Certified Secure Software Lifecycle Professional (CSSLP)

7,000.00 ৳ 

Start Date: 24 March , 2023
Time: Friday (8.00 PM – 11:00 PM),
Duration: 28 Hours
Course Fee: 28,000/-
Contact: 01847179477, 01811448063


Trainer: Engr. Md. Mushfiqur Rahman [View Profile]

This training is jointly organized by BITM & LEADS Training & Consulting Ltd. Training will be held in LEADS Training & Consulting Ltd.

The ISC2 CSSLP certification is mainly targeted to those candidates who want to build their career in Cybersecurity domain. The ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of ISC2 CSSLP.

ISC2 CSSLP Exam Syllabus Topics: 

Domain 1: Secure Software Concepts

Domain 2: Secure Software Requirements

Domain 3: Secure Software Architecture and Design

Domain 4: Secure Software Implementation

Domain 5: Secure Software Testing

Domain 6: Secure Software Lifecycle Management

Domain 7: Secure Software Deployment, Operations, Maintenance

Domain 8: Secure Software Deployment, Operations, Maintenance

Who Should Attend:

  • Application Security Specialist
  • IT Director/Manager
  • Penetration Tester
  • Project Manager
  • Quality Assurance Tester
  • Security Manager Jobs that Typically Use or Require the CSSLP See “Pathway to CSSLP Certification”.
  • Software Architect
  • Software Developer
  • Software Engineer
  • Software Procurement Analyst
  • Software Program Manager

Course Outline:

Topic Details
Secure Software Concepts 10%
Core Concepts – Confidentiality (e.g., covert, overt, encryption)
– Integrity (e.g., hashing, digital signatures, code signing, reliability, alterations, authenticity)
– Availability (e.g., failover, replication, clustering, scalability, resiliency)
– Authentication (e.g., multifactor authentication, identity & access management, single sign-on, federated identity)
– Authorization (e.g., access controls, entitlements)
– Accountability (e.g., auditing, logging)
– Nonrepudiation (e.g., PKI, digital signatures)
Security Design Principles – Least privilege (e.g., access control, need-toknow, run-time privileges)
– Separation of duties (e.g., multi-party control, secret sharing and splitting)
– Defense in depth (e.g., layered controls, input validation, security zones)
– Fail safe (e.g., exception handling, non-verbose errors, deny by default)
– Economy of mechanism (e.g., single sign-on)
– Complete mediation (e.g., cookie management, session management, caching of credentials)
– Open design (e.g., peer reviewed algorithm)
– Least common mechanism (e.g., compartmentalization/isolation)
– Psychological acceptability (e.g., password complexity, screen layouts)
– Leveraging existing components (e.g., common controls, libraries)
– Eliminate single point of failure
Secure Software Requirements 14%
Identify Security Requirements – Functional
– Non-functional
– Policy decomposition (e.g., internal and external requirements)
– Legal, regulatory, and industry requirements
Interpret Data Classification Requirements – Data ownership (e.g., data owner, data custodian)
– Labeling (e.g., sensitivity, impact)
– Types of data (e.g., structured, unstructured data)
– Data life-cycle (e.g., generation, retention, disposal)
Identify Privacy Requirements – Data anonymization
– User consent
– Disposition
Develop Misuse and Abuse Cases
Include Security in Software Requirement Specifications
Develop Security Requirement Traceability Matrix
Secure Software Architecture and Design 14%
Perform Threat Modeling – Understand common threats (e.g., APT, insider threat, common malware, third party/supplier)
– Attack surface evaluation
Define the Security Architecture – Control identification and prioritization
– Distributed computing (e.g., client server, peer-topeer, message queuing)
– Service-oriented architecture (e.g., enterprise service bus, web services)
– Rich internet applications (e.g., client side exploits or threats, remote code execution, constant connectivity)
– Pervasive/ubiquitous computing (e.g., IoT, wireless, location-based, RFID, near field communication, sensor networks)
– Embedded (e.g., control systems, firmware)
– Cloud architectures (e.g., software as a service, platform as a service, infrastructure as a service)
– Mobile applications
– Hardware platform concerns
Performing Secure Interface Design – Security management interfaces, out-of-band management, log interfaces
– Upstream/downstream dependencies (e.g., key and data sharing between apps)
– Protocol design choices (e.g., APIs, weaknesses, state, models)
Performing Architectural Risk Assessment
Modeling (Non-Functional) Security Properties and Constraints
Model and Classify Data
Evaluate and Select Reusable Secure Design – Credential management (e.g., X.509 and SSO)
– Flow control (e.g., proxies, firewalls, protocols, queuing)
– Data loss prevention (DLP)
– Virtualization (e.g., software defined network, hypervisor)
– Trusted computing (e.g., TPM, TCB)
– Database security (e.g., encryption, triggers, views, privilege management)
– Programming language environment (e.g., CLR, JVM)
– Operating system controls and services
Perform Design Security Review
Design Secure Assembly Architecture for Component-Based Systems – Client side data storage
– Network attached storage
Use Security Enhancing Architecture and Design Tools
Use Secure Design Principles and Patterns
Secure Software Implementation 14%
Follow Secure Coding Practices – Declarative versus imperative (programmatic) security
– Concurrency
– Output sanitization (e.g., encoding)
– Error and exception handling
– Input validation
– Logging & auditing
– Session management
– Safe APIs
– Type safety
– Memory management (e.g., locality, garbage collection)
– Configuration parameter management (e.g., start-up options)
– Tokenizing
– Sandboxing
– Cryptography (e.g., storage, agility, encryption, algorithm selection)
Analyze Code for Security Vulnerabilities – Code reuse
– Vulnerability databases/lists (e.g., OWASP Top 10, CWE)
– Static analysis
– Dynamic analysis
– Manual code review
– Peer review
Implement Security Controls
Fix Security Vulnerabilities
Look for Malicious Code
Securely Reuse Third Party Code or Libraries
Securely Integrate Components – Systems-of-systems integration (e.g., security testing and analysis)
Apply Security during the Build Process – Anti-tampering techniques (e.g., code signing, obfuscation)
– Compiler switches
Debug Security Errors
Secure Software Testing 14%
Develop Security Test Cases – Attack surface validation
– Penetration
– Fuzzing (e.g., generated, mutated)
– Scanning (e.g., vulnerability, content, privacy)
– Simulation (e.g., environment and data)
– Failure (e.g., fault injection, stress testing, break testing)
– Cryptographic validation (e.g., PRNG)
– Regression
– Continuous (e.g., synthetic transactions)
– Unit testing
Develop Security Testing Strategy and Plan – Functional security testing (e.g., logic)
– Nonfunctional security testing (e.g., reliability, performance, scalability)
– Testing techniques (e.g., white box and black box)
– Environment (e.g., interoperability, test harness)
– Standards (e.g., ISO, OSSTMM, SEI)
Identify Undocumented Functionality
Interpret Security Implications of Test Results
Classify and Track Security Errors – Bug tracking (e.g., defects, errors and vulnerabilities)
– Risk Scoring (e.g., CVSS)
Secure Test Data – Privacy
– Referential integrity
Develop or Obtain Security Test Data
Perform Verification and Validation Testing (e.g., IV&V)
Secure Software Lifecycle Management 11%
Secure Configuration and Version Control
Establish Security Milestones
Choose a Secure Software Methodology
Identify Security Standards and Frameworks
Create Security Documentation
Develop Security Metrics
Decommission Software – End of life policies
– Credential removal, configuration removal, license cancellation
– Data destruction
Report Security Status
Support Governance, Risk, and Compliance (GRC) – Regulations and compliance
– Legal (e.g., intellectual property, breach notification)
– Standards and guidelines (e.g., ISO, PCI, NIST, OWASP, SAFECODE, OpenSAMM, BSIMM)
– Risk management
– Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
– Technical risk vs business risk
– Strategies (e.g., mitigate, accept, transfer, avoid)
Secure Software Deployment, Operations, and Maintenance 12%
Perform Implementation Risk Analysis
Release Software Securely
Securely Store and Manage Security Data – Credentials
– Secrets
– Keys/certificates
– Configurations
Ensure Secure Installation – Bootstrapping (e.g., key generation, access, management)
– Least privilege
– Environment hardening
– Secure activation (e.g., credentials, white listing, device configuration, network configuration, licensing, etc.)
Perform Post-Deployment Security Testing
Obtain Security Approval to Operate – Risk acceptance (e.g., exception policy, sign-off)
Perform Security Monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics)
Support Incident Response – Root cause analysis
Support Patch and Vulnerability Management
Support Continuity of Operations – Backup, archiving, retention
– Disaster recovery
Secure Software Supply Chain 11%
Analyze Security of Third Party Software
Verify Pedigree and Provenance – Secure transfer
– System sharing/interconnections
– Code repository security
– Build environment security
– Cryptographically- hashed, digitally signed components
Provide Security Support to the Acquisition Process – Audit of security policy compliance
– Vulnerability/incident response and reporting
– Service-level agreements (SLAs)
– Maintenance and support structure (e.g., community versus commercial)
– Assessment of software engineering/SDLC approaches
– Information systems security policy compliance
– Security track record
– Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness, GPL requirements)