Thor Teaches Study Guide CISSP Domain 8

This document discusses key concepts related to software development and programming. It covers topics like secure software development lifecycles, designing security into software requirements, development environment security controls, assessing software security effectiveness, and acquiring secure third-party software. It also defines common programming concepts and languages as well as different types of software releases and licenses.

CISSP Domain 8 Lecture notes

• Welcome to the Eighth CBK Domain:


• This chapter is how we secure software as we develop it.
• Security has for a long time been an afterthought in software development; we need to design it in, not bolt it on.
• Security in the software development lifecycle.
• How we include security in the software requirements of our
SDLC.
• Development environment security controls.
• How security should be designed and planned in and should be
a requirement of our development.
• Software security effectiveness.
• How we assess the effectiveness of our software security controls.
• Acquired software security impact.
• How we test and secure software we buy from 3rd parties.

• CBK 8 makes up 10% of the exam questions.

• Designing security into our software:


• The more breaches and compromises, the more we see the move towards security
being part of the scope of the software design project.
• We use software at our jobs, our personal lives, our homes, cars, power, water...
• It is everywhere. It has been, and still is, common to write code that merely works; security is an afterthought, or not considered at all.
• A large part of our defense-in-depth is there to protect our assets, but ultimately most of it is there to protect our data and software.
• Software with security built in is much more secure than software where it is added on later.
• It is common for programmers to make 15-50 mistakes per 1,000 lines of code. If using a
programming maturity framework, we can lower that to 1 error per 1,000 lines of code.
• Most of the errors are not a vulnerability, or really a concern, but the more we use
software in everything, the more critical the vulnerabilities become.
• Hacks have accelerated and stopped cars on highways, had planes change course
(hacked through bad security on the in-flight entertainment), power grids, elections...

• Programming concepts:
• Machine Code:
• Binary instructions (0s and 1s) executed directly by the CPU.
• Source Code:
• Program text written in a programming language that humans can read; it is translated into machine code.
• Assembler Language:

https://thorteaches.com/
• Short mnemonics like ADD/SUB/JMP, which are matched with the full-length
binary machine code; assemblers convert assembly language into machine
language. A disassembler does the reverse.
• Compiler Languages:
• A compiler translates the higher-level language into machine code and saves the result, often as an executable; the code is compiled once and run many times.
• Interpreted languages:
• Similar to compiled languages, but an interpreter translates the code into machine code each time it is run.

• Programming concepts:
• Bytecode:
• An intermediate form of code, produced from source code for an interpreter or virtual machine; it still needs to be converted into machine code before it can run on the CPU.
• Procedural languages (Procedure-oriented):
• Uses subroutines, procedures and functions.
• Object-oriented Programming (OOP):
• Based on the concept of objects, which may contain data, in the form of fields,
often known as attributes, and code, in the form of procedures, often known as
methods.
• An object's procedures can access and often modify the data fields of the
objects with which they are associated.
• In OOP, computer programs are designed by making them out of objects that
interact with one another.

• Programming concepts:
• 4th Generation languages (4GL):
• Fourth-generation languages are designed to reduce programming effort and
the time it takes to develop software, resulting in a reduction in the cost of
software development.
• Increases the efficiency by automating the creation of machine code.
• Often uses a GUI, drag and drop, and then generating the code, often used for
websites, databases and reports.

• Programming languages and generations:


• 1st generation: Machine Code
• 2nd Generation: Assembler
• 3rd Generation: COBOL, BASIC, C, C++, C#, Java, JavaScript ...
• 4th Generation: ColdFusion, Progress 4GL, SQL, PHP, Perl ...

• Programming concepts:
• CASE (Computer-Aided Software Engineering):
• Similar to and were partly inspired by computer-aided design (CAD) tools used
for designing hardware products.
• Used for developing high-quality, defect-free, and maintainable software.
• Often associated with methods for the development of information systems
together with automated tools that can be used in the software development
process.
• CASE software is classified into 3 categories:
• Tools support specific tasks in the software life cycle.
• Workbenches combine two or more tools focused on a specific part of
the software life cycle.
• Environments combine two or more tools or workbenches and support
the complete software life cycle.

• Programming concepts:
• Top-Down Programming:
• Starts with the big picture, then breaks it down into smaller segments.
• An overview of the system is formulated, specifying, but not detailing, any first-
level subsystems.
• Each subsystem is then refined in yet greater detail, sometimes in many
additional subsystem levels, until the entire specification is reduced to base
elements.
• Procedural programming leans toward top-down: you start with one function and add to it.
• Bottom-Up Programming:
• Piecing together of systems to build more complex systems, making the original
systems a sub-system of the overarching system.
• The individual base elements of the system are first specified in great detail,
they are then linked together to form larger subsystems, which then in turn are
linked, sometimes in many levels, until a complete top-level system is formed.
• OOP tends toward bottom-up: you start by developing your objects and build up.

• Programming concepts:
• Software release:
• Open source:
• We release the code publicly, where it can be tested, improved and corrected, but it also allows attackers to find the flaws in the code.
• Closed Source:
• We release the software but keep the source code secret; this may be sound business practice, but it can also be security through obscurity.
• Proprietary software:
• Software protected by intellectual property and/or patents, often used
interchangeably with Closed Source software, but it really is not. It can be both
Open and Closed Source software.
• Any software not released into the public domain is protected by copyright.

• Programming concepts:
• Software release:
• Free software:
• Freeware:
• Actual free software; it is free of charge to use.
• Shareware:
• Fully functional proprietary software that is initially free to use.
• Often for trials to test the software, after 30 days you have to
pay to continue to use.
• Crippleware:
• Partially functioning proprietary software, often with key
features disabled.
• The user is required to make a payment to unlock the full
functionality.
• EULAs (End-User License Agreements):
• Electronic form where the user clicks “I agree” to the software terms
and conditions while installing the software.

• Programming concepts:
• Software licenses:
• Open source software can be protected by a variety of licensing agreements.
• GNU General Public License (GPL):
• Guarantees end users the freedom to run, study, share and
modify the software.
• A copyleft license, which means that derivative work can only
be distributed under the same license terms.
• BSD (Berkeley Software Distribution):
• A family of permissive free software licenses, imposing minimal
restrictions on the use and redistribution of covered software.
• This is different than copyleft licenses, which have reciprocity
share-alike requirements.
• Apache:
• Users may freely use, distribute and modify the software, and distribute the modified software.
• Requires preservation of the copyright notice and disclaimer.

• Software Development Methodologies:
• There is a wide range of software development
methodologies used today.
• In the past the Waterfall method was widely used; it is a very linear process and does not work very well with the iterative nature of software development.
• To remedy that, other methods were developed: Spiral, Sashimi, Agile and Scrum.
• The individual phases are different from organization to
organization, understand how each methodology works
and the phases flow.
• Waterfall:
• Very linear, each phase leads directly into the next.
• The unmodified waterfall model does not allow us to go back to the previous
phase.

• Software Development Methodologies:


• Sashimi model (Waterfall with overlapping phases):
• Similar to Waterfall, but there are always two overlapping phases: when we close one phase, we add the next.
• The modified waterfall model allows us to go back
to the previous phase but no further.
• Agile software development:
• Describes a set of values and principles for software
development under which requirements and
solutions evolve through the collaborative effort of
self-organizing cross-functional teams.
• Uses adaptive planning, evolutionary development,
early delivery, and continuous improvement, and it
encourages rapid and flexible response to change.
• There are many types of Agile; for the exam, know the flow.

• Software Development Methodologies:


• Agile software development:
• Manifesto for Agile Software Development:
• What is valued in the manifesto?
• Individuals and Interactions more than
processes and tools.
• Working Software more than
comprehensive documentation.
• Customer Collaboration more than
contract negotiation.
• Responding to Change more than following
a plan.
• The twelve principles in the manifesto:
• Customer satisfaction by early and continuous delivery of
valuable software.
• Welcome changing requirements, even in late development.
• Working software is delivered frequently (weeks rather than
months).
• Close, daily cooperation between businesspeople and
developers.
• Projects are built around motivated individuals, who should be
trusted.

• Software Development Methodologies:


• Agile software development:
• Manifesto for Agile Software Development:
• The twelve principles in the manifesto:
• Face-to-face conversation is the best
form of communication (co-location).
• Working software is the primary
measure of progress.
• Sustainable development, able to
maintain a constant pace.
• Continuous attention to technical
excellence and good design.
• Simplicity—the art of maximizing the
amount of work not done—is essential.
• Best architectures, requirements, and
designs emerge from self-organizing
teams.
• Regularly, the team reflects on how to become more effective,
and adjusts accordingly.

• Software Development Methodologies:


• Agile software development:
• Scrum:
• Scrum is a framework for managing software development. Scrum is
designed for teams of approximately 10 individuals, and generally relies
on two-week development cycles, called "sprints", as well as short daily
stand-up meetings.
• The three core roles in the Scrum framework:
• The product owner:
• Represents the product's stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business.
• Development team:
• Responsible for delivering the product at the end of
each sprint (sprint goal).
• The team is made up of 3–9 individuals who do the
actual work (analysis, design, develop, test, technical
communication, document, etc.).

• Software Development Methodologies:


• Agile software development:
• Scrum:
• The three core roles in the Scrum framework (continued):
• Development team:
• Development teams are cross-functional, with all of the
skills as a team necessary to create a product
increment.
• Scrum master:
• Facilitates the process and is accountable for removing impediments to the team's ability to deliver the product goals and deliverables.
• Not a traditional team lead or project manager but acts
as a buffer between the team and any distracting
influences.
• The scrum master ensures that the Scrum framework is
followed.

• Software Development Methodologies:


• Agile software development:
• XP (Extreme programming):
• Intended to improve software quality and responsiveness to changing
customer requirements.
• Advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
• XP uses:
• Programming in pairs or doing extensive code review.
• Unit testing of all code.
• Avoiding programming of features until they are actually
needed.
• Flat management structure.
• Code simplicity and clarity.
• Expecting changes in the customer's requirements as time
passes and the problem is better understood.
• Frequent communication with the customer and among
programmers.

• Software Development Methodologies:


• The spiral model:
• A risk-driven process model generator for
software projects.
• The spiral model has four phases: Planning, Risk
Analysis, Engineering and Evaluation.
• A software project repeatedly passes through
these phases in iterations (called Spirals in this
model).
• In the baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed.
• Each subsequent spiral builds on the baseline spiral.

• Software Development Methodologies:


• RAD (Rapid Application Development):
• Puts an emphasis on adaptability and the necessity of adjusting requirements in
response to knowledge gained as the project progresses.
• Prototypes are often used in addition to or sometimes even in place of design
specifications.
• Well suited for developing software that is driven by user interface requirements.
• GUI builders are often called rapid application development tools.
• Prototyping:
• Breaks projects into smaller tasks, creating multiple prototypes of system design
features.
• A working model of software with some limited functionality, rather than
designing the full software up front.
• Has a high level of customer involvement, the customer inspects the prototypes
to ensure that the project is on track and meeting its objective.

• Software Development Methodologies:


• SDLC (Software Development Life Cycle):
• The SDLC is not really a methodology, but a
description of the phases in the life cycle of software
development.
• These phases are (in general), investigation, analysis,
design, build, test, implement, maintenance and
support (and disposal).
• Can have security built into each step of the process,
for the exam it always does.
• If an answer about SDLC does not list secure or
security, it would be wrong and can be eliminated.
• Has a number of clearly defined and distinct work
phases which are used by systems engineers and
systems developers to plan for, design, build, test, and deliver information
systems.

• Software Development Methodologies:


• SDLC:
• The aim is to produce high-quality systems that meet or exceed customer
expectations, based on customer requirements, by delivering systems which
move through each clearly defined phase, within scheduled time frames and
cost estimates.
• The SDLC is used during the development of a project; it describes the different stages involved, from the drawing board through the completion of the project.
• All software development methodologies follow the SDLC phases but the
method of doing that varies vastly between methodologies.
• Many different SDLC methodologies have been created, Waterfall, Spiral, Agile,
Rapid Prototyping, ...
• In a Scrum project a single user story goes through all the phases of the SDLC within a single two-week sprint, whereas Waterfall projects can take many months or several years to get through the phases.
• While very different they both contain the SDLC phases in which a requirement
is defined, then pass through the life cycle phases ending in the final phase of
maintenance and support.

• Software Development Methodologies:


• Projects, programs and portfolios.
• A project is a temporary endeavor, with a finite start and end, that is focused on creating a unique product, service, or result.
• A program is a collection of related projects. Like a project, a program is temporary: when the collection of projects is complete, the program is complete.
• A portfolio is a collection of projects and programs that are managed as a group to achieve strategic objectives.

• Software Development Methodologies:


• IPT (Integrated Product Team):
• A multidisciplinary group of people who are collectively responsible for
delivering a defined product or process.
• IPTs are used in complex development programs/projects for review and
decision making.
• The emphasis of the IPT is on involvement of all stakeholders (users, customers,
management, developers, and contractors) in a collaborative forum.
• IPTs can be addressed at the program level, there may also be Oversight IPTs
(OIPTs), or Working level IPTs (WIPTs).
• IPTs are created most often as part of structured systems engineering
methodologies, focusing attention on understanding the needs and desires of
each stakeholder.

• Software Development Methodologies:


• Source code escrow:
• The deposit of the source code of software with a third-party escrow agent.
• Escrow is typically requested by a party licensing software (the licensee), to
ensure maintenance of the software instead of abandonment or orphaning.
• The software source code is released to the licensee if the licensor files for
bankruptcy or otherwise fails to maintain and update the software as promised
in the software license agreement.
• Source code repositories:
• Using public third-party code repositories comes with some security concerns.
• Apart from the provider's own security, one of the most important controls is using multi-factor authentication.
• File archive and web hosting facility where a large amount of source code, for
software or for web pages, is kept, either publicly or privately.
• They are often used by open-source software projects and other multi-
developer projects to handle various versions. They help developers submit
patches of code in an organized fashion.

• Software Development Methodologies:


• API Security (Application Programming Interface):
• Allows an application to communicate with another application, operating
systems, databases, networks, ...
• Many applications use APIs; this could be to add single sign-on, integrate two applications, or many other things.
• They are a good example of how we integrate for better usability, but often security is overlooked.
• APIs have been the cause of a number of recent high-profile website security breaches, including Snapchat, Pinterest and Instagram.
• We covered the OWASP top 10 web vulnerabilities in domain 3.
• OWASP also has the Enterprise Security API (ESAPI) toolkit project, which includes these critical API controls:
• Authentication, Access control, Input validation, Output encoding/escaping,
Cryptography, Error handling and logging, Communication security, HTTP
security and Security configuration.
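Added example (not from the study guide): a small request handler in Python that applies three of the controls listed above, input validation with an allowlist, output encoding, and error handling/logging that does not echo untrusted data back to the client. The endpoint, its field names and the username rule are assumptions made for this example.

```python
import html
import json
import logging
import re

log = logging.getLogger("api")

# Allowlist for the username field (an assumption for this example): reject
# anything that does not match instead of trying to "clean" it.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(value):
    """Input validation: return the value if it matches the allowlist, else None."""
    if isinstance(value, str) and USERNAME_RE.fullmatch(value):
        return value
    return None


def encode_for_html(value):
    """Output encoding: escape &, <, > and quotes so the data is rendered as
    text, never interpreted as markup by a browser showing the API response."""
    return html.escape(str(value), quote=True)


def handle_profile_request(raw_body):
    """Hypothetical API endpoint: parse JSON, validate input, encode output.
    Returns (status, response body). Failures are logged with a truncated copy
    of the offending value; the client only gets a generic message, so the
    error path does not become a way to reflect attacker-controlled text."""
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        log.warning("rejected request: body is not valid JSON")
        return 400, {"error": "invalid request body"}
    if not isinstance(body, dict):
        log.warning("rejected request: body is not a JSON object")
        return 400, {"error": "invalid request body"}
    username = validate_username(body.get("username"))
    if username is None:
        log.warning("rejected request: username failed validation: %s",
                    repr(body.get("username"))[:60])
        return 400, {"error": "invalid username"}
    display_name = encode_for_html(body.get("display_name", ""))
    return 200, {"username": username, "display_name": display_name}


if __name__ == "__main__":
    # Constructed sample requests: one valid, one with markup in a free-text
    # field, one with a username outside the allowlist, one that is not JSON.
    for sample in ('{"username": "alice", "display_name": "Alice"}',
                   '{"username": "alice", "display_name": "<b>Al</b>"}',
                   '{"username": "Alice!", "display_name": "Alice"}',
                   'not json'):
        print(handle_profile_request(sample))
```

The allowlist is deliberately strict; widening it is a design decision that should be reviewed, whereas a denylist of "bad characters" is almost always incomplete.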

• Software Development Methodologies:


• Software Change and Configuration Management:
• Earlier in this domain we covered how software development has a lifecycle,
and in Domain 7 we covered configuration and change management.
• Both change and configuration management are very applicable to our software
development process, all the way from investigation/initiation to disposal of the
software.
• As with many of the concepts we cover, these are to some extent logical: configuration management tracks changes to a specific piece of software, whereas change management covers all changes in the entire software development process.

• Software Development Methodologies:


• Software Change and Configuration Management:
• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, uses these terms:
• A Configuration Management Plan (CM Plan) is a comprehensive description of
the roles, responsibilities, policies, and procedures that apply when managing
the configuration of products and systems.
• The basic parts of a CM Plan include:
• Configuration Control Board (CCB) – Establishment of and charter for a group of
qualified people with responsibility for the process of controlling and approving
changes throughout the development and operational lifecycle of products and systems; it may also be referred to as a change control board.
• Configuration Item Identification – for selecting and naming configuration items
that need to be placed under CM.
• Configuration Change Control – Process for managing updates to the baseline
configurations for the configuration items.
• Configuration Monitoring – Process for assessing or testing the level of compliance with the established baseline configuration, and mechanisms for reporting on the configuration status of items placed under CM.

• Software Development Methodologies:


• DevOps:
• A software development and delivery process that emphasizes communication and collaboration between product management, software development, and operations professionals across the entire service lifecycle, from design through the development process to production support.
• It does this by automating and monitoring the process of software integration,
testing, deployment, and infrastructure changes by establishing a culture and
environment where building, testing, and releasing software can happen
rapidly, frequently, and more reliably.

• Databases:
• An organized collection of data.
• It is the collection of schemas, tables, queries, reports, views, and other objects.
• The data are typically organized to model aspects of reality in a way that supports processes requiring information; this could be modelling the availability of rooms in hotels in a way that supports finding a hotel with vacancies.

• Databases:
• DBMS (database management system):
• A computer software application that interacts with the user, other applications,
and the database itself to capture and analyze data.
• A general-purpose DBMS is designed to allow the definition, creation, querying,
update, and administration of databases.
• MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase,
SAP HANA, SQLite and IBM DB2.

• Databases:
• Database management systems are often classified according to the database model they support; the most common database systems since the 1980s have all supported the relational model as represented by the SQL language.
• A database model is a type of data model that determines the logical structure of a
database and fundamentally determines in which manner data can be stored,
organized, and manipulated. The most popular example of a database model is the
relational model (the SQL version), which uses a table-based format.
• Common logical data models for databases include:
• Navigational databases: Hierarchical database model, Network model, Graph
database.
• Relational model.
• Entity–relationship model, Enhanced entity–relationship model.
• Object model.
• Document model.
• Entity–attribute–value model.
• Star schema.

• Databases:
• Relational model:
• Organizes data into one or more tables (or relations) of columns and rows, with
a unique key identifying each row.
• Rows are also called records or tuples.
• Generally, each table/relation represents one entity type.
• The rows represent instances of that type of entity, and the columns represent values attributed to that instance.
• Foreign key:
• In a relational database, a foreign key in one table matches the primary key of a parent table.
• It is always a primary key in the parent table it points to.
• In the example, the SSN is the primary key in the Paygrade/scale table, but a foreign key in the Name table, seen from the Paygrade/scale table.

• Databases:
• Integrity:
• Referential integrity:
• Every foreign key in a secondary table matches a primary key in the parent table.
• It is broken if not all foreign keys match a primary key.
• Semantic integrity:
• Each attribute value is consistent with the attribute's data type.
• Entity integrity:
• Each tuple (row) has a unique primary key value that is not null.

• Databases:
• Integrity:
• User-defined integrity
• A set of rules specified by a user, which do not belong to the entity,
domain and referential integrity categories.
• If a database supports these features, it is the responsibility of the
database to ensure data integrity as well as the consistency model for
the data storage and retrieval.
• If a database does not support these features, it is the responsibility of
the applications to ensure data integrity while the database supports
the consistency model for the data storage and retrieval.
• Having a single, well controlled, and well-defined data-integrity system
increases:
• Stability: One centralized system performs all data integrity operations
• Performance: All data integrity operations are performed in the same
tier as the consistency model.
• Re-usability: All applications benefit from a single centralized data
integrity system.
• Maintainability: One centralized system for all data integrity
administration.

• Databases:
• Integrity:
• Modern databases support these features, and it has become the de facto
responsibility of the database to ensure data integrity.
• If our databases are older, we can use companies or database systems, who
offer products and services to migrate legacy systems to modern databases.
• Databases normally run multiple threads simultaneously and they are all
capable of altering data.
• When two threads try to change the same record, the DBMS will attempt to commit the update.
• If the commit is unsuccessful, the DBMS can roll back (abort) and restore from a save point.
• A database journal is a log of all database transactions.
• If a database becomes corrupted, it can be reverted to a backup copy, and then the transactions are replayed from the journal, restoring database integrity.
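Added example (not part of the notes): Python with the standard-library sqlite3 module, showing how a DBMS enforces each integrity type from the Integrity sections above, and how a failed commit is rolled back so that nothing from that transaction remains. The Paygrade and Name tables follow the SSN example in the notes, but their columns, constraints and sample rows are assumptions made here. SQLite only enforces foreign keys when `PRAGMA foreign_keys = ON` is set, which the example does.

```python
import sqlite3

# Constructed sample schema (an assumption for this example, not from the
# study guide). Each constraint maps to one integrity type from the notes.
SCHEMA = """
CREATE TABLE paygrade (
    ssn    TEXT NOT NULL PRIMARY KEY,        -- entity integrity: unique and not null
                                             -- (SQLite needs the explicit NOT NULL)
    grade  INTEGER NOT NULL
           CHECK (grade BETWEEN 1 AND 15),   -- user-defined rule
    salary INTEGER NOT NULL
           CHECK (typeof(salary) = 'integer' AND salary > 0)  -- semantic integrity
);
CREATE TABLE name (
    ssn       TEXT NOT NULL PRIMARY KEY
              REFERENCES paygrade(ssn),      -- referential integrity (foreign key)
    full_name TEXT NOT NULL
              CHECK (full_name NOT GLOB '*[^A-Za-z ]*')  -- letters and spaces only
);
INSERT INTO paygrade VALUES ('111-22-3333', 7, 52000);
INSERT INTO name     VALUES ('111-22-3333', 'Ada Lovelace');
"""


def open_db():
    """In-memory database with foreign keys enforced (off by default in SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; commit if the DBMS accepts it, otherwise roll back
    and return the DBMS's reason so the caller sees which rule fired."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return str(exc)


def row_count(conn, table):
    # table is one of our own constant names, never user input
    return conn.execute(f"SELECT count(*) FROM {table}").fetchone()[0]


def batch_with_rollback(conn):
    """Two inserts in one transaction; the second breaks the grade rule, so the
    DBMS aborts and the first insert is undone as well. Returns the net change
    in row count, which is 0 when the rollback worked."""
    before = row_count(conn, "paygrade")
    try:
        conn.execute("INSERT INTO paygrade VALUES (?, ?, ?)", ("444-55-6666", 3, 41000))
        conn.execute("INSERT INTO paygrade VALUES (?, ?, ?)", ("555-66-7777", 99, 41000))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
    return row_count(conn, "paygrade") - before


def run_checks():
    """Exercise each integrity type; returns the DBMS verdict per case."""
    conn = open_db()
    ins = "INSERT INTO paygrade VALUES (?, ?, ?)"
    return {
        "orphan_fk":     attempt(conn, "INSERT INTO name VALUES (?, ?)", ("999-99-9999", "Bob Smith")),
        "delete_parent": attempt(conn, "DELETE FROM paygrade WHERE ssn = ?", ("111-22-3333",)),
        "grade_rule":    attempt(conn, ins, ("222-33-4444", 99, 41000)),
        "salary_type":   attempt(conn, ins, ("222-33-4444", 3, "abc")),
        "null_key":      attempt(conn, ins, (None, 3, 41000)),
        "dup_key":       attempt(conn, ins, ("111-22-3333", 3, 41000)),
        "valid":         attempt(conn, ins, ("222-33-4444", 3, 41000)),
        "bad_name":      attempt(conn, "INSERT INTO name VALUES (?, ?)", ("222-33-4444", "R2D2")),
        "rolled_back":   batch_with_rollback(conn),
    }


if __name__ == "__main__":
    for case, verdict in run_checks().items():
        print(f"{case:14} {verdict}")
```

Only the "valid" case reports ok; every other case is refused by the database itself, which is the point of the notes' remark that a single, centralized integrity system is more reliable than leaving the checks to each application.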

• Databases:
• Database normalization:
• Used to clean up the data in a database table to make it logically concise,
organized, and consistent.
• Removes redundant data and improves the integrity and availability of the
database.
• Normalization has three forms (rules):
• First Normal Form: Divides the base data into tables, primary key is
assigned to most or all tables.
• Second Normal Form: Move data that is partially dependent on the
primary key to another table.
• Third Normal Form: Remove data that is not dependent on the primary key.
• The major benefits of using normalization include:
• Greater overall database organization
• Reduction of redundant data
• Data consistency within the database
• A much more flexible database design
• A better handle on database security
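Added example (not from the study guide): Python that takes a constructed flat order table, already in First Normal Form, shows the kind of inconsistency that redundant data allows, and splits the table into Third Normal Form tables following the rules above. The table layout, column names and data are assumptions made for this example.

```python
# Constructed sample "flat" order table, already in 1NF: every cell holds one
# value and the primary key is (order_id, line_no). Not data from the notes.
FLAT_ORDER_LINES = [
    {"order_id": 100, "line_no": 1, "customer_id": "C1", "customer_city": "Oslo",
     "product_code": "P7", "product_name": "Firewall", "qty": 2},
    {"order_id": 100, "line_no": 2, "customer_id": "C1", "customer_city": "Oslo",
     "product_code": "P9", "product_name": "Switch", "qty": 1},
    {"order_id": 101, "line_no": 1, "customer_id": "C2", "customer_city": "Bergen",
     "product_code": "P7", "product_name": "Firewall", "qty": 5},
    # The same customer recorded with a misspelt city: an update anomaly that
    # is only possible because the city is stored once per order line.
    {"order_id": 102, "line_no": 1, "customer_id": "C1", "customer_city": "Olso",
     "product_code": "P9", "product_name": "Switch", "qty": 3},
]


def find_conflicts(flat, key, attr):
    """Report attribute values that disagree for the same key. Redundant
    copies of a fact are what let such contradictions creep in."""
    seen = {}
    for row in flat:
        seen.setdefault(row[key], set()).add(row[attr])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def normalize(flat):
    """Split the flat table into 3NF relations.
    2NF: customer_id depends only on order_id, part of the key -> orders table.
    3NF: customer_city depends on customer_id and product_name on product_code,
         both non-key attributes -> customers and products tables.
    Where the flat data disagrees, the first value seen is kept; in practice
    that choice is a data-cleaning decision to make explicitly."""
    orders, customers, products, lines = {}, {}, {}, []
    for row in flat:
        orders.setdefault(row["order_id"], row["customer_id"])
        customers.setdefault(row["customer_id"], row["customer_city"])
        products.setdefault(row["product_code"], row["product_name"])
        lines.append((row["order_id"], row["line_no"], row["product_code"], row["qty"]))
    return {"orders": orders, "customers": customers,
            "products": products, "order_lines": lines}


def denormalize(n):
    """Join the normalized tables back into the flat shape (what a view would
    show); each fact now comes from exactly one place."""
    rows = []
    for order_id, line_no, code, qty in n["order_lines"]:
        cid = n["orders"][order_id]
        rows.append({"order_id": order_id, "line_no": line_no, "customer_id": cid,
                     "customer_city": n["customers"][cid], "product_code": code,
                     "product_name": n["products"][code], "qty": qty})
    return rows


if __name__ == "__main__":
    print("conflicts before:", find_conflicts(FLAT_ORDER_LINES, "customer_id", "customer_city"))
    tables = normalize(FLAT_ORDER_LINES)
    for name, table in tables.items():
        print(name, table)
    print("conflicts after:", find_conflicts(denormalize(tables), "customer_id", "customer_city"))
```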

• Databases:
• Database Views:
• Database tables may be queried; what we see when we query them is called a database view.
• Views can give users a view of only the parts of the database they are allowed to access.
• For a normal employee this could be their own employee data, whereas HR can access all employees' data. Remember the need-to-know principle: even if you have the access, that doesn't mean you are allowed to access it.
• Data Dictionary:
• Contains a description of the database tables (metadata).
• It has the database view information, information about authorized database
administrators, user accounts names and privileges, auditing information,
database schema ...
• Database schema:
• Describes the attributes and values of the database tables.
• For example: names should only contain letters; in the US, SSNs should only contain 9 digits; ...

• Databases:
• Database query language:
• Allows the creation, modification and deletion of database tables, the read/write access to those tables, ...
• Database query languages have at least two subsets of commands:
• Data Definition Language (DDL):
• A standard for commands that define the different structures in a
database.
• Creates, modifies, and removes database objects such as tables,
indexes, and users.
• Common DDL statements are CREATE, ALTER, and DROP.
• Data Manipulation Language (DML):
• Used for selecting, inserting, deleting and updating data in a database.
• Common DML statements are SELECT, DELETE, INSERT, UPDATE.
• SQL, or a SQL derivative, is by far the most common query language.
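Added example (not from the study guide) covering the Database Views, Data Dictionary and query-language points above, in Python with sqlite3: three views expose different slices of an employee table according to need to know, the data dictionary is read from SQLite's catalog table, and statements are classified as DDL or DML by their leading keyword. The table, view and column names are assumptions made here.

```python
import sqlite3

# Constructed sample schema (an assumption for this example): one table and
# three views, each exposing only what a given audience needs to see.
SCHEMA = """
CREATE TABLE employee (                       -- DDL: defines a structure
    emp_id     INTEGER NOT NULL PRIMARY KEY,
    username   TEXT    NOT NULL UNIQUE,
    full_name  TEXT    NOT NULL,
    department TEXT    NOT NULL,
    salary     INTEGER NOT NULL,
    ssn        TEXT    NOT NULL
);
CREATE VIEW employee_directory AS             -- what any employee may see of colleagues
    SELECT username, full_name, department FROM employee;
CREATE VIEW employee_self AS                  -- own record: salary yes, SSN still hidden
    SELECT username, full_name, department, salary FROM employee;
CREATE VIEW employee_hr AS                    -- HR: every column
    SELECT * FROM employee;
INSERT INTO employee VALUES                   -- DML: manipulates data
    (1, 'asmith', 'Alice Smith', 'Finance', 71000, '111-22-3333'),
    (2, 'bjones', 'Bob Jones',   'IT',      64000, '222-33-4444');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row          # rows can be turned into dicts
    conn.executescript(SCHEMA)
    return conn


def directory(conn):
    """Need to know: colleagues' public attributes only."""
    return [dict(r) for r in conn.execute(
        "SELECT * FROM employee_directory ORDER BY username")]


def own_record(conn, username):
    """A user's own row through the restricted view. The filter is a bound
    parameter, never string-concatenated into the query text."""
    row = conn.execute(
        "SELECT * FROM employee_self WHERE username = ?", (username,)).fetchone()
    return dict(row) if row else None


def hr_records(conn):
    """The HR view is the only path that reaches the SSN column."""
    return [dict(r) for r in conn.execute("SELECT * FROM employee_hr ORDER BY emp_id")]


def data_dictionary(conn):
    """SQLite keeps its metadata (its data dictionary) in sqlite_master:
    which tables and views exist and the SQL that defines them."""
    return [(r["type"], r["name"]) for r in conn.execute(
        "SELECT type, name FROM sqlite_master "
        "WHERE type IN ('table', 'view') ORDER BY name")]


DDL_WORDS = {"CREATE", "ALTER", "DROP"}
DML_WORDS = {"SELECT", "INSERT", "UPDATE", "DELETE"}


def statement_kind(sql):
    """Classify a statement as DDL or DML by its leading keyword, as the notes do."""
    words = sql.strip().split(None, 1)
    first = words[0].upper() if words else ""
    if first in DDL_WORDS:
        return "DDL"
    if first in DML_WORDS:
        return "DML"
    return "other"


if __name__ == "__main__":
    db = open_db()
    print("directory:", directory(db))
    print("asmith sees:", own_record(db, "asmith"))
    print("HR sees:", hr_records(db))
    print("dictionary:", data_dictionary(db))
    for stmt in ("CREATE TABLE t (x)", "SELECT * FROM t", "PRAGMA foreign_keys"):
        print(stmt, "->", statement_kind(stmt))
```

In a multi-user DBMS the views would be combined with GRANT statements so that an account can only read its permitted view; SQLite has no accounts, so here the application chooses the view for the caller.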

• Databases:
• Hierarchical Databases
• Use a tree-like structure for how data is organized.
• The data is stored as records which are connected to one another through links.
• A record is a collection of fields, with each field containing only one value.
• The entity type of a record defines which fields the record contains.
• Object-Oriented Databases (Object Database Management Systems):
• Object databases store objects rather than data such as integers, strings or real numbers.
• Objects are used in object-oriented languages such as Smalltalk, C++, Java, ...
• Objects, in an object-oriented database, reference the ability to develop a product, then define and name it.
• The object can then be referenced, or called later, as a unit without having to go into its complexities.

• Databases:
• Object-Oriented Databases:
• Objects basically consist of the following:
• Attributes:
• Data which defines the characteristics of an object.
• This data may be simple such as integers, strings, and real numbers or it
may be a reference to a complex object.
• Methods:
• Define the behavior of an object; they are what were formerly called procedures or functions.
• Objects contain both executable code and data.
• Classes:
• Define the data and methods the object will contain; they are the
template for the object.
• Does not itself contain data or methods but defines the data and
methods contained in the object.

• Databases:
• We covered these in domain 7:
• Database shadowing:
• Exact real-time copy of the database or files to another location.
• It can be another disk in the same server, but best practice dictates
another geographical location, often on different media.
• Electronic vaulting (e-vaulting):
• Using a remote backup service, backups are sent off-site electronically
at a certain interval or when files change.
• Remote journaling:
• Sends transaction log files to a remote location, not the files
themselves. The transactions can be rebuilt from the logs if we lose the
original files.

• Databases:
• Coupling:
• The degree of interdependence between software modules, a measure of how
closely connected two routines or modules are.
• Cohesion:
• Refers to the degree to which the elements inside a module belong together.
• Measures the strength of relationship between pieces of functionality within a
given module.
• In highly cohesive systems functionality is strongly related.
• Coupling is usually contrasted with cohesion.
• Low coupling often correlates with high cohesion, and vice versa.

• Low coupling is often a sign of a well-structured computer system and a good design,
and when combined with high cohesion, supports the general goals of high readability
and maintainability.

• Databases:
• ORB (Object Request Broker):
• Middleware which allows program calls to be made from one computer to
another via a network, providing location transparency through remote
procedure calls.
• ORBs promote interoperability of distributed object systems, enabling such
systems to be built by piecing together objects from different vendors, while
different parts communicate with each other via the ORB.
• Common object brokers include .NET Remoting, COM, DCOM, and CORBA.
• COM (Component Object Model):
• A language-neutral way of implementing objects that can be
used in environments different from the one in which they were
created, even across machine boundaries.
• It is used to enable inter-process communication and object creation
in a large range of programming languages.

• Databases:
• ORB (Object Request Broker):
• DCOM (Distributed COM)
• The networked sequel to COM, which adds support for
communication among objects on different computers, on a
LAN, a WAN, or even the Internet.
• The application can be distributed to the locations that make the
most sense to your customer and to the application itself.
• OLE (Object Linking and Embedding), a way to link or embed
documents in other documents, is built on COM.
• Both COM and DCOM are slowly being replaced by
Microsoft .NET, which can interoperate with DCOM but offers
more advanced functionality than COM and DCOM.
• A DCOM endpoint reachable over the network is attack surface like any
other network service: firewall it, require authentication, and expose
only the objects that must be remote.

• Databases:
• ORB (Object Request Broker):
• CORBA (Common Object Request Broker Architecture):
• Open vendor neutral ORB standard defined by the Object
Management Group (OMG) designed to facilitate the
communication of systems that are deployed on diverse
platforms.
• Enables collaboration between systems on different operating
systems, programming languages, and computing hardware.

• CORBA uses an object-oriented model although the systems
that use the CORBA do not have to be object-oriented.

• Databases:
• OOAD (Object-oriented analysis and design):
• Iteration after iteration, the outputs of the OOAD activities (analysis models
from OOA and design models from OOD) are refined and evolve continuously,
driven by key factors such as risk and business value.
• OOA (Object-oriented analysis):
• Creates a model of the system's functional requirements that is
independent of implementation constraints.
• Organizes requirements around objects, which integrate both behaviors
(processes) and states (data) modeled after real world objects that the
system interacts with.
• The primary tasks are:
• Find the objects, organize the objects, describe how the objects
interact, define the behavior of the objects, define the internals of the
objects.

• Databases:
• OOAD (Object-oriented analysis and design):
• OOD (Object-oriented design):
• The developer applies the constraints to the conceptual model
produced in object-oriented analysis.
• Such constraints could include the hardware and software platforms,
the performance requirements, persistent storage and transaction,
usability of the system, and limitations imposed by budgets and time.
• Concepts in the analysis model, which is technology independent, are
mapped onto implementing classes and interfaces, resulting in a model of
how the system is to be built on specific technologies.
• Important topics during OOD also include the design of software
architectures by applying architectural patterns and design patterns
with object-oriented design principles.
• OOM (Object-oriented modeling):
• Common approach to modeling applications, systems, and business
domains by using the object-oriented paradigm throughout the entire
development life cycles.
• Heavily used by both OOA and OOD activities in modern software
engineering.

• Software vulnerabilities and Attacks


• OWASP (Open Web Application Security Project):
• Top 10 of the most common web security issues, from the 2017 candidate list.

• A1 Injection.
• A2 Broken Authentication and Session Management.
• A3 Cross-Site Scripting (XSS).
• A4 Broken Access Control.
• A5 Security Misconfiguration.
• A6 Sensitive Data Exposure.
• A7 Insufficient Detection and Response (NEW still being worked on).
• A8 Cross-Site Request Forgery (CSRF).
• A9 Using Components with Known Vulnerabilities.
• A10 Underprotected APIs (Application Programming Interfaces) (NEW
still being worked on).
• Note: the final 2017 release of the Top 10 differs from this candidate list.
A7 and A10 above were dropped, CSRF was retired from the list, and XML
External Entities (XXE), Insecure Deserialization, and Insufficient Logging
and Monitoring were added. Know both versions; the underlying weaknesses
did not go away.

• Software vulnerabilities and Attacks


• OWASP:
• A1 Injection.
• Untrusted input that ends up being interpreted as code or a command by a
back-end interpreter; SQL and LDAP injection are the ones most often seen,
but OS command, XPath, and NoSQL injection work the same way.
• Attackers can do this because our software does not:
• Keep data separate from code (building queries as strings from user
input instead of using parameterized queries/prepared statements).
• Use strong enough input validation and data type limitations on input
fields.
• Enforce input length limitations.
• The primary fix is to parameterize: the query text is fixed and user
input is passed to the database as a value, never spliced into the
statement. On top of that we only allow users to input appropriate data
into the fields, only letters in names, numbers in phone numbers, dropdowns
for country and state (if applicable), and we limit how many characters
people can use per field. Validation alone is not enough; a name like
O'Brien is legitimate and still breaks a concatenated query.
• CGI (Common Gateway Interface):
• Standard protocol for web servers to execute external programs that
generate web pages dynamically.
• CGI itself provides no protection; the CGI program is where the untrusted
(user) side and the trusted (database) side meet, so it is where validation
and parameterization must happen.
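As an added example (not from the original notes), here is the difference in working code, using Python's built-in sqlite3 module so it runs without a database server. The table, its rows, the allow-list pattern, and the attacker's input are all constructed for the example; the DDL (CREATE TABLE) and DML (INSERT, SELECT) statements from the query-language section above are the ones being used.

```python
import re
import sqlite3

# Constructed sample rows for the example; not real accounts.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list for a user name: a letter, then letters/digits/underscore, 1-32 chars (assumed policy).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")


def build_db():
    """Create an in-memory database: DDL defines the table, DML fills it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")  # DDL
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", USERS)          # DML
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """Splices the input into the SQL text, so the input can change the statement."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, name):
    """Parameterized query: the SQL text is fixed, the value travels separately."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_valid_name(name):
    """Input validation as defense in depth: format and length, before any query."""
    return NAME_RE.fullmatch(name) is not None


def validated_lookup(conn, name):
    """Validate first, then still parameterize; neither replaces the other."""
    if not is_valid_name(name):
        raise ValueError("invalid user name")
    return safe_lookup(conn, name)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic tautology; constructed attacker input
    print("vulnerable:", vulnerable_lookup(db, payload))  # every row comes back
    print("safe:      ", safe_lookup(db, payload))        # no row has that literal name
    print("valid name:", is_valid_name(payload))          # False
```

The vulnerable query becomes `SELECT ... WHERE name = '' OR '1'='1'`, which is true for every row; the parameterized one looks for a user literally named `' OR '1'='1` and finds nothing. The same `?` placeholder style works for INSERT and UPDATE, so parameterization covers all the DML statements, not just SELECT.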

• Software vulnerabilities and Attacks


• OWASP:
• A2 Broken Authentication and Session
Management.
• Sessions do not expire or take too long
to expire.
• Session IDs are predictable. 001, 002,
003, 004, …
• Tokens, Session IDs, Passwords ... are
kept in plaintext.

• Software vulnerabilities and Attacks
• OWASP:
• A3 Cross-Site Scripting (XSS).
• Attackers inject client-side scripts into web pages viewed by other
users.
• Vulnerability may be used by attackers
to bypass access controls such as the
same-origin policy.
• The primary defense is context-aware output encoding: escape untrusted
data for the place it is written to (HTML body, attribute, JavaScript, URL)
so the browser treats it as text, not markup. Input validation and data
typing help but cannot catch everything, since legitimate input may contain
characters like < and &.
• Set the session cookie with the HttpOnly flag so a script that does get
injected cannot read it, and send a Content Security Policy to limit which
scripts the browser will execute.
• Supporting session controls: redirect invalid requests, detect a
simultaneous login from two different IP addresses and invalidate the
sessions, and require users to re-enter their password before changing their
registration information.

• Software vulnerabilities and Attacks


• OWASP:
• A4 Broken Access Control.
• Not implemented consistently across an entire application.
• It might be done correctly in one location, but incorrectly in another.
• We need a centralized access control mechanism, and we write the
tricky logic once and reuse it everywhere.
• This is important both for writing code correctly and for making it easy
to audit later.
• Many access control schemes were not deliberately designed but have
simply evolved along with the web site.
• Inconsistent access control rules are often inserted in various locations
all over the code, making it near impossible to manage.
• One particularly dangerous type of access control vulnerability arises
from Web-accessible administrative interfaces, frequently used to allow
site administrators to efficiently manage users, data, and content on
their site.

• Software vulnerabilities and Attacks


• OWASP:
• A5 Security Misconfiguration.
• Databases configured wrong.
• Not removing out of the box default access and settings.
• Keeping default usernames and passwords.
• OS, Webserver, DBMS, applications, etc., not patched and up to date.

• Unnecessary features are enabled or installed, this could be open ports,
services, pages, accounts, privileges, ...

• Software vulnerabilities and Attacks


• OWASP:
• A6 Sensitive Data Exposure.
• Sites served over HTTP rather than HTTPS.
• Data at rest, backups, and data in transit not encrypted
(stored/transmitted in plain text).
• Phishing.
• Using old, weak, or deprecated encryption, including fast unsalted
hashes for stored passwords.
• Not monitoring whether data is being exfiltrated.

• Software vulnerabilities and Attacks


• OWASP:
• A7 Insufficient Detection and Response (NEW).
• Not detecting that we have been compromised, due to a lack of controls
or detection tooling.
• Not performing our due diligence and due care on our applications,
systems, and our response to compromise.
• Not responding in a proper way to compromise, not informing anyone,
informing too late or just ignoring the incident (at best plugging the
leak).
• We need to not just protect against this attack, but future similar
attacks, patch software and applications, close ports.

• Software vulnerabilities and Attacks


• OWASP:
• A8 Cross-Site Request Forgery (CSRF).
• The attacker gets the victim's browser to send a request to a site the
victim is logged in to (a link in a phishing mail, a hidden form on a page
they visit), and the browser attaches the session cookie automatically, so
the site processes it as the victim's own request.
• Made easier by: saved site passwords, not logging off when done, and
using the same browser session for sensitive and non-sensitive browsing.
• Stolen session IDs or tokens, and usernames/passwords saved in
cookies, are session-management weaknesses that make the forged request
just as easy to mount.
• Mitigation: the server issues a unique, session-specific token (random or
pseudo-random) that must accompany every state-changing request and
validates it server-side; a request without the right token is rejected, so a
forged one cannot be replayed. Setting cookies with the SameSite attribute,
which current browsers support, keeps them off cross-site requests.
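As an added example, not from the original notes, the following Python module puts the A2, A3, and A8 controls above into code: unpredictable session IDs with an idle timeout, a per-session CSRF token compared in constant time, the cookie attributes that keep the session ID away from script and off cross-site requests, and HTML escaping of untrusted text. The 15-minute timeout and the cookie name are assumed values, and the clock is injectable so that expiry can be exercised without waiting.

```python
import hmac
import html
import secrets
import time

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed policy for the example)


class SessionStore:
    """Server-side session store: random IDs, idle expiry, one CSRF token per session."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised in a test
        self._sessions = {}

    def create(self, user):
        """Start a session: the ID is 32 bytes from the OS CSPRNG, not 001, 002, 003."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "last_seen": self._now(),
            "csrf": secrets.token_urlsafe(32),   # unique per session, not derived from the ID
        }
        return sid

    def get(self, sid):
        """Look up a session; drop it server-side once it has been idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._now()
        return session

    def check_csrf(self, sid, submitted):
        """Every state-changing request must carry its own session's token."""
        session = self.get(sid)
        if session is None or not isinstance(submitted, str) or not submitted.isascii():
            return False
        # constant-time comparison: a forged token is rejected without leaking how close it was
        return hmac.compare_digest(session["csrf"], submitted)


def session_cookie(sid):
    """Set-Cookie value: HttpOnly keeps the ID away from script (XSS), Secure keeps it
    off plain HTTP, SameSite keeps the browser from attaching it cross-site (CSRF)."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def render_comment(text):
    """Escape untrusted text for an HTML body so a stored <script> stays text."""
    return "<p>" + html.escape(text, quote=True) + "</p>"
```

The token is stored server-side and tied to the session, so an attacker who can make the victim's browser send a request still cannot supply the right value; `render_comment` is the HTML-body case of output encoding, and other contexts (attributes, JavaScript, URLs) need their own encoders.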

• Software vulnerabilities and Attacks
• OWASP:
• A9 Using Components with Known Vulnerabilities.
• Developers using deprecated code, libraries, or objects that are known to be
insecure, because they are used to them or because the library they use
happens to contain them.
• Keep an inventory of components and versions and check it against
published vulnerabilities as part of every build.
• A10 Underprotected APIs (NEW).
• Badly coded APIs.
• Not using in-depth API code reviews and auditing.
• Not using TLS.
• Forgotten and abandoned APIs that still have access to back-end
systems.

• Software vulnerabilities and Attacks


• OWASP:
• 2013 OWASP top 10 vulnerabilities, no longer on the 2017 list, but still
something you should know for the exam and your future security job.
• 2013 A4 Insecure direct object reference.
• Users can access resources they shouldn't by guessing the URL, path, or
ID, which is easy when it follows a logical pattern.
• If you have access to a report named financials_may2017.pdf
on your organization's network, you can try guessing other file names
you should not have access to, financials_August.pdf or
financials_2017.pdf.
• Mitigated by proper access control: the server checks on every request
that the requesting user is allowed to reach that specific object.
Non-sequential or random names only slow an attacker down, and
monitoring file usage detects the guessing rather than preventing it.
• 2013 A10 Unvalidated Redirects and forwards.
• Not confirming that URLs forward and redirect users to a page we intend,
so an attacker can craft a link on our site that lands on theirs.
• Mitigated by only redirecting to an allow-list of local paths, plus user
awareness, and by spidering our site to see whether it generates any
open redirects (HTTP response codes 300-307, typically 302).
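As an added example (not from the original notes), this Python sketch does the two things the A4 Broken Access Control entry and the 2013 A4 and A10 entries call for: one `authorize()` function that every entry point goes through, with the ownership check done server-side on the object ID the user supplied, and a redirect-target check that accepts only local paths. The report table, users, and roles are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample data: report IDs, their owners, and user roles (not real records).
REPORTS = {
    101: {"owner": "alice", "name": "financials_may2017.pdf"},
    102: {"owner": "bob", "name": "financials_june2017.pdf"},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised for every denied request; the web layer turns it into a 403 or 404."""


def authorize(user, action, report_id):
    """The one place the access rule lives: the owner may read, an admin may do anything."""
    report = REPORTS.get(report_id)
    if report is None:
        raise Forbidden("access denied")   # same answer as a real denial: no existence oracle
    if ROLES.get(user) == "admin":
        return report
    if action == "read" and report["owner"] == user:
        return report
    raise Forbidden("access denied")


def get_report(user, report_id):
    """Entry point for GET /reports/<id>: the ID the user guessed is what gets checked."""
    return authorize(user, "read", report_id)["name"]


def can_read(user, report_id):
    """Boolean view of the same rule, for templates that hide links the user cannot follow."""
    try:
        authorize(user, "read", report_id)
        return True
    except Forbidden:
        return False


def safe_redirect_target(target, default="/"):
    """Accept only a local absolute path; anything that could leave the site falls back."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:           # https://evil.example, //evil.example, javascript:
        return default
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return default                         # relative paths and the browser-tolerated /\ trick
    return target
```

Because `get_report` never decides access itself, the rule can be audited in one place, and changing a report ID in the URL is just another call to `authorize()`; the redirect check works the same way, by deciding once what a legitimate target looks like rather than blocking known-bad hosts.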

• Software vulnerabilities and Attacks


• Buffer overflow (buffer overrun):
• An anomaly where a program, while writing data to a buffer, overruns the
buffer's boundary and overwrites adjacent memory locations. It is caused by
improper coding, when a programmer fails to perform bounds checking.
• Buffers are areas of memory set aside to hold data, often while moving it from
one section of a program to another, or between programs.
• Buffer overflows can often be triggered by malformed inputs: if one assumes all
inputs will be smaller than a certain size and the buffer is created to be that size,
an anomalous transaction that produces more data can cause the program to write
past the end of the buffer.

• If this overwrites adjacent data or executable code, this may result in erratic
program behavior, including memory access errors, incorrect results, and
crashes.
• By sending in data designed to cause a buffer overflow, it is possible to
overwrite areas known to hold executable code or control data (such as a
saved return address) and redirect execution to malicious code.
• Modern platform defenses (stack canaries, non-executable memory, address
space layout randomization) raise the cost of exploitation but do not remove
the bug; the fix is bounds checking, safe library functions, or a memory-safe
language.

• Software vulnerabilities and Attacks


• Race condition (race hazard):
• Two or more programs (or threads) collide in their attempts to modify or
access the same resource, and the outcome depends on who gets there first.
• An attacker with some access can exploit the timing, for example by altering
files in the window, which can result in data corruption or privilege escalation.
• TOCTOU (time of check to time of use):
• A software bug caused by changes in a system between the checking of
a condition (such as a permission on a file) and the use of the results of
that check; the fix is to check the object you actually use, in one
atomic step, rather than checking a name and then using the name again.
• Privilege escalation:
• Exploiting a bug, design flaw, or configuration oversight in an OS or application
to gain access to resources that are normally protected from an application or
user.
• Attackers often use this to elevate the user account they have gained access to,
in order to get administrator access.
• The result is that an application with more privileges than intended by the
application developer or system administrator can perform unauthorized
actions.
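As an added example (not from the original notes), here is the TOCTOU bug described above and its fix, in Python on a POSIX system. The `between` hook stands in for the attacker winning the race: on a real system they would be racing the check with a symlink swap in a loop, here it is called deterministically so the outcome can be observed. The file names and contents are constructed for the example.

```python
import os
import stat
import tempfile


def read_checked_then_used(path, between=None):
    """Vulnerable: checks the name, then opens the name again. The `between` hook
    is the window in which an attacker can change what the name refers to."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if between is not None:
        between()                        # time of check ... time of use
    with open(path, "rb") as f:          # follows whatever the name now points at
        return f.read()


def read_atomically(path):
    """Hardened: open without following symlinks (POSIX O_NOFOLLOW), then check
    the descriptor you actually hold, so check and use refer to the same object."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        with open(fd, "rb", closefd=False) as f:
            return f.read()
    finally:
        os.close(fd)


def demo():
    """Run both readers against a file that an attacker swaps for a symlink.
    Returns (what the vulnerable reader leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "upload.txt")
        secret = os.path.join(tmp, "secret.txt")
        with open(victim, "wb") as f:
            f.write(b"harmless upload")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")        # constructed content the attacker wants read

        def swap_for_symlink():
            os.remove(victim)
            os.symlink(secret, victim)

        leaked = read_checked_then_used(victim, between=swap_for_symlink)
        try:
            read_atomically(victim)      # victim is now a symlink: O_NOFOLLOW rejects it
            refused = False
        except OSError:
            refused = True
        return leaked, refused


if __name__ == "__main__":
    print(demo())   # (b'TOP SECRET', True)
```

The hardened version never consults the path twice: `os.open` with `O_NOFOLLOW` fails on a symlink, and `os.fstat` inspects the descriptor already opened, so there is no window between the check and the read. The same pattern (operate on the handle, not the name) applies to directories with `openat`-style calls.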

• Software vulnerabilities and Attacks


• Backdoors:
• Often installed by attackers during an attack to allow them access to the
systems after the initial attack is over, to exfiltrate data over time, or to come
back and compromise other systems.
• They bypass normal authentication or encryption in a computer system, a product,
or an embedded device, ...
• Backdoors are also sometimes left in by developers or vendors for remote access
or support, and in cryptographic systems a backdoor gives access to plaintext
without the key; either way it is an undocumented path around our controls.
• Disclosure:
• What do you do when you discover a vulnerability? We covered some of this in
the white, gray, black hat hacker section.
• Full disclosure: Tell everyone, make it public, assuming attackers already know
and are using it.
• Responsible (coordinated) disclosure: Tell the vendor and give them time to
develop a patch, then disclose it.
• If they do nothing, we can revert to full disclosure, forcing them to
act.

• No disclosure: Attackers finding a vulnerability would try to exploit it and keep it
secret as long as possible.

• Software vulnerabilities and Attacks


• CMM (Capability Maturity Model):
• The maturity relates to the degree of formality and optimization of processes,
from ad hoc practices, to formally defined repeatable steps, to managed result
metrics, to active optimization of the processes.
• There are five levels defined in the model which describe where an
organization is; it also has practical steps for how to mature the organization to
get to the next level.
• Level 1: Initial
• Processes at this level are normally undocumented and in a state of
dynamic change, tending to be driven in an ad hoc, uncontrolled and
reactive manner by users or events.
• This provides a chaotic or unstable environment for the processes.
• Level 2: Repeatable
• At this level of maturity some processes are repeatable, possibly with
consistent results.
• Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of
stress.

• Software vulnerabilities and Attacks


• CMM:
• Level 3: Defined
• At this level there are sets of defined and documented standard
processes established and subject to some degree of improvement over
time.
• These standard processes are in place.
• The processes may not have been systematically or repeatedly utilized
enough for the users to become competent or the process to be
validated in a range of situations.
• Level 4: Managed (Capable)
• Processes at this level use process metrics; effective achievement of
the process objectives can be evidenced across a range of operational
conditions.
• The suitability of the process in multiple environments has been tested
and the process refined and adapted.
• Process users have experienced the process in multiple and varied
conditions and are able to demonstrate competence.

• Software vulnerabilities and Attacks

• CMM:
• Level 5: Optimizing
• Processes at this level focus on continually improving process
performance through both incremental and innovative technological
changes/improvements.
• Addressing statistical common causes of process variation and changing
the process to improve process performance.

• Software vulnerabilities and Attacks


• CMM:
• Acceptance testing:
• There are many different testing types we use throughout the
development lifecycle.
• At the end of development, we also use acceptance testing; we need to
test the software to ensure it does what it is supposed to and that it is
robust and secure.
• The User Acceptance test:
• Is the software functional for the users who will be using it? It is
tested by the users and application managers.
• Operational acceptance testing:
• Do the software and all the components it interacts with
meet the requirements for operation?
• Tested by system administrators: are the backups in place, do
we have a DR plan, how do we handle patching, is it checked for
vulnerabilities, etc.?

• Software vulnerabilities and Attacks


• CMM:
• Acceptance testing:
• Contract Acceptance testing:
• Does the software fulfil the contract specifications? The
what/where/how of the acceptance is defined in the contract.
• Compliance acceptance testing:
• Is the software compliant with the rules, regulations and laws of
our industry?
• Compatibility/production testing:
• Does the software interface as expected with other applications
or systems?

• Does the software perform as expected in our production
environment vs. the development environment?

• Software vulnerabilities and Attacks


• Buying software from other companies:
• When we buy software from vendors, either COTS (Commercial Off the Shelf) or
custom-built software, we need to ensure it is as secure as we need it to be.
• Vendors' claims about their security posture should, until proven, be seen as
marketing claims; ask for evidence such as independent test results.
• We need to do our due care and due diligence, as well as use outside counsel if
needed.
• Many organizations deal with C-level executives going to conferences and
buying software that the organization may not want or need.
• Software development and procurement, like any other project, should be
carefully scoped and planned based on a clear analysis of what the business
needs and wants.

• Software vulnerabilities and Attacks


• Buying software from other companies:
• COTS (Commercial Off-the-Shelf) Software:
• When buying COTS software, we can, depending on how widely the
software is used, look at reviews, talk to current customers and users to
get a clearer understanding of the software capabilities and security.
• Software roadmaps are nice, but only buy the software for what it can
actually do now, not what it can maybe do in the future.
• We can use a clear RTM (requirements traceability matrix),
requirements are divided into "Must have, nice to have and maybe
should have".
• We would then score the software candidates on the "Have's" and from
that we should be able to see feasible candidates, other factors such as
cost, maintenance also play a big part in the decision.
• For large/expensive implementations it may also be possible for the
vendor to provide references to talk to.
• We would also look at how financially sound the vendor appears to be; if
we spend $2,000,000 on software and the vendor goes bankrupt in
3 months, we may have to spend another $2,000,000 all over again.

• Software vulnerabilities and Attacks


• Buying software from other companies:
• Custom-Developed Third-Party Products:
• Having someone else develop the software we need is also an option.
• This is higher cost than COTS software, but also far more customizable.

• The same questions and then some should be asked:
• How good are they? Have they done this before? How secure are they?
Etc.
• Do we own the code, or do we rent it when it is done?
• What happens if they go out of business?
• Who will support it?
• Do you have capable staff that can support and tweak the software?
• Is it secure or is it security through obscurity?
• Many code shops are just that, code shops: once the software is
accepted, the day-to-day maintenance is your problem; they may
contract for updates, but that is it.

• AI (Artificial intelligence):
• Intelligence exhibited by machines, rather than humans or other
animals.
• What true AI is remains a topic of discussion; what was considered AI
years ago we have since achieved, and once a goal is reached the
AI definition is tweaked a little.
• From what we are seeing published we do not, in my mind,
currently have true AI, but very highly simulated intelligence;
that being said, IBM and Google do seem to be getting a lot
closer.
• The term is also used when a machine mimics cognitive functions that
humans associate with other human minds, such as learning and problem solving.
• AI is currently defined as any device that perceives its environment and takes
actions that maximize its chance of success at some goal, arriving at those
actions through reasoning rather than explicit programming of every case.

• AI (Artificial intelligence):
• Expert systems:
• A computer system that emulates the decision-making ability of a human
expert.
• Designed to solve complex problems by reasoning about knowledge,
represented mainly as if–then rules rather than through conventional
procedural code.
• An expert system is divided into two subsystems:
• The knowledge base represents facts and rules.
• The inference engine applies the rules to the known facts to deduce new facts
and can also include explanation and debugging abilities.
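As an added example (not from the original notes), a minimal forward-chaining inference engine in Python: the knowledge base is a list of if-then rules, the engine applies them to the known facts until nothing new can be deduced, and it keeps a trace so it can explain why a conclusion was reached. The rules and facts are a constructed vulnerability-triage example.

```python
# Knowledge base: (set of conditions, conclusion). Constructed triage rules for the example.
RULES = [
    ({"internet_facing", "unpatched"}, "high_exposure"),
    ({"high_exposure", "public_exploit"}, "critical_risk"),
    ({"default_credentials"}, "critical_risk"),
    ({"critical_risk"}, "open_incident"),
]


def infer(facts, rules=RULES):
    """Forward chaining: fire every rule whose conditions hold, add its conclusion,
    and repeat until a full pass adds nothing (a fixed point). Returns the complete
    fact set and the trace of (conditions, conclusion) firings in order."""
    known = set(facts)
    trace = []
    changed = True
    while changed:
        changed = False
        for conditions, conclusion in rules:
            if conclusion not in known and conditions <= known:
                known.add(conclusion)
                trace.append((frozenset(conditions), conclusion))
                changed = True
    return known, trace


def explain(trace, fact, initial):
    """Walk the trace backwards to list every rule firing that led to `fact`,
    stopping at the facts that were given rather than deduced."""
    chain = []
    pending = [fact]
    while pending:
        target = pending.pop()
        if target in initial:
            continue
        for conditions, conclusion in trace:
            if conclusion == target and (conditions, conclusion) not in chain:
                chain.append((conditions, conclusion))
                pending.extend(conditions)
    return chain
```

The engine knows nothing about security; all of the domain knowledge is in `RULES`, which is the point of the architecture: an expert changes the knowledge base, not the code, and `explain` is the "why" facility that distinguishes an expert system from an opaque classifier.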

• AI (Artificial intelligence):
• ANN's (Artificial neural networks):

• Computing systems inspired by the biological neural networks that constitute
animal brains; we make decisions based on thousands of memories, stories, the
situation, and many other factors, and the ANN tries to emulate that.
• The systems learn and progressively improve their performance, to do tasks,
generally without task-specific programming.
• They can learn to identify images that contain geckos by analyzing example
images that have been manually labeled as "gecko" or "no gecko" and using the
analytic results to identify geckos in other images.
• They are mostly used in areas that are difficult to express in a traditional
computer algorithm using rule-based programming.
• An ANN is based on a collection of connected units called artificial neurons.
• Each connection (synapse) between neurons can transmit a signal to another
neuron.
• Typically, neurons are organized in layers, different layers may perform different
transformations on their inputs.
• Signals travel from the first input, to the last output layer, at times after
traversing the layers multiple times.
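As an added example (not from the original notes), the smallest artificial neural network there is: a single artificial neuron with weighted inputs and a threshold, trained from manually labeled examples with the perceptron learning rule. The training data is the OR function, constructed for the example; the point is that nothing in the code says what OR is, the weights are learned from the labels.

```python
def step(value):
    """Threshold activation: the neuron fires (1) when its weighted input exceeds 0."""
    return 1 if value > 0 else 0


def predict(weights, bias, inputs):
    """One neuron: weighted sum of the inputs plus bias, passed through the activation."""
    return step(sum(w * x for w, x in zip(weights, inputs)) + bias)


def train(examples, rate=0.1, epochs=50):
    """Perceptron rule: for each labeled example nudge the weights in the direction of
    the error. Returns (weights, bias, epochs needed) once every example is classified
    correctly, or after the epoch budget if the data is not linearly separable."""
    n = len(examples[0][0])
    weights, bias = [0.0] * n, 0.0
    for epoch in range(1, epochs + 1):
        errors = 0
        for inputs, label in examples:
            error = label - predict(weights, bias, inputs)
            if error:
                errors += 1
                weights = [w + rate * error * x for w, x in zip(weights, inputs)]
                bias += rate * error
        if errors == 0:
            return weights, bias, epoch
    return weights, bias, epochs


# Constructed, manually labeled examples: the logical OR of two inputs.
OR_EXAMPLES = [((0, 0), 0), ((0, 1), 1), ((1, 0), 1), ((1, 1), 1)]
```

Swap the labels for XOR and the same code never converges within the budget: a single neuron can only draw one straight line through the input space, which is why the layered networks described above exist.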

• AI (Artificial intelligence):
• GP (Genetic Programming):
• A technique where computer programs are encoded as a set of genes that are
then modified (evolved) using an evolutionary algorithm often a GA (Genetic
Algorithm).
• The results are computer programs able to perform well in a predefined task.
• The methods used to encode a computer program in an artificial chromosome
and to evaluate its fitness with respect to the predefined task are central in the
GP technique and still the subject of active research.
• GP evolves computer programs, traditionally represented in memory as tree
structures.
• Trees can be easily evaluated in a recursive manner.
• Every internal node holds an operator function and every leaf (terminal) node
holds an operand, making mathematical expressions easy to evolve and evaluate.
• Traditionally GP favors the use of programming languages that naturally
embody tree structures for example, Lisp or other functional programming
languages.

• AI (Artificial intelligence):
• GP (Genetic Programming):
• The process is in its simple form like this:
• Generate an initial population of random computer programs.
• Execute each program in the population and assign it a fitness value
according to how well it solves the problem.
• Create a new population of computer programs.

• Copy the best existing programs unchanged.
• Create new computer programs by mutation.
• Create new computer programs by crossover.
• Genetic Algorithms and Genetic Programming have been used to program a
Pac-Man playing program, robotic soccer teams, networked intrusion detection
systems, and many others.
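As an added example (not from the original notes), a small tree-based genetic programming run in Python that follows the steps above: a random initial population of expression trees, a fitness value from executing each one, elitist copying of the best, and new programs by mutation and crossover. The target function, the primitive set, the size cap, and the population settings are constructed for the example, and the random seed is fixed so a run is reproducible.

```python
import math
import random
from operator import add, mul, sub

OPS = {"+": add, "-": sub, "*": mul}                   # function set (internal nodes)
TERMINALS = ["x", 1.0, 2.0]                            # terminal set (leaves)
SAMPLES = [(x, x * x + x + 1) for x in range(-3, 4)]   # constructed target: x^2 + x + 1
MAX_SIZE = 40                                          # bloat control: discard oversized children


def random_tree(rng, depth):
    """Grow a random expression tree: tuples are operator nodes, leaves are terminals."""
    if depth == 0 or rng.random() < 0.3:
        return rng.choice(TERMINALS)
    return (rng.choice(list(OPS)), random_tree(rng, depth - 1), random_tree(rng, depth - 1))


def evaluate(tree, x):
    """Execute a program: recursive evaluation of the tree for one input value."""
    if isinstance(tree, tuple):
        op, left, right = tree
        return OPS[op](evaluate(left, x), evaluate(right, x))
    return x if tree == "x" else tree


def fitness(tree):
    """Sum of squared errors over the samples; lower is better, inf for overflow/NaN."""
    err = 0.0
    for x, y in SAMPLES:
        d = evaluate(tree, x) - y
        err += d * d
    return err if math.isfinite(err) else math.inf


def size(tree):
    return 1 + size(tree[1]) + size(tree[2]) if isinstance(tree, tuple) else 1


def subtrees(tree, path=()):
    """Yield (path, subtree) for every node, so a random node can be selected."""
    yield path, tree
    if isinstance(tree, tuple):
        yield from subtrees(tree[1], path + (1,))
        yield from subtrees(tree[2], path + (2,))


def replace_at(tree, path, new):
    if not path:
        return new
    node = list(tree)
    node[path[0]] = replace_at(node[path[0]], path[1:], new)
    return tuple(node)


def mutate(rng, tree):
    """Replace one random subtree with a freshly grown one."""
    path, _ = rng.choice(list(subtrees(tree)))
    return replace_at(tree, path, random_tree(rng, 2))


def crossover(rng, receiver, donor):
    """Graft a random subtree of the donor onto a random point of the receiver."""
    path, _ = rng.choice(list(subtrees(receiver)))
    _, graft = rng.choice(list(subtrees(donor)))
    return replace_at(receiver, path, graft)


def evolve(generations=30, pop_size=60, seed=7):
    """Run the GP loop. Returns the best program found and the best fitness per generation."""
    rng = random.Random(seed)
    population = [random_tree(rng, 3) for _ in range(pop_size)]
    history = []
    for _ in range(generations):
        population.sort(key=fitness)
        history.append(fitness(population[0]))
        elite = population[: pop_size // 10]       # copy the best programs unchanged
        parents = population[: pop_size // 2]      # truncation selection
        children = []
        while len(children) < pop_size - len(elite):
            parent = rng.choice(parents)
            if rng.random() < 0.5:
                child = mutate(rng, parent)
            else:
                child = crossover(rng, parent, rng.choice(parents))
            if size(child) <= MAX_SIZE:
                children.append(child)
        population = elite + children
    population.sort(key=fitness)
    return population[0], history
```

Because the elite is copied unchanged, the best fitness can never get worse from one generation to the next; the size cap and the `inf` guard in `fitness` are the two practical details (bloat and numeric overflow) that a textbook description of the loop leaves out.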
