CISSP Cyber Training Podcast - CISSP Training Program

CCT 155: Practice CISSP Questions - Security Assessments, Account Management, Backup Verification (Domain 6)

July 04, 2024 Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 2 Episode 155


Ever wondered how to secure your SaaS environment while mastering essential security testing techniques? Join me, Sean Gerber, on the CISSP Cyber Training Podcast as we navigate the complexities of cybersecurity, starting off with some personal July 4th reflections and an insightful Forbes article on the pressing threats and strategies in the SaaS landscape. With a staggering 96.7% of organizations relying on SaaS applications, the stakes have never been higher. You'll learn about conducting thorough risk assessments, the necessity of data encryption, and why multi-factor authentication is a must-have for safeguarding sensitive data.

In the subsequent chapters, we delve into the nuances of security testing—from the intricacies of black box and penetration testing to the importance of dynamic analysis and code reviews. Discover how fuzz testing can unearth hidden vulnerabilities and the critical role of false positive management in security assessments. We'll also dissect the purpose of threat modeling exercises, providing you with the tools to design robust security controls tailored to your organization's unique threat landscape. Tune in and fortify your cybersecurity arsenal with actionable insights and expert advice to ensure your SaaS environments are secure and resilient.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!


Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2:

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you guys are having a beautiful, blessed day today. Today is July 4th, so here in the United States, if you're listening to this, it is our Independence Day, so it's a good reason to go out and blow up a lot of money. People go and just explode stuff all over the skies of the United States. It is actually super impressive.

Speaker 2:

I don't know if I mentioned this on one of my podcasts before. I'm a pilot by trade, and so in the old days I would take up my girlfriends and we would go look at fireworks from my airplane as they were being shot off, and it is just beautiful. Now that I've been married for 30... how many years? Oh gosh, think about this on the radio or on the podcast. Yeah, a few years, 92. So, whatever, that is 32 years. Yes, I've been married 32 years, been with my wife for 35 years. So, yes, I haven't taken a girl up in an airplane since my wife was the last person, which is good, which is very, very good.

Speaker 2:

That's why I've been married for 35 years or 33, whatever. It is a long time, a really, really long time. But yes, so yesterday I went out and got pictures taken with my family and it was fun. Got a lot of those done, so it was an expensive endeavor, but we have a total of about 15 adults in my family now, so it's growing quite quickly. But you guys did not call and get on this podcast to hear about this. You wanted to hear about the CISSP and domain six, and so that's what we're going to get into: domain six of the CISSP. But before we do, there's just one article I wanted to bring up that I saw as it relates to SaaS cybersecurity.

Speaker 2:

So if you're not familiar with SaaS, that's software as a service, and the majority of companies operate in a SaaS environment. This comes from Forbes. There's an article out there about threats and mitigation strategies for SaaS environments. Now, we've talked about all of these in CISSP Cyber Training, as far as many of these different ways, and I'm not going to go over anything that is new to you beyond what you may have already heard, but again, a lot of people come and listen to this podcast. They come in, they go out, so it's new stuff to them on a routine basis. So real quickly around SaaS: this article from Forbes talked about some of the different statistics around the overall SaaS environment, and they're saying that around 96.7% of organizations will have at least one application within a SaaS environment. And I will tell you that when I was a CISO, the number of applications that were ending up in these software-as-a-service locations on the web was growing exponentially, and so one of the things that came up was how do you deal with the security around these? Because what's happening is now the software, instead of being inside your network, protected by your stuff, is in somebody else's network, being protected by their stuff. So you want to make sure that you do a really good understanding or risk assessment of these SaaS providers, because in many cases you may have some of your most important data sitting out there in somebody else's cloud. Now, again, this has become a bigger problem because, the article says, it's been overlooked for a while. It depends on the size of the organization. I will say maybe small organizations have overlooked them just because, hey, this is cool software and I can put it in place. A good example of a SaaS product would be, for my businesses, I use QuickBooks, right? So QuickBooks is an accounting software and it takes care of all of that aspect. Well, that's SaaS. It's software that's in the cloud and it deals with all of our accounting for our various businesses, and so that's the point of why it's become a bigger problem.

Speaker 2:

Well, now, as there's more regulatory pressure, AI expansion, and also the increased risk of overall breaches or incidents that may occur on the web, this is getting a little bit more focus. So, rather than spend a lot of time on this, I'm just going to kind of get down to the nuts and bolts of it. You have obviously different types of attacks, right? Your supply chain attacks, credential exploitation, multi-factor bypassing. There are different ways you can get into a SaaS environment, and so you need to kind of understand what some of these different attack vectors are, and so they talk about what some best practices are that you can do. Well, one, obviously, is data encryption. So when you talk to a SaaS provider, now, we mentioned this in saying that your stuff's in somebody else's stuff. What we're trying to talk about is you're going to have to do a risk assessment, and this is kind of what we go with.

Speaker 2:

Today's lesson or podcast is around 6.3, and we get into security assessments. You're going to want to do a security assessment of these SaaS providers and you're going to want to ask them some key questions. Now, there's a lot of things out there and I'm actually going to be putting out a security assessment questionnaire that'll be available to you on Reduce Cyber Risk, so you can go out and get that and use that questionnaire to help you. But there are some key questions you're going to need to make sure they're doing if they're going to be your SaaS provider, and one of those is in relation to data encryption. You need to make sure that the data they're storing is encrypted. But you need to ask questions a little bit deeper than just going, hey, are you protecting my data? And they're going, yes, we give you encryption. Oh, thank you, and you walk off. No, you want to ask more questions than that. But data encryption is a key standard that you want them to make sure they're putting in place, because if they get pwned, which odds are high, somebody's going to get pwned in many of your SaaS environments. You want to make sure that if the data gets stolen, which it will, okay, just make sure you set that up, it will get stolen, it is protected to the highest level possible.

Speaker 2:

Multi-factor authentication: you need to make sure that they have enabled multi-factor authentication. Change Healthcare is a good example of them not enabling multi-factor authentication, and boom, you have a $22 million ransom payment and, yeah, lots of gnashing of teeth, and after about a billion dollars later, they're going to finally get back to square one. That's really just burning a billion dollars. I'm sorry, it's just ludicrous. It is. It's not smart.

Speaker 2:

Account access protections: you want to have IAM policies in place. Again, you want to have the ability to deny by default versus access controls. You want to understand their access controls. Who do they allow access to your data? How many people have access to your data? Lots of questions that you're going to need to want to have answered, especially if any of their software is going to run in your... actually, your data is going to be inside their software, in their environment.

Speaker 2:

And then you want to make sure they have reliable authentication for their cloud providers. Who are their cloud providers? Those are other big factors you need to be aware of. And then real-time data protection and backups: understanding what their backup strategy is. How fast can you get backups recovered? What are they doing around their backups? Are my backups commingled with other backups? That's a lot of backups in one sentence, but the bottom line is you want to make sure that they are doing their due diligence to protect your information.

Speaker 2:

So that's just the nuts, the basic skinny around a SaaS provider and the security that goes into this. You guys have plenty of applications that are out in SaaS environments. I know you do, and you're going to have more, and so, as you are studying for your CISSP, you obviously are going to be in a position where you're going to try to influence your organization's ability to protect this SaaS software. So here's a good way for you to begin the process. Again, go check it out. You can go to CISSP Cyber Training. You'll be able to see this video, as well as gain access to other resources that are there. Also, you'll be able to check out Reduce Cyber Risk. That is the site that I'm just slowly getting up and operational, but that is the site that will be offering up various services, such as virtual CISO, security architecture aspects and assessments, so that'll all be available to you as well. Okay, so let's get started on the CISSP training for today. Okay, so this is group seven questions, 15 questions, and you'll be able to see this. This is part of the overall series that we have available on CISSP Cyber Training, and all the videos will be there for your consumption.

Speaker 2:

Well, actually, before we get started, one interesting funny tale. Since this is the 4th of July, I've got to have one digression. All right, we had the 4th of July at our house a couple of years ago, right when they were building our home, and I had all my kids out there and we decided to shoot off a bunch of fireworks. Shot off some fireworks and we were done. Across the street was the dumpster that they had been using to build a house next to us. We threw all of our stuff into the dumpster. I made a poor decision and did not put water all over our fireworks. About 20 minutes later, I have a low-kitting dumpster fire in my front yard. It was pretty cool, actually. It was like flames shooting up. It was impressive, yes. And then try to put out fully raging flames out of a dumpster fire when you have wood and all kinds of fun flammables inside there. Yeah, that was a good time, that was a great time. But so don't do that. Piece of advice: do not throw fireworks in trash cans without thoroughly dousing them and letting them sit out overnight. Good idea, just wait a day before you do that. Okay, group seven. All right, this is when we're going to CISSP Cyber Training.

Speaker 2:

We are getting into domain 6.3. And here are some of the questions. Okay, so which of the following is a black box testing technique? A, fuzz testing; B, static analysis; C, penetration testing; or D, code review? So which of the following is a black box testing technique? And the answer is C, penetration testing. Black box testing focuses on assessing the system from an external perspective, or, basically, you don't even have a look, you don't know what it is. It's a black box, it's an empty box, right, without the knowledge of its internal workings. Pen tests will fall under this category, and they simulate real-world attacks, obviously by attempting to exploit vulnerabilities that you discover. So that's the purpose of the black box: pen testing.

Speaker 2:

Question number two what is the primary purpose of a vulnerability assessment? A to identify security controls. B to evaluate risk exposure. C test application functionality or D validate encryption algorithms. Again, what is the primary purpose of a vulnerability assessment? And the answer? We'll go with the questions again Identify security controls, evaluate risk exposure, test application functionality or validate encryption algorithms. Now, all of those are good, right, they're all important to do, but the primary purpose of a vulnerability assessment is to evaluate the risk exposure. You identify weaknesses in the systems, the applications and the networks, and they do help evaluate the risk exposure by pinpointing vulnerabilities that potentially could be exploited by attackers.

Speaker 2:

Question three: which type of testing assesses the effectiveness of security controls during system operation? Again, what type of testing assesses the effectiveness of security controls during system operation? A, static analysis; B, dynamic analysis; C, regression testing; or D, user acceptance testing. So what type of testing assesses the effectiveness of security controls during system operation? And the answer is B, dynamic analysis. So dynamic analysis involves testing a system while it's running. Okay, we've done this many times when I had a development team working for me, and they would evaluate the security controls and the expected behavior that may be occurring. It does happen, like right now. I'm doing contract work and we're doing application testing on some encryption capabilities, and so you want to make sure that you're doing an effective assessment of that as well. So for any sort of testing you want to occur, you really need to do some level of static analysis, which examines the code without executing it. And then you also want to have the availability of doing regression and user acceptance testing, but those are different than your overall dynamic analysis testing.

Speaker 2:

Question four what is the primary goal of a code review?

Speaker 2:

A, identify security vulnerabilities.

Speaker 2:

C, optimize performance. It's not C, it's B, sorry. B, optimize performance. C, ensure compliance with coding standards. Or D, validate business logic.

Speaker 2:

So what is the primary goal of a code review? A, identify security vulnerabilities. You want to look for vulnerabilities. That is how you do it when you're doing a code review. Now, you want to make sure they adhere to the coding standards that you have set up and your best practices, and the ultimate goal is that you're looking through there to see if you can find any vulnerabilities. Potentially, again, that depends on the size of your code and your sprint. It may be a very daunting task and you may miss some things, but at least you're doing it. The ultimate goal is to go through there. When you do code reviews you will usually have a second party, somebody else. So if I wrote the code, I'll have Bill, my neighbor, look at the code. It's always good to have someone get a fresh set of eyes on your code, because when you're doing your code you have a tendency to overlook potential errors, because, one, you have bias around your development capabilities and, two, after you look at something 100 times, you just kind of gloss over it. So it's always good to do a code review and have somebody else, if not the group, look at your code.

Speaker 2:

Question five: which testing technique involves sending malformed or unexpected data to an application to discover vulnerabilities? Again, malformed or unexpected data sent to an application to discover vulnerabilities? A, fuzz testing; B, regression testing; C, boundary testing; or D, stress testing. So which technique involves malformed or unexpected data sent to the application? And that is fuzz testing, or fuzzing. It involves sending random or unexpected inputs to an application to trigger unexpected behavior. Question number six: during a security assessment, what does a false positive indicate?

Speaker 2:

Okay, what does a false positive indicate? A, a valid vulnerability; B, an incorrect vulnerability report; C, a successful attack; or D, a misconfigured firewall. So during a security assessment, what does a false positive indicate? And the answer is B, an incorrect vulnerability report. Okay, that's a false positive. So basically, what it comes down to is it identifies a vulnerability that didn't actually exist. I've had plenty of times where you would do a report, it would come out and say that, yes, this web application is vulnerable to X, and you start digging a little bit deeper and it's like, yeah, no, that's not it. But what happened a lot of times when we got a lot of false positives is we would have to do some sort of authenticated scanning, because when you do an unauthenticated scan, you can get a lot of really squirrely responses. So authenticated scans are usually your best, but they do take more work to make happen.

Speaker 2:

Question seven: which type of testing focuses on the interaction between the different system components? A, integration testing; B, regression testing; C, unit testing; or D, acceptance testing. So which type of testing focuses on the interaction between different system components? And the answer is integration testing. Integration testing verifies the interaction and compatibility of various system components and ensures that they all work together as you are expecting them to. Question eight: what is the primary purpose of a security audit? A, evaluate system performance; B, assess user satisfaction; C, validate encryption algorithms; or D, verify compliance with policies. So what is the primary purpose of a security audit? And the answer is D, compliance with policies. That is, in order to verify compliance with your policies. That's the ultimate goal of a security audit: to make sure that your policies, controls or standards are there and that they're being followed by your organization.

Speaker 2:

Question nine: which testing technique aims to identify vulnerabilities by analyzing the application's source code? So which testing technique identifies vulnerabilities by analyzing the application's source code? A, dynamic analysis; B, penetration testing; C, static analysis; or D, regression testing? So which testing technique aims to identify vulnerabilities by analyzing the application's source code? And the answer is C, static analysis. Static analysis examines source code, configuration files or other artifacts to look for vulnerabilities, and you will want to do some level of static analysis on your code.

Speaker 2:

Question 10: what is the purpose of a threat modeling exercise? A, identify vulnerabilities; B, evaluate risk exposure; C, design security controls; or D, validate encryption algorithms. Okay, the purpose of a threat modeling exercise, what do you think it is? And the answer is C, design security controls, right. So you want to make sure that when you do a threat modeling exercise, you're identifying potential threats, right, risks to your organization and the vulnerabilities and possibly even the way they come in, and therefore you're going to look at your overall security controls and determine, if these threats or these vulnerabilities existed, how would that affect your organization? How would you mitigate the risk? So a threat modeling exercise will kind of help you with that.

Question 11: what is the primary purpose of a security control assessment? A, validate encryption algorithms; B, evaluate risk exposure; C, test application functionality; or D, assess compliance with policies. So what is the primary purpose of a security control assessment? And the answer is D, assess compliance with the various policies that you have in place. That's the security control assessment. Now, again, you have to decide. I talked about this before, where audits I usually consider to be a third party, someone outside your organization, and assessments are internal. Now, when it comes to wording for the CISSP, the main thing you're going to want to understand is what is the output? That's going to be a big factor in determining if it's an assessment or an audit. But personally, and in a real-world kind of situation, I like to use an assessment as something that I conduct internally, by my people, by me doing it, whereas the audit is usually a third party. It could be an audit from your own company or somebody that is actually paid to do this for you, but an audit is usually somebody that's a third party that's looking at it.

Question 12: during a vulnerability scan, what does a false negative indicate? A, a valid vulnerability; B, an incorrect vulnerability report; C, a successful attack; or D, a misconfigured firewall. So again the question is, during a vulnerability scan, what does a false negative mean? It means a valid vulnerability. See, it's that double negative thing, right? False and negative is a double negative. What does that mean? It's a positive, so two negatives make a positive. Aha, right, that's like electricity type stuff. No, so it's right. What it basically comes down to is, if it's a false negative, it is a valid vulnerability. And this false negative occurs when the security tool fails to detect an actual vulnerability. And it's essential to minimize the false negatives to ensure you actually have the right security setup. But that's where you find it says, hey, oh, you're good, no problem. And then you realize, oh crap, there's something wrong there. That would be a false negative. Okay.

So question 13: which type of testing focuses on the behavior of an application under stress or load conditions? So what type of testing focuses on the behavior of an application under stress or load conditions? A, fuzz testing; B, regression testing; C, stress testing; or D, boundary testing? Again, what type of testing looks at behavior under stress or load conditions? And it is C, stress testing, right? So that type of testing is when the behavior of the application is under a stress or load position or condition.

Question 14: what is the primary goal of a vulnerability scan? What is the primary goal of a vulnerability scan? A, identify security controls; B, evaluate risk exposure; C, test application functionality; or D, validate encryption algorithms. So what's the primary goal of a vulnerability scan? And the answer is B, evaluate your risk exposure. Again, that's the ultimate goal of these scans: to look for weaknesses, and therefore it can help ensure you know what your overall risk exposure to the world is. Because, again, you need to know what's going on in your environment, and you may not have a good handle, but it's better to know something than to know nothing. So, just not running scans, just going, hey, I'm going to put my head in the sand and hope that everything works out. Yeah, that usually doesn't go well. You can try that. You can try it, but I would not recommend it. Just don't work in security for any company that I work with, because that would be bad. That would be really bad.

Question 15: which testing technique involves analyzing the flow of data within an application? Which testing technique involves analyzing the flow of data within an application? A, data flow analysis; B, code review; C, penetration testing; or D, fuzz testing? Which testing technique involves analyzing the flow of data within an application? Look for the words data flow analysis, right. A, data flow analysis examines the data, how it moves through your application, looking for potential security issues, input validation, data leakage and other access control challenges. I will say that you do testing, I've done testing, and you look for data flow analysis. It's a very important factor in all of the security toolbox that you may have within your organization and what you use. So you will do it, you will do data flow analysis, and if you're a good security architect, you will definitely do data flow analysis.

Okay, that's all I have for you today. Guys, we are excited. Again, go to CISSP Cyber Training. Head on over there. Anything you purchase at CISSP Cyber Training, any of the products that you purchase there, all of that goes to charity. It's all heading to our charity, our nonprofit for adoptive families. The ultimate goal of that is to provide resources for families who wish to adopt children, because it can be very expensive. I mean, adopting a child can be $20,000, $30,000, $50,000, depending upon where you get your child and other different situations. So we want to provide a nonprofit available for these folks to be able to request money, either as loans or potentially even a grant, depending upon their need. But we believe adopting kids is the most important thing in this world. I've been called to do that, and therefore we want to put that out there, and any money that is brought in from any of the CISSP training will go directly to that nonprofit. So we're pretty excited about that. Still got to get the name right, though. We have been too busy with the 4th of July to actually hunt down a name, but the name is close, it's really, really close, but I'll let you know once I have the name. You all will be the first to know about it. All right, have a wonderful day and we will catch you on the flip side. See you.

Secure SaaS Environment Best Practices
Security Testing Techniques and Goals
Threat Modeling Exercise Purpose