CISSP Domain 8

After the system preliminary design has been developed and the data security categorization has been performed

the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

System acquisition and development

System operations and maintenance

System initiation

System implementation

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

organization policy.

industry best practices.

industry laws and regulations.

management feedback.

By injecting malicious JavaScript code into a vulnerable web page (Cross-Site Scripting) that sends the victim’s cookie to the attacker’s server.

By capturing unencrypted HTTP traffic on a public Wi-Fi network and extracting the session ID contained in the cookie.

By creating a fake login page (phishing site) that tricks the user into submitting their credentials and automatically sets a session cookie known to the attacker.

By using malware installed on the hacker’s device that reads browser-stored cookies directly from the local file system

project initiation and planning phase

system design specification phase

development & documentation phase

acceptance phase

A developer places the database password directly in the source code and commits it to GitHub.

A user reuses the same password across multiple websites, making it vulnerable to credential stuffing.

An administrator leaves the default “admin/admin” login unchanged on a production server.

A system transmits credentials in clear text over HTTP instead of HTTPS.

Data masking creates substitute values that look real but are not the actual data, while encryption scrambles the data into unreadable ciphertext.

Data masking is mainly used in production systems, while encryption is only for development environments.

Data masking ensures confidentiality by using cryptographic algorithms, while encryption relies on substituting values that look genuine but are fake.

Both data masking and encryption can be reversed to reveal the original values, but encryption is faster for large datasets.