CISSP Cheat Sheet

The document provides an overview of key concepts in CISSP including security goals, frameworks, risk assessment, controls, governance, compliance obligations, asset classification, data states, roles and digital rights management. It covers topics across multiple domains including security and risk management, asset security, security engineering and more.


CISSP Last Minute Review

Domain 1:
Security and Risk Management

The major categories of intellectual property protection include:
• Trademarks protect words and symbols.
• Copyrights protect creative works.
• Patents protect inventions.
• Trade secrets require maintaining secrecy but don't expire.

[Figure: the CIA triad of confidentiality, integrity, and availability]

The three main goals of information security are:
• Confidentiality prevents unauthorized disclosure.
• Integrity prevents unauthorized alteration.
• Availability ensures that authorized users can reach systems and data when they need them.

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/27002.

Due care is taking reasonable steps to protect the interests of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
• Policies, which state high-level objectives (mandatory compliance).
• Standards, which state detailed technical requirements (mandatory compliance).
• Procedures, which provide step-by-step processes (mandatory compliance).
• Guidelines, which offer advice and best practices (optional compliance).

Organizations are subject to a wide variety of legal and regulatory compliance obligations from:
• Criminal laws that may involve prison or fines.
• Civil laws that regulate non-criminal disputes.
• Administrative laws set by government agencies.
• Regulations from industry bodies.

Personnel security principles include:
• Need to know requires a legitimate business need to access information.
• Least privilege grants individuals the minimum necessary permissions to perform their jobs.
• Separation of duties blocks someone from having two sensitive privileges in combination.
• Two-person control requires two people to perform a sensitive activity.
• Mandatory vacations and job rotation seek to prevent fraudulent activity by uncovering malfeasance.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:
• Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
• Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) × SLE

Responses to a risk include:
• Avoid risk by changing business practices.
• Mitigate risk by implementing controls.
• Accept risk and continue operations.
• Transfer risk through insurance or contract.

Security controls may be preventive, detective, or corrective.

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.
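The SLE and ALE formulas above, carried through on a small risk register and then used to decide whether a mitigating control is worth its cost. This is an added example, not part of the original cheat sheet; the register entries, exposure factors and control costs are constructed sample figures, and the cost/benefit line (ALE before minus ALE after minus annual control cost) is the standard form, not a formula the cheat sheet itself lists.

```python
"""Quantitative risk worked example (added here; not part of the original
cheat sheet). Asset values, exposure factors and rates of occurrence below
are constructed sample figures, not real data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO * SLE."""
        return self.aro * self.sle()


def rank_by_ale(risks):
    """Prioritise treatment: largest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def safeguard_value(risk: Risk, aro_after: float, ef_after: float, annual_cost: float) -> float:
    """Annual value of a mitigating control (standard cost/benefit form, not a
    formula from the cheat sheet): ALE before - ALE after - annual control cost.
    Positive means the control saves more than it costs; negative suggests
    accepting or transferring the risk instead."""
    mitigated = replace(risk, aro=aro_after, exposure_factor=ef_after)
    return risk.ale() - mitigated.ale() - annual_cost


# Constructed sample register
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.40, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
    Risk("Data centre flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.02),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28s} SLE={r.sle():>12,.0f}  ALE={r.ale():>12,.0f}")
    # Tested, offline backups: incidents still happen (ARO unchanged) but only
    # 5% of the asset value is lost per incident; the control costs 30,000/yr.
    print("Backup control value:", safeguard_value(SAMPLE_RISKS[0], 0.5, 0.05, 30_000))
```

Ranking by ALE rather than by SLE is the point of the exercise: the flood has the largest single loss but the ransomware risk dominates the annual figure, so it is the one to treat first.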

© 2021, CertMike.com 1
Prepared exclusively for [email protected] Transaction: 0099506729

Domain 2:
Asset Security

Information should be classified based upon its sensitivity to the organization. Assets should be classified based upon the classification of the information that they store, process, and transmit.

Common classes of sensitive information include:
• Personally identifiable information (PII), which uniquely identifies individuals.
• Protected health information (PHI), which includes individual health records.
• Proprietary information, which contains trade secrets.

Data states:
• Data at rest: data stored on a system or media device.
• Data in motion: data in transit over a network.
• Data in use: data being actively processed in memory.

[Figure: information classification levels, in order of increasing sensitivity. Government: Unclassified, Confidential, Secret, Top Secret. Private sector: Public, Internal, Sensitive, Highly Sensitive.]

Information should be labeled with its classification, and security controls should be defined and appropriate for each classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization.

Data should be retained no longer than necessary. Use sanitization technology to ensure that no traces of data remain on media (data remanence) before discarding it.
• Erasing performs a delete operation on a file, but the data remains on disk.
• Clearing overwrites the data with random values to ensure that it is sanitized.

Data roles and responsibilities:
• Data owner: senior-level executive who establishes rules and determines appropriate controls for information.
• Data controller: organization or person within an organization who determines the purpose and means of data processing. Has special significance under GDPR.
• Data custodian: individuals who are responsible for managing data and data security controls for an organization. This role is commonly found within IT teams.
• Data processor: an organization that handles information on behalf of another organization, typically in a business-to-business relationship.
• Data user: individuals who interact with information during the normal course of business.
• Data subject: individuals who may be individually identified by name or another identifier within the records maintained by an organization.

Digital rights management (DRM) systems are technical controls that allow an organization to assert data ownership rights while sharing information with individuals and other organizations.

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark. Typically, organizations don't adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.


Domain 3:
Security Architecture and Engineering

Least privilege is a security principle that says that users should have the minimum set of permissions necessary to carry out their job functions.

Separation of duties requires that no single individual have the ability to perform two separate functions that, when combined, may undermine security.

Two-person control requires the concurrence of two individuals to perform a single sensitive function.

The defense-in-depth principle requires the use of overlapping controls to meet the same control objective, protecting against the failure of an individual control.

Fail securely is a design principle that requires that systems default to a secure state when security mechanisms fail, preventing anyone from obtaining unauthorized access.

The zero trust model of network architecture says that security decisions should not be made based upon a user's network location but should instead be based upon that user's identity and other contextual information.

The two basic cryptographic operations are substitution, which replaces characters, and transposition, which moves them around.

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private keypair. Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair. Keys are used as follows:

                            Confidentiality           Digital signature
Sender encrypts with...     Recipient's public key    Sender's private key (in practice, over a hash of the message)
Recipient decrypts with...  Recipient's private key   Sender's public key

Cryptographic attacks:
• Brute force: tries every possible key value until the correct one is found.
• Ciphertext only: works when the attacker has access only to the ciphertext.
• Known plaintext: the attacker has both the ciphertext and the plaintext used to create it, and uses the pair to determine the key.
• Chosen ciphertext: the attacker can obtain the decryption of ciphertexts of their own choosing.
• Chosen plaintext: the attacker can obtain the ciphertext for plaintexts of their own choosing.
• Frequency analysis: analyzes how often different characters appear in the ciphertext in an attempt to recover the key or plaintext.

Key management: a symmetric system with n participants requires n(n-1)/2 keys (one per pair of participants); an asymmetric system requires 2n keys (one keypair per participant).

Secure symmetric algorithms include AES, IDEA, Blowfish, and 3DES. DES is not secure. (3DES and Blowfish use 64-bit blocks, which limits how much data one key can safely protect; NIST has retired 3DES, and AES is the current standard.)

Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve cryptography (ECC).

Quantum computing uses the principles of quantum mechanics to perform computing tasks. A large-scale quantum computer running Shor's algorithm would defeat RSA, Diffie-Hellman, and ECC; quantum cryptography (such as quantum key distribution) instead applies quantum mechanics to the key exchange itself.


The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a fixed-length value for any input; it is computationally infeasible to reverse a hash or to find two inputs that produce the same hash.

Digital certificates use the X.509 standard and contain a copy of an entity's public key. They are digitally signed by a certificate authority (CA).

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

The Trusted Computing Base (TCB) is the secure core of a system that has a secure perimeter with access enforced by a reference monitor.

CPUs support two modes of operation: user mode for standard applications and privileged mode for processes that require direct access to core resources.

Security models:
                   Bell-LaPadula     Biba
Goal               Confidentiality   Integrity
Simple property    No read up        No read down
*-property         No write down     No write up

Certification is the process of evaluating and assigning a security rating to a product. Accreditation is the approval of a specific configuration for a specific use.

Security modes of operation:
                                              Dedicated   System High   Compartmented   Multilevel
Users must be cleared for the highest
level of information processed by the system  Yes         Yes           Yes             No
Users must have access approval for
all information processed                     Yes         Yes           No              No
Users must have need to know for all
information processed by the system           Yes         No            No              No

Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.

Mantraps use a set of double doors to restrict physical access to a facility.

TCP is a connection-oriented protocol, while UDP is a connectionless protocol that does not guarantee delivery.

TCP three-way handshake: the client sends SYN, the server replies with SYN/ACK, and the client completes the connection with ACK.
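The Bell-LaPadula and Biba rules in the table above, written as the decision function a reference monitor would apply. This is an added example, not code from the original cheat sheet; the four-level lattice and the sample subjects and objects are constructed for illustration.

```python
"""Reference-monitor style checks for the Bell-LaPadula and Biba rules
(added example, not from the original cheat sheet). The level lattice and
the sample requests are constructed for illustration."""
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def bell_lapadula(subject_level: str, object_level: str, op: str) -> bool:
    """Confidentiality model.
    Simple security property: no read up   (subject must dominate the object to read).
    *-property:               no write down (subject may only write at or above its level)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba(subject_level: str, object_level: str, op: str) -> bool:
    """Integrity model: the mirror image of Bell-LaPadula.
    Simple integrity property: no read down (never consume lower-integrity data).
    *-integrity property:      no write up  (never contaminate higher-integrity data)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def both_models(subject_level: str, object_level: str, op: str) -> bool:
    """Enforce confidentiality and integrity together: only same-level access survives."""
    return bell_lapadula(subject_level, object_level, op) and biba(subject_level, object_level, op)


def check(model, subject_level: str, object_level: str, op: str) -> str:
    """Decide and explain one access request."""
    verdict = "ALLOW" if model(subject_level, object_level, op) else "DENY"
    return f"{model.__name__}: {subject_level} subject {op}s {object_level} object -> {verdict}"


if __name__ == "__main__":
    for model in (bell_lapadula, biba, both_models):
        for obj in ("CONFIDENTIAL", "SECRET", "TOP SECRET"):
            for op in ("read", "write"):
                print(check(model, "SECRET", obj, op))
```

Running both models at once shows why they are rarely combined literally: a SECRET subject can then read and write only SECRET objects, which is why real systems pick the property that matches the asset (secrecy or integrity) rather than stacking both.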


Domain 4:
Communication and Network Security

OSI model:
Layer          Description
Application    Serves as the point of integration for user applications with the network
Presentation   Transforms user-friendly data into machine-friendly data; encryption
Session        Establishes, maintains, and terminates sessions
Transport      Manages connection integrity; TCP, UDP, SSL, TLS
Network        Routes packets over the network; IP, ICMP, BGP, IPsec, NAT
Data Link      Formats packets for transmission; Ethernet, ARP, MAC addresses
Physical       Encodes data into bits for transmission over wire, fiber, or radio

DNS converts between domain names and IP addresses. ARP converts between IP addresses and MAC addresses. NAT converts between public and private IP addresses.

Wi-Fi networks should be secured with WPA2 or WPA3 encryption rather than WEP or WPA. WPA2 uses the CCMP protocol (built on AES), while WPA3 uses simultaneous authentication of equals (SAE) for key establishment in conjunction with AES encryption.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2.

Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.

Network engineers make use of a variety of communications technologies when wired networks are not available. These include:
• Wi-Fi networks provide wireless access using radio waves over short distances, such as within a building.
• Zigbee networks support Internet of Things (IoT) and home automation deployments within a facility.
• Cellular networks provide longer-range communications within range of cellular towers. These include 4G networks, which are widely available, and 5G networks, which provide much higher data transfer rates but (as of this 2021 document) have more limited coverage.
• Satellite communications provide data service wherever satellites are visible in the sky but are expensive to use.

Content distribution networks (CDNs) are global networks of servers that provide local caches of web and other content to relieve the burden on remote web servers and increase the speed of content delivery to users.

When deploying services in the cloud, organizations may choose from three major service models:
• Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and using the application.
• Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
• Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware or operating system.


Common ports and services:
Port(s)                 Service
20, 21                  FTP
22                      SSH
23                      Telnet
25                      SMTP
53                      DNS
80                      HTTP
110                     POP3
123                     NTP
135, 137-139, 445       Windows file sharing (MS-RPC, NetBIOS, SMB)
143                     IMAP
161/162                 SNMP
443                     HTTPS
1433/1434               SQL Server
1521                    Oracle
1720                    H.323
1723                    PPTP
3389                    RDP
9100                    HP JetDirect printing

Most virtual private networks (VPNs) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity, and nonrepudiation, and Encapsulating Security Payload (ESP) to provide confidentiality. ESP can also carry its own authentication and integrity, which is how most deployments use it.

Cloud services may be built and/or purchased in several deployment models:
• Public cloud providers sell services to many different customers, and many customers may share the same physical hardware.
• Private cloud environments dedicate hardware to a single organization.
• Hybrid cloud environments combine elements of public and private cloud in a single organization.
• Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.


Domain 5:
Identity and Access Management

The core activities of identity and access management are:
• Identification, where a user makes a claim of identity.
• Authentication, where the user proves the claim of identity.
• Authorization, where the system confirms that the user is permitted to perform the requested action.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:
• Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
• Physical controls, such as locks and keys, limit physical access to controlled spaces.
• Administrative controls, such as account reviews, provide management of personnel and business practices.

Organizations often use centralized access control systems to streamline authentication and authorization and to provide users with a single sign-on (SSO) experience. These solutions often leverage Kerberos, which uses a multi-step logon process:

1. The user authenticates to a client on his or her device.
2. The client sends the authentication credentials to the Key Distribution Center (KDC).
3. The KDC verifies the credentials, creates a ticket-granting ticket (TGT), and sends it to the client.
4. The client makes a service access request to the KDC using the TGT.
5. The KDC verifies the TGT, creates a service ticket (ST) for the user to use with the service, and sends the ST to the client.
6. The client sends the ST to the service.
7. The service verifies the ST using the long-term key it shares with the KDC (no call back to the KDC is needed) and grants access.
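The seven Kerberos steps above, simulated end to end so that it is visible which key protects each message and why the service never needs to contact the KDC in step 7. This is an added example, not code from the original cheat sheet, and not a real Kerberos implementation: the `seal`/`unseal` pair is an HMAC-based stand-in for the AES-based encryption Kerberos uses, the string-to-key function is a plain hash rather than Kerberos's salted derivation, and every principal, password and key is constructed.

```python
"""Toy Kerberos-style ticket flow (added example; not from the original
cheat sheet and not a real Kerberos implementation). 'seal'/'unseal' stand
in for the AES-based encryption real Kerberos uses: an HMAC-derived keystream
XOR plus an HMAC tag, enough to show what each party can and cannot read.
All principals, passwords and keys are constructed."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Authenticated 'encryption' of a JSON-serialisable dict (toy, not AES)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    """Long-term key from the password (real Kerberos uses a salted string-to-key)."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Holds every principal's long-term key; session keys never cross the wire in the clear."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = os.urandom(32)  # key that protects TGTs; only the KDC has it

    def as_exchange(self, user: str, preauth: bytes):
        """Steps 2-3: a timestamp sealed under the user's key proves the password. Reply with a
        TGT (readable only by the KDC) and the TGT session key (readable only by the user)."""
        ts = unseal(self.keys[user], preauth)["timestamp"]  # ValueError if the password is wrong
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        k_tgs = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": k_tgs.hex(), "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"key": k_tgs.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 4-5: check the TGT and the authenticator sealed under its session key,
        then issue a service ticket sealed under the service's long-term key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        k_tgs = bytes.fromhex(t["key"])
        if unseal(k_tgs, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        k_svc = os.urandom(32)
        st = seal(self.keys[service], {"user": t["user"], "key": k_svc.hex(), "exp": time.time() + 600})
        return st, seal(k_tgs, {"key": k_svc.hex(), "service": service})


class Service:
    """Step 7: validates the ST with its own long-term key; it never contacts the KDC."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, st: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, st)
        if t["exp"] < time.time():
            raise ValueError("ST expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match ST")
        return f"{self.name}: access granted to {t['user']}"


def logon(kdc: KDC, user: str, password: str, service: str):
    """Client side of all seven steps; returns what step 6 sends to the service."""
    k_user = user_key(password)
    tgt, enc = kdc.as_exchange(user, seal(k_user, {"timestamp": time.time()}))  # steps 1-3
    k_tgs = bytes.fromhex(unseal(k_user, enc)["key"])
    st, enc2 = kdc.tgs_exchange(tgt, seal(k_tgs, {"user": user, "timestamp": time.time()}), service)  # 4-5
    k_svc = bytes.fromhex(unseal(k_tgs, enc2)["key"])
    return st, seal(k_svc, {"user": user, "timestamp": time.time()})  # step 6


FILESERVER_KEY = os.urandom(32)
KDC_INSTANCE = KDC({"alice": user_key("correct horse"), "fileserver": FILESERVER_KEY})
FILESERVER = Service("fileserver", FILESERVER_KEY)
```

The client never learns the `krbtgt` or service keys, and the service never learns the user's password: each ticket is readable only by the party that issued or consumes it, and a bit flipped in a ticket is caught by the tag before anything is decrypted.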

Multifactor authentication systems combine authentication technologies from two or more of the following categories:
• Something you know (Type 1 factors) relies upon secret information, such as a password.
• Something you have (Type 2 factors) relies upon physical possession of an object, such as a smartphone.
• Something you are (Type 3 factors) relies upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as valid; this is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user; this is measured using the false rejection rate (FRR). Raising the sensitivity of a biometric system lowers FAR but raises FRR. We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), the point at which FAR and FRR are equal; a lower CER indicates a more accurate system.

[Figure: FAR and FRR plotted as error rate against sensitivity; the two curves cross at the CER.]
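The FAR/FRR curves from the diagram, computed numerically so that the crossover point is found rather than read off a picture, and then the tuning a high-security deployment makes instead of settling at the CER. This is an added example, not part of the original cheat sheet; the match scores are constructed sample data, and "accept if score is at or above the threshold" is the assumed matcher rule.

```python
"""FAR, FRR and crossover error rate for a biometric matcher (added example; not
from the original cheat sheet). Match scores are constructed sample data on a
0..100 scale: higher means a stronger claimed match. A user is accepted when the
score is at or above the threshold (the system's 'sensitivity' setting)."""

GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 62, 58]    # legitimate users
IMPOSTOR_SCORES = [68, 64, 61, 57, 53, 50, 46, 42, 38, 33]   # attackers


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor attempts that get in."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of legitimate attempts turned away."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine, impostor, thresholds=range(0, 101)):
    """The two curves from the diagram: (threshold, FAR, FRR) for each setting."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Threshold where FAR and FRR meet, and the CER there (lower CER = better matcher).
    Ties resolve to the lowest threshold."""
    t, a, r = min(error_curve(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine, impostor, max_far, thresholds=range(0, 101)):
    """Lowest threshold that keeps FAR at or below max_far, and the FRR that costs.
    This is the tuning a high-security deployment makes: tighter than the CER."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.0%} at threshold {t}")
    t, cost = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.05)
    print(f"FAR <= 5% needs threshold {t}, rejecting {cost:.0%} of genuine users")
```

The CER is a property of the matcher and is what you compare products on; the operating threshold is a policy choice, and a data-centre door will sit well to the right of the crossover and accept the extra false rejections.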


RADIUS is an authentication, authorization, and accounting (AAA) protocol commonly used by network access devices (VPN concentrators, wireless controllers, switches) to check credentials against a backend directory. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The Security Assertion Markup Language (SAML) provides an open standard for different entities to exchange authentication and authorization information when performing federation.

OAuth is an authorization framework that allows a user to grant an application limited access to resources held by another service without giving the application the user's credentials. OpenID Connect is an identity layer built on top of OAuth 2.0 that adds authentication (login) to it; it is used by Google and other cloud service providers.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control (RBAC) assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Attribute-based access control (ABAC) systems make access control decisions based upon characteristics of the user, system, information, or other attributes.

Risk-based access control systems vary their access control decisions based upon the current threat environment.

Rule-based access control systems make access control decisions based upon a set of predefined rules. Firewalls are a common example.

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them defeats precomputed tables, because every salt would need its own table; a deliberately slow hash (such as PBKDF2, bcrypt, scrypt, or Argon2) further limits brute force and dictionary attacks by making each guess expensive.

Man-in-the-middle attacks intercept a client's initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy, and the attacker can eavesdrop on the communication and inject commands.
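The password-attack paragraph above, shown concretely: an unsalted fast hash falls to a lookup table built before the attacker ever sees a database, while the salted, iterated hash forces a per-user, per-guess dictionary attack. This is an added example, not code from the original cheat sheet; the wordlist and passwords are constructed, and the storage format `pbkdf2_sha256$iterations$salt$hash` is an assumed convention for this example.

```python
"""Why salting defeats precomputed (rainbow) tables and why a slow hash matters
(added example; not from the original cheat sheet). The wordlist and passwords
are constructed; a real attack uses a far larger list."""
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["password", "letmein", "qwerty", "summer2021", "correcthorse"]  # constructed


# --- weak scheme: one fast unsalted hash -------------------------------------
def unsalted_hash(password: str) -> str:
    """Every user with the same password gets the same hash, so one table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """The attacker's one-time, offline precomputation (a rainbow table is a
    space-optimised form of the same idea)."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    return table.get(stored_hash)


# --- hardened scheme: random salt + slow key derivation ----------------------
ITERATIONS = 100_000  # tune upward until verification takes ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stored as 'pbkdf2_sha256$iterations$salt$hash' (assumed format for this example)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_salted(stored: str, table: dict) -> Optional[str]:
    """The precomputed table is useless: it was built without this user's salt."""
    return table.get(stored.split("$")[3])


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What the attacker is reduced to: one slow derivation per guess, per user.
    Succeeds only if the password is actually in the list."""
    for candidate in wordlist:
        if verify_password(candidate, stored):
            return candidate
    return None
```

The salt does not need to be secret, only unique per record; the iteration count is what turns a million guesses per second into a few thousand.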


Domain 6:
Security Assessment and Testing

Security tests verify that a control is functioning properly. Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
• Internal audits are performed by an organization's internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
• External audits are performed by an outside auditing firm.
• Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.

Organizations that provide services to other organizations may conduct service organization control (SOC) audits under SSAE 18. These engagements produce two different types of reports:
• Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor's opinion on whether the controls as designed are suitable at a point in time. The auditor does not test the controls.
• Type II reports result when the auditor actually tests the controls over a period of time and provides an opinion on their operating effectiveness.

COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.

Vulnerability assessments seek to identify known deficiencies in systems and applications.

The Security Content Automation Protocol (SCAP) provides a standard framework for vulnerability assessment. It includes the following components:
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)

Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
• TCP SYN scans send a single packet with the SYN flag set and judge the port by the reply (SYN/ACK means open, RST means closed) without completing the handshake.
• TCP Connect scans attempt to complete the three-way handshake.
• TCP ACK scans seek to impersonate an established connection, which is useful for mapping firewall rules.
• Xmas scans set the FIN, PSH, and URG flags.

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

[Figure: the penetration testing cycle: Planning → Information Gathering & Discovery → Vulnerability Scanning → Exploitation → Reporting]
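The scan techniques above from the defender's side: a TCP header builder and parser, a classifier that maps a segment's flag combination to the nmap technique it matches, and a detector that flags a host probing many ports with SYN-only segments that never complete the handshake. This is an added example, not code from the original cheat sheet; the segments are constructed in memory, the NULL and FIN scans are additional nmap techniques not listed on the page, and the five-port threshold is an assumed tuning value.

```python
"""TCP flag classifier and a simple port-sweep detector (added example; not
from the original cheat sheet). The segments are constructed in memory with
struct; nothing is sent on the wire."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header; checksum left at zero (enough for parsing)."""
    data_offset = 5 << 4  # header length in 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, data_offset, flags, 1024, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}


def classify_probe(flags: int) -> str:
    """Map a flag combination to the nmap technique it matches."""
    if flags == SYN:
        return "SYN scan (or first step of a Connect scan)"
    if flags == ACK:
        return "ACK scan (firewall rule mapping)"
    if flags == XMAS:
        return "Xmas scan"
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == SYN | ACK:
        return "SYN/ACK reply: port open (or handshake step 2)"
    if flags & RST:
        return "RST: port closed or probe rejected"
    return "other"


PROBE_FLAGS = {SYN, ACK, XMAS, 0, FIN}


def detect_port_sweeps(packets, threshold: int = 5) -> dict:
    """packets: iterable of (source_ip, raw_tcp_header). Flags any source that
    sends probe-shaped segments to more than `threshold` distinct ports. A SYN
    scan never completes the handshake, so it shows up as many SYN-only
    segments from one host to many ports."""
    ports_by_src = defaultdict(set)
    for src_ip, raw in packets:
        h = parse_tcp_header(raw)
        if h["flags"] in PROBE_FLAGS:
            ports_by_src[src_ip].add(h["dst"])
    return {ip: sorted(ports) for ip, ports in ports_by_src.items() if len(ports) > threshold}


# Constructed traffic: one scanner sweeping seven ports, one normal client.
SAMPLE_TRAFFIC = [("10.0.0.5", build_tcp_header(40000 + i, p, SYN))
                  for i, p in enumerate([21, 22, 23, 25, 80, 443, 3389])]
SAMPLE_TRAFFIC += [("10.0.0.9", build_tcp_header(51000, 443, SYN)),
                   ("10.0.0.9", build_tcp_header(51000, 443, ACK))]

if __name__ == "__main__":
    for ip, ports in detect_port_sweeps(SAMPLE_TRAFFIC).items():
        print(f"port sweep from {ip}: {ports}")
    print(classify_probe(XMAS))
```

Counting distinct destination ports per source is the cheapest sweep signal and is what most IDS "portscan" rules reduce to; a Connect scan looks identical at this stage because it also starts with a bare SYN to each port.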


There are three different types of penetration tests:
• During white box penetration tests, testers have full access to information about the target systems.
• During black box penetration tests, testers conduct their work without any knowledge of the target environment.
• Gray box tests reside in the middle, providing testers with partial knowledge about the environment.

Code review provides an important software assurance tool that allows peer review by fellow developers for security, performance, and reliability issues.

Fagan inspections are a formal code review process that follows a rigorous six-step process with formalized entry and exit criteria for each step:

[Figure: the Fagan inspection cycle: Planning → Overview → Preparation → Inspection → Rework → Follow-up]

Static testing evaluates software code without executing it, while dynamic testing executes the code during the test. Fuzz testing supplies invalid, unexpected, or random input to applications in an attempt to trigger an error state.

Interface testing evaluates the connections between different system components.

Misuse case testing evaluates known avenues of attack in an application.

Test coverage analysis metrics evaluate the completeness of testing efforts using the formula:

    test coverage = (use cases tested) / (all use cases)

Common criteria for test coverage analysis include:
• Branch coverage (if statements tested under all conditions)
• Condition coverage (logical tests evaluated under all inputs)
• Function coverage (each function tested)
• Loop coverage (every loop executed multiple times, once, and not at all)
• Statement coverage (every line of code executed)
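The coverage formula above applied to the statement criterion: a small trace hook records which lines of a function actually ran under a given input set and reports the fraction covered and the lines the tests never reached. This is an added example, not code from the original cheat sheet; the function under test and its input sets are constructed, and the fallback to the bytecode line table is only for environments where the source file is not available.

```python
"""Statement-coverage measurement with sys.settrace (added example; not from
the original cheat sheet). The function under test and its inputs are
constructed to show coverage rising as inputs reach more branches."""
import ast
import dis
import inspect
import sys
import textwrap


def classify_port(port: int) -> str:
    """Toy function under test, with branches a weak test set misses."""
    if port < 0 or port > 65535:
        return "invalid"
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


def executable_lines(func) -> set:
    """Line numbers of every statement in func's body (def line and docstring excluded)."""
    try:
        src, first = inspect.getsourcelines(func)
        fn = ast.parse(textwrap.dedent("".join(src))).body[0]
        body = fn.body
        if body and isinstance(body[0], ast.Expr) and isinstance(getattr(body[0].value, "value", None), str):
            body = body[1:]  # drop the docstring
        return {node.lineno + first - 1
                for stmt in body for node in ast.walk(stmt) if isinstance(node, ast.stmt)}
    except OSError:  # source not available: fall back to the bytecode line table
        code = func.__code__
        return {ln for _, ln in dis.findlinestarts(code) if ln is not None and ln != code.co_firstlineno}


def measure_statement_coverage(func, inputs):
    """Run func on each input under a trace hook; return (coverage fraction, missed lines)."""
    code = func.__code__
    executable = executable_lines(func)
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # don't trace other frames
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for value in inputs:
            func(value)
    finally:
        sys.settrace(previous)
    covered = hit & executable
    return len(covered) / len(executable), sorted(executable - covered)


if __name__ == "__main__":
    for name, inputs in [("weak", [80]), ("branch-complete", [80, 8080, 60000, 70000])]:
        cov, missed = measure_statement_coverage(classify_port, inputs)
        print(f"{name}: statement coverage {cov:.0%}, missed lines {missed}")
```

A single "happy path" input lights up fewer than half the statements here; the missed-lines list is the actionable output, since each missed `return` names a branch no test exercises. Full statement coverage still says nothing about condition coverage: the `or` on the first line is never evaluated with only its right operand true by these inputs.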


Domain 7:
Security Operations

Security professionals are often called upon to participate in a variety of investigations:
• Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
• Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
• Regulatory investigations examine the violation of a private or public regulatory standard.
• Administrative investigations are internal to an organization, supporting administrative activities.

Investigations may use several different types of evidence:
• Real evidence consists of tangible objects that may be brought into court.
• Documentary evidence consists of records and other written items and must be authenticated by testimony.
• Testimonial evidence is evidence given by a witness, either verbally or in writing.

The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

Cybersecurity incident response efforts follow this process:

[Figure: the incident response cycle: Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned]

Security operations tools:
• Intrusion detection system: monitors a host or network for signs of intrusion and reports to administrators.
• Intrusion prevention system: monitors a host or network for signs of intrusion and attempts to block malicious traffic automatically.
• Security information and event management (SIEM) system: aggregates and correlates security information received from other systems.
• Firewall: restricts network traffic to authorized connections.
• Application whitelisting (allow listing): limits applications to those on an approved list.
• Application blacklisting (deny listing): blocks applications on an unapproved list.
• Sandbox: provides a safe space to run potentially malicious code.
• Honeypot: a system that serves as a decoy to attract attackers.
• Honeynet: an unused network designed to capture probing traffic.

The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.
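The chain-of-custody requirement above, made mechanical: the evidence is hashed once at acquisition, every handling event is logged with the hash as received, and each log entry commits to the previous one so that an edited, inserted or dropped entry is detectable. This is an added example, not code from the original cheat sheet; the disk image bytes, evidence identifier and custodian names are constructed, and in practice the log lives somewhere the custodians cannot rewrite.

```python
"""Evidence integrity hash and a tamper-evident chain-of-custody log (added
example; not from the original cheat sheet). The 'disk image' bytes and the
custody events are constructed; a real workflow hashes the acquired image file
and records who handled it, when, and why."""
import hashlib
import json
from datetime import datetime, timezone


def evidence_hash(data: bytes) -> str:
    """Taken once at acquisition and re-checked before every analysis step."""
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing, inserting or dropping an entry breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, custodian: str, acquisition_hash: str):
        self.entries = []
        self.append("acquired", custodian, acquisition_hash, evidence_id=evidence_id)

    def append(self, action: str, custodian: str, current_hash: str, **details) -> dict:
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "evidence_hash": current_hash,  # hash of the evidence as this custodian received it
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
            **details,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, acquisition_hash: str):
        """Return (ok, reason): every link intact and the evidence hash unchanged since acquisition."""
        prev = self.GENESIS
        for e in self.entries:
            if _digest(e) != e["entry_hash"]:
                return False, f"entry {e['seq']} was altered"
            if e["prev"] != prev:
                return False, f"entry {e['seq']} breaks the chain"
            if e["evidence_hash"] != acquisition_hash:
                return False, f"evidence hash changed at entry {e['seq']}"
            prev = e["entry_hash"]
        return True, "chain intact"


# Constructed evidence
DISK_IMAGE = b"\x00" * 512 + b"constructed sample image contents" + b"\xff" * 512
ACQUISITION_HASH = evidence_hash(DISK_IMAGE)


def example_log() -> CustodyLog:
    log = CustodyLog("EV-2021-001", "examiner A", ACQUISITION_HASH)
    log.append("transferred", "examiner B", evidence_hash(DISK_IMAGE), purpose="malware analysis")
    log.append("returned", "evidence locker", evidence_hash(DISK_IMAGE))
    return log


if __name__ == "__main__":
    print(example_log().verify(ACQUISITION_HASH))
```

Work is done on a copy verified against `ACQUISITION_HASH`, never on the original; the moment a custodian records a different evidence hash, `verify` pinpoints the handoff where the evidence changed.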


Backups provide an important disaster recovery control. Remember that there are three major categories of backup:
• Full backup: copies all files on a system.
• Differential backup: copies all files on a system that have changed since the most recent full backup.
• Incremental backup: copies all files on a system that have changed since the most recent full or incremental backup.

Restoring requires the most recent full backup plus the most recent differential, or the most recent full backup plus every incremental taken since it, applied in order.

Disaster recovery sites fit into three major categories:
Site type    Support systems    Configured servers    Real-time data
Cold site    Yes                No                    No
Warm site    Yes                Yes                   No
Hot site     Yes                Yes                   Yes

Disaster recovery plans require testing. There are five major test types:
• Read-through/tabletop: plan participants review the plan and their specific role, either as a group or individually.
• Walkthrough: the DR team gathers to walk through the steps in the DR plan and verify that it is current and matches expectations.
• Simulation: the DR team participates in a scenario-based exercise that uses the DR plan without implementing technical recovery controls.
• Parallel: the DR team activates alternate processing capabilities without taking down the primary site.
• Full interruption: the DR team takes down the primary site to simulate a disaster.

When managing the physical environment, you should be familiar with common power issues:
Power issue     Brief duration    Prolonged duration
Loss of power   Fault             Blackout
Low voltage     Sag               Brownout
High voltage    Spike             Surge
Disturbance     Transient         Noise

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers rated for the class of fire:
• Class A: common combustible fires
• Class B: liquid fires
• Class C: electrical fires
• Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection and release water only when a sprinkler head is triggered.
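The three backup categories above, simulated over one week so that the trade-off is visible: differential sets grow day by day but a restore needs only two of them, while incremental sets stay small but a restore must replay every one since the full. This is an added example, not code from the original cheat sheet; the file-change timeline and the Sunday full backup schedule are constructed.

```python
"""Backup strategy simulation (added example; not from the original cheat
sheet). The file-change timeline is constructed to show how differential and
incremental backups differ in size and in what a restore needs."""

# Constructed timeline: weekday -> files modified that day (full backup is on Sunday).
CHANGES = {
    "Mon": {"a.doc"},
    "Tue": {"b.xls"},
    "Wed": {"a.doc", "c.ppt"},
    "Thu": set(),
    "Fri": {"d.txt"},
}
ALL_FILES = {"a.doc", "b.xls", "c.ppt", "d.txt", "e.pdf"}


def plan_backups(strategy, changes=CHANGES, all_files=ALL_FILES):
    """Full backup on Sunday, then one `strategy` backup per weekday.
    Returns [(day, kind, {file: version})], version = day the file last changed."""
    version = {f: "Sun" for f in all_files}
    sets = [("Sun", "full", dict(version))]
    since_full = set()
    for day, changed in changes.items():
        for f in changed:
            version[f] = day
        if strategy == "differential":
            since_full |= changed                       # everything changed since the full
            sets.append((day, "differential", {f: version[f] for f in since_full}))
        elif strategy == "incremental":
            sets.append((day, "incremental", {f: version[f] for f in changed}))  # since last backup
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(sets, up_to_day):
    """Backup sets to apply, in order, to recover the state as of up_to_day."""
    idx = [d for d, _, _ in sets].index(up_to_day)
    window = sets[:idx + 1]
    full_pos = max(i for i, (_, kind, _) in enumerate(window) if kind == "full")
    chain = [window[full_pos]]
    later = window[full_pos + 1:]
    if later and later[-1][1] == "differential":
        chain.append(later[-1])   # only the newest differential is needed
    else:
        chain.extend(later)       # every incremental since the full, oldest first
    return [(day, kind) for day, kind, _ in chain]


def restored_files(sets, up_to_day):
    """Apply the chain; later sets overwrite earlier versions of the same file."""
    by_key = {(day, kind): files for day, kind, files in sets}
    state = {}
    for key in restore_chain(sets, up_to_day):
        state.update(by_key[key])
    return state


def backup_sizes(sets):
    return [(day, len(files)) for day, _, files in sets]


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = plan_backups(strategy)
        print(strategy, "sizes:", backup_sizes(sets), "restore Fri:", restore_chain(sets, "Fri"))
```

Both strategies recover the same files; what differs is backup-window cost versus restore complexity, and with incrementals a single corrupt set in the chain loses everything after it, which is the argument for periodic fulls.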


Domain 8:
Software Development Security

The waterfall model of software development is fairly rigid, allowing the process to return only to the previous step:

[Figure: waterfall phases: System Requirements → Software Requirements → Preliminary Design → Detailed Design → Code and Debug → Testing → Operations and Maintenance]

The spiral model uses a more iterative approach, repeating four quadrants on each loop: (1) determine objectives, (2) identify and resolve risks, (3) development and test, (4) plan the next iteration. Each loop produces a more complete prototype (prototype 1, prototype 2, operational prototype) while carrying the work from concept of operation through requirements, design, code, integration, test, implementation, and release, with verification and validation at each stage.

[Figure: the spiral model, with cumulative cost growing outward across the four quadrants and the prototypes, plans, and verification and validation steps of each loop]

The agile approach eschews this rigidity for a series of incremental deliverables created using a process that values:
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan

Software testing follows two primary approaches. In static testing, testers analyze the source code without executing it. Dynamic testing executes the code against test datasets.

Software testers can have varying degrees of knowledge about the software they are testing. In a white box test, they have full knowledge of the software. In a black box test, they have no knowledge, while grey box tests reside in the middle, providing testers with partial knowledge.

The top ten security vulnerabilities in web applications, according to OWASP (2017 list), are:
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation, which ensures that user input matches the expected pattern before using it in code.