Book description
The first test prep guide for the new ISC2 Certified Secure Software Lifecycle Professional exam
The CSSLP (Certified Secure Software Lifecycle Professional) is a new certification that incorporates government standards and best practices for secure software development. It emphasizes the application of secure software methodologies during the software development cycle. If you're an IT professional, security professional, software developer, project manager, software assurance tester, executive manager or employee of a government agency in a related field, your career may benefit from this certification.
Written by experts in computer systems and security, The CSSLP Prep Guide thoroughly covers all aspects of the CSSLP certification exam, with hundreds of sample test questions and answers available on the accompanying CD.
The Certified Secure Software Lifecycle Professional (CSSLP) is an international certification incorporating new government, commercial, and university derived secure software development methods; it is a natural complement to the CISSP credential
The study guide covers the seven domains of the CSSLP Common Body of Knowledge (CBK), namely Secure Software Concepts, Secure Software Requirements, Secure Software Design, Secure Software Implementation/Coding and Testing, Secure Software Testing, Software Acceptance, and Software Deployment, Operations, Maintenance and Disposal
Provides in-depth exploration and explanation of the seven CSSLP domains
Includes a CD with hundreds of practice exam questions and answers
The CSSLP Prep Guide prepares you for the certification exam and career advancement.
Table of contents
- Copyright
- About the Authors
- Credits
- Acknowledgments
- Introduction
- 1. Secure Software Concepts
- 1.1. Confidentiality, Integrity, and Availability
- 1.2. Authentication, Authorization, Auditing, and Accountability
- 1.3. Security Design Principles
- 1.4. Risk Management
- 1.5. Regulations, Privacy, and Compliance
- 1.6. Software Architecture
- 1.7. Software Development Methodologies
- 1.8. Intellectual Property and Privacy Legal Issues
- 1.9. Standards and Guidelines
- 1.10. Information Security Models
- 1.11. Trusted Computing
- 1.12. Acquisition Assurance Issues
- 1.13. Summary
- 1.14. Assessment Questions
- 2. Secure Software Requirements
- 2.1. Approaches to Software Requirements Engineering
- 2.2. Security Policy Decomposition
- 2.2.1. Considerations in the SDLC
- 2.2.2. NIST 33 Security Principles
- 2.2.3. Information Security Policy Implementation and Decomposition
- 2.3. Identification of Data and Gathering of Threat Information
- 2.4. Summary
- 2.5. Assessment Questions
- 3. Secure Software Design
- 3.1. Design Processes
- 3.2. Design Considerations
- 3.2.1. Confidentiality, Integrity, and Availability
- 3.2.2. Authentication, Authorization, and Auditing
- 3.2.3. Security Design Principles
- 3.2.3.1. General Principle 1: Minimize the Number of High-Consequence Targets
- 3.2.3.2. General Principle 2: Don't Expose Vulnerable or High-Consequence Components
- 3.2.3.2.1. Keep Program Data, Executables, and Program Control/Configuration Data Separated
- 3.2.3.2.2. Segregate Trusted Entities from Untrusted Entities
- 3.2.3.2.3. Minimize the Number of Entry and Exit Points into and out of Any Entity
- 3.2.3.2.4. Assume Environment Data Is Not Trustworthy
- 3.2.3.2.5. Use Only Safe Interfaces to Environment Resources
- 3.2.3.3. General Principle 3: Deny Attackers the Means to Compromise
- 3.2.3.3.1. Simplify the Design
- 3.2.3.3.2. Hold All Actors Accountable, Not Just Human Users
- 3.2.3.3.3. Avoid Timing, Synchronization, and Sequencing Issues
- 3.2.3.3.4. Make Secure States Easy to Enter and Vulnerable States Difficult to Enter
- 3.2.3.3.5. Design for Controllability
- 3.2.3.3.6. Design for Secure Failure
- 3.2.3.3.7. Design for Survivability
- 3.2.3.3.8. Do Not Trust Client-Originated Data
- 3.2.4. Security Design Patterns
- 3.2.5. Interconnectivity
- 3.2.6. Security Management Interfaces
- 3.2.7. Identity Management
- 3.3. Architecture
- 3.4. Technologies
- 3.5. Design and Architecture Technical Review
- 3.6. Summary
- 3.7. Assessment Questions
- 4. Secure Software Implementation/Coding
- 4.1. Declarative versus Programmatic Security
- 4.2. Common Software Vulnerabilities and Countermeasures
- 4.3. Defensive Coding Practices
- 4.4. Exception Handling
- 4.5. Configuration Management
- 4.6. Build Environment
- 4.7. Code/Peer Review
- 4.8. Code Analysis
- 4.9. Anti-tampering Techniques
- 4.10. Interface Coding
- 4.11. Summary
- 4.12. Assessment Questions
- 5. Secure Software Testing
- 5.1. Testing for Security Quality Assurance
- 5.2. Test Types
- 5.2.1. Testing Concepts
- 5.2.2. Penetration Testing
- 5.2.3. Fuzzing
- 5.2.4. Scanning
- 5.2.5. Simulation Testing
- 5.3. Testing for Failure
- 5.4. Cryptographic Validation
- 5.5. Impact Assessment and Corrective Action
- 5.6. Standards for Software Quality Assurance
- 5.7. Regression Testing
- 5.8. Summary
- 5.9. Assessment Questions
- 6. Software Acceptance
- 6.1. Pre-release or Pre-deployment Activities
- 6.2. Post-release Activities
- 6.2.1. Verification and Validation
- 6.2.2. Certification and Accreditation
- 6.2.2.1. International Organization for Standardization Certification
- 6.2.2.2. BITS Certification
- 6.2.2.3. ICSA Labs Antivirus Product Certification
- 6.2.2.4. Election Assistance Commission Certification
- 6.2.2.5. Defense Information Assurance Certification and Accreditation Process
- 6.2.2.6. Intelligence Community Directive 503
- 6.2.2.7. Federal Information Security Management Act
- 6.2.2.8. FIPS 199
- 6.2.2.9. Section 508 Compliance
- 6.2.2.10. FIPS 140 Certification
- 6.2.2.11. Certification and Accreditation (C&A) Transformation Initiative
- 6.2.3. Independent Testing
- 6.3. Summary
- 6.4. Assessment Questions
- 7. Software Deployment, Operations, and Maintenance
- 7.1. Installation and Deployment
- 7.2. Operations and Maintenance
- 7.3. Monitoring and Auditing
- 7.3.1. Monitoring
- 7.3.2. Auditing
- 7.3.3. Incident Management
- 7.3.4. Layered Security and IDS
- 7.3.5. Computer Security and Incident Response Teams
- 7.3.6. Security Incident Notification Process
- 7.3.7. Automated Notice and Recovery Mechanisms
- 7.3.8. Problem Management
- 7.3.9. Maintenance
- 7.3.10. Patching
- 7.4. End-of-Life Policies
- 7.5. Summary
- 7.6. Assessment Questions
- A. Answers to Assessment Questions
- Glossary of Terms and Acronyms
Product information
- Title: The CSSLP™ Prep Guide: Mastering the Certified Secure Software Lifecycle Professional
- Author(s):
- Release date: August 2009
- Publisher(s): Wiley
- ISBN: 9780470461907