Most of the software used by organizations is not actually developed by internal software engineering teams but is, instead, purchased from vendors either as software or under the Software as a Service model of cloud computing. In this video, learn how security professionals assess the security of acquired software.
- [Instructor] Most of the software used by organizations is not actually developed by internal software engineering teams but is, instead, purchased from vendors, either as software that runs on systems managed by the customer, or under the Software-as-a-Service model of cloud computing, where the customer accesses software running on servers managed by the vendor. Security professionals must assess the security of acquired software to ensure that it meets the organization's security requirements.
They should approach the assessment of acquired software from a similar standpoint as any other security assessment. Security professionals should begin with a determination of the risk posed by the software, looking at the likelihood of a security issue and the impact of a software-related security incident on the organization's operations. The impact assessment should include all three legs of the information security triad: confidentiality, integrity, and availability.
In most cases, the organization will not conduct…
This course, along with the others in this nine-part series, prepares you for the CISSP exam and provides you with a solid foundation for a career in information security.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Software development methodologies
- Operation, maintenance, and change management
- Cross-site scripting
- Preventing SQL injection
- Overflow attacks
- Malicious add-ons
- Secure coding practices
- Code signing
- Risk analysis and mitigation
- Software testing
- Acquired software