  PERFORM CONFIGURATION MANAGEMENT
  APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS
  APPLY RESOURCE PROTECTION
  CONDUCT INCIDENT MANAGEMENT
  OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES
  IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT
  UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES
  IMPLEMENT RECOVERY STRATEGIES
  IMPLEMENT DISASTER RECOVERY PROCESSES
  TEST DISASTER RECOVERY PLANS
  PARTICIPATE IN BUSINESS CONTINUITY PLANNING AND EXERCISES
  IMPLEMENT AND MANAGE PHYSICAL SECURITY
  ADDRESS PERSONNEL SAFETY AND SECURITY CONCERNS
  SUMMARY
15 DOMAIN 8: Software Development Security
  UNDERSTAND AND INTEGRATE SECURITY IN THE SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
  IDENTIFY AND APPLY SECURITY CONTROLS IN SOFTWARE DEVELOPMENT ECOSYSTEMS
  ASSESS THE EFFECTIVENESS OF SOFTWARE SECURITY
  ASSESS SECURITY IMPACT OF ACQUIRED SOFTWARE
  DEFINE AND APPLY SECURE CODING GUIDELINES AND STANDARDS
  SUMMARY
16 Index
List of Tables
1 Chapter 2
  TABLE 2.1 Examples of Asset Classifications
2 Chapter 3
  TABLE 3.1 An Example Access Matrix
  TABLE 3.2 Cloud Service Models
  TABLE 3.3 Cryptographic Approaches
  TABLE 3.4 Overview of Block Ciphers
  TABLE 3.5 General Data Center Redundancy Tier Levels
3 Chapter 4
  TABLE 4.1 IPv4 Network Classes
  TABLE 4.2 802.11 Standard Amendments
  TABLE 4.3 Basic Overview of Cellular Wireless Technologies
  TABLE 4.4 Important Characteristics for Common Network Cabling Types
List of Illustrations
1 Chapter 1
  FIGURE 1.1 CIA Triad
  FIGURE 1.2 NIST Cybersecurity Framework
  FIGURE 1.3 Relationship between policies, procedures, standards, and guideli...
  FIGURE 1.4 Relationship between MTD, RTO, and RPO
  FIGURE 1.5 Relationship between threats, vulnerabilities, assets, and risks...
  FIGURE 1.6 Steps for assessing risk
  FIGURE 1.7 ISO 31000:2018
  FIGURE 1.8 NIST Risk Management Framework
2 Chapter 2
  FIGURE 2.1 General benefits of asset classification
  FIGURE 2.2 Data de-identification via anonymization
  FIGURE 2.3 Data de-identification via masking
  FIGURE 2.4 Typical asset management lifecycle
  FIGURE 2.5 Secure data lifecycle
  FIGURE 2.6 Relationship between data processor and data controller
  FIGURE 2.7 Data states and examples
  FIGURE 2.8 Tailoring process
3 Chapter 3
  FIGURE 3.1 N-tier architecture
  FIGURE 3.2 Finite state model
  FIGURE 3.3 Simple Security Property and Star Property rules
  FIGURE 3.4 Simple Integrity Property and Star Integrity Property rules
  FIGURE 3.5 Brewer–Nash security model
  FIGURE 3.6 Plan-Do-Check-Act cycle
  FIGURE 3.7 Operating system memory protection
  FIGURE 3.8 Trusted Platform Module processes
  FIGURE 3.9 The cloud shared responsibility model for IaaS, PaaS, and SaaS
  FIGURE 3.10 Components of the Mirai DDoS BotNet attack
  FIGURE 3.11 Monoliths and microservices
  FIGURE 3.12 An operating system efficiently allocates hardware resources bet...
  FIGURE 3.13 Type 1 and Type 2 hypervisors
  FIGURE 3.14 ECB, CBC and CFB block encryption implementations
  FIGURE 3.15 Stream cipher encryption algorithm
  FIGURE 3.16 Block cipher encryption algorithm
  FIGURE 3.17 Multiple rounds of mathematical functions in block ciphers
  FIGURE 3.18 Block cipher with substitution of S-boxes
  FIGURE 3.19 Block cipher with permutation of P-boxes
  FIGURE 3.20 Adding padding at the end of a message in a block cipher
  FIGURE 3.21 ECB padding produces serious weaknesses for longer messages
  FIGURE 3.22 CBC mode encryption
  FIGURE 3.23 CFB mode encryption
  FIGURE 3.24 CTR mode encryption
  FIGURE 3.25 Elliptic curve
  FIGURE 3.26 A certificate chain protects a CA's root private key
  FIGURE 3.27 Producing and verifying a digital signature
  FIGURE 3.28 Steps for using a cryptographic hash to detect tampering of a me...
  FIGURE 3.29 HMAC process
4 Chapter 4
  FIGURE 4.1 The OSI reference model
  FIGURE 4.2 TCP three-way handshake
  FIGURE 4.3 The TCP/IP reference model
  FIGURE 4.4 Comparison of the OSI and TCP/IP models
  FIGURE 4.5 NAT implemented on a perimeter firewall
  FIGURE 4.6 Man-in-the-middle attack
  FIGURE 4.7 Virtual local area network
  FIGURE 4.8 Multiple firewall deployment architecture
  FIGURE 4.9 Ring topology
  FIGURE 4.10 Linear bus and tree bus topologies
  FIGURE 4.11 Star topology
  FIGURE 4.12 Mesh topology
  FIGURE 4.13 Common areas of increased risk in remote access
5 Chapter 5
  FIGURE 5.1 The access management lifecycle
6 Chapter 6
  FIGURE 6.1 Pen test phases
7 Chapter 7
  FIGURE 7.1 Security perimeters
8 Chapter 8
  FIGURE 8.1 The Waterfall model
  FIGURE 8.2 Scrum process flow
  FIGURE 8.3 SAMM domains and practices
Guide
1 Cover
4 Copyright
7 Foreword
10 Index