Chapter 6. Day 6 – Security Engineering - Security Design, Practices, Models, and Vulnerability Mitigation

The security engineering domain consists of the security design principles that are the building blocks of secure software, hardware, and networking products. It also addresses best practices, proven models, and processes that can be adopted during product design, with the aim of ensuring a sound security implementation. The domain further covers technical vulnerabilities and their mitigation, as well as cryptography and the principles and practices of physical security.

A candidate appearing for the CISSP exam is expected to have a foundational understanding of the following key areas of the security engineering domain:

  • Secure design principles
  • Security engineering practices
  • Security organizational processes
  • Information security models
  • Systems security evaluation models
  • Security capabilities in information systems
  • Vulnerability assessment and mitigation in information systems
  • Vulnerability assessment and mitigation in web-based systems
  • Vulnerability assessment and mitigation in mobile systems
  • Vulnerability assessment and mitigation in embedded and cyber-physical systems
  • The fundamentals of cryptography
  • The application of cryptography
  • Physical security principles for sites and facilities
  • Environmental security practices for sites and facilities

To get the most out of this chapter, you need to understand and memorize the subtle differences between vulnerability testing and mitigation actions, between security engineering practices and organizational processes, and between information security models and systems security evaluation models.

An overview of security design, practices, models, and vulnerability mitigation

Security engineering is based on design principles, practices, and models that ensure the confidentiality, integrity, and availability requirements of information assets are met. The end result could be a product or a set of supporting organizational processes. The product, in turn, could be hardware, software, or a combination of both.

Vulnerabilities are weaknesses in a process or product that might creep in during the design stage, during development, or into the end product. These weaknesses could be exploited for a myriad of reasons, including fraud, theft of trade secrets, denial of service, and so on. Identifying vulnerabilities during the design and development stages is critical to securing the end product. Since the information technology environment is complex and diverse, it may not always be possible to foresee and identify every vulnerability during design and development. Hence, vulnerability identification remains essential even after the product or service is rolled out, and a robust security implementation needs mitigation plans and ongoing maintenance.

Observe the following illustration:

[Figure: An overview of security design, practices, models, and vulnerability mitigation]

The following bullet points give a brief overview of the preceding diagram and explain the overall structure of this chapter in a logical sequence:

  • IT assets can be grouped as software, hardware, and networking related
  • Software can be further grouped as operating systems, application software, embedded software, mobile applications, and web applications
  • Hardware and networking systems may contain embedded software
  • Security requirements should be addressed in a continual process through design, development, and integration phases
  • Vulnerabilities might creep in during any of these phases
  • By adhering to software development engineering practices and security organizational processes, vulnerability issues can be addressed