Digital Certificates

This is the fourth course in Domain 3 of the CSSLP certification and covers the essential ideas, concepts, and principles that you need to take into account when building secure software.

Learning Objectives

  • Understand the process and controls available to secure your software
  • Learn about the main security technologies available

Intended Audience

This course is intended for anyone looking to develop secure software as well as those studying for the CSSLP certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


Now, authentication can also be accomplished through the use of digital certificates, one of the central features of public key encryption. Now, these can be looked at as a special specific use message format, but these digital certificates typically are issued with the key pairs, public and private, and are attached to the public key when distributed that is published to other users to facilitate secure communications and exchanges between the two parties.

This particular digital certificate is valid for all of the four uses seen: authentication, non-repudiation, integrity, and confidentiality. Now, PKI makes secure communications, authentication, and cryptographic operations such as encryption and decryption possible. It is the security infrastructure that uses public key concepts to provide services for secure e-commerce transactions and end user communications. This makes use of the X.509 standard for certificates and makes possible strong authorization capabilities by providing privilege management infrastructure, using the X.509 attributes, attribute authorities, target gateways, and authorization policies.

Now, here you see the details of what is included that was employed to generate this digital certificate. It shows algorithms used, the various key lengths, and very importantly, the validity dates and the validity lifetime. Now, PKI manages the generation and distribution of public and private key pairs, which are sent along with the certificates.

Now, PKI itself consists of the following components. Visualize a pyramid. At the top of this pyramid, we'll set a certificate authority or CA which is the top-level trusted entity that issues the digital certificate that holds the public and private key-related information for the subject. Along with that or beneath that in this pyramid structure will be a registration authority, which functions as a verifier for the CA before a digital certificate is issued by the CA to the requester.

Now, the CA itself can perform that same service, but a registration authority could be seen as an administrative assistant to the CA for certain types of implementations. Within this structure is a certificate management system with directories in which the certificates can be held. And with revocation abilities to revoke certificates at any time whose private keys have been compromised or whose owner simply wishes to cancel them and perhaps get a new one.

Now, for each transaction, the CA will publish and make available a transaction to verify against the certificate revocation lists or CRL, which contain all certificates revoked by the CA. These CRLs make it possible to withdraw a certificate whose private key has been disclosed or in some other way compromised. In order to verify the validity of a certificate, the public key of the CA is required. And a check against the CA's CRL is made. The certificate authority itself, of course, needs to have its own certificates. These are self-signed, which means the subject data in the certificate is the same as the name of the authority who signs and issues the certificates.

Now, PKI management includes the creation of all these different components, including key pairs, certification and creation, private key revocation, and listing in the CRL when the key is compromised. Storage and archival of keys and certificates and the destruction of these certificates at their end of life. PKI is therefore a means to achieve intercompany trust and enforcement of restrictions on the usage of issued certificates.
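
The validation steps described in the transcript (the CA's public key, the validity dates, then the CA's CRL), as an added example that is not part of the course material. It uses Ruby's bundled OpenSSL binding; all names, serial numbers and certificates are constructed, certificate extensions such as basicConstraints are left out for brevity, and the stale-CRL check goes one step beyond what the transcript covers.

```ruby
require "openssl"

# Issue a certificate. Without an issuer it is a self-signed CA: subject == issuer.
def issue(common_name, serial, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Publish a CRL, signed by the CA, listing the revoked serial numbers.
def publish_crl(ca, ca_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = ca.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

def self_signed?(cert)
  cert.issuer.to_der == cert.subject.to_der && cert.verify(cert.public_key)
end

# Relying-party check: CA public key, validity dates, then the CA's CRL.
def validate(cert, ca, crl, now = Time.now)
  return :bad_signature unless cert.verify(ca.public_key)
  return :bad_crl_signature unless crl.verify(ca.public_key)
  return :outside_validity unless now.between?(cert.not_before, cert.not_after)
  return :stale_crl if now > crl.next_update
  return :revoked if crl.revoked.any? { |entry| entry.serial == cert.serial }
  :valid
end

ca, ca_key = issue("Constructed Root CA", 1)
leaf, = issue("app.example.test", 2, ca, ca_key)
puts validate(leaf, ca, publish_crl(ca, ca_key, [2])) # serial 2 is on the CRL
```

Production code should use the library's own path validation (in Ruby, `OpenSSL::X509::Store` with the `V_FLAG_CRL_CHECK` flag) rather than hand-written checks like these.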

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
