CSSLP SECURE SOFTWARE LIFECYCLE PROFESSIONAL ALL-IN-ONE EXAM GUIDE, Third Edition, 3rd Edition

Book description

Providing 100% coverage of the latest CSSLP exam, this self-study guide offers everything you need to ace the exam.

CSSLP Certification All-in-One Exam Guide, Third Edition covers all eight exam domains of the challenging CSSLP exam, developed by the International Information Systems Security Certification Consortium (ISC)²®. Thoroughly revised and updated for the latest exam release, this guide includes real-world examples and comprehensive coverage of all aspects of application security within the entire software development lifecycle. It also includes hands-on exercises, chapter review summaries and notes, tips, and cautions that provide real-world insight and call out potentially harmful situations.

With access to 350 exam questions online, you can practice either with full-length, timed mock exams or by creating your own custom quizzes by chapter or exam objective.

CSSLP Certification All-in-One Exam Guide, Third Edition provides thorough coverage of all eight exam domains:

  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Design
  • Secure Software Implementation Programming
  • Secure Software Testing
  • Secure Lifecycle Management
  • Software Deployment, Operations, and Maintenance
  • Supply Chain and Software Acquisition

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. Contents at a Glance
  7. Contents
  8. Acknowledgments
  9. Introduction
  10. Exam Objective Map
  11. Part I Secure Software Concepts
    1. Chapter 1 Core Concepts
      1. Confidentiality
        1. Implementing Confidentiality
      2. Integrity
        1. Implementing Integrity
      3. Availability
      4. Authentication
        1. Multifactor Authentication
        2. Identity Management
        3. Identity Provider
        4. Identity Attributes
        5. Certificates
        6. Identity Tokens
        7. SSH Keys
        8. Smart Cards
        9. Implementing Authentication
        10. Credential Management
      5. Authorization
        1. Access Control Mechanisms
      6. Accountability (Auditing and Logging)
        1. Logging
        2. Syslog
      7. Nonrepudiation
      8. Secure Development Lifecycle
        1. Security vs. Quality
        2. Security Features != Secure Software
      9. Secure Development Lifecycle Components
        1. Software Team Awareness and Education
        2. Gates and Security Requirements
        3. Bug Tracking
        4. Threat Modeling
        5. Fuzzing
        6. Security Reviews
        7. Mitigations
      10. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 2 Security Design Principles
      1. System Tenets
        1. Session Management
        2. Exception Management
        3. Configuration Management
      2. Secure Design Tenets
        1. Good Enough Security
        2. Least Privilege
        3. Separation of Duties
        4. Defense in Depth
        5. Fail-Safe
        6. Economy of Mechanism
        7. Complete Mediation
        8. Open Design
        9. Least Common Mechanism
        10. Psychological Acceptability
        11. Weakest Link
        12. Leverage Existing Components
        13. Single Point of Failure
      3. Security Models
        1. Access Control Models
        2. Multilevel Security Model
        3. Integrity Models
        4. Information Flow Models
      4. Adversaries
        1. Adversary Type
        2. Adversary Groups
        3. Threat Landscape Shift
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  12. Part II Secure Software Requirements
    1. Chapter 3 Define Software Security Requirements
      1. Functional Requirements
        1. Role and User Definitions
        2. Objects
        3. Activities/Actions
        4. Subject-Object-Activity Matrix
        5. Use Cases
        6. Sequencing and Timing
        7. Secure Coding Standards
      2. Operational and Deployment Requirements
      3. Connecting the Dots
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 4 Identify and Analyze Compliance Requirements
      1. Regulations and Compliance
        1. Security Standards
        2. ISO
        3. NIST
        4. FISMA
        5. Sarbanes-Oxley
        6. Gramm-Leach-Bliley
        7. HIPAA and HITECH
        8. Payment Card Industry Data Security Standard
        9. Other Regulations
        10. Legal Issues
        11. Intellectual Property
      2. Data Classification
        1. Data States
        2. Data Usage
        3. Data Risk Impact
        4. Data Lifecycle
        5. Generation
        6. Data Ownership
        7. Data Owner
        8. Data Custodian
        9. Labeling
        10. Sensitivity
        11. Impact
      3. Privacy
        1. Privacy Policy
        2. Personally Identifiable Information
        3. Personal Health Information
        4. Breach Notifications
        5. General Data Protection Regulation
        6. California Consumer Privacy Act 2018 (AB 375)
        7. Privacy-Enhancing Technologies
        8. Data Minimization
        9. Data Masking
        10. Tokenization
        11. Anonymization
        12. Pseudo-anonymization
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 5 Misuse and Abuse Cases
      1. Misuse/Abuse Cases
      2. Requirements Traceability Matrix
      3. Software Acquisition
        1. Definitions and Terminology
        2. Build vs. Buy Decision
        3. Outsourcing
        4. Contractual Terms and Service Level Agreements
        5. Requirements Flow Down to Suppliers/Providers
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  13. Part III Secure Software Architecture and Design
    1. Chapter 6 Secure Software Architecture
      1. Perform Threat Modeling
        1. Threat Model Development
        2. Attack Surface Evaluation
        3. Attack Surface Measurement
        4. Attack Surface Minimization
        5. Threat Intelligence
        6. Threat Hunting
      2. Define the Security Architecture
        1. Security Control Identification and Prioritization
        2. Distributed Computing
        3. Service-Oriented Architecture
        4. Web Services
        5. Rich Internet Applications
        6. Pervasive/Ubiquitous Computing
        7. Embedded
        8. Cloud Architectures
        9. Mobile Applications
        10. Hardware Platform Concerns
        11. Cognitive Computing
        12. Control Systems
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 7 Secure Software Design
      1. Performing Secure Interface Design
        1. Logging
        2. Protocol Design Choices
      2. Performing Architectural Risk Assessment
      3. Model (Nonfunctional) Security Properties and Constraints
      4. Model and Classify Data
        1. Types of Data
        2. Structured
        3. Unstructured
      5. Evaluate and Select Reusable Secure Design
        1. Creating a Practical Reuse Plan
        2. Credential Management
        3. Flow Control
        4. Data Loss Prevention
        5. Virtualization
        6. Trusted Computing
        7. Database Security
        8. Programming Language Environment
        9. Operating System Controls and Services
        10. Secure Backup and Restoration Planning
        11. Secure Data Retention, Retrieval, and Destruction
      6. Perform Security Architecture and Design Review
      7. Define Secure Operational Architecture
      8. Use Secure Architecture and Design Principles, Patterns, and Tools
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  14. Part IV Secure Software Implementation
    1. Chapter 8 Secure Coding Practices
      1. Declarative vs. Imperative Security
        1. Bootstrapping
        2. Cryptographic Agility
        3. Handling Configuration Parameters
      2. Memory Management
        1. Type-Safe Practice
        2. Locality
      3. Error Handling
      4. Interface Coding
      5. Primary Mitigations
      6. Learning from Past Mistakes
      7. Secure Design Principles
        1. Good Enough Security
        2. Least Privilege
        3. Separation of Duties
        4. Defense in Depth
        5. Fail Safe
        6. Economy of Mechanism
        7. Complete Mediation
        8. Open Design
        9. Least Common Mechanism
        10. Psychological Acceptability
        11. Weakest Link
        12. Leverage Existing Components
        13. Single Point of Failure
      8. Interconnectivity
        1. Session Management
        2. Exception Management
        3. Configuration Management
      9. Cryptographic Failures
        1. Hard-Coded Credentials
        2. Missing Encryption of Sensitive Data
        3. Use of a Broken or Risky Cryptographic Algorithm
        4. Download of Code Without Integrity Check
        5. Use of a One-Way Hash Without a Salt
      10. Input Validation Failures
        1. Buffer Overflow
        2. Canonical Form
        3. Missing Defense Functions
        4. Output Validation Failures
      11. General Programming Failures
        1. Sequencing and Timing
      12. Technology Solutions
      13. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 9 Analyze Code for Security Risks
      1. Code Analysis (Static and Dynamic)
        1. Static Application Security Testing
        2. Dynamic Application Security Testing
        3. Interactive Application Security Testing
        4. Runtime Application Self-Protection
      2. Code/Peer Review
      3. Code Review Objectives
      4. Additional Sources of Vulnerability Information
      5. CWE/SANS Top 25 Vulnerability Categories
      6. OWASP Vulnerability Categories
      7. Common Vulnerabilities and Countermeasures
        1. Injection Attacks
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 10 Implement Security Controls
      1. Security Risks
      2. Implement Security Controls
      3. Applying Security via the Build Environment
        1. Integrated Development Environment
      4. Anti-tampering Techniques
        1. Code Signing
        2. Configuration Management: Source Code and Versioning
        3. Code Obfuscation
      5. Defensive Coding Techniques
        1. Declarative vs. Programmatic Security
        2. Bootstrapping
        3. Cryptographic Agility
        4. Handling Configuration Parameters
        5. Interface Coding
        6. Memory Management
      6. Primary Mitigations
      7. Secure Integration of Components
        1. Secure Reuse of Third-Party Code or Libraries
        2. System-of-Systems Integration
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  15. Part V Secure Software Testing
    1. Chapter 11 Security Test Cases
      1. Security Test Cases
      2. Attack Surface Evaluation
      3. Penetration Testing
      4. Common Methods
        1. Fuzzing
        2. Scanning
        3. Simulations
        4. Failure Modes
        5. Cryptographic Validation
        6. Regression Testing
        7. Integration Testing
        8. Continuous Testing
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 12 Security Testing Strategy and Plan
      1. Develop a Security Testing Strategy and a Plan
      2. Functional Security Testing
        1. Unit Testing
      3. Nonfunctional Security Testing
      4. Testing Techniques
        1. White-Box Testing
        2. Black-Box Testing
        3. Gray-Box Testing
        4. Testing Environment
      5. Environment
      6. Standards
        1. ISO/IEC 25010:2011
        2. SSE-CMM
        3. OSSTMM
      7. Crowd Sourcing
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 13 Software Testing and Acceptance
      1. Perform Verification and Validation Testing
        1. Software Qualification Testing
        2. Qualification Testing Hierarchy
      2. Identify Undocumented Functionality
      3. Analyze Security Implications of Test Results
      4. Classify and Track Security Errors
        1. Bug Tracking
        2. Defects
        3. Errors
        4. Bug Bar
        5. Risk Scoring
      5. Secure Test Data
        1. Generate Test Data
        2. Reuse of Production Data
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  16. Part VI Secure Software Lifecycle Management
    1. Chapter 14 Secure Configuration and Version Control
      1. Secure Configuration and Version Control
      2. Define Strategy and Roadmap
      3. Manage Security Within a Software Development Methodology
        1. Security in Adaptive Methodologies
        2. Security in Predictive Methodologies
      4. Identify Security Standards and Frameworks
      5. Define and Develop Security Documentation
      6. Develop Security Metrics
      7. Decommission Software
        1. End-of-Life Policies
        2. Data Disposition
      8. Report Security Status
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 15 Software Risk Management
      1. Incorporate Integrated Risk Management
        1. Regulations and Compliance
        2. Legal
        3. Standards and Guidelines
        4. Risk Management
        5. Terminology
        6. Technical Risk vs. Business Risk
      2. Promote Security Culture in Software Development
        1. Security Champions
        2. Security Education and Guidance
      3. Implement Continuous Improvement
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  17. Part VII Secure Software Deployment, Operations, Maintenance
    1. Chapter 16 Secure Software Deployment
      1. Perform Operational Risk Analysis
        1. Deployment Environment
        2. Personnel Training
        3. Safety Criticality
        4. System Integration
      2. Release Software Securely
        1. Secure Continuous Integration and Continuous Delivery Pipeline
        2. Secure Software Tool Chain
        3. Build Artifact Verification
      3. Securely Store and Manage Security Data
        1. Credentials
        2. Secrets
        3. Keys/Certificates
        4. Configurations
      4. Ensure Secure Installation
        1. Bootstrapping
        2. Least Privilege
        3. Environment Hardening
        4. Secure Activation
        5. Security Policy Implementation
        6. Secrets Injection
      5. Perform Post-Deployment Security Testing
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 17 Secure Software Operations and Maintenance
      1. Obtain Security Approval to Operate
      2. Perform Information Security Continuous Monitoring
        1. Collect and Analyze Security Observable Data
        2. Threat Intel
        3. Intrusion Detection/Response
        4. Secure Configuration
        5. Regulation Changes
      3. Support Incident Response
        1. Root-Cause Analysis
        2. Incident Triage
        3. Forensics
      4. Perform Patch Management
      5. Perform Vulnerability Management
      6. Runtime Protection
      7. Support Continuity of Operations
        1. Backup, Archiving, Retention
        2. Disaster Recovery
        3. Resiliency
      8. Integrate Service Level Objectives and Service Level Agreements
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  18. Part VIII Secure Software Supply Chain
    1. Chapter 18 Software Supply Chain Risk Management
      1. Implement Software Supply Chain Risk Management
      2. Analyze Security of Third-Party Software
      3. Verify Pedigree and Provenance
        1. Secure Transfer
        2. System Sharing/Interconnections
        3. Code Repository Security
        4. Build Environment Security
        5. Cryptographically Hashed, Digitally Signed Components
        6. Right to Audit
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 19 Supplier Security Requirements
      1. Ensure Supplier Security Requirements in the Acquisition Process
        1. Supplier Sourcing
        2. Supplier Transitioning
        3. Audit of Security Policy Compliance
        4. Vulnerability/Incident Notification, Response, Coordination, and Reporting
        5. Maintenance and Support Structure
        6. Security Track Record
      2. Support Contractual Requirements
        1. Intellectual Property
        2. Legal Compliance
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  19. Part IX Appendix and Glossary
    1. Appendix About the Online Content
      1. System Requirements
      2. Your Total Seminars Training Hub Account
        1. Privacy Notice
      3. Single User License Terms and Conditions
      4. TotalTester Online
      5. Technical Support
  20. Glossary
  21. Index

Product information

  • Title: CSSLP SECURE SOFTWARE LIFECYCLE PROFESSIONAL ALL-IN-ONE EXAM GUIDE, Third Edition, 3rd Edition
  • Author(s): Wm. Arthur Conklin, Daniel Paul Shoemaker
  • Release date: February 2022
  • Publisher(s): McGraw-Hill
  • ISBN: 9781264258215