(ISC)² | Certified Secure Software Lifecycle Professional |CSSLP

Description

The Certified Secure Software Lifecycle Professional (CSSLP®) certification validates that software professionals
have the expertise to incorporate security practices – authentication, authorization and auditing – into each phase of
the software development lifecycle, from software design and implementation to testing and deployment.

Application vulnerabilities continue to top the list of cyber security concerns. While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previous, rediscovered threats. This high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws and a clear shortage of qualified professionals with application security skills exists. Without action, this soft underbelly of business and governmental entities has and will continue to be exposed with serious consequences—data breaches, disrupted operations, lost business, brand damage, and regulatory fines. This is why it is essential for software professionals to stay current on the latest advances in software development and the new security threats they create.

WHO SHOULD  OBTAIN A CSSLP?

• Software Architect
• Software Engineer
• Penetration Tester
• Application Security Specialist
• Project Manager
• Security Manager
• IT Director/Manager
• Quality Assurance Tester

The Benefits of CSSLP Certification to the Professional

Many organizations have adopted the CSSLP as the preferred credential to convey one’s expertise on security in the software development lifecycle. In today’s interconnected world, security must be included within each phase of the software lifecycle. The CSSLP CBK contains the largest, most comprehensive, collection of best practices, policies, and procedures, to ensure a security initiative across all phases of application development, regardless of methodology.

CSSLP Domains

Secure Software Concepts – understand secure software concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise’s computer systems.

• Core Concepts
• Security Design Principles
• Privacy (e.g., data anonymization, user content, disposition, test data management)
• Governance, Risk and Compliance (GRC)
• Software Development Methodologies (e.g., Waterfall, Agile)

Secure Software Requirements – understand the security controls required during the requirements gathering phase of the Secure Software Development Lifecycle.

• Policy Decomposition (e.g., Internal and External Requirements)
• Data Classification and Categorization
• Functional Requirements (e.g., Use Cases and Abuse Cases)
• Operational Requirements (e.g., how the software is deployed, operated, managed)

Secure Software Design – understand the techniques of performing attack surface analysis and conducting threat modeling, as well as being able to identify and review the countermeasures that mitigate risk.

• Design Processes
• Design Considerations
• Securing Commonly Used Architecture
• Technologies

Secure Software Implementation/Coding – know the coding standards that help developers avoid introducing flaws that can lead to security vulnerabilities, understand common software vulnerabilities and countermeasures, and apply security testing tools.

• Declarative versus Imperative (Programmatic) Security
• Vulnerability Databases/Lists (e.g., OWASP Top 10, CWE)
• Defensive Coding Practices and Controls
• Source Code and Versioning
• Development and Build Environment (e.g., build tools, automatic build script)
• Code/Peer Review
• Code Analysis (e.g., static, dynamic)
• Anti-tampering Techniques (e.g., code signing, obfuscation)

Secure Software Testing – know the standards for software quality assurance, and understand the concepts of functional and security testing, interoperability testing, bug tracking and testing of high priority code.

• Testing Artifacts (e.g., strategies, plans, cases)
• Testing for Security and Quality Assurance
• Types of Testing
• Impact Assessment and Corrective Action
• Test Data Lifecycle Management (e.g., privacy, dummy data, referential integrity)

Software Acceptance – know the methods for determining completion criteria, risk acceptance and documentation (e.g., DRP and BCP), Common Criteria and methods of independent testing.

• Pre-release and Pre-deployment
• Post-release

Software Deployment, Operations, Maintenance and Disposal – know how to evaluate reports of vulnerabilities and release security advisories and updates when appropriate, know how to conduct a post-mortem of reported vulnerabilities and take action as necessary, be familiar with procedures and security measures when a product reaches its end of life.

• Installation and Deployment
• Operations and Maintenance
• Software Disposal (e.g., retirement, end of life policies, decommissioning)

Supply Chain and Software Acquisition – know how to establish a process for interacting with suppliers on issues such as: vulnerability management, service level agreement monitoring, and chain of custody throughout the source code development and maintenance lifecycle.

• Supplier Risk Assessment (e.g., managing the enterprise risk of outsourcing)
• Supplier Sourcing
• Software Development and Test
• Software Delivery, Operations and Maintenance
• Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)

Who Needs CSSLP?

Each software lifecycle stakeholder is responsible for certain phase(s) of the SDLC, but all phases must have security built into them. CSSLP is for all the stakeholders involved in the process. Each of the 8 CSSLP Domains covers how to build security into the different phases.

for any inquires , please contact us