CISSP Exam Cram: Models, Processes, and Frameworks

From risk management and incident response to threat models, security models and the software development life cycle, the CISSP exam includes models, processes and frameworks that represent a massive amount of memorization effort spread across all eight domains of the CISSP. And what if you'd like to actually understand their function and purpose? Today we're going to fix that. I'll take you end to end through the eight domains, covering the processes, models and frameworks you need to know to clear the exam.

So coverage of security models, processes and frameworks scattered throughout the eight domains of the CISSP is one of the most requested topics we've had for the exam cram series. Just a couple of minutes of housekeeping before we dig into the meat of this session. In terms of lessons in this series, we have eight core lessons, mapping one per domain, but we also now have about half a dozen shorter supplemental lessons, of which this is one. There are a couple that I want to point you to here because they're fairly important, I think, in giving you a leg up in preparing for the exam and in your success on exam day. One of those is hacking your exam prep, which is the process that I used to prepare for and pass the CISSP exam pretty quickly. I also have one in here for you that will answer the question: how do I think like a manager? So if you want insights into how you put on that security leader hat and break these questions down on exam day more effectively, this video was described by one student recently as the most important video he watched in preparing for exam day. You'll also find videos on quantitative risk analysis formulas, memorization tips, and a drill down on cryptography. And as always, I'll have a PDF copy of the presentation available in the video description. Do hit the bell if you'd like a heads up when we drop new free learning content, and a thumbs up always helps us with the YouTube algorithm. If you haven't yet bought the official study guide, I do have a 50 question practice quiz available for you, no login required. And of course, as I always say, the official exam study guide comes with well over a thousand questions, hundreds of flash cards, and at less than 60 bucks U.S. is the best deal in the house to help you prepare for the CISSP exam effectively and inexpensively.

So let's dig into processes and frameworks in domain one, which is security and risk management. Our discussion in domain one begins with risk management frameworks, and there's really one primary risk management framework referenced on the CISSP exam, and that is NIST 800-37. NIST is the National Institute of Standards and Technology, a non-regulatory U.S. agency. So that's the Risk Management Framework for information systems and organizations. Now I want to call out the steps in the process, and I'll add a little functional detail as we move through. Step one is categorizing your information systems; step two, selecting your security controls; step three, implementing those controls; step four, assessing those security controls, so assessing their effectiveness; then authorizing those controls, so think of that as the stamp of approval; and then monitoring their ongoing operation and assessing their efficacy, their effectiveness. And then of course we repeat this process as necessary. There are six steps mentioned here. Now if you actually go read the NIST 800-37 document, it's a great big PDF, and what you'll find is that there are seven steps mentioned there, and that's because some folks will consider preparing to execute the risk management framework as a step in the framework itself. So the way you'll see that laid out in the official exam prep guide is our six steps, with prepare mentioned beforehand, and I tend to agree with that six-step assessment. But this is the framework, when it comes to risk management, where you'll want to spend your time remembering; this is where memorization should happen.

Also in the study guide you'll see it mentioned that you should look at some other risk management frameworks for use in the real world, and they call out OCTAVE, FAIR and TARA. The key here is that it mentions "for use in the real world", which is code for "don't worry about these for the exam", because they're not likely to come up.

Because it's mentioned briefly in domain one, I thought I would just comment on business continuity planning right now, and that's that you'll be expected to be familiar with BCP issues that pertain to security, anywhere from the strategy development phase of the process all the way down to training and education after implementation. We're going to talk about BCP and business impact analysis in domain seven, so let's park this for now and focus on threat modeling.

Threat modeling can be proactive or reactive, but the goals are to eliminate or at least reduce threats significantly. Your threat modeling approaches can take one of three common forms. They can focus on assets, where asset valuation is used to identify threats to valuable assets; we want to focus our spending on assets that have value to the business, right? Focusing on attackers is another common approach, where the process is focusing on the attacker's goals. And then finally, focused on software, where considerations center on potential threats against the software the organization develops or implements. So let's talk through a few of these models, remembering that they can focus on assets, attackers or software.

One of the more common threat modeling frameworks, and it's mentioned in the CISSP, is STRIDE, which was actually developed by Microsoft, so remember that in case it gets called out as a detail in a question. The STRIDE model focuses on the potential threat: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. Because these were developed by Microsoft, we see this as a software focus, right? It's focused on potential threats to software, and I believe most of these are going to be pretty well known to you. Repudiation might be a term that you're not super familiar with, and that's the ability of a user or an attacker to deny having performed an action or an activity, and that often takes the form of the attacker staging the situation to blame someone else. And then there's spoofing, that involves falsified identity, and tampering, which is data manipulation, you know, at rest or in transit. But remember STRIDE is developed by Microsoft, and remember the terms there that map to the acronym, right?

All right, so moving on in the threat modeling discussion, let's talk about PASTA, which focuses on developing countermeasures based on asset value. There are seven stages of PASTA, but the key here is that it's a threat modeling approach that focuses on asset value, which really gets to the heart of the matter, right? Because when we're dealing with risk management, it really comes down to implementing cost-effective controls, so when we're modeling threats, focusing on asset value is a great idea.

Okay, moving on, there's the VAST threat modeling approach, which stands for Visual, Agile, Simple Threat. This is based on agile project management principles, so the bottom line goal of VAST is to integrate threat management into an agile programming environment.

Next up is the DREAD model, which is based on the answers to five questions. Damage potential: how severe is the damage likely to be if the threat is realized? Reproducibility: how complicated is it for attackers to actually reproduce, to implement the exploit? Exploitability: how difficult is it to perform the attack? Affected users: this is really about headcount, right? How many users are likely to be affected by the attack, as a percentage? And that could mean internal users, and that could mean you-pay-the-bills users, your customers. And then discoverability: how difficult is it for an attacker to discover this weakness? Because a significant weakness five or six layers deep in our defense in depth may not be such a big problem for us; certainly something we might want to address, but maybe we'll push it down the priority list.

Rounding out our threat modeling discussion is the Trike model, which focuses on acceptable risk. It's an open source threat modeling process that implements a requirements model that essentially ensures the assigned level of risk for each asset is acceptable to stakeholders. So remembering that Trike is risk focused and it implements a requirements model should cover you if it comes up on the exam.

To round out domain one, I want to talk to you about COBIT, which stands for Control Objectives for Information and Related Technology. It's not a great mapping to the COBIT acronym, frankly. This is a security control framework, sometimes described as a framework for IT management and governance. It's based on five principles: meeting stakeholder needs; covering the enterprise end to end, so treating our enterprise as the full scope of our focus; applying a single integrated framework, so continuity of a centralized, coordinated approach; enabling a holistic approach; and separating governance from management. So holistic approach and separating governance from management are key concepts, I think, and we're expecting to see little or no coverage on the CISSP exam. In fact the official study guide mentions it only briefly and goes on to promise that there's going to be no real depth of coverage on the CISSP exam, so this should get you through with the basics around COBIT.

So let's move on to domain two, which is asset security, and I have just one model I'd like to put in front of you for domain two, and that's the data classification model. We're going to look at data classification for government entities and non-government or public entities, the commercial space for example, and this is government in the context of the U.S. government.
Right, so bearing that in mind, we'll start with class zero, which is unclassified information, called public information on the non-government side of the house, which results in no damage if exposed. Moving up the pyramid here we have confidential information, called sensitive in the public space, which could damage national security if exposed, could damage the organization's ability to compete, could expose the organization to liability or risk. Moving up the pyramid we have secret information, called private information on the public side; this could do serious damage to national security. When I think of private information on the public side of the house, I think financial data, for example, I think about identities. And then moving up to class three we have top secret information, and confidential or proprietary information. These would result in exceptionally grave damage to national security on the government side, or to a company's ability to compete on the public side. When I think about confidential and proprietary, I think about things like intellectual property, like trade secrets. You need to remember these two classification hierarchies individually, but I wanted to put them on the same sheet here because you'll notice that they have some terminology in common, right? Serious, exceptionally grave, etc.

With that being said, let's move into domain three, which is security architecture and engineering. Domain three includes some drill down on three sets of evaluation criteria designed to evaluate the security criteria around systems and products. The first of these is ISO/IEC 15048, also known as the Common Criteria. This was established to enable objective evaluation around a product or a system based on a defined set of security requirements. This is really the gold standard. You're also going to see mentioned Trusted Computer System Evaluation Criteria, which is an earlier system for evaluating computer security, and then you'll also see Information Technology Security Evaluation Criteria, which was actually an attempt to create a security evaluation standard in Europe. Basically, though, the Common Criteria has replaced both the trusted computer and information technology standards there, so TCSEC and ITSEC have been supplanted by Common Criteria. That's where you're going to want to put your focus. You can't forget about these other two entirely; I'll explain why in a moment.

First, though, I want to drill down and break down Common Criteria for you just a bit. I want to give you a quick visual of Common Criteria as a process. It starts with a description of the assets that we need to evaluate, and then identifying the threats to those assets, the potential threats, and then analyzing and rating those threats, quantifying, prioritizing, and based on the output of those first three steps, then determining what our security objectives are for the situation, for the product or the system that we're dealing with, and ultimately establishing our functional requirements. So really what you have here amounts to a five step process that you could then repeat and refine as necessary. You're making some assumptions, establishing security policies based on the assets you're dealing with and the threats to those assets, you're performing some risk analysis, and then establishing your objectives based on the system you're evaluating in the environment that it's going to operate in. There are actually two flavors of Common Criteria. There's the community protection profile, or CPP, which I think you're going to see a little less on the exam; it's a black box system that comes with pre-defined requirements, or let's call them standardized sets of requirements, whereas the EAL, the white box flavor, allows for greater scope and flexibility in defining the set of claims.

Now the study guide says that you will need to be prepared to list the classes of TCSEC, ITSEC and Common Criteria, so these are the levels of each of those systems, now remembering that TCSEC and ITSEC are legacy, right? They've been supplanted, they've been replaced by Common Criteria. The official study guide calls out the Evaluation Assurance Level, the EAL, the white box version of the levels, and they're listed for you here, and I'm also going to put them for you here with a tighter description according to the Common Criteria, from EAL0 up to EAL7, with EAL7 being the more mature end of the scale. So as I mentioned, it's called out that you should be prepared to list the levels within these three different standards for evaluation criteria, but if I were going to prioritize my effort, I'd be looking at Common Criteria, because that's the current standard.

Now we're going to shift gears and talk about security models. This is a big area of memorization for the CISSP exam, and I think there's a question that gets forgotten a lot of times when it comes to security models, and that's: what exactly is the purpose of a security model? Well, number one, it provides a way for designers to map abstract statements about security into a security policy. Really, at the end of the day, I think this is the most plain English way I can explain it, as I understand security models: it determines how security will be implemented, which subjects can access a system and which objects they will have access to. Remember the subjects are the people or the systems that are accessing, and the objects are the resources that they have access to. We talked about these back in domain three, subjects and objects, so that's a good base definition, I think.

The other thing you're going to see come up in security models are three properties that will be mentioned repeatedly when you're talking through the different security models. There's the simple security property, which defines rules for read, generally speaking; then there's the star security property, which describes rules for write; and then there's the invocation property, which is rules around invocations, calls, such as calls to subjects.

With that bit of context out of the way, I want to dive in here and talk about how I break up security models so I can remember all of this material more effectively. I start by looking at which security models focus on integrity and which focus on confidentiality, because all the models that you're going to remember focus on one or the other, integrity or confidentiality. So if I can break these up into those two buckets, I'm kind of chunking the information, breaking the information into smaller chunks. On the integrity side we have Biba, which is based on a state machine model (we'll talk about the state machine model here in just a bit); Clark-Wilson, which features something called an access control triple. What I'm giving you here in these descriptions as well are the most unique characteristics of that security model that might pop up in a question, giving you an anchor you can use to readily identify these models. There's Goguen-Meseguer, which is the non-interference model, and Sutherland, which is also focused on preventing interference and is also based on the state machine model and the information flow model. We're going to talk about the information flow model and state machine model in just a moment.

Now on the confidentiality side of the house we have Bell-LaPadula, which features no read up, no write down, and I call that out because no read up, no write down, that's the simple property and the star property, right? It's the opposite of most of the others; most of the others are going to be no read down, no write up, particularly on the integrity side. Brewer-Nash, also known as the Chinese Wall: the Brewer-Nash model was actually developed by two people named, conveniently, Brewer and Nash, but the Chinese Wall is one of the identifying terms you'll hear associated with that. And then the Take-Grant model, which employs a directed graph; basically that graph dictates how rights can be passed from one subject to another, or from a subject to an object. But about Bell-LaPadula, another identifying characteristic here is that Bell-LaPadula is used by the government, that's DoD, where most of the rest of these are going to be commercial. But essentially what I started with here, you know, is chunking, right? We're breaking these out into integrity models and confidentiality models, because that may actually come up on an exam question. If you see a question that mentions confidentiality models, if you know which fall into each bucket, it's going to make filtering down to the right answer that much easier.

So Bell-LaPadula: this is a state machine model that enforces confidentiality. A state machine is a concept used in designing computer programs; let me break that out for you separately in just a moment. But Bell-LaPadula is a state machine model that enforces confidentiality. It uses mandatory access control to enforce the DoD multi-level security policy, so think government when Bell-LaPadula comes up. The simple security property means a subject cannot read data at a higher level of classification; that is, no read up. Think about secret classifications in the government all the way up to top secret; a subject at, you know, G14 can't read up to security at G15. I'm making up that classification, but you get my point. And then the star security property says the subject cannot write info down to a lower level of classification; there's no write down. What that would mean is, if I'm at G15, I can't just unilaterally declassify some information or down classify information from G15 to G14 so other people can read it. Here's how I remember this. I use a picmonic, which is a memory device using a picture, so
Bell-LaPadula: that gives me an obvious picture in my mind, right? A bell. And so I know that this algorithm is no read up, no write down, so I think of no read up going up one side of the bell and no write down going down the other. And there's an acronym here; I like to try to take that no read up, no write down and turn that into an acronym: no running under nets with dingo. You'll hear some of this over in my memory devices video around CISSP, because the security models and the algorithms that are in domain three here are really tough for people to memorize, and they tend to be very common topics on the exam, so these are things you definitely need to remember. But like I say, because Bell-LaPadula is unique from all the others in a couple of ways, I try to use this as my anchor to help remember everything else more easily.

Moving on, the Biba model. This is another lattice-based model, so lattice-based access control focusing on interaction between subjects and objects, and this is an integrity-based model; it enforces integrity. The simple integrity property ensures a subject at one level is not permitted to read an object of lower integrity: no read down. And the star integrity property is that an object at one level of integrity is not allowed to write to an object of higher integrity: no write up. And there's an invocation property here that prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity. So I mentioned simple and star property: the simple property is always the read property, the star property is always the write property in these security models.

Another one likely to come up: Clark-Wilson. This is another lattice-based model developed to address integrity, so both integrity models, both commercially used. Simple integrity, again, no read down; star integrity, no write up. Remember these are the opposite of Bell-LaPadula: they're commercial, and they're no read down, no write up. Now Clark-Wilson, I mentioned, features the access control triple, and that's a definite distinction. And now you're asking, what the heck is an access control triple? The access control triple is composed of a user, a procedure (or a transformational procedure, they call it) and a constrained data item. It was basically designed to protect integrity and prevent fraud, basically ensuring that authorized users can't change data in an inappropriate way.

All right, so the Take-Grant model, another one I mentioned. Take-Grant is another confidentiality-based model that supports four basic operations: take, grant, create and revoke. Brewer-Nash, also called the Chinese Wall model, was developed to prevent conflict of interest problems; it's another confidentiality-based model. The Graham-Denning model: this model uses a formal set of protection rules for which each object has an owner and a controller, and it's focused on secure creation and deletion of both subjects and objects. Graham-Denning has a collection of eight primary protection rules that define the boundaries of certain secure actions. It's actually worth remembering those, because they're easy to remember: you can securely create or delete a subject or an object, and you can securely provide the read, grant, delete and transfer access rights. So these are the eight rules of Graham-Denning, worth committing those to memory as well, I should think.

There are two topics I want to touch on related to security models before we leave module three, and the first of those is the state machine model, which I said those security models that we talked about a minute ago are based on. A state machine model describes a system that's always secure no matter what state it's in. It's based on the computer science definition of a finite state machine. A state is a snapshot of a system at a specific moment in time, and all your state transitions, the transition from one state to another, have to be evaluated, like the transition from on to off, for example. But if each possible state transition results in another secure state, then a system can be called a secure state machine. So that's the key. And an information flow model focuses on the flow of information. Information flow models are actually based on a state machine model, so Biba and Bell-LaPadula are both information flow models. Remember they were looking at no read up, no write down; they're talking about the flow of information in read and write. To simplify that, Bell-LaPadula is preventing information flow from a high security level to a low security level, right? Remember it was no write down. And Biba focuses on flow from low to high; remember, no write up. So Bell-LaPadula enforces confidentiality, Biba focuses on integrity.

Now we're going to move on to domain four, which is communication and network security, and there's only one model I'm going to call out in domain four, and that is the OSI model. You will be expected to be very familiar with the OSI model. There are seven layers here, going from physical up to the application layer at seven, so the physical is typically considered layer one, application layer seven. I have two memory devices here, two acronyms you can use to easily remember these layers if you struggle. If we look at going up, we have "please do not throw sausage pizza away", and you can actually go the other direction with "all people seem to need data processing". I actually like this one better because it's also relevant to the topic at hand, so that tends to make a memory device better, when it's relevant. But those are some acronyms you can use to lock this in. You'll also be expected to be familiar with the protocols and services that happen at each layer. So as you see, at the physical layer you have things like Ethernet; at the data link layer, ARP, SLIP, PPP; network, ICMP, IP of the TCP/IP pair; layer four, your transport layer, we have TCP, SPX (SPX is actually the Novell equivalent from the old IPX/SPX days); at the session layer, Server Message Block, RPC, Network File System, SQL Server; when we get to presentation, we have encryption protocols and format types; and then at the application layer, a host of protocols. So make sure you're familiar with where protocols fall in the stack; it may come up on the exam.

Moving on to domain five, which is identity and access management, we have one life cycle management framework we need to talk about here, and that's the identity and access provisioning lifecycle, which refers to the creation, management and deletion of accounts, of identities essentially. There's creation, then management of that identity through its lifetime, role-based access control, ensuring least privilege, and then deletion of that identity at the end of its life cycle. A key consideration there is that accounts should be de-provisioned promptly upon separation of that employee from the organization.

Moving on to domain six, which is security assessment and testing, we have one framework we need to touch on here, and that's NIST 800-53A, which is Assessing Security and Privacy Controls in Federal Information Systems and Organizations. Although this calls out federal information systems, it can certainly be applied in non-government situations, in the commercial space for sure. But this publication calls out best practices in conducting security and privacy assessments, and under NIST 800-53A, assessments can include four components. There are specifications, which are the documents associated with the systems being audited; there are activities, which are the actions carried out by the people within an information system; there are mechanisms, which are controls used within a system to meet the specifications; and then finally the individuals, the people who implement specifications, mechanisms and activities, so the people who implement the first three elements. So make sure you're familiar with the purpose of NIST 800-53A and
these four components, and I think you're in good shape.

Let's move on to domain seven, which is a bit larger. Domain seven focuses on security operations. We have a few to touch on in domain seven, not surprising because security operations is a big topic. The first process or framework we want to talk about is change management, and you want to commit to memory the six steps of the change management process: request, review, approve or reject, test, schedule and implement, and document. You could come up with a memory device for change management; I tend to just remember the first word in each of those steps, because it's a pretty intuitive process, right? We request the change, the change approval board reviews the change, the board will approve or reject the change, then we will test it, then we will schedule and implement, and then we will document the result. So it's a pretty intuitive process; I'm not sure you really need a memory device for this one.

Next up is the information life cycle. Information starts with creation, of course, and information can be created by users, like a user creates a file, and information can be created by systems, like a system logs access, right? After creation we have classification, and to ensure it's handled properly it's important to ensure data is classified as soon as possible. Then we have storage, and data should be protected by adequate security controls based on its classification; of course, in any case that's going to include basics like encryption, right? So for example, on a Windows or a Linux workstation, our data drives are always encrypted right out of the gate. Then we have usage, which refers to any time data is in use or in transit over a network. Then comes archival, which is sometimes needed to comply with laws or regulations requiring data retention. And then the last step in the information life cycle is destruction: when data is no longer needed, it should be destroyed in such a way that it is not readable, it is not recoverable. Information that hangs around longer than it is required creates risk and potential liability for the organization, so destruction in a timely fashion and in an appropriately complete fashion is very important.

Incident response is quite likely to come up on the exam, and the primary incident response framework you can expect to hear about on the CISSP exam is from NIST 800-61, which is their Guide to Computer Security Incident Handling. It's a seven step process, which in order, the steps are detection, response, mitigation, reporting, recovery, remediation and lessons learned. We'll break down those steps in just a moment, but first I want to touch on a memory device to help you remember these steps in order: DRMRRL, the first letter of each of those steps, "drum roll". Not spelled exactly right, but it certainly sounds the same when you look at it, right? So "drum roll" is how I commit those seven steps to memory. And if we break those out, we have detection, which might include our monitoring tools, intrusion prevention, firewall, users' notification to management, to the help desk. We have response: triage, is it really an incident? You know, here we have a decision to declare, yes, this is an incident. Mitigation: this is our first containment effort or step; this is where we create our response team. Reporting to relevant stakeholders, customers, vendors, law enforcement. Recovery: returning to normal operations. Then in the remediation step we're addressing root cause, and then lessons learned, where we talk through what happened; this helps prevent recurrence and improves our incident response process. So those seven steps, if I just laid them out here again, I want to just call out some key details that you want to commit to memory for the exam. Okay, so limiting damage happens in the response phase; that's where we initially respond to the incident. Mitigation is where we contain that incident; we contain the scope. Reporting and recovery are management decisions, incidentally, so just park that in the back of your mind. And then remediation is where root cause analysis is addressed. If you have questions that come up on the details beyond the seven steps, these are the four areas that I think you'll see questions on, so you may just want to commit these to mind.

Back in domain one I mentioned, you know, business continuity planning comes up in domain one; it also surfaces in security operations in domain seven, so I thought we'd just cover it here. I want to talk a bit about business continuity, the steps in the process, and disaster recovery. The four main steps of business continuity planning, straight from your official study guide, include project scope and planning, then your business impact assessment, then continuity planning, and approval and implementation. So assessment of business impact happens within the BCP process; step two, business impact assessment, that's where that key aspect of impact analysis happens. The goal, really, of BCP is efficient response to enhance a company's ability to recover from a disruptive event promptly. It's more than just the technical aspects of recovery; it's really looking at the business as a whole, and the communication within the different business units, and the processes that need to occur, the resources that are going to need to be available for people to resume work in a recovery scenario, even if the business can't go right back to normal after day one. You know, recovery might mean that folks are working from home for a time, for example, or people are working from a different branch office for a time.

Business continuity planning versus disaster recovery planning, what's the difference? That's a pretty common question I hear, and if I were to generalize this, to just call it out in high level terms, business continuity planning focuses on the whole business, where disaster recovery planning tends to focus more on the technical aspects of recovery. Business continuity is going to cover communications and process more broadly. In other words, another way to think about it is business continuity planning is this big umbrella policy, and disaster recovery planning is part of that. For the exam, definitely commit the four steps of business continuity planning to memory; those could well come up.

Patch management is another life cycle you'll want to be familiar with, and this is another one of those that's pretty intuitive. You scan networks, identify vulnerable systems, download and deploy patches, generate status reports, and update, you know, vulnerability details from those vendors, and then rinse and repeat. You know, in the world of Windows, this is something you do every month, and certainly within that patch management system, whether it's a Windows-based patch deployment or Linux or your network devices, generally speaking the system itself will have some sort of reporting mechanism to tell you if you're missing critical patches. Another way to do it, though, a nice additional layer, an external check if you will, is vulnerability scans, and quite typically I see in organizations, when we have that quarterly penetration test, which is usually accompanied by a vulnerability scan on the front end, that will identify systems with missing patches. So just note that there.

Moving on to domain 8, which is software development security. For the exam you're going to be expected to be familiar with software development maturity models. These models help organizations improve the maturity of their software development processes, and ultimately the quality of their software, by following an evolutionary path from ad hoc, chaotic development processes to mature, disciplined software processes. So for the exam you want to know the software capability maturity model, or sometimes simply called the CMM, the capability maturity model integration, and the
ideal model now cmmi is is one that was penciled in here later in the process and certainly you'll see it on a few of the cissp cheat sheets i'll explain why in just a moment so the capability maturity model for software development this is a five step model for measuring software development organizations developed at carnegie mellon university so level one is initial there's no plan this is this is ad hoc level two is repeatable where there's basic life cycle management so so the next round of development can you look and and end up with a result similar to the the first round that basic life cycle management where we can repeat a process level three is defined so and in this stage processes are formalized and documented level four is managed this is where quantitative measures come into play so measurable results reported back to the organization to gain an understanding of where we are and how we can improve and level five is optimizing which incorporates continuous development processes with feedback loop so this is really continuous improvement i think of uh continuous integration and continued continuous deployment uh as uh existing in in this level of maturity the capability maturity model integration also comes from carnegie mellon and you're going to recognize these five steps unpredictable poorly controlled and reactive is level one initial level two is repeatable characterized uh for for projects and and it's a managed process this is basic life cycle management is how it was defined in the software capability maturity model but so far we're two for two the same same uh titles for these levels a level three defined which which broadens the scope to the organization and incorporates a more proactive approach this is where we have a more formal documented process uh level four is quantitatively managed this is where we're seeing quantitative measurement and reporting and level five optimizing which is focused on continuous process improvement so you'll 
notice the language of cmmi is a little broader and a little more process focused and levels three through five do require peer reviews or called out and the question may come to your mind here how does cmmi really help us in a security context well the reality is we can only really improve when we know where we're starting from and where we need to go and the steps we need to take in between going from very immature to very mature and that's how the security industry uses the cmmi model they start at level one and security is very basic and chaotic in nature and processes are predictable and as the security team uh is reactive to issues that are arise they're not proactive so the model basically again we can work for a security team in a software context to mature their processes in supporting and securing the software development organization and the ideal model is another uh capability maturity model uh that implements quite a few of the uh the cmm attributes the uh the the software capability maturity model attributes so the uh the stages of the ideal model are initiating diagnosing establishing acting and learning so you'll notice that the the the title of each stage of the ideal model spells out the the acronym ideal and like the other capability maturity models you're moving from an area of a state of of low maturity to a state of high maturity and while the stages don't map one to one with what we saw in the the software capability maturity model or cmmi you can find some some overlap here for sure and the exam will expect that you're familiar with the software development life cycle the sdlc you'll hear some instructors call it the systems development lifecycle sdlc we're going to refer to it as the software development life cycle certainly both of those phrases appear in the official cissp study material in domain 8 when we're talking about software development security where we're a little more software focused for sure although these steps could 
certainly apply to development of of infrastructure or or infrastructurous code solutions so step one is requirements analysis followed by solution design and implementation and testing then evolution capturing new features new needs and repeating that process so one could certainly look at that and understand how that would apply equally well to software development or solution development for uh for infrastructure solutions or cloud infrastructure for example and and securing of both and that sort of iterative and and evolutionary process thinking appears in various forms and several software development models that may come up on the cissp exam so uh just just quickly here to give you an easy way to remember software development lifecycle created a little memory aid a little mnemonic device real developers ideas take effort just just to tie those stages into your memory there so let's talk about software development models that may come up on the exam so there's the agile model which is based on four principles individuals and interactions over processes and tools working software over comprehensive documentation customer collaboration over contract negotiation and responding to change over following a plan so the agile model is exactly that it's agile it's also very iterative and the focus is on on iterative improvements and taking that collaboration with the customer in the form of feedback uh responding to change uh you know in the wake of of changing customer needs or or sometimes honestly when when a customer uses software they gain new perspective that tells them what they really need versus what they thought they needed and agile really helps a development organization to be responsive in in all of the circumstances uh agile was first described in the manifesto for agile software development back in in 2001 but a very widely adopted model for software development so another software development model is the waterfall model so this is a seven stage process 
that allows for return to the previous stage for correction so it starts with system requirements then software requirements then design then a detailed design code and debug so we can think of that as implementation if we go back to the the software development life cycle testing and then operation and maintenance so so certainly more steps but if we go back to the software development life cycle we can see the the similarities right so waterfall is a a process that really requires analysis for the entire project and then designed for the entire project it's been criticized pretty widely waterfall's not used nearly as much as it used to be it was criticized for because it lacks feedback loops and changes become more difficult and costly in in part because we're going all the way through those processes so to go back and and if we if we have customer input that requires a change we may have to go all the way back uh to uh you know preliminary design and depending on where we pick up that customer feedback we may be further down the the waterfall model process then we're allowed to go back because you can only go go back you can only return one step in this process and finally we have the spiral model which is a life cycle model that allows for multiple iterations of a waterfall style process effectively known as a meta-model or a model of models and each loop in the spiral results and development of a new system prototype there's a word that comes to mind that i mentioned back in agile and it starts with an i let's see if you can guess what it is uh it really provides a solution to the major criticism of the waterfall model in that it allows developers to return to the planning stages as demands change so when the customer has that you know great realization late in the process the development team can easily circle back and iterate in the next spiral so the spiral model is in a word iterative and that does it for our deep dive into models processes and frameworks 
in the cissp exam i hope you're enjoying the series if you have any requests or questions feel free to leave a note in the comments give us a like and subscribe so you get a heads up every time we drop a new free learning video and until next time take care and stay safe
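The patch-management cycle described in the captions (scan, identify vulnerable systems, deploy, generate status reports, and use an external vulnerability scan as a cross-check) as an added Python example; this is not code from the video or its author. It reconciles a constructed scanner export against a constructed inventory from the patch-management system, flags hosts missing critical patches, flags findings older than a hypothetical per-severity SLA, and separately flags findings where the patch system claims a deployment the scanner does not see. The host names, the KB-style patch identifiers, the SLA windows and the report date are all assumptions for illustration.

```python
"""
Patch-status report for the scan -> identify -> deploy -> report cycle.

Added example, not code from the video or its author. The findings and the
inventory below are constructed sample data; the patch identifiers (KB-1001
and so on), the SLA windows and the report date are hypothetical.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical remediation windows per severity, in days from patch release.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed "as of" date for the report.
AS_OF = date(2021, 4, 12)


@dataclass(frozen=True)
class Finding:
    """One scanner finding: a host on which a patch is reported missing."""
    host: str
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class Host:
    """One inventory entry: what the patch-management system says it deployed."""
    name: str
    deployed: frozenset


# Constructed sample scanner export.
SCAN_FINDINGS = [
    Finding("web01", "KB-1001", "critical", date(2021, 3, 9)),
    Finding("web01", "KB-1002", "medium", date(2021, 3, 9)),
    Finding("db01", "KB-1001", "critical", date(2021, 3, 9)),
    Finding("db01", "KB-1003", "high", date(2021, 2, 9)),
    Finding("jump01", "KB-1002", "medium", date(2021, 3, 9)),
]

# Constructed sample inventory from the patch-management system.
INVENTORY = [
    Host("web01", frozenset({"KB-1002"})),
    Host("db01", frozenset()),
    Host("jump01", frozenset()),
]


def reconcile(findings, inventory):
    """Split findings into genuinely missing patches and ones the patch system
    claims it already deployed (stale scan or failed install: verify by hand)."""
    deployed = {h.name: h.deployed for h in inventory}
    missing, suspect = [], []
    for f in findings:
        if f.patch_id in deployed.get(f.host, frozenset()):
            suspect.append(f)
        else:
            missing.append(f)
    return missing, suspect


def overdue(findings, today):
    """Findings whose age since release exceeds the SLA for their severity."""
    return [f for f in findings if (today - f.released).days > SLA_DAYS[f.severity]]


def status_report(findings, inventory, today):
    """Build the report: compliance count, missing criticals, overdue items,
    and deployments that need verification. Suspect findings are excluded
    from the overdue calculation until they have been verified."""
    missing, suspect = reconcile(findings, inventory)
    late = overdue(missing, today)
    hosts = {h.name for h in inventory}
    noncompliant = {f.host for f in late}
    return {
        "hosts": len(hosts),
        "compliant": len(hosts - noncompliant),
        "missing_critical": sorted({(f.host, f.patch_id) for f in missing if f.severity == "critical"}),
        "overdue": sorted((f.host, f.patch_id, f.severity) for f in late),
        "verify_deployment": sorted((f.host, f.patch_id) for f in suspect),
    }


def render(report):
    """Plain-text rendering of the report dictionary."""
    lines = [f"Hosts in scope: {report['hosts']}, compliant: {report['compliant']}"]
    lines += [f"MISSING CRITICAL  {h}  {p}" for h, p in report["missing_critical"]]
    lines += [f"OVERDUE ({s})  {h}  {p}" for h, p, s in report["overdue"]]
    lines += [f"VERIFY DEPLOYMENT  {h}  {p}" for h, p in report["verify_deployment"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(status_report(SCAN_FINDINGS, INVENTORY, AS_OF)))
```

The "verify deployment" bucket is the payoff of keeping the vulnerability scan as an independent check: when the patch system reports a patch as deployed but the scanner still sees the host as vulnerable, the deployment record, not the scanner, is what needs to be questioned first.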
Info
Channel: Inside Cloud and Security
Views: 6,518
Rating: 5 out of 5
Keywords: #CISSP, #certification, #infosec
Id: mLuLtIsDjK8
Length: 52min 33sec (3153 seconds)
Published: Mon Apr 12 2021