Control 18 Mapping to the NIST Cybersecurity Framework

00:00

Hey, everyone, welcome back to the core. So in the last video, we took a look at the overview of the application software security. So again, CIA's control 18. In this video, we're gonna take a look and see how it matches up to the NUS cybersecurity framework.

00:15

So sub control 18 1 We just want to establish secure coding practices. So best practices for secure coding to make sure that we're not developing vulnerable software. Now, does that mean it's 100% protected? No, of course not. But we want to use best practices to make sure we're developing the most secure possible software.

00:34

Some control. 18. To ensure explicit air checking is performed for all of our in house developed software, you'll notice that these aren't mapped up to the next cybersecurity framework is not really a direct 1 to 1 match there

00:48

Some control. 18 3 Just verify that the acquired software still supported I mentioned earlier in this course about some software I worked with in the health care industry That was outdated, and the company itself wasn't even in business anymore, so the software hadn't been supported. I actually think it was probably like

01:06

almost 10 years, the software hadn't been supported, so and with using that same software, the company couldn't actually upgrade to the cloud. Right? So there were some issues there, so they had to go find another solution that cost him, I think just under a 1,000,000 to do like a new software. So just make sure that any software your you've acquired is still supported.

01:26

And if not, you may want to start exploring.

01:29

What can you do to replace that particular software?

01:33

Some control? 18 4 only use up to date and trusted third party components. So just because something's free doesn't mean you should get it. So definitely just use trusted third party sites to download updates and that sort of stuff. So, for example, for Microsoft updates going to Microsoft to get him. Don't go to,

01:49

you know, some video link on like World Star hip hop or YouTube or something.

01:55

Go actually to the source and get that downloads that way.

02:00

Some control. 18 5 You standardized and extensively reviewed encryption algorithm. So used the best encryption algorithms you can for the current technology and again 10 years in the future when you're watching this course again. There might be something else out there, but things like a s right now. You can use that to protect the data.

02:19

And again, we want to always protect the data in transit and at rest

02:24

Sub Control. 18 6 Ensure the suffered development personnel So our software developers are actually trained in secure coding. There's a lot of people that can develop software, but they're not trained in secure coding. Best practices.

02:38

Self Control 87. Apply static and dynamic code analysis tools just so we can both look at the code and see how it see what happens when we actually run the code.

02:50

Sub Control 18 8 established processes to accept an address reports of any vulnerability. So a bug bounty programs a good idea to figure out how your organization can implement that to be alerted to any software vulnerabilities that you have.

03:02

What you don't want to see is that somebody post hey, here's an exploit for this software on like Twitter or something.

03:09

Sub Control 89. Separate the production and non production systems. So again just have, like a test environment where you can roll out new software updates, make sure there's no issues and then roll it out to the production environment.

03:23

Sub control 18 10 So deploying Web application firewalls gonna find that very beneficial, especially for organizations that are used in the cloud, which I think is most companies these days.

03:35

Some control 18 11 to go ahead and make sure your hardening rights to using hard hardening configuration templates for your databases.

03:45

So in this video, we just talked on control 18 and how that might map up to the next cybersecurity framework