Home > Store

CISSP Cert Guide, 4th Edition

Register your product to gain access to bonus material or receive a coupon.

CISSP Cert Guide, 4th Edition

Best Value Purchase

Book + eBook Bundle

  • Your Price: $80.49
  • List Price: $139.98
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Tests. Click on the "Premium Edition" tab (on the left side of this page) to learn more about this product.

    Your purchase will deliver:

    • Link to download the enhanced Pearson IT Certification Practice Test exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    The eBooks require no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

    eBook Download Instructions

More Purchase Options

Book

  • Your Price: $55.99
  • List Price: $69.99
  • Usually ships in 24 hours.

Premium Edition eBook

  • Your Price: $55.99
  • List Price: $69.99
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Tests. Click on the "Premium Edition" tab (on the left side of this page) to learn more about this product.

    Your purchase will deliver:

    • Link to download the enhanced Pearson IT Certification Practice Test exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    The eBooks require no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    Watermarked eBook FAQ

    eBook Download Instructions

Description

  • Copyright 2023
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 928
  • Edition: 4th
  • Book
  • ISBN-10: 0-13-750747-X
  • ISBN-13: 978-0-13-750747-4

Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.

  • Master the latest CISSP exam topics
  • Assess your knowledge with chapter-ending quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions
  • Get practical guidance for test taking strategies

CISSP Cert Guide, Fourth Edition is a comprehensive exam study guide. Leading IT certification experts Robin Abernathy and Darren Hayes share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.

This study guide helps you master all the topics on the CISSP exam, including

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Premium Edition

The CISSP Cert Guide, Premium Edition eBook and Practice Test, Fourth Edition is a digital-only certification preparation product combining an eBook with enhanced Pearson Test Prep practice test software. The Premium Edition eBook and Practice Test contains the following items:

  • The CISSP Premium Edition Practice Test, including four full practice exams and enhanced practice test features
  • PDF and EPUB formats of the CISSP Cert Guide, Fourth Edition from Pearson IT Certification, which are accessible via your PC, tablet, and smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson Test Prep practice test software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package

  • Enables you to focus on individual topic areas or take complete, timed exams
  • Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
  • Provides unique sets of exam-realistic practice questions
  • Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson Test Prep practice test software minimum system requirements:

Pearson Test Prep online system requirements:

Browsers: Chrome version 73 and above, Safari version 12 and above, Microsoft Edge 44 and above.

Devices: Desktop and laptop computers, tablets running on Android v8.0 and iOS v13, smartphones with a minimum screen size of 4.7. Internet access required.

Pearson Test Prep offline system requirements:

Windows 10, Windows 8.1; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases.

About the Premium Edition eBook

Learn, prepare, and practice for CISSP exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.

  • Master the latest CISSP exam topics
  • Assess your knowledge with chapter-ending quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions
  • Get practical guidance for test taking strategies

CISSP Cert Guide, Fourth Edition is a best-of-breed exam study guide. Leading IT certification experts Robin Abernathy and Darren Hayes share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.

The companion website contains the powerful Pearson Test Prep practice test software engine, complete with hundreds of exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this CISSP study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.

This study guide helps you master all the topics on the CISSP exam, including

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Sample Content

Table of Contents

Introduction xlvii
Chapter 1 Security and Risk Management 5
Security Terms 6
    CIA 6
    Auditing and Accounting 7
    Non-repudiation 8
    Default Security Posture 8
    Defense in Depth 9
    Abstraction 10
    Data Hiding 10
    Encryption 10
Security Governance Principles 10
    Security Function Alignment 12
    Organizational Processes 14
    Organizational Roles and Responsibilities 16
    Security Control Frameworks 20
    Due Care and Due Diligence 38
Compliance 38
    Contractual, Legal, Industry Standards, and Regulatory Compliance 40
    Privacy Requirements Compliance 40
Legal and Regulatory Issues 41
    Computer Crime Concepts 41
    Major Legal Systems 43
    Licensing and Intellectual Property 46
    Cyber Crimes and Data Breaches 50
    Import/Export Controls 51
    Trans-Border Data Flow 51
    Privacy 52
Investigation Types 62
    Operations/Administrative 63
    Criminal 63
    Civil 64
    Regulatory 64
    Industry Standards 64
    eDiscovery 67
Professional Ethics 67
     (ISC)2 Code of Ethics 67
    Computer Ethics Institute 68
    Internet Architecture Board 68
    Organizational Code of Ethics 69
Security Documentation 69
    Policies 70
    Processes 72
    Procedures 72
    Standards 73
    Guidelines 73
    Baselines 73
Business Continuity 73
    Business Continuity and Disaster Recovery Concepts 73
    Scope and Plan 77
    BIA Development 81
Personnel Security Policies and Procedures 85
    Candidate Screening and Hiring 85
    Employment Agreements and Policies 87
    Employee Onboarding and Offboarding Policies 88
    Vendor, Consultant, and Contractor Agreements and Controls 88
    Compliance Policy Requirements 89
    Privacy Policy Requirements 89
    Job Rotation 89
    Separation of Duties 89
Risk Management Concepts 90
    Asset and Asset Valuation 90
    Vulnerability 91
    Threat 91
    Threat Agent 91
    Exploit 91
    Risk 91
    Exposure 92
    Countermeasure 92
    Risk Appetite 92
    Attack 93
    Breach 93
    Risk Management Policy 94
    Risk Management Team 94
    Risk Analysis Team 94
    Risk Assessment 95
    Implementation 100
    Control Categories 100
    Control Types 102
    Controls Assessment, Monitoring, and Measurement 108
    Reporting and Continuous Improvement 108
    Risk Frameworks 109
    A Risk Management Standard by the Federation of European Risk Management Associations (FERMA) 128
Geographical Threats 129
    Internal Versus External Threats 129
    Natural Threats 130
    System Threats 131
    Human-Caused Threats 133
    Politically Motivated Threats 135
Threat Modeling 137
    Threat Modeling Concepts 138
    Threat Modeling Methodologies 138
    Identifying Threats 141
    Potential Attacks 142
    Remediation Technologies and Processes 143
Security Risks in the Supply Chain 143
    Risks Associated with Hardware, Software, and Services 144
    Third-Party Assessment and Monitoring 144
    Minimum Service-Level and Security Requirements 145
    Service-Level Requirements 146
Security Education, Training, and Awareness 147
    Levels Required 147
    Methods and Techniques 148
    Periodic Content Reviews 148
Review All Key Topics 148
Complete the Tables and Lists from Memory 150
Define Key Terms 150
Answers and Explanations 157
Chapter 2 Asset Security 165
Asset Security Concepts 166
    Asset and Data Policies 166
    Data Quality 167
    Data Documentation and Organization 168
Identify and Classify Information and Assets 169
    Data and Asset Classification 170
    Sensitivity and Criticality 170
    Private Sector Data Classifications 175
    Military and Government Data Classifications 176
Information and Asset Handling Requirements 177
    Marking, Labeling, and Storing 178
    Destruction 178
Provision Resources Securely 179
    Asset Inventory and Asset Management 179
Data Life Cycle 180
    Databases 182
    Roles and Responsibilities 188
    Data Collection and Limitation 191
    Data Location 192
    Data Maintenance 192
    Data Retention 193
    Data Remanence and Destruction 193
    Data Audit 194
Asset Retention 195
Data Security Controls 197
    Data Security 197
    Data States 197
    Data Access and Sharing 198
    Data Storage and Archiving 199
    Baselines 200
    Scoping and Tailoring 201
    Standards Selection 201
    Data Protection Methods 202
Review All Key Topics 205
Define Key Terms 205
Answers and Explanations 207
Chapter 3 Security Architecture and Engineering 213
Engineering Processes Using Secure Design Principles 214
    Objects and Subjects 215
    Closed Versus Open Systems 215
    Threat Modeling 215
    Least Privilege 216
    Defense in Depth 216
    Secure Defaults 216
    Fail Securely 217
    Separation of Duties (SoD) 217
    Keep It Simple 218
    Zero Trust 218
    Privacy by Design 218
    Trust but Verify 219
    Shared Responsibility 219
Security Model Concepts 220
    Confidentiality, Integrity, and Availability 220
    Confinement 220
    Bounds 221
    Isolation 221
    Security Modes 221
    Security Model Types 222
    Security Models 226
    System Architecture Steps 230
    ISO/IEC 42010:2011 231
    Computing Platforms 231
    Security Services 234
    System Components 235
System Security Evaluation Models 244
    TCSEC 245
    ITSEC 248
    Common Criteria 250
    Security Implementation Standards 252
    Controls and Countermeasures 255
Certification and Accreditation 256
Control Selection Based on Systems Security Requirements 256
Security Capabilities of Information Systems 257
    Memory Protection 257
    Trusted Platform Module 258
    Interfaces 259
    Fault Tolerance 259
    Policy Mechanisms 260
    Encryption/Decryption 260
Security Architecture Maintenance 261
Vulnerabilities of Security Architectures, Designs, and Solution Elements 261
    Client-Based Systems 262
    Server-Based Systems 263
    Database Systems 264
    Cryptographic Systems 265
    Industrial Control Systems 265
    Cloud-Based Systems 268
    Large-Scale Parallel Data Systems 274
    Distributed Systems 275
    Grid Computing 275
    Peer-to-Peer Computing 275
    Internet of Things 276
    Microservices 280
    Containerization 281
    Serverless Systems 281
    High-Performance Computing Systems 282
    Edge Computing Systems 282
    Virtualized Systems 283
Vulnerabilities in Web-Based Systems 283
    Maintenance Hooks 284
    Time-of-Check/Time-of-Use Attacks 284
    Web-Based Attacks 285
    XML 285
    SAML 285
    OWASP 286
Vulnerabilities in Mobile Systems 286
    Device Security 287
    Application Security 287
    Mobile Device Concerns 287
    NIST SP 800-164 290
Vulnerabilities in Embedded Systems 291
Cryptographic Solutions 292
    Cryptography Concepts 292
    Cryptography History 294
    Cryptosystem Features 298
    NIST SP 800-175A and B 299
    Cryptographic Mathematics 300
    Cryptographic Life Cycle 302
Cryptographic Types 304
    Running Key and Concealment Ciphers 305
    Substitution Ciphers 305
    Transposition Ciphers 307
    Symmetric Algorithms 308
    Asymmetric Algorithms 310
    Hybrid Ciphers 311
    Elliptic Curves 312
    Quantum Cryptography 312
Symmetric Algorithms 312
    DES and 3DES 313
    AES 316
    IDEA 317
    Skipjack 317
    Blowfish 317
    Twofish 318
    RC4/RC5/RC6/RC7 318
    CAST 318
Asymmetric Algorithms 319
    Diffie-Hellman 320
    RSA 320
    El Gamal 321
    ECC 321
    Knapsack 322
    Zero-Knowledge Proof 322
Public Key Infrastructure and Digital Certificates 322
    Certificate Authority and Registration Authority 323
    Certificates 323
    Certificate Life Cycle 324
    Certificate Revocation List 327
    OCSP 327
    PKI Steps 327
    Cross-Certification 328
Key Management Practices 328
Message Integrity 332
    Hashing 333
    Message Authentication Code 337
    Salting 339
Digital Signatures and Non-repudiation 339
    DSS 340
    Non-repudiation 340
Applied Cryptography 340
    Link Encryption Versus End-to-End Encryption 340
    Email Security 340
    Internet Security 341
Cryptanalytic Attacks 341
    Ciphertext-Only Attack 342
    Known Plaintext Attack 342
    Chosen Plaintext Attack 342
    Chosen Ciphertext Attack 342
    Social Engineering 342
    Brute Force 343
    Differential Cryptanalysis 343
    Linear Cryptanalysis 343
    Algebraic Attack 343
    Frequency Analysis 343
    Birthday Attack 344
    Dictionary Attack 344
    Replay Attack 344
    Analytic Attack 344
    Statistical Attack 344
    Factoring Attack 344
    Reverse Engineering 344
    Meet-in-the-Middle Attack 345
    Ransomware Attack 345
    Side-Channel Attack 345
    Implementation Attack 345
    Fault Injection 345
    Timing Attack 346
    Pass-the-Hash Attack 346
Digital Rights Management 346
    Document DRM 347
    Music DRM 347
    Movie DRM 347
    Video Game DRM 348
    E-book DRM 348
Site and Facility Design 348
    Layered Defense Model 348
    CPTED 348
    Physical Security Plan 350
    Facility Selection Issues 351
Site and Facility Security Controls 353
    Doors 353
    Locks 355
    Biometrics 356
    Type of Glass Used for Entrances 356
    Visitor Control 357
    Wiring Closets/Intermediate Distribution Facilities 357
    Restricted and Work Areas 357
    Environmental Security and Issues 358
    Equipment Physical Security 362
Review All Key Topics 364
Complete the Tables and Lists from Memory 366
Define Key Terms 366
Answers and Explanations 372
Chapter 4 Communication and Network Security 377
Secure Network Design Principles 378
    OSI Model 378
    TCP/IP Model 383
IP Networking 389
    Common TCP/UDP Ports 389
    Logical and Physical Addressing 391
    IPv4 392
    Network Transmission 399
    IPv6 403
    Network Types 416
Protocols and Services 421
    ARP/RARP 422
    DHCP/BOOTP 423
    DNS 424
    FTP, FTPS, SFTP, and TFTP 424
    HTTP, HTTPS, and S-HTTP 425
    ICMP 425
    IGMP 426
    IMAP 426
    LDAP 426
    LDP 426
    NAT 426
    NetBIOS 426
    NFS 427
    PAT 427
    POP 427
    CIFS/SMB 427
    SMTP 427
    SNMP 427
    SSL/TLS 428
    Multilayer Protocols 428
Converged Protocols 429
    FCoE 429
    MPLS 430
    VoIP 431
    iSCSI 431
Wireless Networks 431
    FHSS, DSSS, OFDM, VOFDM, FDMA, TDMA, CDMA, OFDMA, and GSM 432
    WLAN Structure 435
    WLAN Standards 436
    WLAN Security 439
Communications Cryptography 445
    Link Encryption 445
    End-to-End Encryption 446
    Email Security 446
    Internet Security 448
Secure Network Components 450
    Hardware 450
    Transmission Media 471
    Network Access Control Devices 491
    Endpoint Security 493
    Content-Distribution Networks 494
Secure Communication Channels 495
    Voice 495
    Multimedia Collaboration 495
    Remote Access 497
    Data Communications 507
    Virtualized Networks 507
Network Attacks 509
    Cabling 509
    Network Component Attacks 510
    ICMP Attacks 512
    DNS Attacks 514
    Email Attacks 516
    Wireless Attacks 518
    Remote Attacks 519
    Other Attacks 519
Review All Key Topics 521
Define Key Terms 522
Answers and Explanations 529
Chapter 5 Identity and Access Management (IAM) 535
Access Control Process 536
    Identify Resources 536
    Identify Users 536
    Identify the Relationships Between Resources and Users 537
Physical and Logical Access to Assets 537
    Access Control Administration 538
    Information 539
    Systems 539
    Devices 540
    Facilities 540
    Applications 541
Identification and Authentication Concepts 541
    NIST SP 800-63 542
    Five Factors for Authentication 546
    Single-Factor Versus Multifactor Authentication 557
    Device Authentication 557
Identification and Authentication Implementation 558
    Separation of Duties 558
    Least Privilege/Need-to-Know 559
    Default to No Access 560
    Directory Services 560
    Single Sign-on 561
    Session Management 566
    Registration, Proof, and Establishment of Identity 566
    Credential Management Systems 567
    Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+) 568
    Accountability 568
    Just-In-Time (JIT) 570
Identity as a Service (IDaaS) Implementation 571
Third-Party Identity Services Integration 571
Authorization Mechanisms 572
    Permissions, Rights, and Privileges 572
    Access Control Models 572
    Access Control Policies 580
Provisioning Life Cycle 580
    Provisioning 581
    User, System, and Service Account Access Review 582
    Account Transfers 582
    Account Revocation 583
    Role Definition 583
    Privilege Escalation 583
Access Control Threats 584
    Password Threats 585
    Social Engineering Threats 586
    DoS/DDoS 588
    Buffer Overflow 588
    Mobile Code 588
    Malicious Software 589
    Spoofing 589
    Sniffing and Eavesdropping 589
    Emanating 590
    Backdoor/Trapdoor 590
    Access Aggregation 590
    Advanced Persistent Threat 591
Prevent or Mitigate Access Control Threats 591
Review All Key Topics 592
Define Key Terms 593
Answers and Explanations 596
Chapter 6 Security Assessment and Testing 601
Design and Validate Assessment and Testing Strategies 602
    Security Testing 602
    Security Assessments 603
    Red Team versus Blue Team 603
    Security Auditing 604
    Internal, External, and Third-party Security Assessment, Testing, and Auditing 604
Conduct Security Control Testing 605
    Vulnerability Assessment 605
    Penetration Testing 609
    Log Reviews 611
    Synthetic Transactions 616
    Code Review and Testing 616
    Misuse Case Testing 619
    Test Coverage Analysis 619
    Interface Testing 620
Collect Security Process Data 620
    NIST SP 800-137 620
    Account Management 621
    Management Review and Approval 622
    Key Performance and Risk Indicators 622
    Backup Verification Data 623
    Training and Awareness 623
    Disaster Recovery and Business Continuity 624
Analyze Test Outputs and Generate a Report 624
Conduct or Facilitate Security Audits 624
Review All Key Topics 626
Define Key Terms 627
Answers and Explanations 630
Chapter 7 Security Operations 637
Investigations 638
    Forensic and Digital Investigations 638
    Evidence Collection and Handling 646
    Digital Forensic Tools, Tactics, and Procedures 651
Logging and Monitoring Activities 654
    Audit and Review 654
    Log Types 655
    Intrusion Detection and Prevention 656
    Security Information and Event Management (SIEM) 656
    Continuous Monitoring 657
    Egress Monitoring 657
    Log Management 658
    Threat Intelligence 658
    User and Entity Behavior Analytics (UEBA) 659
Configuration and Change Management 659
    Resource Provisioning 661
    Baselining 664
    Automation 664
Security Operations Concepts 664
    Need to Know/Least Privilege 664
    Managing Accounts, Groups, and Roles 665
    Separation of Duties and Responsibilities 666
    Privilege Account Management 666
    Job Rotation and Mandatory Vacation 666
    Two-Person Control 667
    Sensitive Information Procedures 667
    Record Retention 667
    Information Life Cycle 668
    Service-Level Agreements 668
Resource Protection 669
    Protecting Tangible and Intangible Assets 669
    Asset Management 671
Incident Management 680
    Event Versus Incident 680
    Incident Response Team and Incident Investigations 681
    Rules of Engagement, Authorization, and Scope 681
    Incident Response Procedures 682
    Incident Response Management 682
    Detect 683
    Respond 683
    Mitigate 683
    Report 684
    Recover 684
    Remediate 684
    Review and Lessons Learned 684
Detective and Preventive Measures 684
    IDS/IPS 685
    Firewalls 685
    Whitelisting/Blacklisting 685
    Third-Party Security Services 686
    Sandboxing 686
    Honeypots/Honeynets 686
    Anti-malware/Antivirus 686
    Clipping Levels 686
    Deviations from Standards 687
    Unusual or Unexplained Events 687
    Unscheduled Reboots 687
    Unauthorized Disclosure 687
    Trusted Recovery 688
    Trusted Paths 688
    Input/Output Controls 688
    System Hardening 688
    Vulnerability Management Systems 689
    Machine Learning and Artificial Intelligence (AI)-Based Tools 689
Patch and Vulnerability Management 689
Recovery Strategies 690
    Create Recovery Strategies 691
    Backup Storage Strategies 699
    Recovery and Multiple Site Strategies 700
    Redundant Systems, Facilities, and Power 703
    Fault-Tolerance Technologies 704
    Insurance 704
    Data Backup 705
    Fire Detection and Suppression 705
    High Availability 705
    Quality of Service 706
    System Resilience 706
Disaster Recovery 706
    Response 707
    Personnel 707
    Communications 709
    Assessment 710
    Restoration 710
    Training and Awareness 710
    Lessons Learned 710
Testing Disaster Recovery Plans 711
    Read-Through Test 711
    Checklist Test 712
    Table-Top Exercise 712
    Structured Walk-Through Test 712
    Simulation Test 712
    Parallel Test 712
    Full-Interruption Test 712
    Functional Drill 713
    Evacuation Drill 713
Business Continuity Planning and Exercises 713
Physical Security 713
    Perimeter Security Controls 713
    Building and Internal Security Controls 719
Personnel Safety and Security 719
    Duress 720
    Travel 720
    Monitoring 720
    Emergency Management 721
    Security Training and Awareness 721
Review All Key Topics 722
Define Key Terms 723
Answers and Explanations 727
Chapter 8 Software Development Security 733
Software Development Concepts 734
    Machine Languages 734
    Assembly Languages and Assemblers 734
    High-Level Languages, Compilers, and Interpreters 734
    Object-Oriented Programming 735
    Distributed Object-Oriented Systems 737
    Mobile Code 739
Security in the System and Software Development Life Cycle 743
    System Development Life Cycle 743
    Software Development Life Cycle 746
    DevSecOps 750
    Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) 750
    Security Orchestration and Automated Response (SOAR) 751
    Software Development Methods and Maturity Models 751
    Operation and Maintenance 762
    Integrated Product Team 763
Security Controls in Development 764
    Software Development Security Best Practices 764
    Software Environment Security 765
    Source Code Analysis Tools 766
    Code Repository Security 766
    Software Threats 766
    Software Protection Mechanisms 772
Assess Software Security Effectiveness 774
    Auditing and Logging 774
    Risk Analysis and Mitigation 774
    Regression and Acceptance Testing 775
Security Impact of Acquired Software 775
Secure Coding Guidelines and Standards 776
    Security Weaknesses and Vulnerabilities at the Source Code Level 776
    Security of Application Programming Interfaces 780
    Secure Coding Practices 780
Review All Key Topics 782
Define Key Terms 782
Answers and Explanations 786
Chapter 9 Final Preparation 791
Tools for Final Preparation 791
    Pearson Test Prep Practice Test Engine and Questions on the Website 791
    Customizing Your Exams 793
    Updating Your Exams 794
    Memory Tables 795
    Chapter-Ending Review Tools 795
Suggested Plan for Final Review/Study 795
Summary 796
Online Elements
Appendix A
Memory Tables
Appendix B Memory Tables Answer Key
Glossary

9780137507474   TOC   9/19/2022

Updates

Submit Errata

More Information

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020