Certified Secure Software Lifecycle Professional (CSSLP)
7,000.00 ৳
Start Date: 24 March , 2023
Time: Friday (8.00 PM – 11:00 PM),
Duration: 28 Hours
Course Fee: 28,000/-
Contact: 01847179477, 01811448063
Trainer: Engr. Md. Mushfiqur Rahman [View Profile]
This training is jointly organized by BITM & LEADS Training & Consulting Ltd. Training will be held in LEADS Training & Consulting Ltd.
The ISC2 CSSLP certification is mainly targeted to those candidates who want to build their career in Cybersecurity domain. The ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of ISC2 CSSLP.
ISC2 CSSLP Exam Syllabus Topics:
Domain 1: Secure Software Concepts
Domain 2: Secure Software Requirements
Domain 3: Secure Software Architecture and Design
Domain 4: Secure Software Implementation
Domain 5: Secure Software Testing
Domain 6: Secure Software Lifecycle Management
Domain 7: Secure Software Deployment, Operations, Maintenance
Domain 8: Secure Software Deployment, Operations, Maintenance
Who Should Attend:
- Application Security Specialist
- IT Director/Manager
- Penetration Tester
- Project Manager
- Quality Assurance Tester
- Security Manager Jobs that Typically Use or Require the CSSLP See “Pathway to CSSLP Certification”.
- Software Architect
- Software Developer
- Software Engineer
- Software Procurement Analyst
- Software Program Manager
Course Outline:
Topic | Details |
Secure Software Concepts 10% | |
Core Concepts | – Confidentiality (e.g., covert, overt, encryption) – Integrity (e.g., hashing, digital signatures, code signing, reliability, alterations, authenticity) – Availability (e.g., failover, replication, clustering, scalability, resiliency) – Authentication (e.g., multifactor authentication, identity & access management, single sign-on, federated identity) – Authorization (e.g., access controls, entitlements) – Accountability (e.g., auditing, logging) – Nonrepudiation (e.g., PKI, digital signatures) |
Security Design Principles | – Least privilege (e.g., access control, need-toknow, run-time privileges) – Separation of duties (e.g., multi-party control, secret sharing and splitting) – Defense in depth (e.g., layered controls, input validation, security zones) – Fail safe (e.g., exception handling, non-verbose errors, deny by default) – Economy of mechanism (e.g., single sign-on) – Complete mediation (e.g., cookie management, session management, caching of credentials) – Open design (e.g., peer reviewed algorithm) – Least common mechanism (e.g., compartmentalization/isolation) – Psychological acceptability (e.g., password complexity, screen layouts) – Leveraging existing components (e.g., common controls, libraries) – Eliminate single point of failure |
Secure Software Requirements 14% | |
Identify Security Requirements | – Functional – Non-functional – Policy decomposition (e.g., internal and external requirements) – Legal, regulatory, and industry requirements |
Interpret Data Classification Requirements | – Data ownership (e.g., data owner, data custodian) – Labeling (e.g., sensitivity, impact) – Types of data (e.g., structured, unstructured data) – Data life-cycle (e.g., generation, retention, disposal) |
Identify Privacy Requirements | – Data anonymization – User consent – Disposition |
Develop Misuse and Abuse Cases | |
Include Security in Software Requirement Specifications | |
Develop Security Requirement Traceability Matrix | |
Secure Software Architecture and Design 14% | |
Perform Threat Modeling | – Understand common threats (e.g., APT, insider threat, common malware, third party/supplier) – Attack surface evaluation |
Define the Security Architecture | – Control identification and prioritization – Distributed computing (e.g., client server, peer-topeer, message queuing) – Service-oriented architecture (e.g., enterprise service bus, web services) – Rich internet applications (e.g., client side exploits or threats, remote code execution, constant connectivity) – Pervasive/ubiquitous computing (e.g., IoT, wireless, location-based, RFID, near field communication, sensor networks) – Embedded (e.g., control systems, firmware) – Cloud architectures (e.g., software as a service, platform as a service, infrastructure as a service) – Mobile applications – Hardware platform concerns |
Performing Secure Interface Design | – Security management interfaces, out-of-band management, log interfaces – Upstream/downstream dependencies (e.g., key and data sharing between apps) – Protocol design choices (e.g., APIs, weaknesses, state, models) |
Performing Architectural Risk Assessment | |
Modeling (Non-Functional) Security Properties and Constraints | |
Model and Classify Data | |
Evaluate and Select Reusable Secure Design | – Credential management (e.g., X.509 and SSO) – Flow control (e.g., proxies, firewalls, protocols, queuing) – Data loss prevention (DLP) – Virtualization (e.g., software defined network, hypervisor) – Trusted computing (e.g., TPM, TCB) – Database security (e.g., encryption, triggers, views, privilege management) – Programming language environment (e.g., CLR, JVM) – Operating system controls and services |
Perform Design Security Review | |
Design Secure Assembly Architecture for Component-Based Systems | – Client side data storage – Network attached storage |
Use Security Enhancing Architecture and Design Tools | |
Use Secure Design Principles and Patterns | |
Secure Software Implementation 14% | |
Follow Secure Coding Practices | – Declarative versus imperative (programmatic) security – Concurrency – Output sanitization (e.g., encoding) – Error and exception handling – Input validation – Logging & auditing – Session management – Safe APIs – Type safety – Memory management (e.g., locality, garbage collection) – Configuration parameter management (e.g., start-up options) – Tokenizing – Sandboxing – Cryptography (e.g., storage, agility, encryption, algorithm selection) |
Analyze Code for Security Vulnerabilities | – Code reuse – Vulnerability databases/lists (e.g., OWASP Top 10, CWE) – Static analysis – Dynamic analysis – Manual code review – Peer review |
Implement Security Controls | |
Fix Security Vulnerabilities | |
Look for Malicious Code | |
Securely Reuse Third Party Code or Libraries | |
Securely Integrate Components | – Systems-of-systems integration (e.g., security testing and analysis) |
Apply Security during the Build Process | – Anti-tampering techniques (e.g., code signing, obfuscation) – Compiler switches |
Debug Security Errors | |
Secure Software Testing 14% | |
Develop Security Test Cases | – Attack surface validation – Penetration – Fuzzing (e.g., generated, mutated) – Scanning (e.g., vulnerability, content, privacy) – Simulation (e.g., environment and data) – Failure (e.g., fault injection, stress testing, break testing) – Cryptographic validation (e.g., PRNG) – Regression – Continuous (e.g., synthetic transactions) – Unit testing |
Develop Security Testing Strategy and Plan | – Functional security testing (e.g., logic) – Nonfunctional security testing (e.g., reliability, performance, scalability) – Testing techniques (e.g., white box and black box) – Environment (e.g., interoperability, test harness) – Standards (e.g., ISO, OSSTMM, SEI) |
Identify Undocumented Functionality | |
Interpret Security Implications of Test Results | |
Classify and Track Security Errors | – Bug tracking (e.g., defects, errors and vulnerabilities) – Risk Scoring (e.g., CVSS) |
Secure Test Data | – Privacy – Referential integrity |
Develop or Obtain Security Test Data | |
Perform Verification and Validation Testing (e.g., IV&V) | |
Secure Software Lifecycle Management 11% | |
Secure Configuration and Version Control | |
Establish Security Milestones | |
Choose a Secure Software Methodology | |
Identify Security Standards and Frameworks | |
Create Security Documentation | |
Develop Security Metrics | |
Decommission Software | – End of life policies – Credential removal, configuration removal, license cancellation – Data destruction |
Report Security Status | |
Support Governance, Risk, and Compliance (GRC) | – Regulations and compliance – Legal (e.g., intellectual property, breach notification) – Standards and guidelines (e.g., ISO, PCI, NIST, OWASP, SAFECODE, OpenSAMM, BSIMM) – Risk management – Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact) – Technical risk vs business risk – Strategies (e.g., mitigate, accept, transfer, avoid) |
Secure Software Deployment, Operations, and Maintenance 12% | |
Perform Implementation Risk Analysis | |
Release Software Securely | |
Securely Store and Manage Security Data | – Credentials – Secrets – Keys/certificates – Configurations |
Ensure Secure Installation | – Bootstrapping (e.g., key generation, access, management) – Least privilege – Environment hardening – Secure activation (e.g., credentials, white listing, device configuration, network configuration, licensing, etc.) |
Perform Post-Deployment Security Testing | |
Obtain Security Approval to Operate | – Risk acceptance (e.g., exception policy, sign-off) |
Perform Security Monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics) | |
Support Incident Response | – Root cause analysis |
Support Patch and Vulnerability Management | |
Support Continuity of Operations | – Backup, archiving, retention – Disaster recovery |
Secure Software Supply Chain 11% | |
Analyze Security of Third Party Software | |
Verify Pedigree and Provenance | – Secure transfer – System sharing/interconnections – Code repository security – Build environment security – Cryptographically- hashed, digitally signed components |
Provide Security Support to the Acquisition Process | – Audit of security policy compliance – Vulnerability/incident response and reporting – Service-level agreements (SLAs) – Maintenance and support structure (e.g., community versus commercial) – Assessment of software engineering/SDLC approaches – Information systems security policy compliance – Security track record – Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness, GPL requirements) |