Official (ISC)2 Guide to the CSSLP CBK, 2nd Edition

Official (ISC)2 Guide to the CSSLP CBK, 2nd Edition

by Mano Paul
Released August 2013
Publisher(s): Auerbach Publications
ISBN: 9781000758115

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Application vulnerabilities continue to top the list of cyber security concerns. While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previous, rediscovered threats. The text allows readers to learn about software security from a renowned security practitioner who is the appointed software assurance advisor for (ISC)2. Complete with numerous illustrations, it makes complex security concepts easy to understand and implement. In addition to being a valuable resource for those studying for the CSSLP examination, this book is also an indispensable software security reference for those already part of the certified elite. A robust and comprehensive appendix makes this book a time-saving resource for anyone involved in secure software development.

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Foreword
  7. About the Author
  8. Contributors
  9. Introduction
  10. Domain 1 - Secure Software Concepts
    1. Holistic Security
      1. Implementation Challenges
        1. Iron Triangle Constraints
        2. Security as an Afterthought
        3. Security vs. Usability
      2. Quality and Security
        1. Security Profile – What Makes Software Secure?
    2. Core Security Concepts
    3. Design Security Concepts
    4. Risk Management
      1. Terminology and Definitions
      2. Risk Management for Software
      3. Handling Risk
      4. Risk Management Concept: Summary
    5. Security Policies: The ‘What’ and ‘Why’ for Security
      1. Scope of the Security Policies
      2. Prerequisites for Security Policy Development
      3. Security Policy Development Process
      4. Security Standards
        1. Types of Security Standards
        2. Internal Coding Standards
        3. NIST Standards
        4. Federal Information Processing (FIPS) standards
        5. ISO Standards
        6. PCI Standards
        7. Organization for the Advancement of Structured Information Standards (OASIS)
        8. Benefits of Security Standards
      5. Best Practices
        1. Open Web Application Security Project (OWASP)
        2. Information Technology Infrastructure Library (ITIL)
    6. Software Development Methodologies
      1. Waterfall Model
      2. Iterative Model
      3. Spiral Model
      4. Agile Development Methodologies
      5. Software Assurance Methodologies
        1. Socratic Methodology
        2. Six Sigma (6 σ)
        3. Capability Maturity Model Integration (CMMI)
        4. Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®)
        5. STRIDE and DREAD
        6. Open Source Security Testing Methodology Manual (OSSTMM)
        7. Flaw Hypothesis Method (FHM)
      6. Enterprise Application and Security Frameworks
        1. Zachman Framework
        2. Control Objectives for Information and related Technology (COBIT®)
        3. Committee of Sponsoring Organizations (COSO)
        4. Sherwood Applied Business Security Architecture (SABSA)
    7. Regulations, Privacy and Compliance
      1. Significant Regulations and Privacy Acts
        1. Sarbanes-Oxley Act (SOX)
        2. BASEL II
        3. Gramm-Leach-Bliley Act (GLB Act)
        4. Health Insurance Portability and Accountability Act (HIPAA)
        5. Data Protection Act
        6. Computer Misuse Act
        7. Mobile Device Privacy Act
        8. State Security Breach Laws
      2. Privacy and Software Development
        1. Data Anonymization
        2. Disposition
        3. Security Models
      3. Trusted Computing
        1. Ring Protection
        2. Trust Boundary (or Security Perimeter)
        3. Trusted Computing Base (TCB)
        4. Reference Monitor
      4. Acquisitions
  11. Domain 2 - Secure Software Requirements
    1. Sources for Security Requirements
      1. Types of Security Requirements
        1. Core Security Requirements
        2. General Requirements
        3. Operational Requirements
        4. Other Requirements
      2. Protection Needs Elicitation (PNE)
        1. Brainstorming
        2. Surveys (Questionnaires and Interviews)
    2. Policy Decomposition
    3. Data Classification
    4. Subject/Object Matrix
      1. Use Case & Misuse Case Modeling
    5. Requirements Traceability Matrix (RTM)
  12. Domain 3 - Secure Software Design
    1. The Need for Secure Design
      1. Flaws versus Bugs
      2. Architecting Software with Core Security Concepts
        1. Confidentiality Design
      3. Integrity Design
        1. Availability Design
        2. Authentication Design
        3. Authorization Design
        4. Accountability Design
      4. Architecting Software with Secure Design Principles
        1. Least Privilege
        2. Separation of Duties
        3. Defense in Depth
        4. Fail Secure
        5. Economy of Mechanisms
        6. Complete Mediation
        7. Open Design
        8. Least Common Mechanisms
        9. Psychological Acceptability
        10. Weakest Link
        11. Leveraging Existing Components
        12. Balancing Secure Design Principles
      5. Other Design Considerations
        1. Interface Design
        2. Interconnectivity
    2. Design Processes
      1. Attack Surface Evaluation
      2. Threat Modeling
    3. Architectures
      1. Mainframe Architecture
      2. Distributed Computing
      3. Service Oriented Architecture
      4. Rich Internet Applications
      5. Pervasive/Ubiquitous Computing
      6. Cloud Computing
      7. Mobile Applications
      8. Integration with Existing Architectures
    4. Technologies
      1. Authentication
      2. Identity Management
      3. Credential Management
      4. Flow Control
      5. Auditing (Logging)
      6. Trusted Computing
      7. Database Security
      8. Programming Language Environment
      9. Operating Systems
      10. Embedded Systems
      11. Secure Design and Architecture Review
  13. Domain 4 - Secure Software Implementation/Coding
    1. Who is to be Blamed for Insecure Software?
      1. Fundamental Concepts of Programming
        1. Computer Architecture
        2. Evolution of Programming Languages
    2. Common Software Vulnerabilities and Controls
      1. Buffer Overflow
      2. Stack Overflow
      3. Heap Overflow
      4. Injection Flaws
      5. Broken Authentication and Session Management
      6. Cross-Site Scripting (XSS)
      7. Non-persistent or Reflected XSS
      8. Persistent or Stored XSS
      9. DOM based XSS
      10. Insecure Direct Object References
      11. Security Misconfiguration
      12. Sensitive Data Exposure
      13. Missing Function Level Checks
      14. Cross-Site Request Forgery (CSRF)
      15. Using Known Vulnerable Components
      16. Unvalidated Redirects and Forwards
      17. File Attacks
      18. Race Condition
      19. Side Channel Attacks
    3. Defensive Coding Practices – Concepts and Techniques
      1. Input Validation
      2. Canonicalization
      3. Sanitization
      4. Error Handling
      5. Safe APIs
      6. Memory Management
      7. Exception Management
      8. Session Management
      9. Configuration Parameters Management
      10. Secure Startup
      11. Cryptography
      12. Concurrency
      13. Tokenization
      14. Sandboxing
      15. Anti-Tampering
    4. Secure Software Processes
      1. Version (Configuration Management)
      2. Code Analysis
      3. Code/Peer Review
      4. Securing Build Environments
  14. Domain 5 - Secure Software Testing
    1. Quality Assurance
      1. Testing Artifacts
        1. Test Strategy
        2. Test Plan
        3. Test Case
        4. Test Script
        5. Test Suite
        6. Test Harness
      2. Types of Software QA Testing
        1. Functional Testing
        2. Non-Functional Testing
        3. Other Testing
    2. Attack Surface Validation (Security Testing)
      1. Motives, Opportunities and Means
      2. Testing of Security Functionality versus Security Testing
      3. The Need for Security Testing
      4. Security Testing Methods
        1. White Box Testing
        2. Black Box Testing
        3. White Box Testing versus Black Box Testing
      5. Types of Security Testing
        1. Cryptographic Validation Testing
        2. Scanning
        3. Fuzzing
      6. Software Security Testing
        1. Testing for Input Validation
        2. Testing for Injection Flaws Controls
        3. Testing for Scripting Attacks Controls
        4. Testing for Non-repudiation Controls
        5. Testing for Spoofing Controls
        6. Testing for Error and Exception Handling Controls (Failure Testing)
        7. Testing for Privileges Escalations Controls
        8. Anti-Reversing Protection Testing
      7. Tools for Security Testing
    3. Test Data Management
      1. Defect Reporting and Tracking
        1. Reporting Defects
        2. Tracking Defects
        3. Impact Assessment and Corrective Action
  15. Domain 6 - Software Acceptance
    1. Guidelines for Software Acceptance
      1. Benefits of Accepting Software Formally
      2. Software Acceptance Considerations
        1. Completion Criteria
        2. Change Management
        3. Approval to Deploy or Release
        4. Risk Acceptance and Exception Policy
        5. Documentation of Software
    2. Verification and Validation (V&V)
      1. Reviews
      2. Testing
      3. Certification and Accreditation (C&A)
  16. Domain 7 - Software Deployment, Operations, Maintenance, and Disposal
    1. Installation and Deployment
      1. Hardening
      2. Environment Configuration
      3. Release Management
      4. Bootstrapping and Secure Startup
    2. Operations and Maintenance
      1. Monitoring
      2. Incident Management
      3. Problem Management
      4. Change Management
      5. Backups, Recovery and Archiving
    3. Disposal
      1. End-of-Life Policies
      2. Sun-Setting Criteria
      3. Sun-setting Processes
      4. Information Disposal and Media Sanitization
  17. Domain 8 - Supply Chain and Software Acquisition
    1. Software Acquisition and the Supply Chain
      1. Acquisition Lifecycle
      2. Software Acquisition Models and Benefits
      3. Supply Chain Software Goals
      4. Threats to Supply Chain Software
      5. Software Supply Chain Risk Management (SCRM)
      6. Supplier Risk Assessment and Management
      7. Supplier Sourcing
      8. Contractual Controls
      9. Intellectual Property (IP) Ownership and Responsibilities
        1. Types of Intellectual Property (IP)
        2. Licensing (Usage and Redistribution Terms)
    2. Software Development and Testing
      1. Assurance Requirement Conformance Validation
      2. Code Review
        1. Code Repository Security
        2. Build Tools and Environment Integrity
        3. Testing for Code Security
      3. Software SCRM during Acceptance
        1. Anti-Tampering Resistance and Controls
        2. Authenticity and Anti-Counterfeiting Controls
        3. Supplier Claims Verification
    3. Software SCRM during Delivery (Handover)
      1. Chain of Custody
        1. Secure Transfer
        2. Code Escrows
        3. Export Control and Foreign Trade Data Regulations Compliance
      2. Software SCRM during Deployment (Installation/Configuration)
        1. Secure Configuration
        2. Perimeter (Network) Security Controls
        3. System-of-Systems (SoS) Security
      3. Software SCRM during Operations and Maintenance
        1. Runtime Integrity Assurance
        2. Patching and Upgrades
        3. Termination Access Controls
        4. Custom Code Extensions Checks
        5. Continuous Monitoring and Incident Management
    4. Software SCRM during Retirement
  18. Appendix A - Answers to Review Questions
  19. Appendix B - Security Models
  20. Appendix C - Threat Modeling
  21. Appendix D - Commonly Used Opcodes in Assembly
  22. Appendix E - HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
  23. Appendix F - Security Testing Tools
  24. Index

Product information

  • Title: Official (ISC)2 Guide to the CSSLP CBK, 2nd Edition
  • Author(s): Mano Paul
  • Release date: August 2013
  • Publisher(s): Auerbach Publications
  • ISBN: 9781000758115