The Official (ISC)2 CISSP CBK Reference

Book id: 2131584. Rating: 0.0 (0 votes). Reviews and comments: 0. Price: 7248.26 RUB (70.66 $). E-book. Genre: Foreign computer literature. Rights holder and/or publisher: John Wiley & Sons Limited. ISBN: 9781119790006. Age restriction: 0+.


Book description

The only official, comprehensive reference guide to the CISSP.

Thoroughly updated for 2021 and beyond, this is the authoritative common body of knowledge (CBK) from (ISC)2 for information security professionals charged with designing, engineering, implementing, and managing the overall information security program to protect organizations from increasingly sophisticated attacks. Vendor neutral and backed by (ISC)2, the CISSP credential meets the stringent requirements of ISO/IEC Standard 17024. This CBK covers the current eight domains of CISSP with the necessary depth to apply them to the daily practice of information security. Revised and updated by a team of subject matter experts, this comprehensive reference covers all of the more than 300 CISSP objectives and sub-objectives in a structured format with:

- Common and good practices for each objective
- Common vocabulary and definitions
- References to widely accepted computing standards
- Highlights of successful approaches through case studies

Whether you've earned your CISSP credential or are looking for a valuable resource to help advance your security career, this comprehensive guide offers everything you need to apply the knowledge of the most recognized body of influence in information security.

Contents

Aaron Kraus. The Official (ISC)2 CISSP CBK Reference

Table of Contents

List of Tables

List of Illustrations

Guide

Pages

CISSP: Certified Information Systems Security Professional. The Official (ISC)2® CISSP® CBK® Reference

Lead Authors

Technical Reviewer

Foreword

Introduction

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management

Security Assessment and Testing

Security Operations

Software Development Security

DOMAIN 1 Security and Risk Management

UNDERSTAND, ADHERE TO, AND PROMOTE PROFESSIONAL ETHICS

(ISC)2 Code of Professional Ethics

Organizational Code of Ethics

Ethics and the Internet

UNDERSTAND AND APPLY SECURITY CONCEPTS

Confidentiality

Integrity

Availability

Limitations of the CIA Triad

EVALUATE AND APPLY SECURITY GOVERNANCE PRINCIPLES

Alignment of the Security Function to Business Strategy, Goals, Mission, and Objectives

Organizational Processes

Governance Committees

Mergers and Acquisitions

Divestitures

Organizational Roles and Responsibilities

Security Control Frameworks

ISO/IEC 27001

ISO/IEC 27002

NIST 800-53

NIST Cybersecurity Framework

CIS Critical Security Controls

Due Care and Due Diligence

DETERMINE COMPLIANCE AND OTHER REQUIREMENTS

Legislative and Regulatory Requirements

U.S. Computer Security Act of 1987

U.S. Federal Information Security Management Act (FISMA) of 2002

Industry Standards and Other Compliance Requirements

U.S. Sarbanes–Oxley Act of 2002

System and Organization Controls

Payment Card Industry Data Security Standard

Privacy Requirements

UNDERSTAND LEGAL AND REGULATORY ISSUES THAT PERTAIN TO INFORMATION SECURITY IN A HOLISTIC CONTEXT

Cybercrimes and Data Breaches

U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030

U.S. Electronic Communications Privacy Act of 1986

U.S. Economic Espionage Act of 1996

U.S. Child Pornography Prevention Act of 1996

U.S. Identity Theft and Assumption Deterrence Act of 1998

USA PATRIOT Act of 2001

U.S. Homeland Security Act of 2002

U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003

U.S. Intelligence Reform and Terrorism Prevention Act of 2004

The Council of Europe's Convention on Cybercrime of 2001

The Computer Misuse Act 1990 (U.K.)

Information Technology Act of 2000 (India)

Cybercrime Act 2001 (Australia)

Licensing and Intellectual Property Requirements

Licensing

Patents

Trademarks

Copyrights

Trade Secrets

Import/Export Controls

Transborder Data Flow

Privacy

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552a

U.S. Health Insurance Portability and Accountability Act of 1996

U.S. Children's Online Privacy Protection Act of 1998

U.S. Gramm-Leach-Bliley Act of 1999

U.S. Health Information Technology for Economic and Clinical Health Act of 2009

Data Protection Directive (EU)

Data Protection Act 1998 (UK)

Safe Harbor

EU-US Privacy Shield

General Data Protection Regulation (EU)

GDPR Fines

Determination

Lower Level

Upper Level

UNDERSTAND REQUIREMENTS FOR INVESTIGATION TYPES

Administrative

Criminal

Civil

Regulatory

Industry Standards

DEVELOP, DOCUMENT, AND IMPLEMENT SECURITY POLICY, STANDARDS, PROCEDURES, AND GUIDELINES

Policies

Standards

Procedures

Guidelines

IDENTIFY, ANALYZE, AND PRIORITIZE BUSINESS CONTINUITY REQUIREMENTS

Business Impact Analysis

Develop and Document the Scope and the Plan

People

Processes

Technologies

CONTRIBUTE TO AND ENFORCE PERSONNEL SECURITY POLICIES AND PROCEDURES

Candidate Screening and Hiring

Employment Agreements and Policies

Onboarding, Transfers, and Termination Processes

Onboarding

Transfers

Termination

Vendor, Consultant, and Contractor Agreements and Controls

Compliance Policy Requirements

Privacy Policy Requirements

UNDERSTAND AND APPLY RISK MANAGEMENT CONCEPTS

Identify Threats and Vulnerabilities

Threats

Vulnerabilities

Assets

Risk Assessment

Risk Identification

Risk Analysis

Quantitative Risk Calculation

Risk Evaluation

Risk Response/Treatment

Avoid

Mitigate

Transfer

Accept

Countermeasure Selection and Implementation

Security-Effectiveness

Cost-Effectiveness

Operational Impact

Applicable Types of Controls

Control Assessments

Monitoring and Measurement

Reporting

Continuous Improvement

Risk Frameworks

International Standards Organization

U.S. National Institute of Standards and Technology

COBIT and RiskIT

UNDERSTAND AND APPLY THREAT MODELING CONCEPTS AND METHODOLOGIES

Threat Modeling Concepts

Attacker-centric

Asset-centric

Software-centric (or System-centric)

Threat Modeling Methodologies

STRIDE

PASTA

NIST 800-154

DREAD

Other Models

APPLY SUPPLY CHAIN RISK MANAGEMENT CONCEPTS

Risks Associated with Hardware, Software, and Services

Malicious Code in the Supply Chain

SolarWinds and the SUNBURST Attack

Third-Party Assessment and Monitoring

Minimum Security Requirements

Service-Level Requirements

Frameworks

NIST IR 7622

ISO 28000

U.K. National Cyber Security Centre

ESTABLISH AND MAINTAIN A SECURITY AWARENESS, EDUCATION, AND TRAINING PROGRAM

Methods and Techniques to Present Awareness and Training

Social Engineering

Security Champions

Gamification

Periodic Content Reviews

Program Effectiveness Evaluation

SUMMARY

DOMAIN 2 Asset Security

IDENTIFY AND CLASSIFY INFORMATION AND ASSETS

Data Classification and Data Categorization

Data Classification

Examples of Classification Schemes

Data Categorization

Asset Classification

Benefits of Classification

Asset Classification Levels

ESTABLISH INFORMATION AND ASSET HANDLING REQUIREMENTS

Marking and Labeling

Handling

Storage

Declassification

De-identification

Tokenization

PROVISION RESOURCES SECURELY

Information and Asset Ownership

Asset Inventory

Inventory Tool/System of Record

Process Considerations

Asset Management

Information Technology Asset Management

Configuration Management

Change Management

MANAGE DATA LIFECYCLE

Data Roles

Owners

Controllers

Custodians

Processors

Users

Subjects

Data Collection

Data Location

Data Maintenance

Data Retention

Data Destruction

Data Remanence

ENSURE APPROPRIATE ASSET RETENTION

Determining Appropriate Records Retention

Records Retention Best Practices

DETERMINE DATA SECURITY CONTROLS AND COMPLIANCE REQUIREMENTS

Data States

Data at Rest

Data in Transit

Data in Use

Scoping and Tailoring

Common Controls

Compensating Security Controls

Standards Selection

Leading Security Frameworks

Security Standards

Data Protection Methods

Digital Rights Management

Data Loss Prevention

Cloud Access Security Broker

SUMMARY

DOMAIN 3 Security Architecture and Engineering

RESEARCH, IMPLEMENT, AND MANAGE ENGINEERING PROCESSES USING SECURE DESIGN PRINCIPLES

ISO/IEC 19249

ISO/IEC 19249 Architectural Principles

Domain Separation

Layering

Encapsulation

Redundancy

Virtualization

ISO/IEC 19249 Design Principles

Least Privilege

Attack Surface Minimization

Centralized Parameter Validation

Centralized General Security Services

Preparing for Error and Exception Handling

Threat Modeling

STRIDE

DREAD

PASTA

Secure Defaults

Fail Securely

Separation of Duties

Keep It Simple

Trust, but Verify

Zero Trust

BeyondCorp at Google

Privacy by Design

Shared Responsibility

Defense in Depth

UNDERSTAND THE FUNDAMENTAL CONCEPTS OF SECURITY MODELS

Primer on Common Model Components

Information Flow Model

Noninterference Model

Bell–LaPadula Model

Biba Integrity Model

Clark–Wilson Model

Brewer–Nash Model

Take-Grant Model

SELECT CONTROLS BASED UPON SYSTEMS SECURITY REQUIREMENTS

UNDERSTAND SECURITY CAPABILITIES OF INFORMATION SYSTEMS

Memory Protection

Potential Weaknesses

Spectre and Meltdown

Secure Cryptoprocessor

Trusted Platform Module

Potential Weaknesses

Cryptographic Module

Hardware Security Module

ASSESS AND MITIGATE THE VULNERABILITIES OF SECURITY ARCHITECTURES, DESIGNS, AND SOLUTION ELEMENTS

Client-Based Systems

Server-Based Systems

Server Hardening Guidelines

Database Systems

Cryptographic Systems

Algorithm and Protocol Weaknesses

The Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG)

WEP: A Design Flaw Case Study

Implementation Weaknesses

Heartbleed: An Implementation Flaw Case Study

Key Management Vulnerabilities

Industrial Control Systems

Ukraine Power Grid Cyber Attack

Israel Water Supply Cyber Attacks

Cloud-Based Systems

Distributed Systems

Internet of Things

Smart Lightbulb Hack

IoT Security from an Equipment Manufacturer's Perspective

IoT Security from a User's Perspective

UK Report on Consumer IoT

Microservices

Containerization

Security Concerns

Serverless

Security Concerns

Embedded Systems

High-Performance Computing Systems

Edge Computing Systems

Security Concerns

Virtualized Systems

Potential Weaknesses

SELECT AND DETERMINE CRYPTOGRAPHIC SOLUTIONS

Cryptography Basics

Cryptographic Lifecycle

Cryptographic Methods

Symmetric Encryption

Stream Ciphers

Block Ciphers

Block Cipher Modes of Operation

Data Encryption Standard

Triple DES

Advanced Encryption Standard

Rivest Ciphers

Asymmetric Encryption (Public Key Cryptography)

Diffie–Hellman–Merkle Key Exchange

RSA

ElGamal

Elliptic Curve Cryptography

Quantum Cryptography

Public Key Infrastructure

DigiNotar: When a Trusted CA Is Compromised

Key Management Practices

Secure Key Generation

Secure Key Storage and Use

Separation of Duties, Dual Control, and Split Knowledge

Timely Key Rotation and Key Change

Key Destruction

Digital Signatures and Digital Certificates

Nonrepudiation

Blockchain and Nonrepudiation

Integrity

UNDERSTAND METHODS OF CRYPTANALYTIC ATTACKS

Brute Force

Ciphertext Only

Known Plaintext

Chosen Plaintext Attack

Frequency Analysis

Chosen Ciphertext

Implementation Attacks

Side-Channel Attacks

Fault Injection

Timing Attacks

Man-in-the-Middle

Pass the Hash

Kerberos Exploitation

Ransomware

APPLY SECURITY PRINCIPLES TO SITE AND FACILITY DESIGN

DESIGN SITE AND FACILITY SECURITY CONTROLS

Wiring Closets/Intermediate Distribution Facilities

Server Rooms/Data Centers

Media Storage Facilities

Evidence Storage

Restricted and Work Area Security

Least Privilege and Need-to-Know

Separation of Duties and/or Dual Control

Defense in Depth

Compliance Obligations

Utilities and Heating, Ventilation, and Air Conditioning

Generator Failure Takes Out Major Data Center

Environmental Issues

Cloud Computing and Availability

Fire Prevention, Detection, and Suppression

SUMMARY

DOMAIN 4 Communication and Network Security

ASSESS AND IMPLEMENT SECURE DESIGN PRINCIPLES IN NETWORK ARCHITECTURES

Open System Interconnection and Transmission Control Protocol/Internet Protocol Models

The OSI Reference Model

Layer 1: Physical Layer

Layer 1 Attack Vectors

Layer 2: Data Link Layer

Layer 2 Attack Vectors

Layer 3: Network Layer

Layer 3 Attack Vectors

Layer 4: Transport Layer

Transmission Control Protocol

User Datagram Protocol

Layer 4 Attack Vectors

Layer 5: Session Layer

Layer 5 Attack Vectors

Layer 6: Presentation Layer

Layer 6 Attack Vectors

Layer 7: Application Layer

Layer 7 Attack Vectors

The TCP/IP Reference Model

Link (or Network Access) Layer

Internet Layer

Transport Layer

Application Layer

Internet Protocol Networking

Internet Protocol Version 4

Network Address Translation

Internet Protocol Version 6

Network Attacks

Distributed Denial-of-Service Attacks

SYN Flooding

DDoS and the Internet of Things

Man-in-the-Middle Attacks

Packet Sniffing

Hijacking Attacks

MITRE ATT&CK Framework

Secure Protocols

Secure Shell

Transport Layer Security

Kerberos

Internet Protocol Security

Internet Key Exchange

Implications of Multilayer Protocols

Virtual Local Area Networks

Supervisory Control and Data Acquisition Systems

Converged Protocols

Microsegmentation

Software-Defined Networking

Software-Defined Security

Software-Defined Wide Area Network

Virtual eXtensible Local Area Network

Encapsulation

Wireless Networks

Wi-Fi

Wired Equivalent Privacy and Wi-Fi Protected Access

WPA2 (or IEEE 802.11i)

WPA3

IEEE 802.1X

Extensible Authentication Protocol

Protected Extensible Authentication Protocol

Lightweight Extensible Authentication Protocol

Temporal Key Integrity Protocol

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

Securing Wireless Access Points

Conducting a Site Survey

Determining Wireless Access Placement

Antenna Types

Wireless Channels

Infrastructure Mode and Ad Hoc Mode

Service Set Identifiers

Using Captive Portals

MAC Filters

Wireless Attacks

Li-Fi

Bluetooth

ZigBee

Cellular Networks

Content Distribution Networks

SECURE NETWORK COMPONENTS

Operation of Hardware

Firewalls

Types of Firewalls

Static Packet Filtering Firewalls

Application-Level Firewalls

Stateful Inspection Firewalls

Circuit-Level Firewalls

Next Generation Firewalls

Multihomed Firewalls

Bastion Host/Screened Host

Firewall Deployment Architectures

Repeaters, Concentrators, and Amplifiers

Hubs

Bridges

Switches

Routers

Gateways

Proxies

LAN Extenders

Wireless Access Points

Transmission Media

Local Area Network Technologies

Ethernet

Wireless LAN

Network Cabling

Coaxial Cable

Baseband and Broadband Cables

Twisted Pair

Conductors

Additional Cabling Considerations

Network Topologies

Ring Topology

Bus Topology

Star Topology

Mesh Topology

Network Access Control

Endpoint Security

Mobile Devices

IMPLEMENT SECURE COMMUNICATION CHANNELS ACCORDING TO DESIGN

Voice

Private Branch Exchange and Plain Old Telephone Service

Voice over Internet Protocol

Multimedia Collaboration

Remote Meeting

Zoombombing

Instant Messaging

Email

Email Security Goals

Email Security Solutions

Remote Access

Remote Access for Telecommuting

Remote Access Security Management

Authentication Approaches

Centralized Remote Authentication Services

Virtual Private Network

Tunneling

Common VPN Protocols

Point-to-Point Tunneling Protocol

Layer 2 Tunneling Protocol

Data Communications

Frame Relay

Asynchronous Transfer Mode

Multiprotocol Label Switching

Virtualized Networks

Third-Party Connectivity

SUMMARY

DOMAIN 5 Identity and Access Management

CONTROL PHYSICAL AND LOGICAL ACCESS TO ASSETS

Access Control Definitions

Information

Systems

Devices

Facilities

Physical Access Control Systems

An Expanded Definition of Facilities

Applications

MANAGE IDENTIFICATION AND AUTHENTICATION OF PEOPLE, DEVICES, AND SERVICES

Identity Management Implementation

Single/Multifactor Authentication

Type 1 Authentication Factors

Password Managers

Type 2 Authentication Factors

Type 3 Authentication Factors

Common Access Control Errors

Accountability

Session Management

Registration, Proofing, and Establishment of Identity

Federated Identity Management

Credential Management Systems

Single Sign-On

Just-In-Time

FEDERATED IDENTITY WITH A THIRD-PARTY SERVICE

On Premises

Cloud

Hybrid

IMPLEMENT AND MANAGE AUTHORIZATION MECHANISMS

Role-Based Access Control

Rule-Based Access Control

Mandatory Access Control

Discretionary Access Control

Attribute-Based Access Control

Risk-Based Access Control

MANAGE THE IDENTITY AND ACCESS PROVISIONING LIFECYCLE

Account Access Review

Account Usage Review

Provisioning and Deprovisioning

Role Definition

Privilege Escalation

IMPLEMENT AUTHENTICATION SYSTEMS

OpenID Connect/Open Authorization

Security Assertion Markup Language

Kerberos

Remote Authentication Dial-In User Service/Terminal Access Controller Access Control System Plus

SUMMARY

DOMAIN 6 Security Assessment and Testing

DESIGN AND VALIDATE ASSESSMENT, TEST, AND AUDIT STRATEGIES

Internal

Preparing for External Audits

External

Third-Party

CONDUCT SECURITY CONTROL TESTING

Vulnerability Assessment

Asset Inventory

Scanning Tool Functions and Considerations

Common Vulnerability Assessment Issues

Excessive Traffic and DoS

Alerts and Incidents

Cross-Functional Ownership

Data Integrity Pollution

Network Segmentation

Penetration Testing

Pen Test Scoping: It's Not Safe to Ignore Systems!

Pen Testing Rules

Pen Testing Phases

Phase 1: Discovery or Reconnaissance

Phase 2: Scanning and Probing

Phase 3: Exploitation

Phase 4: Post-exploitation

Phase 5: Reporting

Physical Penetration Testing

Log Reviews

Synthetic Transactions

Code Review and Testing

Misuse Case Testing

Abuse Cases

Test Coverage Analysis

Interface Testing

Breach Attack Simulations

Compliance Checks

COLLECT SECURITY PROCESS DATA

Technical Controls and Processes

Administrative Controls

Account Management

Management Review and Approval

Management Reviews for Compliance

Key Performance and Risk Indicators

Key Performance Indicators

Key Risk Indicators

Backup Verification Data

Training and Awareness

Disaster Recovery and Business Continuity

ANALYZE TEST OUTPUT AND GENERATE REPORT

Typical Audit Report Contents

Remediation

Exception Handling

Ethical Disclosure

CONDUCT OR FACILITATE SECURITY AUDITS

Designing an Audit Program

Common Audit Frameworks

Sampling

Internal Audits

External Audits

Third-Party Audits

SUMMARY

DOMAIN 7 Security Operations

UNDERSTAND AND COMPLY WITH INVESTIGATIONS

Evidence Collection and Handling

Collecting Digital Evidence

Handling Digital Evidence

Reporting and Documentation

Investigative Techniques

Digital Forensics Tools, Tactics, and Procedures

Tools

Techniques and Procedures

Forensics in the Cloud

Artifacts

Computer

Network

Mobile Devices

CONDUCT LOGGING AND MONITORING ACTIVITIES

Intrusion Detection and Prevention

False Positives—More Is Not Always Better!

Security Information and Event Management

Continuous Monitoring

Egress Monitoring

Log Management

Define Auditable Events and Thresholds

Protect Log Data

Threat Intelligence

Threat Feeds

Threat Hunting

User and Entity Behavior Analytics

PERFORM CONFIGURATION MANAGEMENT

The Two Meanings of CM

Provisioning

Hardening

Asset Inventory

Baselining

Automation

APPLY FOUNDATIONAL SECURITY OPERATIONS CONCEPTS

Need-to-Know/Least Privilege

Separation of Duties and Responsibilities

Key Signing Ceremonies During a Global Pandemic

Privileged Account Management

Job Rotation

Service-Level Agreements

APPLY RESOURCE PROTECTION

Media Management

Labeling and Marking

Handling

Media Protection Techniques

Transporting Media

Sanitization and Disposal

CONDUCT INCIDENT MANAGEMENT

Incident Management Plan

Incident Response Testing and Exercise

Third-Party Considerations

Detection

Response

Mitigation

Reporting

Internal Reporting

External Reporting

Breach Reporting

Recovery

Remediation

The Cost of a Breach

Lessons Learned

OPERATE AND MAINTAIN DETECTIVE AND PREVENTATIVE MEASURES

Firewalls

Intrusion Detection Systems and Intrusion Prevention Systems

Whitelisting/Blacklisting

Third-Party-Provided Security Services

Sandboxing

Honeypots/Honeynets

Anti-malware

Machine Learning and Artificial Intelligence Based Tools

IMPLEMENT AND SUPPORT PATCH AND VULNERABILITY MANAGEMENT

Patch Management

Vulnerability Management

UNDERSTAND AND PARTICIPATE IN CHANGE MANAGEMENT PROCESSES

IMPLEMENT RECOVERY STRATEGIES

Backup Storage Strategies

The 3-2-1 Backup Strategy

Integrity and Confidentiality of Backups

RAID

Cloud

Recovery Site Strategies

Multiple Processing Sites

System Resilience, High Availability, Quality of Service, and Fault Tolerance

IMPLEMENT DISASTER RECOVERY PROCESSES

Response

Personnel

Food and Other Needs

Communications

Assessment

Restoration

Training and Awareness

Lessons Learned

TEST DISASTER RECOVERY PLANS

Read-through/Tabletop

Walkthrough

Simulation

Parallel

Full Interruption

Monkey Business

PARTICIPATE IN BUSINESS CONTINUITY PLANNING AND EXERCISES

IMPLEMENT AND MANAGE PHYSICAL SECURITY

Perimeter Security Controls

Public Areas

Site Ingress and Egress Points

External Facilities

Internal Security Controls

Operational Facilities

High-Security Facilities

ADDRESS PERSONNEL SAFETY AND SECURITY CONCERNS

Travel

Security Training and Awareness

Emergency Management

Duress

SUMMARY

DOMAIN 8 Software Development Security

UNDERSTAND AND INTEGRATE SECURITY IN THE SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

Development Methodologies

Software Development Lifecycle Phases

Waterfall

Agile

Agile Testing Approaches

Agile Development Methodologies

DevOps

DevSecOps

Other Methodologies

Maturity Models

Process Maturity Is No Guarantee of Success!

Common Maturity Model Components

Capability Maturity Model

Capability Maturity Model Integration

Software Assurance Maturity Model

Building Security-In Maturity Model

CMMC

Maturity Model Summary

Operation and Maintenance

Bug Fixes and SDLC Iteration

Change Management

Change Management Phases and Security Practices

Emergency Change Management

Integrated Product Team

IDENTIFY AND APPLY SECURITY CONTROLS IN SOFTWARE DEVELOPMENT ECOSYSTEMS

Programming Languages

Type Checking and Type Safe Languages

Programming Paradigms

Libraries

Toolsets

Integrated Development Environment

Runtime

Continuous Integration and Continuous Delivery

Emphasis on Testing in CI/CD Pipelines

Security Orchestration, Automation, and Response

Orchestration

Automation

Response

Software Configuration Management

Code Repositories

Protecting Source Code

Protecting the Repository

Application Security Testing

ASSESS THE EFFECTIVENESS OF SOFTWARE SECURITY

Auditing and Logging of Changes

Applications of Logging and Auditing

Software Development Auditing

Auditing CI/CD Environments

Risk Analysis and Mitigation

Risk Assessment and Treatment

Mitigation Strategies

ASSESS SECURITY IMPACT OF ACQUIRED SOFTWARE

Commercial Off-the-Shelf

Open Source

Third-Party

Managed Services (SaaS, IaaS, PaaS)

Assessing Shared Responsibilities

Audits and Assurance

DEFINE AND APPLY SECURE CODING GUIDELINES AND STANDARDS

Security Weaknesses and Vulnerabilities at the Source-Code Level

Common Weakness Enumeration

Common Weakness Scoring System

Common Vulnerabilities and Exposures

Common Vulnerability Scoring System

OWASP Top 10

Software Composition Analysis

Security of Application Programming Interfaces

API Security Best Practices

Authentication and Access Control

Input Validation and Sanitization

Protection of Resources

Protecting Communications

Cryptography

Security Logging, Monitoring, and Alerting

Security Testing APIs

Secure Coding Practices

Standards for Secure Software Development

Education and Culture

Software-Defined Security

SUMMARY

Index

WILEY END USER LICENSE AGREEMENT

Excerpt from the book

Sixth Edition

ARTHUR DEANE

.....

Consider this example of an investigation: The IT department contacts the security office to make a report of an employee misusing the organization's internet connection to engage in unauthorized file sharing, in direct violation of the organization's policy. The security office makes the situation known to management; management instructs the IT and security departments to gather information about the user's online activity. Personnel in the IT and security departments work together to gather log data about the user's account and machine, and they present this information to management. Management consults with the legal and human resources departments to evaluate courses of action. Management decides to terminate the employee.

This is strictly an administrative investigation.

.....
