Certified in Cybersecurity
A couple of months ago, I saw a post made by somebody on LinkedIn talking about the (ISC)2 organization's new certification in Cybersecurity.
It is an entry-level certification designed for people who may work in the IT field or are in the process of changing careers and do not hold any sort of certification in cybersecurity. The goal is to have one million people Certified in Cybersecurity, so they're offering free self-paced classes, as well as one free exam voucher
(To read more about it, click here: ISC2 Certified in Cybersecurity).
The domains covered in this exam are 1) Security Principles, 2) Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts, 3) Access Controls Concepts, 4) Network Security, 5) Security Operations
I decided to sign up and take the self-placed classes and I will be taking the exam soon. I am familiar with all of these concepts as I have come across them several times when it comes to cloud computing, but what I like is that I am now learning about these things from the perspective of security.
Switching to the field of cybersecurity has helped me finally understand how it all works together. I think that every software developer should learn the very basics and start incorporating security principles as soon as they start typing code.
When it comes to cybersecurity, everything is built on the CIA triad. When I first read this I thought they were talking about the US government agency, but I was very wrong! The meaning of CIA is confidentiality, integrity, and availability. These are the very basic concepts of information assurance.
We must make sure that the software we write keeps the data confidential, and only accessible to those who need it, data needs to be protected! We must ensure that the integrity of the data is intact, the data has not been corrupted, or altered in an unauthorized manner. And lastly, the data must be available to authorized users when and where it is needed, and in the form and format that is required.
When we take these concepts and apply them to the cloud, we have to make sure we know how each cloud service provider handles IAM.
What do I mean by that? I will use AWS and GCP as my main examples.
With AWS, we create users, and we attach permission policies directly to each user. If this user needs to do something differently, then we can create a role, assign the said role to the user, and once they are done with the specific task, the role is deleted. Roles in AWS are temporary. With GCP, access to a resource is not granted to the user directly, we must create a role, and this role is granted to an authenticated principal. Roles in GCP are permanent.
When creating the users, roles, and permission rules we have to make sure we keep the CIA triad in mind. To minimize any risk, we must always remember the principle of least privilege. We give people access to the things necessary to do their jobs, and nothing else.
There is also the principle of zero-trust, and this is a more rigorous process where we may ask the user(s) to authenticate their identity every step of the way before being able to access databases and servers, just to name a couple of examples.
I know I jumped ahead so how do I bring it back to software development? How do we ensure the code we write is secure?
We must make sure the code we write does not have any bugs. And how do we make sure the code is free of bugs? Say it with me: TESTS.
I know as developers the last thing we want to do is write any sort of test for our software, but the only way to make sure that our software is secure is to make sure we do not accidentally write any bugs! If there is a bug, we must make sure we work quickly and efficiently to fix it. We must make sure our software is up to date, and any patches implemented must be first deployed in a test environment before going live (yes, it's that word again... TEST).
Lastly, I truly believe every developer should learn the TCP/IP protocol and how data moves through the network. Learn the secure internet protocols and secure ports; learn about packets and packet tracing. Knowing how data is transported and the different tools used to keep track of this, will make only make you better!
I took a little detour to study for this exam, but I will try to finish the GCP series I started about a month ago. I am looking forward to writing more articles about cybersecurity and how I apply all of this to the cloud!
Stay tuned :)