Time
5 hours 54 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

This lesson focuses on assessment and corrective actions. Corrective actions include the following: • Mitigation risk • Transfer risk • Avoid risk This lesson also discusses addressing defects; which focuses on correcting any defects that come up in the developmental stages as well as secure software testing.

Video Transcription

00:04
So we've looked at the vulnerabilities. We've done our stands. We've done our penetration test. We found some vulnerabilities. We were able to exploit them. We found issues of noncompliance with policy. What next? And the final step here really is documentation.
00:21
So we're going to assess the impact of what we found.
00:24
And then we'll also suggested a sort of corrective actions. So we're gonna produce a document called the Defect Report.
00:31
And for each of the defects that we find, we're gonna indicate how urgent and how severe the vulnerability is. When we talk about urgency, What we're talking about is criticality. We're talking about time sensitivity. How quickly is this that need? Is this something that needs to be,
00:51
uh,
00:52
modified or mitigated and then severity? What is the potential for loss based on the level of vulnerability that's discovered?
01:00
So this information is gonna submit it or is going to lead us to the corrective actions and the corrective actions go right back to risk management. What are we doing? We look to reduce except transfer risks. We can reduce the risks sometimes referred to as mitigating.
01:19
So if we determine the flaw, we can fix that flaw
01:22
and that will mitigate the risk associated with the flaw.
01:26
We could transfer the risk, and the idea of a high risk transference is, let's say that in our software we find a specific piece of function that has a vulnerability.
01:38
We don't have time to fix this problem, So what we could do is not include that specific piece of functionality. We could postpone that function until the next release of our system. Our of our application,
01:52
where we have the time in the effort in the resource is to fix that. So we're transferring the risk to our next project, and we'll feel will essentially deal with it. Then
02:01
we can avoid risk by not using the software at all. We're replacing the software or replacing the function or not even using the function at all would be risk avoidance. And at some point in time, we do risk acceptance. Remember, if we determine that the potential for loss is so low
02:20
that it doesn't justify the expense of mitigation and we'll just accept the risk.
02:24
And that's also Ah ah, very valid response. As a matter of fact, we accept many risks because when we look at the environment in which this system or the software's gonna be placed. We decide that even though there may be a an inherent vulnerability of the software, it may
02:42
be implemented in such a secure environment that that vulnerability really isn't a problem.
02:46
For instance, that this software is gonna be installed on a sub net that has no network access, no outsider external capabilities. Then we may go ahead and accept whatever risk is associated with the production of the code. So with the assessment, we want to figure out how critical or how urgent the flaw is,
03:07
and then water the corrective action strategies
03:09
fix the problem
03:12
when we talk about addressing the defects. The idea is, when we do find a defect, we want to fix the defect in the development environment or were writing the code. Let's find our problems and let's give it to the developers. The developers are gonna be the ones that are gonna want to correct the flaws.
03:30
Then we want to find out if the solution actually fixed the problem through testing. So we move on to the testing environment, and if things work now, it passes are penetration test our vulnerability stands, then we're good.
03:45
If not, we go right back to the drawing board and go right back to implementation.
03:49
Um, if it does pass the tests, then we're gonna take that software to use her acceptance testing and allow our users to test it for functionality.
04:00
User acceptance testing is really one of the last things that we do before the official release of the software. If the user's except the software and it meets all of their tests and all of their requirements, then we'll go through some of the final finishing stages. And we're very close to turning that software
04:18
over to the customer for their acceptance
04:20
and then implementing the software.
04:24
All right, this is gonna wrap up the secure software testing factor like I mentioned is not a very long chapter. Just go some of the through some of the principles off software testing. So we talk about quality. Assurance is roll. We talked about the testing artifacts like test case tests, planned test strategy,
04:43
and then we go through the various types of testing, whether it's scanning or penetration testing
04:47
and then our corrective action plan. So all of these elements describe the process of secure software testing

Up Next

ISC2 Certified Secure Software Life-cycle Professional (CSSLP)

This course helps professionals in the industry build their credentials to advance within their organization, allowing them to learn valuable managerial skills as well as how to apply the best practices to keep organizations systems running well.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor