CSSLP Course
Masoud Ostad
ISACA CSSLP Course Material. Instructor: Masoud Ostad
1.
©Copyrights 2013-2016 by Masoud Ostad
CSSLP by (ISC)2 Course ©2013-2016
Design and development by Masoud Ostad
Version 1.5 Beta 1

2. Course Outline
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design (Note)
• Secure Software Implementation and Coding (Note)
• Secure Software Testing
• Software Deployment, Operations, Maintenance and Disposal
* The colored modules will be covered in the next version, or refer to the Application Reverse Engineering presentation.

3.

4. Key Players
While there is no indication that other organizations in this space are addressing the knowledge areas in the same manner as the CSSLP, the following are addressing software development and/or security in the software lifecycle:
• IEEE: CSDA and CSDP (software development)
• SANS: GSSP-C, GSSP-J (language-specific secure coding)
• ISSECO: CSSE (entry-level education program with certificate of completion)
• DHS: Software Assurance Initiative (awareness program/forum)
• Vendor-specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec; based on an internal lifecycle process or a specific technology

5. Our Course Overlap with Other Certifications
• CSSLP ((ISC)²): professional certification program
• CSDA (IEEE): associate-level status
• CSDP (IEEE): professional certification program
• GSSP-C (SANS): software coder certification program
• GSSP-J (SANS): software coder certification program
• Software Assurance Initiative (DHS): awareness effort
• CSSE (ISSECO): entry-level education program, certificate of completion
• Vendor-specific credentials

6. Secure Software Concepts
• Core Concepts of Secure Software
• Security Design Principles
• Privacy
• Governance, Risk, and Compliance (GRC)
• Software Development Methodologies

7. Holistic Security

8. Holistic Security Challenges
• Iron Triangle Constraints
• Security as an Afterthought
• Security Versus Usability

9. Iron Triangle Constraints
• Scope
• Schedule
• Budget

10. Relative Cost of Software Defects

11. TQM
Security is not separate from product quality. Before release, or while still in development, the product should be tested:
• Code structure test
• Feature test
• Function test
• Logical test
• Match with an ISO standard, for example ITIL, in the manner of Six Sigma

12. Security Profile Model

13. Security Profile Detail: Authentication
The identifying information provided to this mechanism for validation falls into three categories: something you know, something you own or have, and something you are.
• Knowledge: a mechanism for validating identity, such as username/password, passphrase or PIN
• Ownership: a mechanism for validating a specific identity, such as a token or smart card
• Characteristic: a mechanism for validating a specific identity using a biometric method, such as fingerprint, blood, retina, face or voice

14. Security Profile Detail: Authorization and Availability
Authorization
• Sits at the top of the security layers, above authentication
• Shows the area of access or the number of accesses
• Used to determine the kind of user, for example human or not
• With authorization you can manage an object or target; for example, in a database, use the CRUD concept
Availability
• BCP
• SLA

15. Security Profile Detail: Accountability and Non-repudiation
Auditing is the security concept in which privileged and critical business transactions are logged and tracked; for example, an online shopping store viewed by a customer or a developer. At a bare minimum, audit fields that include who (the subject, which may be a user or a process) did what (operations such as create, read, update, delete, etc.), where (the object on which the operation is performed, such as a file or table) and when (the timestamp of the operation), along with a before and after snapshot of the information that was changed, must be logged for all administrative (privileged) or critical transactions as defined by the business. Never overwrite old log entries with new ones.
Non-repudiation addresses the deniability of actions taken by either a user or the software on behalf of the user. In Iran, for example, National Code Validation (NCV).
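The audit record described on slide 15 (who, what, where, when, plus before/after snapshots, never overwriting an old entry) can be made concrete in a few dozen lines. The Python below is an added example, not part of the course material; the record layout, the hash chain that makes overwrites detectable, and the sample transactions are this example's own constructions.

```python
"""Audit trail of the shape slide 15 describes: who, what, where, when plus
before/after snapshots, written append-only so that an old entry is never
overwritten. Added example, not part of the original course material; the
record layout and the hash chain are this example's own choices."""
import hashlib
import json
from datetime import datetime, timezone

OPERATIONS = {"create", "read", "update", "delete"}   # the CRUD set from the slide


class AuditLog:
    """Append-only list of audit entries. Each entry carries the digest of
    its predecessor, so editing or deleting an earlier entry is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    def record(self, who, what, where, before, after, when=None):
        """Append one entry and return its digest."""
        if what not in OPERATIONS:
            raise ValueError("unknown operation: %r" % what)
        entry = {
            "who": who,                       # subject: user or process
            "what": what,                     # operation (CRUD)
            "where": where,                   # object: file, table, row ...
            "when": when or datetime.now(timezone.utc).isoformat(),
            "before": before,                 # snapshot prior to the change
            "after": after,                   # snapshot after the change
            "prev": self._entries[-1]["digest"] if self._entries else self.GENESIS,
        }
        entry["digest"] = self._digest(entry)
        self._entries.append(entry)           # append only; never assign to an index
        return entry["digest"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def entries(self):
        return list(self._entries)            # shallow copy: the dicts are the stored ones

    def verify(self):
        """True only if every entry still matches its digest and the chain is unbroken."""
        prev = self.GENESIS
        for e in self._entries:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def demo():
    """Constructed scenario: an admin changes a price, then the first entry
    is overwritten (the thing the slide forbids); verify() must flag it."""
    log = AuditLog()
    log.record("admin:alice", "update", "table:products/row:42",
               before={"price": 10}, after={"price": 1},
               when="2016-01-01T00:00:00+00:00")
    log.record("admin:alice", "delete", "table:orders/row:7",
               before={"status": "paid"}, after=None,
               when="2016-01-01T00:01:00+00:00")
    intact = log.verify()
    log.entries()[0]["after"] = {"price": 10}   # tamper with the old record in place
    return intact, log.verify()                 # (True, False)
```

In production the entries would go to write-once storage rather than a list, but the shape of each record and the rule that a new entry never replaces an old one are the points the slide makes.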
16. Risk Management Standard
The National Institute of Standards and Technology (NIST) publishes SP 800-64 on the Systems Development Life Cycle (SDLC), which a CSSLP must be familiar with and which is covered in this section. Some of the definitions used in this section are from the NIST Risk Management Guide for Information Technology Systems, Special Publication 800-30 (SP 800-30). The terminology is explained on the next page.

17. Standard Terminology
• Asset
• Vulnerability
• Threat
• Protection
• Attack
• Probability
• Impact
• Exposure Factor
• Control

18. Types of Security Standard
• Internal, e.g. coding standards
• External:
  • Industry, e.g. PCI-DSS
  • Government, e.g. NIST standards
  • International, e.g. the ISO series
  • National, e.g. FIPS

19. SP 800-30: Risk Management Guide for IT, for example

20. Federal Information Processing Standards (FIPS), for example
Some of the well-known FIPS publications closely related to software security are:
• FIPS 140: Security Requirements for Cryptographic Modules
• FIPS 186: Digital Signature Standard
• FIPS 197: Advanced Encryption Standard

21. ISO/IEC 15408-1:2005 EAL, for example

22. Software Development Methodologies
• Waterfall model
• Iterative model
• Spiral model

23. Waterfall Model
• Requirements
• Design
• Implementation
• Verification
• Maintenance

24. Iterative Model, for small projects

25. Spiral Model (mixed model)

26. Regulations, Privacy and Compliance
• Gramm-Leach-Bliley Act (GLB Act)
• Health Insurance Portability and Accountability Act (HIPAA)
• State security breach laws or privacy terms

27. Trusted Computing Security Model
• Ring 0: OS kernel
• Ring 1: I/O utilities
• Ring 2: Drivers
• Ring 3: User applications

28.

29. Security Requirement Essentials

30. Availability Requirements
• MTD: Maximum Tolerable Downtime
• RTO: Recovery Time Objective
• BIA: Business Impact Analysis

31. Additional Security Requirements

32. Confidentiality Requirements

33. Confidentiality Method: Masking
Masking applies to data:
• In transit
• In processing
• In storage

34. Types of Access Control Model (ACM)
• Discretionary Access Control (DAC): applied on the object
• Non-Discretionary Access Control (NDAC): applied on the user
• Mandatory Access Control (MAC): applied on the user mapped to the object
• Role-Based Access Control (RBAC): create roles and assign roles to users; uses roles and group roles
• Resource-Based Access Control (REBAC): applied on the resources of the system
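Two of the models on slide 34 differ mainly in where the access decision lives: in DAC the object carries its own access list and its owner hands out rights, in RBAC rights attach to roles and users only ever receive roles (group roles bundling other roles). The Python below is an added example, not the course's own code; every user, role, object and permission string in it is constructed for the illustration.

```python
"""DAC and RBAC from slide 34 side by side. Added example, not the course's
own code; all users, roles, objects and permission names are constructed."""


class DacObject:
    """Discretionary access control: the object carries its own ACL and the
    owner (or anyone holding 'grant') decides who else gets which right."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, by, to, right):
        if "grant" not in self.acl.get(by, set()):
            raise PermissionError("%s may not grant on %s" % (by, self.name))
        self.acl.setdefault(to, set()).add(right)

    def allows(self, user, right):
        return right in self.acl.get(user, set())


class Rbac:
    """Role-based access control: user -> roles -> permissions. A group role
    lists the roles it includes, and a user holding the group role inherits
    every permission of the included roles (transitively)."""

    def __init__(self):
        self.role_perms = {}      # role -> set of permissions
        self.role_includes = {}   # group role -> set of member roles
        self.user_roles = {}      # user -> set of roles

    def add_role(self, role, perms=(), includes=()):
        self.role_perms[role] = set(perms)
        self.role_includes[role] = set(includes)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError("unknown role %r" % role)
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        # Walk the group-role graph; the 'seen' set guards against cycles.
        todo = list(self.user_roles.get(user, ()))
        seen = set()
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(self.role_includes.get(r, ()))
        return seen

    def allows(self, user, perm):
        return any(perm in self.role_perms.get(r, ()) for r in self.effective_roles(user))


def demo():
    # DAC: alice owns the file and grants bob read; bob cannot re-grant.
    doc = DacObject("report.docx", owner="alice")
    doc.grant("alice", "bob", "read")
    try:
        doc.grant("bob", "carol", "read")
        bob_regrant_blocked = False
    except PermissionError:
        bob_regrant_blocked = True

    # RBAC: 'orders:*' permissions hang off roles, never off individual users.
    rbac = Rbac()
    rbac.add_role("order_reader", perms={"orders:read"})
    rbac.add_role("order_clerk", perms={"orders:create", "orders:update"},
                  includes={"order_reader"})
    rbac.add_role("support_team", includes={"order_clerk"})   # group role
    rbac.assign("dave", "support_team")
    return (doc.allows("bob", "read"), doc.allows("bob", "write"), bob_regrant_blocked,
            rbac.allows("dave", "orders:read"), rbac.allows("dave", "orders:delete"))
```

The cycle guard in effective_roles matters in practice: once group roles can include other group roles, an accidental loop in the role graph must not hang the authorization check.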
35. Protection Needs Elicitation (PNE)
PNE begins with the discovery of assets that need to be protected from unauthorized access and users. Some standards that require this concept:
• The Information Assurance Technical Framework (IATF)
• The United States National Security Agency (NSA)
• Information Systems Security Engineering (ISSE)

36. Protection Needs Elicitation (PNE) Techniques

37. Policy Decomposition

38.

39. Types of Cryptography

40. Symmetric Algorithms

41. Asymmetric Algorithm Methods

42. Digital Certificate Components

43. Data Integrity using Hash Functions

44. Unsalted Hash

45. Salted Hash
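Slides 43 to 45 name unsalted and salted hashes without showing the difference. The Python below is an added example, not the course's own code: it shows that two users with the same password get the same unsalted digest (so the digests can be matched against each other or a precomputed table), while per-user random salts give unrelated records that still verify. The PBKDF2 work factor, the stored record format and the sample password are this example's assumptions.

```python
"""Unsalted versus salted password hashing, as an added example for slides
43-45 (not part of the original course material)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; an assumption for this example


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random
    16-byte salt is drawn when none is supplied (pass one only for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_salted(record, password):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; malformed or foreign records never verify."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo():
    """Constructed sample: two users choose the same password."""
    pw = "Winter2016!"
    same_unsalted = unsalted_hash(pw) == unsalted_hash(pw)   # True: digests are linkable
    r1, r2 = make_salted_record(pw), make_salted_record(pw)
    same_salted = r1 == r2                                    # False: different salts
    return same_unsalted, same_salted, verify_salted(r1, pw), verify_salted(r1, "wrong")
```

Storing the salt and iteration count inside the record is what lets the work factor be raised later without invalidating existing accounts: each record says how it was computed.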
46. Referential Integrity (RDBMS)

47. Availability Design
• Replication: replication usually follows a master-slave or primary-secondary backup scheme in which there is one master or primary node and data is propagated to the slave or secondary nodes, either actively or passively.
• Failover: in computing, failover refers to the automatic switching from an active transactional software, server, system, hardware component or network to a standby (or redundant) system.

48. Other Design Considerations
• User Interface
• Application Programming Interfaces
• Security Management Interfaces
• Out-of-Band Interface
• Log Interfaces

49. Types of Malware
• Proliferative: Virus, Worm
• Stealthware: Spyware, Adware, Trojan, Rootkit, Ransomware

50. Cloud Model

51. Types of Cloud

52. Mobile Architecture

53.

54. Programming Languages

55. Compiling and Linking

56. List of Organizations for Application Bug Tracking and Security Advisories
• The National Vulnerability Database (NVD)
• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration (CWE™)
• OWASP Top 10
• Open Source Vulnerability Database
• US Computer Emergency Response Team (CERT) Vulnerability Notes Database

57. Man-in-the-Middle

58. Man-in-the-Middle: E2E is the solution

59. Electronic Social Engineering (ESE)
• Phishing
• Pharming
• Vishing
• SMSishing

60. Secure Software Processes
• Versioning (CM)
• Code analysis (syntax, automatic)
• Code/peer review (logic, manual)

61. Acquisition Lifecycle Phases

62.
©Copyright 2013-2016 by Masoud Ostad
Editor's Notes
This is another slide from the ISC2 CSSLP Launch Presentation. These key players are shown on the following slide.