Welcome back to the Cloud Academy presentation of the CISSP Examination Preparation Review Seminar presented to you by Cloud Academy. Today we're going to get into the final domain, Software Development Security, Domain Eight. Although information security has traditionally emphasized system-level access controls, the security professional needs to ensure that the focus of the enterprise security architecture includes applications because many of the information security incidents now involve software vulnerabilities in one form or another.

Application vulnerabilities also allow an entry point to attack systems, sometimes at a very deep level. Web application vulnerabilities have frequently been used in this manner. Malware is much more than a mere nuisance now. It is now a major security risk faced by every enterprise that connects to the external networks and allows external data to be ported to their internal systems in some form. Development of in-house systems, commercial and off-the-shelf software and controls the choice, maintenance and configuration of application must be given greater attention than has been the case in the past.

Unfortunately, at the same time, too few security professionals have a significant programming or systems development background. In addition, training and programming in development tends to emphasize speed and productivity over quality, let alone considerations of security. From the perspective of many developers, security is an impediment, a roadblock. This perception is changing, and in the current development environment the security professional needs to take care not to be seen as a problem to be avoided.

When examined, most major incidents, breaches, and outages will be found to involve software vulnerabilities. Software continues to grow increasingly larger and more complex with each release. In addition, software is becoming much more standardized, both in terms of the programs and code used, as well as the protocols and interfaces involved. Although this provides benefits in training and productivity, it also means that a troublesome characteristic may affect computing and business environments quite broadly. Also, legacy code and design decisions taken decades ago are often still involved in current systems and interact with new technologies and operations in ways that may open up additional vulnerabilities that the security professional may or may not be aware of. The security professional needs to be aware of the important security concepts that apply during software development, operation and maintenance processes. Software includes both operating system software and application software, as we well know.

The computing environment is multiple layers of this kind of technology. The foundation, of course, is the hardware of the computer system and the functions that are built into that hardware. In some cases, a layer of microcode, or firmware is implemented to generate or ease the use of certain common operations. The operating system itself provides management of all computer hardware resources, as well as a number of software and data resources required for proper operation. In addition, the operating system manages a variety of utilities and functions that are necessary for overall system security and audit. The applications sit on top of the operating system and associated utilities. The user interacts with data and the network resources through these applications. In some cases, there are additional layers, very often in terms of the interface, either with user or between systems. In addition, these systems may now be built on a distributed basis, with portions or aspects of the programming running on a variety of different machines.

When examining application security, one must consider that the applications that users use to do their jobs interact with the operating system. However, also be aware that the fundamental concepts of application development also apply to operating system software development, even though most users purchase an operating system. Thus, although enterprises do not develop operating systems code, they do design, develop and operate and maintain proprietary applications relevant to their business needs. Analysis and mitigation of software vulnerabilities uses similar concepts in both cases, although the significance of the vulnerabilities in the operating system are rather greater. The information security professionals must, therefore, thoughtfully apply these concepts to the specifics of their own company or situation.

Software must be considered both an asset to be assessed early in the risk management process and as a tool with vulnerabilities that may require the addition of mitigation or specific controls and safeguards to the system. Thus the security professional must be conversant in the principles of software development and lifecycles so that he or she can apply the appropriate controls in contextually effective ways to ensure effective security and improve overall product quality and performance. The security professional must be able to grasp the impact imperfect software can have on the enterprise if it is exploited by a threat or misused by an untrained employee. He or she must be able to translate such impacts into action plans directed at prevention and remediation of these. The security professional must, therefore, be able to see themselves as a team member working alongside developers, QA personnel and operations staff to improve risk management, rapid response, better integration, and smoother operations in order to create a more productive and a more secure infrastructure.