CSSLP Cert Prep: 1 Secure Software Concepts

Introduction

• Prepping for the CSSLP

1. Domain 1: Secure Software Concepts

• Secure software concepts
• What you should know
• The goals of application security

2. The CIA Triad

• Confidentiality
• Integrity
• Availability

3. Identity and Access Management

• Authentication
• Authorization
• Accountability
• Nonrepudiation
• Governance, risk, and compliance

4. Access Controls

• Least privilege
• Separation of duties
• Economy of mechanism
• Complete mediation

5. Design Considerations

• Defense in depth
• Resiliency
• Open design
• Least common mechanism
• Psychological acceptability
• Leveraging existing components
• Eliminate single point of failure
• Diversity of defense

6. Domain 2: Secure Software Lifecycle Management

• Secure software lifecycle management

7. Laying Your Foundation

• Strategy and roadmap
• Development methodologies
• Integrated risk management
• Promote security culture

8. Setting Expectations

• Security standards and frameworks
• Security documentation
• Hardware and software configuration
• Ongoing configuration management

9. Improving Over Time

• Decommission software
• Manage licenses and archives
• Security metrics
• Reporting security status
• Continuous improvement
• Implement secure operations practices

10. Domain 3: Secure Software Requirements

• Determining security requirements

11. Security Requirements

• Functional requirements
• Nonfunctional requirements
• Policy decomposition
• Legal, regulatory, and industry

12. Privacy Requirements

• Security vs. privacy
• Data anonymization
• User consent
• Disposition
• Private data storage

13. Data Classification Requirements

• Data ownership
• Labeling
• Types of data
• Data lifecycle

14. Validating Your Requirements

• Misuse and abuse cases
• Software requirement specifications
• Security requirement traceability matrix

15. Domain 4: Secure Software Architecture and Design

• Secure software design

16. Threat Modeling

• What is threat modeling?
• Understand common threats
• Attack surface evaluation

17. Security Architecture

• Secure architecture and design patterns
• Identifying and prioritizing controls
• Traditional application architectures
• Pervasive and ubiquitous computing
• Rich internet and mobile applications
• Cloud architectures
• Embedded system considerations
• Architectural risk assessments
• Component-based systems
• Security enhancing tools
• Cognitive computing
• Control systems

18. Security Design

• Components of a secure environment
• Designing network and server controls
• Designing data controls
• Secure design principles and patterns
• Secure interface design
• Security architecture and design review
• Secure operational architecture

19. Modeling

• Nonfunctional properties and constraints
• Data modeling and classification

20. Domain 5: Secure Software Implementation

• Secure software implementation

21. Secure Coding Practices

• Declaring variables
• Inputs and outputs
• Protecting secrets
• Data-flow security
• Deployment and operations
• Isolation techniques
• Processor microarchitecture security

22. Finding and Fixing Vulnerabilities

• Identifying risks
• The OWASP Top 10: 1-5
• The OWASP Top 10: 6-10
• Common Weakness Enumeration (CWE)
• Addressing risks

23. Component Security

• Third-party code and libraries
• Component integration
• Implementing security controls
• Security in the build process

24. Domain 6: Secure Software Testing

• Secure software testing

25. Developing Security Test Cases

• Understanding your test environment
• Automation vs. manual testing
• Ensuring a comprehensive approach
• Validating cryptography

26. Developing a Testing Strategy

• Grouping your tests
• Leveraging external resources
• Verifying and validating documentation

27. Conducting Security Tests

• Securing test data
• Verification and validation testing
• Identifying undocumented functionality

28. Reviewing the Results

• Security implications of test results
• Classifying and tracking security errors

29. Domain 7: Secure Software Deployment, Operations, and Maintenance

• Secure software deployment, operations, and maintenance

30. Deploying Your Software

• Performing an operational risk analysis
• Releasing software securely
• Storing and managing security data
• Ensuring secure installation
• Post-deployment security testing

31. Shifting Into Operations

• Obtaining security approval to operate
• Continuous security monitoring
• Support incident response
• Support continuity of operations
• Service level objectives and agreements

32. Maintaining Your Software

• Patch management
• Vulnerability management
• Runtime protection

33. Domain 8: Secure Software Supply Chain

• Secure software supply chain

34. Supply Chain Risk Management

• Identifying and selecting components
• Assessing components' risks
• Responding to those risks
• Monitoring changes and vulnerabilities
• Maintaining third-party components

35. Ensure Software Security

• Analyzing third-party software security
• Verifying pedigree and provenance

36. Get It in Writing

• Security in the acquisition process
• Contractual requirements

37. Exam Logistics

• Registering for the exam
• Exam environment
• Passing the exam
• Exam tips
• Practice tests
• Experience requirements
• Continuing education requirements

Conclusion

• Next steps