Review Questions
19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?

A. Honestly, diligently, responsibly, and legally
B. Honorably, honestly, justly, responsibly, and legally
C. Upholding the security policy and protecting the organization
D. Trustworthy, loyally, friendly, courteously

20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, "Ethics and the Internet"?

A. Actions that compromise the privacy of classified information
B. Actions that compromise the privacy of users
C. Actions that disrupt organizational activities
D. Actions in which a computer is used in a manner inconsistent with a stated security policy
Chapter 20
Software Development Security

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

✓ Domain 8: Software Development Security
  ■ 8.1 Understand and integrate security in the software development lifecycle (SDLC)
    ■ 8.1.1 Development methodologies
    ■ 8.1.2 Maturity models
    ■ 8.1.3 Operation and maintenance
    ■ 8.1.4 Change management
    ■ 8.1.5 Integrated product team
  ■ 8.2 Identify and apply security controls in development environments
    ■ 8.2.1 Security of the software environments
    ■ 8.2.2 Configuration management as an aspect of secure coding
    ■ 8.2.3 Security of code repositories
  ■ 8.3 Assess the effectiveness of software security
    ■ 8.3.1 Auditing and logging of changes
    ■ 8.3.2 Risk analysis and mitigation
  ■ 8.4 Assess security impact of acquired software
  ■ 8.5 Define and apply secure coding guidelines and standards
    ■ 8.5.2 Security of application programming interfaces
    ■ 8.5.3 Secure coding practices
Software development is a complex and challenging task undertaken by developers with many different skill levels and varying security awareness. Applications created and modified by these developers often work with sensitive data and interact with members of the general public. This presents significant risks to enterprise security, and information security professionals must understand these risks, balance them with business requirements, and implement appropriate risk mitigation mechanisms.
Introducing Systems Development Controls

Many organizations use custom-developed software to achieve their unique business objectives. These custom solutions can present great security vulnerabilities as a result of malicious and/or careless developers who create backdoors, buffer overflow vulnerabilities, or other weaknesses that can leave a system open to exploitation by malicious individuals.

To protect against these vulnerabilities, it's vital to introduce security controls into the entire systems development lifecycle. An organized, methodical process helps ensure that solutions meet functional requirements as well as security guidelines. The following sections explore the spectrum of systems development activities with an eye toward security concerns that should be foremost on the mind of any information security professional engaged in solutions development.