 2, drivers; Ring 3, user applications.
  • 28. (image slide, no text)
  • 29. Security Requirement Essentials.
  • 30. Availability Requirement: MTD: Maximum Tolerable Downtime; RTO: Recovery Time Objective; BIA: Business Impact Analysis.
  • 31. Additional Security Requirements.
  • 32. Confidentiality Requirement.
  • 33. Masking Confidentiality Method: masking in transit, in processing and in storage.
  • 34. Types of Access Control Model (ACM): Discretionary Access Control (DAC); Non-Discretionary Access Control (NDAC); Mandatory Access Control (MAC); Role-Based Access Control (RBAC); Resource-Based Access Control. DAC is applied on the object; NDAC on the user; MAC maps users to objects; RBAC creates roles and assigns roles to users, using roles and group roles; REBAC is applied on the resources of the system.
  • 35. Protection Needs Elicitation (PNE): PNE begins with the discovery of assets that need to be protected from unauthorized access and users. Some standards require the use of this concept, such as: the Information Assurance Technical Framework (IATF); the United States National Security Agency (NSA); Information Systems Security Engineering (ISSE).
  • 36. Protection Needs Elicitation (PNE) Techniques.
  • 37. Policy Decomposition.
  • 38. (image slide, no text)
  • 39. Types of Cryptography.
  • 40. Symmetric Algorithm.
  • 41. Asymmetric Algorithm Method.
  • 42. Digital Certificate Components.
  • 43. Data Integrity using Hash Functions.
  • 44. Unsalted Hash.
  • 45. Salted Hash.
  • 46. Referential Integrity or RDBMS.
  • 47. Availability Design. Replication: replication usually follows a master-slave or primary-secondary backup scheme in which there is one master or primary node and data is propagated to the slave or secondary nodes, either actively or passively. Failover: in computing, failover refers to the automatic switching from an active transactional software, server, system, hardware component or network to a standby (or redundant) system.
  • 48. Other Design Considerations: User Interface; Application Programming Interfaces; Security Management Interfaces; Out-of-Band Interface; Log Interfaces.
  • 49. Types of Malware: Proliferative: Virus, Worm. Stealthware: Spyware, Adware, Trojan, Rootkit, Ransomware.
  • 50. Cloud Model.
  • 51. Types of Cloud.
  • 52. Mobile Architecture.
  • 53. (image slide, no text)
  • 54. Programming Language.
  • 55. Compile and Linking.
  • 56. List of organizations for application bug tracking and security advisories: the National Vulnerability Database (NVD); Common Vulnerabilities and Exposures (CVE); Common Weakness Enumeration (CWE™); OWASP Top 10; Open Source Vulnerability Database; US Computer Emergency Response Team (CERT) Vulnerability Notes Database.
  • 57. Man-in-the-Middle.
  • 58. Man-in-the-Middle is E2E Solution.
  • 59. Electronic Social Engineering (ESE): Phishing, Pharming, Vishing, SMSishing.
  • 60. Secure Software Processes: Versioning (CM); Code Analysis (syntax, automatic); Code/Peer Review (logic, manual).
  • 61. Acquisition Lifecycle Phases.
  • 62. ©Copyright 2013-2016 by Masoud Ostad.
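The audit-trail minimum from slide 15 (who did what, where and when, with a before and after snapshot, and never overwriting old log entries) as a worked example. This is an added illustration, not code from the CSSLP deck; the AuditRecord and AuditLog names, the CRUD operation policy and the sample price table are all constructed for the demo.

```python
"""Append-only audit trail carrying the minimum fields named on slide 15.

Added example, not from the CSSLP deck. All names, policies and sample
data below are constructed for illustration.
"""
from __future__ import annotations

import copy
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# CRUD operations the business defines as auditable (constructed policy).
AUDITED_OPERATIONS = ("create", "read", "update", "delete")


@dataclass(frozen=True)          # frozen: a written record cannot be edited in place
class AuditRecord:
    who: str                     # subject: the user or process that acted
    what: str                    # operation: one of AUDITED_OPERATIONS
    where: str                   # object acted on, e.g. "table:prices/sku-100"
    when: str                    # ISO-8601 UTC timestamp of the operation
    before: dict | None          # snapshot before the change (None if nothing existed)
    after: dict | None           # snapshot after the change (None if deleted)

    def missing_fields(self) -> list[str]:
        """Names of the minimum fields that are empty or invalid (expected: [])."""
        missing = [n for n in ("who", "what", "where", "when") if not getattr(self, n)]
        if self.what not in AUDITED_OPERATIONS:
            missing.append("what")
        return missing

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


class AuditLog:
    """Append-only trail: entries can be added and read, never replaced or removed."""

    def __init__(self) -> None:
        self._entries: list[AuditRecord] = []

    def append(self, record: AuditRecord) -> int:
        if record.missing_fields():
            raise ValueError(f"incomplete audit record: {record.missing_fields()}")
        self._entries.append(record)
        return len(self._entries)          # sequence number of the new entry

    def entries(self) -> tuple[AuditRecord, ...]:
        return tuple(self._entries)        # a copy, so callers cannot overwrite entries

    def history(self, where: str) -> list[AuditRecord]:
        """Every recorded operation on one object, oldest first."""
        return [r for r in self._entries if r.where == where]


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def audited_update(log: AuditLog, who: str, table: dict, table_name: str,
                   key: str, changes: dict) -> AuditRecord:
    """Apply `changes` to table[key] and log the operation with both snapshots."""
    where = f"table:{table_name}/{key}"
    before = copy.deepcopy(table.get(key))             # None when the row is new
    operation = "update" if key in table else "create"
    table.setdefault(key, {}).update(changes)
    record = AuditRecord(who, operation, where, _now(), before, copy.deepcopy(table[key]))
    log.append(record)
    return record


def audited_delete(log: AuditLog, who: str, table: dict, table_name: str,
                   key: str) -> AuditRecord:
    """Remove table[key] and log the deletion, keeping the last known state as 'before'."""
    where = f"table:{table_name}/{key}"
    before = copy.deepcopy(table.pop(key))
    record = AuditRecord(who, "delete", where, _now(), before, None)
    log.append(record)
    return record


def demo() -> AuditLog:
    """Constructed sample: an online store's price table touched by an admin and a service."""
    log = AuditLog()
    prices = {"sku-100": {"price": 10.0, "currency": "USD"}}
    audited_update(log, "admin:alice", prices, "prices", "sku-100", {"price": 12.5})
    audited_update(log, "svc:importer", prices, "prices", "sku-200",
                   {"price": 3.0, "currency": "USD"})
    audited_delete(log, "admin:alice", prices, "prices", "sku-200")
    return log


if __name__ == "__main__":
    for rec in demo().entries():
        print(rec.to_json())
```

The point of `history()` is that, because nothing is ever overwritten, the full sequence of changes to any object can be replayed later; a record missing any of the four minimum fields is rejected at write time rather than discovered during an investigation.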

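The access control models on slide 34 (DAC applied on the object, MAC mapping users to objects, RBAC assigning roles and group roles to users) as one added example that decides the same request under each model. This is constructed illustration code, not from the CSSLP deck; the DacObject and Rbac names, the three-level label lattice and the Bell-LaPadula read/write rules used for the MAC part are assumptions not stated on the slide.

```python
"""Three access-control decision functions side by side (added example).

Constructed illustration of the models named on slide 34; not code from the
CSSLP deck. Names, policies and sample data are made up for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


# ---- DAC: permissions live on the object and its owner decides who gets them ----
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)   # user -> allowed ops

    def allows(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.acl.get(user, set())

    def grant(self, granter: str, user: str, op: str) -> bool:
        """Only the owner may change the ACL; that discretion is DAC's defining trait."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(op)
        return True


# ---- MAC: a central policy maps subject clearance to object classification ----
LEVELS = {"public": 0, "internal": 1, "secret": 2}   # constructed label lattice

def mac_allows(clearance: str, classification: str, op: str) -> bool:
    """Bell-LaPadula style rules (an assumption here, not stated on the slide):
    no read up, no write down. Subjects cannot alter these labels themselves."""
    c, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return c >= o
    if op == "write":
        return c <= o
    raise ValueError(f"unknown operation {op!r}")


# ---- RBAC: permissions attach to roles, users get roles, roles can include roles ----
class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}   # role -> {(resource, op)}
        self.role_includes: dict[str, set[str]] = {}             # role -> "group" roles it contains
        self.user_roles: dict[str, set[str]] = {}

    def add_role(self, role: str, perms=(), includes=()) -> None:
        self.role_perms[role] = set(perms)
        self.role_includes[role] = set(includes)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user: str) -> set[str]:
        """Transitive closure over included roles; safe even if roles include each other."""
        seen, todo = set(), list(self.user_roles.get(user, ()))
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.role_includes.get(r, ()))
        return seen

    def allows(self, user: str, resource: str, op: str) -> bool:
        return any((resource, op) in self.role_perms.get(r, set())
                   for r in self.effective_roles(user))


def demo() -> dict[str, bool]:
    """Same request, 'bob reads the quarterly report', decided under each model."""
    # DAC: alice owns the report and grants bob read; bob cannot grant himself write.
    report = DacObject("report.docx", owner="alice")
    report.grant("alice", "bob", "read")
    report.grant("bob", "bob", "write")        # ignored: bob is not the owner
    # RBAC: bob is a manager; the manager role includes the clerk role, which may read reports.
    rbac = Rbac()
    rbac.add_role("clerk", perms=[("report", "read")])
    rbac.add_role("manager", perms=[("report", "approve")], includes=["clerk"])
    rbac.assign("bob", "manager")
    # MAC: bob is cleared 'internal' while the report is classified 'secret'.
    return {
        "dac": report.allows("bob", "read"),                     # True
        "dac_write": report.allows("bob", "write"),              # False
        "mac": mac_allows("internal", "secret", "read"),         # False: no read up
        "mac_write": mac_allows("internal", "secret", "write"),  # True: writing up is allowed
        "rbac": rbac.allows("bob", "report", "read"),            # True, inherited via clerk
        "rbac_delete": rbac.allows("bob", "report", "delete"),   # False
    }


if __name__ == "__main__":
    for model, decision in demo().items():
        print(f"{model:12s} {decision}")
```

The contrast worth noticing is where the decision data lives: on the object for DAC (so a user can give access away), in labels outside any user's control for MAC (so the same user can be refused even when an owner would have allowed it), and in the role graph for RBAC (so a permission reaches a user only through a role chain that an administrator can audit).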
Editor's Notes

  1. This is another slide from the ISC2 CSSLP Launch Presentation. These key players are shown on the following slide.