CCT 223: Practice CISSP Questions - Software Development Security for CISSP (D8.2)

Feb 21, 2025

Get ready for an eye-opening deep dive into the world of cybersecurity! This episode reveals the alarming speed at which hackers adapt and exploit vulnerabilities, with over 61% of them leveraging new exploits within 48 hours of discovery. We discuss enlightening insights from InfoSecurity Magazine and showcase the new Netflix documentary "Zero Day," which delves into the insidious realm of malware and cyberattacks. 

Things take a darker turn as we recount a chilling story about a local priest whose voice was hijacked by criminals using AI to swindle desperate individuals claiming to need exorcisms. This event highlights the surreal intersections of faith, vulnerability, and technology in today’s world. 

For small and medium-sized businesses, the conversation explores the additional risks posed by ransomware, which accounts for a staggering 95% of healthcare breaches. We dissect the unique challenges these entities face and the importance of investing in robust security measures. 

We also bring you a series of CISSP questions that challenge listeners to consider their knowledge and preparedness in combating emerging cyber threats. These questions encompass important topics, including risk mitigation, insider threats, and security protocols. 

Join us on this critical journey through today's cybersecurity landscape, and make sure to take proactive steps for your safety. Don’t forget to subscribe, share, and leave a review to keep the conversation going!

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we're going to be getting into the CISSP questions associated with the podcast prior, which happened on Monday, which is over domain 8.2. So we're going to be getting into those questions related to that domain here in just a minute, but before we do, kind of wanted to show you or talk to you about an article that I saw, which I feel is really appropriate, especially as it relates to domain 8, and that is from InfoSecurity Magazine. So what they're saying is 61% of hackers use new exploit code within 48 hours of an attack. Now, I don't know if you all have been watching, but there on Netflix there is this new video, or new video. It's a new program called Zero Day, and it's actually pretty good, coming from a bunch of hackers and people that can understand what they're talking about. It is very interesting. I would say that it's obviously made for movies and it's pretty substantial for somebody to be able to do everything that this can do, but it's a really good video for you to watch and it's entertaining. So, but, that being said, it's all about malware. Right, baby, it's all about the malware. Well, there's in this situation in InfoSec security.

Speaker 2:  

What they made this comment was, 60% of hackers use new exploit code within 48 hours of the attack, which basically means of discovering a vulnerability, that within about 61% of the hackers will start using the new exploit code. So in the past it took time for that to occur, but now it's happening in a much quicker format than it used to happen in the past. And they're saying now, specifically, ransomware is responsible for about 95% of all, air quotes, breaches and impacting more than 198 million US folks. So that's a pretty big deal, especially when it comes down to the healthcare industry is what they were kind of talking about, and that's substantial, right? 95% of all the breaches in the healthcare industry, impacting over 198 million US patients. That's a lot of people. But the ultimate goal is that when something hits the streets, what do people do? They launch the attack. Now they also make a comment in here.

Speaker 2:  

It's extremely difficult for small and medium businesses to defend themselves, and I am in total agreement on that one because obviously, what I do with the cybersecurity consulting, I deal a lot with small and medium businesses, and large ones as well. But the small and medium-sized businesses, they really will struggle just because of the fact they don't have the deep pockets to be able to buy the tools and the people they need to be successful, and so, therefore, they are a huge target. We've mentioned that time and again on CISSP Cyber Training. So something to kind of consider as you're looking in this overall space. One thing they also mentioned was the AI-enabled and file-based attacks. You're probably going, some people are going, what is that? Well, they're basically using AI-driven tools to make the cyber attacks more accessible and more complex, and they're using business email compromise attacks that are using generative AI to help these guys and gals create very highly convincing phishing emails, and then, in regards to that, they have malware-laced PDFs and so forth that are inside these emails. Now I'll give you an example of how this can be very, very interesting, this world that we live in.

Speaker 2:  

So I live in Wichita, Kansas, and there is a local priest, a Catholic priest, who does exorcisms. Now, as you know, we are not talking about exorcisms in this podcast. We are talking about CISSP questions. That being said, one of the things that this priest is complaining about, and rightfully so, is the fact that folks have been... the Catholic, and I might be talking out of turn, but the Catholic world, they will do exorcisms for free. They do that, right? That's what they do as part of their overall mantra. They don't charge people for it. However, what's been happening lately is somebody has been using this priest's voice image through AI and has been swindling people out of money to do exorcisms, because they're using the AI-driven voice capability and it sounds just like this priest, and this priest, this AI-driven priest, is asking for money, and people that are struggling with this, whether it's mental illness or whether it is a fact that they have a demon-possessed person, they are willing to spend the money to get away from this pain. So what's happening is they are being taken advantage of and, I will be honest, this is the first time I've heard somebody actually getting manipulated based on AI words or AI voice recognition, not recognition, voice software that is out there. So it's just crazy and, as you're seeing, as this world is changing, I go back to Zero Day going, well, it's a little far-fetched. Yeah, I don't know how far-fetched it is. It's getting pretty close to being within another five to 10 years, it's going to be even more doable. Now, I'm.

Speaker 2:  

One of the big factors we talk about in CISSP Cyber Training is the fact that business networks and process networks typically aren't on the same kind of network or they're not the same type of technology, which is added because of security through obfuscation or security through not understanding the technology, I guess there's probably a word for that, but bottom line is there is some potential merit, keeping that they all wouldn't be compromised at the same time. That being said, with AI being as capable as it is, yeah, I don't know. It will be interesting to see how that plays out, and I think it's going to be something that our lawmakers really need to take a focus on and make sure that they are doing everything they can to protect the various countries that we all live in. Again, this isn't just a United States problem. This is a China problem, it's a North Korea... well, not really North Korea, that's not true, but it's an Australian problem, it's a European problem. Everybody's going to deal with this. So, again, very, very interesting. I highly recommend you go check out this article and also that you go check out Zero Day. Yes, it is an amazing tale of malware in your world. Yeah, that's pretty cool, right? Okay, we're moving on.

Speaker 2:  

So let's get into the CISSP questions for today. So, as we know, this is over domain 8.2. And these are the questions you can get access to at CISSP Cyber Training. You go there, you pay for it. You can get access to all of my questions, every one of them. You can get them, not a problem, easy peasy, lemon squeezy. But you also can get them through, just if you listen to the podcast and or you go to the website and gain access to what I have out there. So it is, it's possible as well. But if you really want to get all of it, everything you need, you can go to CISSP Cyber Training and, in addition, if you want to sign up for my membership aspects, I am willing to sit down with you and we can chat and we can talk about what are your goals in cyber, how do you want to be a security professional, and basically help you with some of the CISSP aspects as well. So it's all there and available to you at CISSP Cyber Training. All right, enough of a plug. All right, this is group 11. Again, 15 questions, and this is based on domain 8.2. Okay, question one. During the security review of a DevSecOps pipeline, you discovered that security testing is only performed in the final phase before development or deployment.

Speaker 2:  

What is the primary security risk associated with this practice? Again, security review, it's in the final phases, but the security testing was only done in the final testing phase before deployment. What is the primary security risk associated with this practice? A increased cost due to delayed security testing. B higher risk of security misconfiguration in production. C decreased visibility into the software vulnerabilities. Or D reduced agility in responding to functional defects. And the answer is B, higher risk of security misconfigurations while it's in production. Okay, so, as you're dealing with SDLC, which is your software development lifecycle, that's the typical, and you might see SSDLC, but it's basically secure software development lifecycle. This is where you're performing this testing only in the final phase, which increases the risk of misconfiguration and potential vulnerabilities that go undetected before they get pushed out into production. So, again, it's an important part. Now, by doing this and waiting to the end, there's some risks in that, right. You have to really have the ability of your folks to understand what's going on while you do it at the beginning, and it can delay the deployment if you're waiting to the end and you find vulnerabilities. So the bottom line is, it will add some level of misconfigurations or it'll add delays, because there's a higher risk of misconfigurations if you deploy that later on in the deployment process.

Speaker 2:  

Question two. A software development team is using an infrastructure as code, or IAC, approach to deploy cloud resources. What is the most effective security measure to prevent misconfigurations in this environment? Again, we're talking software development team, infrastructure as code. And what is the most effective security measure to prevent misconfigurations in this environment? A manual security reviews of deployment scripts before executing. B encrypting all configuration files at rest. C implementing automated security scanning tools for the IAC templates. Or D restricting administrative access to the IAC deployment environment. So again, you're dealing with IAC, which is your infrastructure as code. What is the most effective security measure to prevent misconfigurations in this environment? And it would be C, implementing automated security scanning tools for the templates that are set out. So, again, if you have these templates done and you do automated testing on them, you run the, or not the risk, but you increase your ability for you to reduce the potential vulnerabilities that will get passed on to future templates or to future configurations. So again, have a template scan. It puts you in a much better position. You then can push that on into production.

Speaker 2:  

Question three. Which of the following best describes the purpose of a secure software repository in a continuous integration, continuous deployment environment? So again, we're looking for a secure software repository in a CI/CD environment. A to enforce software licensing compliance. B to ensure that all code changes are peer-reviewed before deploying. C to improve software build speed and efficiency. Or D to prevent the introduction of unauthorized or vulnerable dependencies. So again, which of the following best describes the purpose of a secure software repository in a continuous integration, continuous deployment, CI/CD environment? And the answer is C, to prevent the introduction of unauthorized or vulnerable dependencies. As we all know, those libraries are tied to the various code repositories that you have, and so therefore you want to make sure that if you have that already in place, you already have a secure software repository. It will help prevent the introduction of unauthorized or vulnerable dependencies.

Speaker 2:  

Question four. What is the primary security risk of using third-party libraries in software development? Again, what is the primary security risk of using third-party libraries in software development? A increased attack surface due to unverified code. B licensing issues leading to potential legal consequences. C difficulty in integrating with proprietary code bases. Or D reducing code maintainability and scalability. So, again, what is the primary security risk of using third-party libraries in software development? It is A, increased attack surface due to unverified code, right? So third-party libraries can contain vulnerabilities and backdoors and potentially outdated software or, basically, code. This does increase the risk of having any sort of supply chain attacks, as well as it causes a compliance concern. So you want to make sure that you have up-to-date libraries and you also want to make sure they come from a trusted resource.

Speaker 2:  

Question five. A company is developing a web application using a microservices architecture. What is the most, repeat, most effective way to secure inter-service communications? Okay, so a company is developing a web app, they're using microservices, and what's the best way to secure inter-service communications? A use API keys for authentication. B implement TLS encryption for all communications between services. C place all microservices in a single trusted network. Or D use static IP filtering to restrict service-to-service communications. Okay, so all of those are very good, right. I mean not all of them, but most of them are all good, right. So what is the most effective way to secure it, though? And that would be to implement TLS encryption for all communications between services. So, again, if you have, at least at a minimum, the data between those locations encrypted, then, over those different networks, you're avoiding the ability for them to be intercepted.

Speaker 2:  

Question six. What is the primary security risk of implementing feature flags in software applications? What is the primary security risk of implementing feature flags in software applications? So, feature flags can expose... or A feature flags can expose sensitive configurations and settings in the client-side code. B attackers can exploit these feature flags by bypassing authentication controls. C feature flags increase the risk of privilege escalation. Or D feature flags inherently introduce SQL injection vulnerabilities. Okay, so what is a feature flag? Well, okay, you have to know that before you can really answer the question. But the answer is A, feature flags can expose sensitive configuration settings in client-side code, so they are often stored in the client-side code, especially JavaScript, with the local storage, making them accessible to attackers, and there's a lot of times configurations that are in these feature flags that are all set up and ready to go.

Speaker 2:  

Question seven. What is the primary security benefit of adopting a zero-trust architecture in software development environments? So what is the primary security benefit of adopting a zero-trust architecture in software development environments? A it ensures only authorized users can access the software repository. B it simplifies security patching across all development assets. C it reduces the number of security tools needed for monitoring. Or D it minimizes lateral movement within the development network. So what is the primary security benefit of adopting a zero-trust architecture in software development environments? It is D, it minimizes lateral movement within the development network. Basically, if they get into the development network, they are stuck, they can't get out, because it's a zero-trust environment, which basically means you don't trust anything outside of that environment, and so therefore, it's a great way for you to limit it, and also having it segregated is a great option as well. So the ultimate point of this is that by doing that, you have to assume one, you don't want folks to get into your development environment. But two, if they do, they are stuck. They're limited on what they can do. They may be able to take advantage of credentials that are there or maybe some of the data that's there, but if they can't get outside of it, that's all they get.

Speaker 2:  

Question eight. A developer accidentally commits a private API key to a public Git repository. What is the most effective immediate mitigation? So, again, a private API key, basically private secrets, to a public Git repository. A rotate the compromised key and revoke the access of the old key. B remove the API key from the repository and push a new commit, which doesn't fix anything. C delete the entire repository and create a new one. Oh, that would be bad. You could do that, but it'd be bad. D notify all users the key may have been exposed. Yeah, that's probably not good, because you're telling them. The answer is A, rotate the compromised key and revoke access for the old key. Again, great thing to do, but you got to see it and you got to deal with it.

Speaker 2:  

Question nine. How does static application security testing, SAST, improve security, software security, that is? A by identifying runtime vulnerabilities during the application's execution. B by preventing zero-day exploits in production environments. C by detecting security flaws in source code before compilation. Or D by ensuring compliance with secure coding standards during deployment. And the answer is C, by detecting security flaws in the source code before it's actually compiled. Gets it done then, right. So that's what it looks at, and that will help you in those situations to help avoid insecure coding practices and the like.

Speaker 2:  

Okay, question 10. Question 10, which security control is most effective in protecting against interdependence, or against dependency confusion attacks? Again, which security control is most effective in protecting against a dependency confusion attack? A enforcing signed package verification and dependency pinning. B by blocking the use of external package repositories. C requiring developers to manually review all third-party libraries. Or D implementing a perimeter firewall to filter malicious packages? Again, which security control is most effective in protecting against dependency confusion attacks? Well, basically, dependency confusion attacks occur when the attackers publish malicious packages with the same name as the internal ones. That is what they call a dependency confusion attack. I mean, honestly, that's kind of new to me. I didn't really know what that was until I did a little bit of digging. And the answer is A, right? Enforcing signed package verification and dependency pinning. If you have signed package verification, you now have ensured that only trusted packages are used, whereas if you don't do that, you could have something that you weren't anticipating.

Speaker 2:  

Question 11. An organization is implementing role-based access controls, or RBAC, in its software development environment. What is the primary security benefit of this approach? So what is the primary security benefit of using RBAC within your company? A it enforces segregation of duties by restricting access based on job functions. B it eliminates the risk of privilege escalation attacks in production environments. C it prevents external attackers from accessing internal development tools. Or D it reduces the complexity of managing individual user permissions. Using RBAC, the primary security benefit is A, it enforces segregation of duties by restricting access based on job functions, which we have talked about routinely in CISSP Cyber Training.

Speaker 2:  

Question 12. A development team follows the Agile methodology and frequently releases updates to its application. What is the most effective way to integrate security into the process without slowing down development? Again, a development team follows Agile and it frequently releases updates to its application, because Agile does that. What is the most effective way to integrate security into this process without slowing down development? A require security sign-off before every production deployment. B conduct security assessments only for major software releases. C implement automated security testing into a CI/CD pipeline. D use dedicated security sprints at the end of each development lifecycle. And the answer is C. You are correct. It is a CI/CD pipeline and automating. That will be wonderful for you if you're using Agile. It makes it much, much, much easier. Did I say that enough? Yeah, much easier if you use the CI/CD pipeline in an automated format.

Speaker 2:  

Question 13. A developer discovers a critical vulnerability in an application just before deployment. The project manager insists on releasing the software on time and doing the patching in its next update. What is the best course of action? Okay, the project manager is running it all. What is the best course of action? A proceed with deployment but include a temporary mitigation. B delay deployment until the vulnerability is remediated. C perform additional security testing after the deployment to assess the risk. Or D escalate the issue to senior management and document the risk. Yeah, it's D. Yeah, you want to just raise it up the flagpole, say, yeah, this isn't smart, let's not do that, and that's a much better option. At least, if anything, you know what, you all talk about it. And then finally everybody agrees and says, yeah, we're just going to accept the risk. Okay, cool, then everybody's in the boat together as it sinks. So again, it's all good, everybody's rearranging the deck chairs on the Titanic.

Speaker 2:  

Question 14. Which of the following is the most effective way to mitigate insider threat in a software development environment? Again, which of the following is the most effective way to mitigate insider threats in a software development environment? A enforcing multi-factor authentication for all code repository access. B implementing strict audit logging and anomaly detection in development tools. C conducting regular security awareness training for all developers. Or D rotating the developer access credentials every 30 days. And the answer is B, the most effective way is implementing strict audit logging and anomaly detection in the development tools. Again, you want to have all that set up. That's the most effective way. Question 15. The last melon. A company adopts containerized applications using Docker and Kubernetes.

Speaker 2:  

These are cool. They work really well. What is the most effective way to secure the software supply chain in this environment? So, again, they adopt containerized applications using Docker and Kubernetes. What is the most effective way to secure the software chain in this environment? A deploy all containers in a private cloud to reduce exposure. B use lightweight container images to reduce attack surface. C encrypt all container network traffic using TLS. Or D regularly scan container images for vulnerabilities before deployment. All of those work, right, but the most effective is scanning the container images for vulnerabilities before they actually get deployed. By doing that, you are actually staying on the bleeding edge, the cutting edge, of ensuring that everything is as secure as it possibly can be. So, again, that's the best thing to do.

Speaker 2:  

Go on over to CISSP Cyber Training. You can gain access to all of my questions, all of my content. My blueprint will walk you through the CISSP step by step by step. It's a perfect thing and it works. Well, it's not perfect, but it's pretty cool, it works pretty good, and so that is the blueprint that is there for you to follow to help you get through the CISSP exam, help you get through the test, or studying for it, and then be ready and prepared for the test and the exam itself. Also, you can get access to my mentorship program, and I have mentorship that's available to you. If you sign up for it, you can gain access directly to me and I will set up times and we'll chat. We'll do chitty chats and we'll talk through your CISSP, your career or whatever else you wish to chat about. That's the mentorship tier that I have. And then, finally, I have a tier if you are a professional that's looking for more hands-on, you get a, you get a bite. Basically, get me for about 12 different sessions.

Speaker 2:  

It's getting your CISO in a box. That's kind of how that works, and then also the ability to help you on your CISSP. So it's pretty cool. It's actually very inexpensive for getting a CISO in a box, but it's something you can add, use and take care of. Yeah, I don't know what I really meant to say with that, but anyway, check it out, it's pretty cool. Go to CISSP Cyber Training. If you are looking for a consultant, go to reducecyberrisk.com and you can check out all the stuff that's there at reducecyberrisk.com. Okay, thanks so much for joining me today. I hope you guys have a wonderful and beautiful day and we will catch you all on.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
