Duration: 2 Months / 20 Hours
Price: 90,000 / 80,000

ISC CSSLP Certified Secure Software Lifecycle Professional

Certified Secure Software Lifecycle Professional (CSSLP) has been built to validate software professionals with the expertise to incorporate security practices (authentication, authorization and auditing) into each phase of the software development lifecycle (SDLC), from software design and implementation to testing and deployment. The CSSLP Common Body of Knowledge (CBK) ensures relevance across all disciplines in the field of information security. Certified candidates are expected to hold expertise in.


Key Learnings:

Understand core security concepts and design principles to create a robust security posture within the software development lifecycle (SDLC).
Define and integrate software security requirements while ensuring compliance with relevant regulations and data classification standards.
Develop competence in threat modeling and defining security architecture to mitigate potential risks in software design.
Learn secure coding practices and analyze code for vulnerabilities to maintain code integrity during implementation.
Devise a comprehensive security testing strategy, including the development of security test cases and analysis of test results for impact.
Manage secure software lifecycle management by incorporating security in configuration, defining security roadmaps, and promoting a security culture.
Ensure secure software deployment, operations, maintenance, and disposal adhering to best practices.


Course Content:


Domain 1: Secure Software Concepts (12%)


1.1: Understand Core Concepts 
Confidentiality (e.g., Encryption)
Integrity (e.g., Hashing, Digital Signatures, Code Signing, Reliability, Modifications, Authenticity)
Availability (e.g., Redundancy, Replication, Clustering, Scalability, Resiliency)
Authentication (e.g., Multi-Factor Authentication (MFA), Identity & Access Management (IAM), Single Sign-On (SSO), Federated Identity, Biometrics)
Authorization (e.g., Access Controls, Permissions, Entitlements)
Accountability (e.g., Auditing, Logging)
Nonrepudiation (e.g., Digital Signatures, Blockchain)
Governance, Risk and Compliance (GRC) Standards (e.g., Regulatory Authority, Legal, Industry)

1.2: Understand Security Design Principles
Least Privilege (e.g., Access Control, Need-to-Know, Run-Time Privileges, Zero Trust)
Segregation of Duties (SoD) (e.g., Multi-Party Control, Secret Sharing, Split Knowledge)
Defense in Depth (e.g., Layered Controls, Geographical Diversity, Technical Diversity, Distributed Systems)
Resiliency (e.g., Fail Safe, Fail Secure, No Single Point of Failure, Failover)
Economy of Mechanism (e.g., Single Sign-On (SSO), Password Vaults, Resource Efficiency)
Complete Mediation (e.g., Cookie Management, Session Management, Caching of Credentials)
Open Design (e.g., Kerckhoffs’s Principle, Peer Review, Open Source, Crowd Source)
Least Common Mechanism (e.g., Compartmentalization/Isolation, Allow/Accept List)
Psychological Acceptability (e.g., Password Complexity, Passwordless Authentication, Screen Layouts, Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA))
Component Reuse (e.g., Common Controls, Libraries)


Domain 2: Secure Software Lifecycle Management (11%)


2.1: Manage Security within a Software Development Methodology (e.g., Agile, Waterfall)

2.2: Identify and Adopt Security Standards (e.g., Implementing Security Frameworks, Promoting Security Awareness)

2.3: Outline Strategy and Roadmap
Security Milestones and Checkpoints (e.g., Control Rate, Break/Build Criteria)
2.4: Define and Develop Security Documentation
2.5: Define Security Metrics (e.g., Criticality Level, Average Remediation Time, Complexity, Key Performance Indicators (KPI), Objectives and Key Results)
2.6: Decommission Applications
End of Life (EOL) Policies (e.g., Credential Removal, Configuration Removal, License Cancellation, Archiving, Service-Level Agreements (SLA))
Data Disposition (e.g., Retention, Destruction, Dependencies)
2.7: Create Security Reporting Mechanisms (e.g., Reports, Dashboards, Feedback Loops)
2.8: Incorporate Integrated Risk Management Methods
Regulations, Standards and Guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security in Maturity Model (BSIMM))
Legal (e.g., Intellectual Property, Breach Notification)
Risk Management (e.g., Risk Assessment, Risk Analysis)
Technical Risk vs. Business Risk
2.9: Implement Secure Operation Practices
Change Management Process
Incident Response Plan
Verification and Validation
Assessment and Authorization (A&A) Process


Domain 3: Secure Software Requirements (13%)
3.1: Define Software Security Requirements
Functional (e.g., Business Requirements, Use Cases, Stories)
Non-Functional (e.g., Security, Operational, Continuity, Deployment)
3.2: Identify Compliance Requirements
Regulatory Authority
Legal
Industry-Specific (e.g., Defense, Healthcare, Commercial, Financial, Payment Card Industry (PCI))
Company-Wide (e.g., Development Tools, Standards, Frameworks, Protocols)
3.3: Identify Data Classification Requirements
Data Ownership (e.g., Data Dictionary, Data Owner, Data Custodian)
Data Labeling (e.g., Sensitivity, Impact)
Data Types (e.g., Structured, Unstructured)
Data Lifecycle (e.g., Generation, Storage, Retention, Disposal)
Data Handling (e.g., Personally Identifiable Information (PII), Publicly Available Information)
3.4: Identify Privacy Requirements
Data Collection Scope
Data Anonymization (e.g., Pseudo Anonymous, Fully Anonymous)
User Rights (Legal) and Preferences (e.g., Data Disposal, Right to be Forgotten, Marketing Preferences, Sharing and Using Third Parties, Terms of Service)
Data Retention (e.g., How Long, Where, What)
Cross-Border Requirements (e.g., Data Residency, Jurisdiction, Multi-National Data Processing Boundaries)
3.5: Define Data Access Provisioning
User Provisioning
Service Accounts
Reapproval Process
3.6: Develop Misuse and Abuse Cases
Mitigating Control Identification
3.7: Develop Security Requirement Traceability Matrix
3.8: Define Third-Party Vendor Security Requirements

Domain 4: Secure Software Architecture and Design (15%)

4.1: Define the Security Architecture
Secure Architecture and Design Patterns (e.g., Sherwood Applied Business Security Architecture (SABSA), Security Chain of Responsibility, Federated Identity)
Security Controls Identification and Prioritization
Distributed Computing (e.g., Client Server, Peer-to-Peer (P2P), Message Queuing, N-Tier)
Service-Oriented Architecture (SOA) (e.g., Enterprise Service Bus, Web Services, Microservices)
Rich Internet Applications (e.g., Client-Side Exploits or Threats, Remote Code Execution, Constant Connectivity)
Pervasive/Ubiquitous Computing (e.g., Internet of Things (IoT), Wireless, Location-Based, Radio-Frequency Identification (RFID), Near Field Communication (NFC), Sensor Networks, Mesh)
Embedded Software (e.g., Secure Boot, Secure Memory, Secure Update)
Cloud Architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
Mobile Applications (e.g., Implicit Data Collection Privacy)
Hardware Platform Concerns (e.g., Side-Channel Mitigation, Speculative Execution Mitigation, Secure Element, Firmware, Drivers)
Cognitive Computing (e.g., Artificial Intelligence (AI), Virtual Reality, Augmented Reality)
Industrial Internet of Things (IoT) (e.g., Facility-Related, Automotive, Robotics, Medical Devices, Software-Defined Production Processes)

4.2: Perform Secure Interface Design
Security Management Interfaces, Out-of-Band Management, Log Interfaces
Upstream/Downstream Dependencies (e.g., Key and Data Sharing Between Apps)
Protocol Design Choices (e.g., Application Programming Interfaces (API), Weaknesses, State, Models)

4.3: Evaluate and Select Reusable Technologies
Credential Management (e.g., X.509, Single Sign-On (SSO))
Flow Control (e.g., Proxies, Firewalls, Protocols, Queuing)
Data Loss Prevention (DLP)
Virtualization (e.g., Infrastructure as Code (IaC), Hypervisor, Containers)
Trusted Computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))
Database Security (e.g., Encryption, Triggers, Views, Privilege Management, Secure Connections)
Programming Language Environment (e.g., Common Language Runtime (CLR), Java Virtual Machine (JVM), Python, PowerShell)
Operating System (OS) Controls and Services
Secure Backup and Restoration Planning
Secure Data Retention, Retrieval, and Destruction

4.4: Perform Threat Modeling
Threat Modeling Methodologies (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Process for Attack Simulation and Threat Analysis (PASTA), Hybrid Threat Modeling Method, Common Vulnerability Scoring System (CVSS))
Common Threats (e.g., Advanced Persistent Threat (APT), Insider Threat, Common Malware, Third-Party Suppliers)
Attack Surface Evaluation
Threat Analysis
Threat Intelligence (e.g., Identify Credible Relevant Threats, Predict)

4.5: Perform architectural risk assessment and design reviews
4.6: Model (non-functional) security properties and constraints
4.7: Define secure operational architecture (e.g., deployment topology, operational interfaces, Continuous Integration and Continuous Delivery (CI/CD))

Domain 5: Secure Software Implementation (14%)

5.1: Adhere to Relevant Secure Coding Practices (e.g., Standards, Guidelines, Regulations)
Declarative Versus Imperative (Programmatic) Security
Concurrency (e.g., Thread Safety, Database Concurrency Controls)
Input Validation and Sanitization
Error and Exception Handling
Output Sanitization (e.g., Encoding, Obfuscation)
Secure Logging & Auditing (e.g., Confidentiality, Privacy)
Session Management
Trusted/Untrusted Application Programming Interfaces (API), and Libraries
Resource Management (e.g., Compute, Storage, Network, Memory Management)
Secure Configuration Management (e.g., Baseline Security Configuration, Credentials Management)
Tokenization
Isolation (e.g., Sandboxing, Virtualization, Containerization, Separation Kernel Protection Profiles)
Cryptography (e.g., Payload, Field Level, Transport, Storage, Agility, Encryption, Algorithm Selection)
Access Control (e.g., Trust Zones, Function Permissions, Role-Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC))
Processor Microarchitecture Security Extensions

5.2: Analyze Code for Security Risks
Secure Code Reuse
Vulnerability Databases/Lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumerations (CWE), SANS Top 25 Most Dangerous Software Errors)
Static Application Security Testing (SAST) (e.g., Automated Code Coverage, Linting)
Manual Code Review (e.g., Peer Review)
Inspect for Malicious Code (e.g., Backdoors, Logic Bombs, High Entropy)

5.3: Implement Security Controls (e.g., Watchdogs, File Integrity Monitoring, Anti-Malware)
5.4: Address the Identified Security Risks (e.g., Risk Strategy)
5.5: Evaluate and Integrate Components
Systems-of-Systems Integration (e.g., Trust Contracts, Security Testing, Analysis)
Reusing Third-Party Code or Open-Source Libraries in a Secure Manner (e.g., Software Composition Analysis)

5.6: Apply Security During the Build Process
Anti-Tampering Techniques (e.g., Code Signing, Obfuscation)
Compiler Switches
Address Compiler Warnings

Domain 6: Secure Software Testing (14%)

6.1: Develop Security Testing Strategy & Plan
Standards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual, Software Engineering Institute)
Functional Security Testing (e.g., Logic)
Non-Functional Security Testing (e.g., Reliability, Performance, Scalability)
Testing Techniques (e.g., Known Environment Testing, Unknown Environment Testing, Functional Testing, Acceptance Testing)
Testing Environment (e.g., Interoperability, Test Harness)
Security Researcher Outreach (e.g., Bug Bounties)

6.2: Develop Security Test Cases
Attack Surface Validation
Automated Vulnerability Testing (e.g., Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST))
Penetration Tests (e.g., Security Controls, Known Vulnerabilities, Known Malware)
Fuzzing (e.g., Generated, Mutated)
Simulation (e.g., Simulating Production Environment and Production Data, Synthetic Transactions)
Failure (e.g., Fault Injection, Stress Testing, Break Testing)
Cryptographic Validation (e.g., Pseudorandom Number Generators, Entropy)
Unit Testing and Code Coverage
Regression Tests
Integration Tests
Continuous Testing
Misuse and Abuse Test Cases

6.3: Verify and Validate Documentation (e.g., Installation and Setup Instructions, Error Messages, User Guides, Release Notes)
6.4: Identify Undocumented Functionality
6.5: Analyze Security Implications of Test Results (e.g., Impact on Product Management, Prioritization, Break/Build Criteria)

6.6: Classify and Track Security Errors
Bug Tracking (e.g., Defects, Errors, and Vulnerabilities)
Risk Scoring (e.g., Common Vulnerability Scoring System (CVSS))

6.7: Secure Test Data
Generate Test Data (e.g., Referential Integrity, Statistical Quality, Production Representative)
Reuse of Production Data (e.g., Obfuscation, Sanitization, Anonymization, Tokenization, Data Aggregation Mitigation)

6.8: Perform Verification and Validation Testing (e.g., Independent/Internal Verification and Validation, Acceptance Test)

Domain 7: Secure Software Deployment, Operations, Management (11%)

7.1: Perform Operational Risk Analysis
Deployment Environment (e.g., Staging, Production, Quality Assurance (QA))
Personnel Training (e.g., Administrators vs. Users)
Legal Compliance (e.g., Adherence to Guidelines, Regulations, Privacy Laws, Copyright, etc.)
System Integration
7.2: Secure Configuration and Version Control
Hardware
Baseline Configuration
Version Control/Patching
Documentation Practices
7.3: Release Software Securely
Secure Continuous Integration and Continuous Delivery (CI/CD) Pipeline (e.g., DevSecOps)
Application Security Toolchain
Build Artifact Verification (e.g., Code Signing, Hashes)
7.4: Store and Manage Security Data
Credentials
Secrets
Keys/Certificates
Configurations
7.5: Ensure Secure Installation
Secure Boot (e.g., Key Generation, Access, Management)
Least Privilege
Environment Hardening (e.g., Configuration Hardening, Secure Patch/Updates, Firewall)
Secure Provisioning (e.g., Credentials, Configuration, Licensing, Infrastructure as Code (IaC))
Security Policy Implementation
7.6: Obtain Security Approval to Operate (e.g., Risk Acceptance, Sign-Off at Appropriate Level)
7.7: Perform Information Security Continuous Monitoring
Observable Data (e.g., Logs, Events, Telemetry, Trace Data, Metrics)
Threat Intelligence
Intrusion Detection/Response
Regulation and Privacy Changes
Integration Analysis (e.g., Security Information and Event Management (SIEM))
7.8: Execute the Incident Response Plan
Incident Triage
Forensics
Remediation
Root Cause Analysis
7.9: Perform Patch Management (e.g., Secure Release, Testing)
7.10: Perform Vulnerability Management (e.g., Tracking, Triaging, Common Vulnerabilities and Exposures (CVE))
7.11: Incorporate Runtime Protection (e.g., Runtime Application Self Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR), Dynamic Execution Prevention)
7.12: Support Continuity of Operations
Backup, Archiving, Retention
Disaster Recovery Plan (DRP)
Resiliency (e.g., Operational Redundancy, Erasure Code, Survivability, Denial-of-Service (DoS))
Business Continuity Plan (BCP)
7.13: Integrate Service Level Objectives and Service-Level Agreements (SLA) (e.g., Maintenance, Performance, Availability, Qualified Personnel)

Domain 8: Secure Software Supply Chain (10%)

8.1: Implement Software Supply Chain Risk Management (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST))
Identification and Selection of the Components
Risk Assessment of the Components (e.g., Mitigate, Accept)
Maintaining Third-Party Components List (e.g., Software Bill of Materials (SBOM))
Monitoring for Changes and Vulnerabilities
8.2: Analyze Security of Third-Party Software
Certifications
Assessment Reports (e.g., Cloud Controls Matrix)
Origin and Support

Prerequisites

Candidates should have at least 4 or more years of Software Development Lifecycle (SDLC) experience in one or more of the eight domains of the CSSLP CBK.
Alternatively, candidates with 3 years of SDLC experience in one or more domains of the CSSLP CBK can attempt the exam if they hold a 4-year bachelor’s degree in Computer Science or a related field.

Target Audience

Application Security Specialist
IT Director/Manager
Penetration Tester
Project Manager
Quality Assurance Tester
Security Manager
Software Architect
Software Developer
Software Engineer
Software Procurement Analyst
Software Program Manager


Flexible Class Options

Weekend Classes for Professionals: SAT | SUN

Corporate Group Trainings Available

Online Classes – Live Virtual Class (L.V.C), Online Training

