CSSLP Certification All-in-One Exam Guide, Second Edition, 2nd Edition

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Acknowledgments
  7. Introduction
  8. Exam Readiness Checklist
  9. Part I Secure Software Concepts
    1. Chapter 1 General Security Concepts
      1. General Security Concepts
        1. Security Basics
        2. System Tenets
        3. Secure Design Tenets
      2. Security Models
        1. Access Control Models
        2. Multilevel Security Model
        3. Integrity Models
        4. Information Flow Models
      3. Adversaries
        1. Adversary Type
        2. Adversary Groups
        3. Threat Landscape Shift
      4. Chapter Review
      5. Quick Tips
      6. Questions
      7. Answers
    2. Chapter 2 Risk Management
      1. Definitions and Terminology
        1. General Terms
        2. Quantitative Terms
        3. Risk Management Statements
      2. Types of Risk
        1. Business Risk
        2. Technology Risk
        3. Risk Controls
        4. Qualitative Risk Management
        5. Qualitative Matrix
        6. Quantitative Risk Management
        7. Comparison of Qualitative and Quantitative Methods
      3. Governance, Risk, and Compliance
        1. Regulations and Compliance
        2. Legal
        3. Standards
      4. Risk Management Models
        1. General Risk Management Model
        2. Software Engineering Institute Model
        3. Model Application
      5. Risk Options
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 3 Security Policies and Regulations
      1. Regulations and Compliance
        1. FISMA
        2. Sarbanes-Oxley
        3. Gramm-Leach-Bliley
        4. HIPAA and HITECH
        5. Payment Card Industry Data Security Standard (PCI DSS)
        6. Other Regulations
      2. Legal Issues
        1. Intellectual Property
      3. Privacy
        1. Privacy Policy
        2. Personally Identifiable Information
        3. Personal Health Information
        4. Breach Notifications
        5. Data Protection Principles
        6. California Consumer Privacy Act 2018 (AB 375)
      4. Security Standards
        1. ISO
        2. NIST
      5. Secure Software Architecture
        1. Security Frameworks
      6. Trusted Computing
        1. Principles
        2. Trusted Computing Base
        3. Trusted Platform Module
        4. Microsoft Trustworthy Computing Initiative
      7. Acquisition
        1. Definitions and Terminology
        2. Build vs. Buy Decision
        3. Outsourcing
        4. Contractual Terms and Service Level Agreements
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    4. Chapter 4 Software Development Methodologies
      1. Secure Development Lifecycle
        1. Principles
        2. Security vs. Quality
        3. Security Features != Secure Software
      2. Secure Development Lifecycle Components
        1. Software Team Awareness and Education
        2. Gates and Security Requirements
        3. Bug Tracking
        4. Threat Modeling
        5. Fuzzing
        6. Security Reviews
        7. Mitigations
      3. Software Development Models
        1. Waterfall
        2. Spiral
        3. Prototype
        4. Agile Methods
        5. Open Source
      4. Microsoft Security Development Lifecycle
        1. History
        2. SDL Foundation
        3. SDL Components
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  10. Part II Secure Software Requirements
    1. Chapter 5 Policy Decomposition
      1. Confidentiality, Integrity, and Availability Requirements
        1. Confidentiality
        2. Integrity
        3. Availability
      2. Authentication, Authorization, and Auditing Requirements
        1. Identification and Authentication
        2. Authorization
        3. Access Control Mechanisms
        4. Auditing
      3. Internal and External Requirements
        1. Internal
        2. External
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 6 Data Classification and Categorization
      1. Data Classification
        1. Data States
        2. Data Usage
        3. Data Risk Impact
      2. Data Ownership
        1. Data Owner
        2. Data Custodian
      3. Labeling
        1. Sensitivity
        2. Impact
      4. Types of Data
        1. Structured
        2. Unstructured
      5. Data Lifecycle
        1. Generation
        2. Retention
        3. Disposal
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 7 Requirements
      1. Functional Requirements
        1. Role and User Definitions
        2. Objects
        3. Activities/Actions
        4. Subject-Object-Activity Matrix
        5. Use Cases
        6. Abuse Cases (Inside and Outside Adversaries)
        7. Sequencing and Timing
        8. Secure Coding Standards
      2. Operational Requirements
        1. Deployment Environment
      3. Requirements Traceability Matrix
      4. Connecting the Dots
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  11. Part III Secure Software Design
    1. Chapter 8 Design Processes
      1. Attack Surface Evaluation
        1. Attack Surface Measurement
        2. Attack Surface Minimization
      2. Threat Modeling
        1. Threat Model Development
      3. Control Identification and Prioritization
      4. Risk Assessment for Code Reuse
      5. Documentation
      6. Design and Architecture Technical Review
      7. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 9 Design Considerations
      1. Application of Methods to Address Core Security Concepts
        1. Confidentiality, Integrity, and Availability
        2. Authentication, Authorization, and Auditing
        3. Secure Design Principles
        4. Interconnectivity
      2. Interfaces
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 10 Securing Commonly Used Architecture
      1. Distributed Computing
        1. Client Server
        2. Peer-to-Peer
        3. Message Queuing
      2. Service-Oriented Architecture
        1. Enterprise Service Bus
        2. Web Services
      3. Rich Internet Applications
        1. Client-Side Exploits or Threats
        2. Remote Code Execution
      4. Pervasive/Ubiquitous Computing
        1. Wireless
        2. Location-Based
        3. Constant Connectivity
        4. Radio Frequency Identification
        5. Near-Field Communication
        6. Sensor Networks
      5. Mobile Applications
      6. Integration with Existing Architectures
      7. Cloud Architectures
        1. Software as a Service
        2. Platform as a Service
        3. Infrastructure as a Service
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    4. Chapter 11 Technologies
      1. Authentication and Identity Management
        1. Identity Management
        2. Authentication
      2. Credential Management
        1. X.509 Credentials
        2. Single Sign-On
      3. Flow Control (Proxies, Firewalls, Middleware)
        1. Firewalls
        2. Proxies
        3. Application Firewalls
        4. Queuing Technology
      4. Logging
        1. Syslog
      5. Data Loss Prevention
      6. Virtualization
      7. Digital Rights Management
      8. Trusted Computing
        1. TCB
        2. TPM
        3. Malware
        4. Code Signing
      9. Database Security
        1. Encryption
        2. Triggers
        3. Views
        4. Privilege Management
      10. Programming Language Environment
        1. CLR
        2. JVM
        3. Compiler Switches
        4. Sandboxing
        5. Managed vs. Unmanaged Code
      11. Operating Systems
      12. Embedded Systems
        1. Control Systems
        2. Firmware
      13. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  12. Part IV Secure Software Implementation/Programming
    1. Chapter 12 Common Software Vulnerabilities and Countermeasures
      1. CWE/SANS Top 25 Vulnerability Categories
      2. OWASP Vulnerability Categories
      3. Common Vulnerabilities and Countermeasures
        1. Injection Attacks
        2. Cryptographic Failures
      4. Input Validation Failures
        1. Buffer Overflow
        2. Canonical Form
        3. Missing Defense Functions
        4. General Programming Failures
      5. Common Enumerations
        1. Common Weakness Enumerations (CWE)
        2. Common Vulnerabilities and Exposures (CVE)
      6. Virtualization
      7. Embedded Systems
      8. Side Channel
      9. Social Engineering Attacks
        1. Phishing
      10. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 13 Defensive Coding Practices
      1. Declarative vs. Programmatic Security
        1. Bootstrapping
        2. Cryptographic Agility
        3. Handling Configuration Parameters
      2. Memory Management
        1. Type-Safe Practice
        2. Locality
      3. Error Handling
        1. Exception Management
      4. Interface Coding
      5. Primary Mitigations
      6. Learning from Past Mistakes
      7. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 14 Secure Software Coding Operations
      1. Code Analysis (Static and Dynamic)
        1. Static
        2. Dynamic
      2. Code/Peer Review
      3. Build Environment
        1. Integrated Development Environment (IDE)
      4. Antitampering Techniques
      5. Configuration Management: Source Code and Versioning
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  13. Part V Secure Software Testing
    1. Chapter 15 Security Quality Assurance Testing
      1. Standards for Software Quality Assurance
        1. ISO 9216
        2. SSE-CMM
        3. OSSTMM
      2. Testing Methodology
      3. Functional Testing
        1. Unit Testing
        2. Integration or Systems Testing
        3. Performance Testing
        4. Regression Testing
      4. Security Testing
        1. White-Box Testing
        2. Black-Box Testing
        3. Grey-Box Testing
      5. Environment
      6. Bug Tracking
        1. Defects
        2. Errors
        3. Vulnerabilities
        4. Bug Bar
      7. Attack Surface Validation
      8. Testing Artifacts
      9. Test Data Lifecycle Management
        1. Chapter Review
        2. Quick Tips
        3. Questions
        4. Answers
    2. Chapter 16 Security Testing
      1. Scanning
        1. Attack Surface Analyzer
      2. Penetration Testing
      3. Fuzzing
      4. Simulation Testing
      5. Testing for Failure
      6. Cryptographic Validation
        1. FIPS 140-2
      7. Regression Testing
      8. Impact Assessment and Corrective Action
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  14. Part VI Secure Lifecycle Management
    1. Chapter 17 Secure Lifecycle Management
      1. Introduction to Acceptance
        1. Software Qualification Testing
        2. Qualification Testing Plan
        3. Qualification Testing Hierarchy
      2. Pre-release Activities
        1. Implementing the Pre-release Testing Process
        2. Completion Criteria
        3. Risk Acceptance
      3. Post-release Activities
        1. Validation and Verification
        2. Independent Testing
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  15. Part VII Software Deployment, Operations, and Maintenance
    1. Chapter 18 Secure Software Installation and Deployment
      1. Secure Software Installation and Its Subsequent Deployment
        1. Installation Validation and Verification
        2. Planning for Operational Use
      2. Configuration Management
        1. Organizing the Configuration Management Process
        2. Configuration Management Roles
        3. The Configuration Management Plan
        4. The Configuration Management Process
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 19 Secure Software Operations and Maintenance
      1. Secure Software Operations
        1. Operations Process Implementation
      2. The Software Maintenance Process
        1. Monitoring
        2. Incident Management
        3. Problem Management
        4. Change Management
        5. Backup, Recovery, and Archiving
      3. Secure DevOps
      4. Secure Software Disposal
        1. Software Disposal Planning
        2. Software Disposal Execution
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  16. Part VIII Supply Chain and Software Acquisition
    1. Chapter 20 Supply Chain and Software Acquisition
      1. Supplier Risk Assessment
        1. What Is Supplier Risk Assessment?
        2. Risk Assessment for Code Reuse
        3. Intellectual Property
        4. Legal Compliance
        5. Supplier Prequalification
      2. Supplier Sourcing
        1. Contractual Integrity Controls
        2. Vendor Technical Integrity Controls for Third-Party Suppliers
        3. Managed Services
        4. Service Level Agreements
      3. Software Development and Testing
        1. Code Testing
        2. Security Testing Controls
        3. Software Requirements Testing and Validation
        4. Software Requirements Testing and Validation for Subcontractors
      4. Software Delivery, Operations, and Maintenance
        1. Chain of Custody
        2. Publishing and Dissemination Controls
        3. System-of-Systems Integration
        4. Software Authenticity and Integrity
        5. Product Deployment and Sustainment Controls
        6. Monitoring and Incident Management
        7. Vulnerability Management, Tracking, and Resolution
      5. Supplier Transitioning
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Appendix About the Online Content
      1. System Requirements
      2. Your Total Seminars Training Hub Account
        1. Privacy Notice
      3. Single User License Terms and Conditions
      4. TotalTester Online
      5. Technical Support
  17. Glossary
  18. Index

Product information

  • Title: CSSLP Certification All-in-One Exam Guide, Second Edition, 2nd Edition
  • Publisher(s): McGraw-Hill