Prepare for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) certification exam.
Overview
Syllabus
Introduction
- Prepping for the CSSLP
- Secure software concepts
- What you should know
- The goals of application security
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
- Accountability
- Nonrepudiation
- Governance, risk, and compliance
- Least privilege
- Separation of duties
- Economy of mechanism
- Complete mediation
- Defense in depth
- Resiliency
- Open design
- Least common mechanism
- Psychological acceptability
- Leveraging existing components
- Eliminate single point of failure
- Diversity of defense
- Secure software lifecycle management
- Strategy and roadmap
- Development methodologies
- Integrated risk management
- Promote security culture
- Security standards and frameworks
- Security documentation
- Hardware and software configuration
- Ongoing configuration management
- Decommission software
- Manage licenses and archives
- Security metrics
- Reporting security status
- Continuous improvement
- Implement secure operations practices
- Determining security requirements
- Functional requirements
- Nonfunctional requirements
- Policy decomposition
- Legal, regulatory, and industry
- Security vs. privacy
- Data anonymization
- User consent
- Disposition
- Private data storage
- Data ownership
- Labeling
- Types of data
- Data lifecycle
- Misuse and abuse cases
- Software requirement specifications
- Security requirement traceability matrix
- Secure software design
- What is threat modeling?
- Understand common threats
- Attack surface evaluation
- Secure architecture and design patterns
- Identifying and prioritizing controls
- Traditional application architectures
- Pervasive and ubiquitous computing
- Rich internet and mobile applications
- Cloud architectures
- Embedded system considerations
- Architectural risk assessments
- Component-based systems
- Security enhancing tools
- Cognitive computing
- Control systems
- Components of a secure environment
- Designing network and server controls
- Designing data controls
- Secure design principles and patterns
- Secure interface design
- Security architecture and design review
- Secure operational architecture
- Nonfunctional properties and constraints
- Data modeling and classification
- Secure software implementation
- Declaring variables
- Inputs and outputs
- Protecting secrets
- Data-flow security
- Deployment and operations
- Isolation techniques
- Processor microarchitecture security
- Identifying risks
- The OWASP Top 10: 1-5
- The OWASP Top 10: 6-10
- Common Weakness Enumeration (CWE)
- Addressing risks
- Third-party code and libraries
- Component integration
- Implementing security controls
- Security in the build process
- Secure software testing
- Understanding your test environment
- Automation vs. manual testing
- Ensuring a comprehensive approach
- Validating cryptography
- Grouping your tests
- Leveraging external resources
- Verifying and validating documentation
- Securing test data
- Verification and validation testing
- Identifying undocumented functionality
- Security implications of test results
- Classifying and tracking security errors
- Secure software deployment, operations, and maintenance
- Performing an operational risk analysis
- Releasing software securely
- Storing and managing security data
- Ensuring secure installation
- Post-deployment security testing
- Obtaining security approval to operate
- Continuous security monitoring
- Support incident response
- Support continuity of operations
- Service level objectives and agreements
- Patch management
- Vulnerability management
- Runtime protection
- Secure software supply chain
- Identifying and selecting components
- Assessing components' risks
- Responding to those risks
- Monitoring changes and vulnerabilities
- Maintaining third-party components
- Analyzing third-party software security
- Verifying pedigree and provenance
- Security in the acquisition process
- Contractual requirements
- Registering for the exam
- Exam environment
- Passing the exam
- Exam tips
- Practice tests
- Experience requirements
- Continuing education requirements
- Next steps
Taught by
Jerod Brennen