top of page
This site was designed with the
.com
website builder. Create your website today.Start Now
Search
  • Writer's pictureKaty Morgan
    • Apr 17, 2021
    • 8 min read

Introduction to ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Exam

The ISC2 CSSLP Exam is challenging and thorough preparation is essential for success. This exam study guide is designed to help you prepare for the CSSLP certification exam. It contains a detailed list of the topics covered on the Professional exam, as well as a detailed list of preparation resources. These study guides for the ISC2 Secure Software Lifecycle Professional will help guide you through the study process for your certification.

CSSLP ISC2 Secure Software Lifecycle Professional Exam Summary

Exam Name: ISC2 Secure Software Lifecycle Professional

Exam Code: CSSLP

Exam Price: $599 (USD)

Duration: 180 mins

Number of Questions: 125

Passing Score: 700/1000

Schedule Exam: Pearson VUE

Sample Questions: ISC2 CSSLP Sample Questions

Recommended Practice: ISC2 CSSLP Certification Practice Exam

Exam Syllabus: CSSLP ISC2 Certified Secure Software Lifecycle Professional

1. Secure Software Concepts - 10%

Core Concepts

- Confidentiality (e.g., covert, overt, encryption)

- Integrity (e.g., hashing, digital signatures, code signing, reliability, modifications, authenticity)

- Availability (e.g., redundancy, replication, clustering, scalability, resiliency)

- Authentication (e.g., multifactor authentication (MFA), identity & access management (IAM), single sign-on (SSO), federated identity)

- Authorization (e.g., access controls, permissions, entitlements)

- Accountability (e.g., auditing, logging)

- Nonrepudiation (e.g., digital signatures, block chain)

Security Design Principles

- Least privilege (e.g., access control, need-to-know, run-time privileges)

- Separation of duties (e.g., multi-party control, secret sharing and split knowledge)

- Defense in depth (e.g., layered controls, input validation, security zones)

- Resiliency (e.g., fail safe, fail secure, no Single Point of Failure (SPOF))

- Economy of mechanism (e.g., Single Sign-On (SSO), password vaults, resource)

- Complete mediation (e.g., cookie management, session management, caching of credentials)

- Open design (e.g., Kerckhoffs's principle)

- Least common mechanism (e.g., compartmentalization/isolation, white-listing)

- Psychological acceptability (e.g., password complexity, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), biometrics)

- Component reuse (e.g., common controls, libraries)

- Diversity of defense (e.g., geographical diversity, technical diversity, distributed systems)

2. Secure Software Requirements - 14%

Define Software Security Requirements

- Functional (e.g., business requirements, use cases, stories)

- Non-functional (e.g., operational, deployment, systemic qualities)

Identify and Analyze Compliance Requirements

Identify and Analyze Data Classification Requirements

- Data ownership (e.g., data owner, data custodian)

- Labeling (e.g., sensitivity, impact)

- Types of data (e.g., structured, unstructured data)

- Data life-cycle (e.g., generation, retention, disposal)

Identify and Analyze Privacy Requirements

Data anonymization

- User consent

- Disposition (e.g., right to be forgotten)

- Data retention

- Cross borders (e.g., data residency, jurisdiction, multi-national data processing boundaries)

Develop Misuse and Abuse Cases

Develop Security Requirement Traceability Matrix (STRM)

Ensure Security Requirements Flow Down to Suppliers/Providers


3. Secure Software Architecture and Design - 14%

Perform Threat Modeling

- Understand common threats (e.g., Advance Persistent Threat (APT), insider threat, common malware, third-party/supplier)

- Attack surface evaluation

- Threat intelligence (e.g., Identify credible relevant threats)

Define the Security Architecture

- Security control identification and prioritization

- Distributed computing (e.g., client server, peer-to-peer (P2P), message queuing)

- Service-oriented architecture (SOA) (e.g., Enterprise Service Bus (ESB), web services)

- Rich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity)

- Pervasive/ubiquitous computing (e.g., Internet of Things (IoT), wireless, location-based, Radio-Frequency Identification (RFID), near field communication, sensor networks)

- Embedded (e.g., secure update, Field-Programmable Gate Array (FPGA) security features, microcontroller security)

- Cloud architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))

- Mobile applications (e.g., implicit data collection privacy)

- Hardware platform concerns (e.g., side-channel mitigation, speculative execution mitigation, embedded Hardware Security Modules (HSM))

- Cognitive computing (e.g., Machine Learning (ML), Artificial Intelligence (AI))

- Control systems (e.g., industrial, medical, facility-related, automotive)

Performing Secure Interface Design

- Security management interfaces, Out-of-Band (OOB) management, log interfaces

- Upstream/downstream dependencies (e.g., key and data sharing between apps)

- Protocol design choices (e.g., Application Programming Interface (APIs), weaknesses, state, models)

Performing Architectural Risk Assessment

Model (Non-Functional) Security Properties and Constraints

Model and Classify Data

Evaluate and Select Reusable Secure Design

- Credential management (e.g., X.509 and Single Sign-On (SSO))

- Flow control (e.g., proxies, firewalls, protocols, queuing)

- Data loss prevention (DLP)

- Virtualization (e.g., software defined infrastructure, hypervisor, containers)

- Trusted computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))

- Database security (e.g., encryption, triggers, views, privilege management)

- Programming language environment (e.g., Common Language Runtime (CLR), Java Virtual Machine (JVM))

- Operating System (OS) controls and services

- Secure backup and restoration planning

- Secure data retention, retrieval, and destruction

Perform Security Architecture and Design Review

Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)

Use Secure Architecture and Design Principles, Patterns, and Tools


4. Secure Software Implementation - 14%

Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines and regulations)

- Declarative versus imperative (programmatic) security

- Concurrency (e.g., thread safety, database concurrency controls)

- Output sanitization (e.g., encoding, obfuscation)

- Error and exception handling

- Input validation

- Secure logging & auditing

- Session management

- Trusted/Untrusted Application Programming Interface (APIs), and libraries

- Type safety

- Resource management (e.g., compute, storage, network, memory management)

- Secure configuration management (e.g., parameter, default options, credentials)

- Tokenizing

- Isolation (e.g., sandboxing, virtualization, containers, Separation Kernel Protection Profiles (SKPP))

- Cryptography (e.g., payload, field level, transport, storage, agility, encryption, algorithm selection)

- Access control (e.g., trust zones, function permissions, Role Based Access Control (RBAC))

- Processor microarchitecture security extensions (e.g., Software Guard Extensions (SGX), Advanced Micro Devices (AMD) Secure Memory Encryption(SME)/Secure Encrypted Virtualization(SEV), ARM TrustZone)

Analyze Code for Security Risks

- Secure code reuse

- Vulnerability databases/lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumeration (CWE))

- Static Application Security Testing (SAST) (e.g., automated code coverage, linting)

- Dynamic Application Security Testing (DAST)

- Manual code review (e.g., individual, peer)

- Look for malicious code (e.g., backdoors, logic bombs, high entropy)

- Interactive Application Security Testing (IAST)

Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)

Address Security Risks (e.g. remediation, mitigation, transfer, accept)

Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))

Securely Integrate Components

- Systems-of-systems integration (e.g., trust contracts, security testing and analysis)

Apply Security During the Build Process

- Anti-tampering techniques (e.g., code signing, obfuscation)

- Compiler switches

- Address compiler warnings


5. Secure Software Testing - 14%

Develop Security Test Cases

- Attack surface validation

- Penetration tests

- Fuzzing (e.g., generated, mutated)

- Scanning (e.g., vulnerability, content, privacy)

- Simulation (e.g., simulating production environment and production data, synthetic workloads)

- Failure (e.g., fault injection, stress testing, break testing)

- Cryptographic validation (e.g., Pseudo-Random Number Generator (PRNG), entropy)

- Regression tests

- Integration tests

- Continuous (e.g., synthetic transactions)

Develop Security Testing Strategy and Plan

- Functional security testing (e.g., logic)

- Nonfunctional security testing (e.g., reliability, performance, scalability)

- Testing techniques (e.g., white box and black box)

- Environment (e.g., interoperability, test harness)

- Standards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual (OSSTMM), Software Engineering Institute (SEI))

- Crowd sourcing (e.g., bug bounty)

Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)

Identify Undocumented Functionality

Analyze Security Implications of Test Results (e.g., impact on product management, prioritization, break build criteria)

Classify and Track Security Errors

- Bug tracking (e.g., defects, errors and vulnerabilities)

- Risk Scoring (e.g., Common Vulnerability Scoring System (CVSS))

Secure Test Data

- Generate test data (e.g., referential integrity, statistical quality, production representative)

Perform Verification and Validation Testing

- Reuse of production data (e.g., obfuscation, sanitization, anonymization, tokenization, data aggregation mitigation)


6. Secure Software Lifecycle Management - 11%

Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)

Define Strategy and Roadmap

Manage Security Within a Software Development Methodology

- Security in adaptive methodologies (e.g., Agile methodologies)

- Security in predictive methodologies (e.g., Waterfall)

Identify Security Standards and Frameworks

Define and Develop Security Documentation

Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)

Decommission Software

- End of life policies (e.g., credential removal, configuration removal, license cancellation, archiving)

- Data disposition (e.g., retention, destruction, dependencies)

Report Security Status (e.g., reports, dashboards, feedback loops)

Incorporate Integrated Risk Management (IRM)

- Regulations and compliance

- Legal (e.g., intellectual property, breach notification)

- Standards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM))

- Risk management (e.g., mitigate, accept, transfer, avoid)

- Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)

- Technical risk vs. business risk

Promote Security Culture in Software Development

- Security champions

- Security education and guidance

Implement Continuous Improvement (e.g., retrospective, lessons learned)


7. Secure Software Deployment, Operations, Maintenance - 12%

Perform Operational Risk Analysis

- Deployment environment

- Personnel training (e.g., administrators vs. users)

- Safety criticality

- System integration

Release Software Securely

- Secure Continuous Integration and Continuous Delivery (CI/CD) pipeline

- Secure software tool chain

- Build artifact verification (e.g., code signing, checksums, hashes)

Securely Store and Manage Security Data

- Credentials

- Secrets

- Keys/certificates

- Configurations

Ensure Secure Installation

- Bootstrapping (e.g., key generation, access, management)

- Least privilege

- Environment hardening

- Secure activation (e.g., credentials, white listing, device configuration, network configuration, licensing)

- Security policy implementation

- Secrets injection (e.g., certificate, Open Authorization (OAUTH) tokens, Secure Shell (SSH) keys)

Perform Post-Deployment Security Testing

Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at appropriate level)

Perform Information Security Continuous Monitoring (ISCM)

- Collect and analyze security observable data (e.g., logs, events, telemetry, and trace data)

- Threat intel

- Intrusion detection/response

- Secure configuration

- Regulation changes

Support Incident Response

- Root cause analysis

- Incident triage

- Forensics

Perform Patch Management (e.g. secure release, testing)

Perform Vulnerability Management (e.g., scanning, tracking, triaging)

Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR))

Support Continuity of Operations

- Backup, archiving, retention

- Disaster recovery (DR)

- Resiliency (e.g., operational redundancy, erasure code, survivability)

Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)


8. Secure Software Supply Chain - 11%

Implement Software Supply Chain Risk Management

- Identify

- Assess

- Respond

- Monitor

Analyze Security of Third-Party Software

- Secure transfer (e.g., interdiction mitigation)

- System sharing/interconnections

- Code repository security

- Build environment security

- Cryptographically-hashed, digitally-signed components

- Right to audit

Verify Pedigree and Provenance

Ensure Supplier Security Requirements in the Acquisition Process

- Audit of security policy compliance (e.g., secure software development practices)

- Vulnerability/incident notification, response, coordination, and reporting

- Maintenance and support structure (e.g., community versus commercial, licensing)

- Security track record

Support contractual requirements (e.g., Intellectual Property (IP) ownership, code escrow, liability, warranty, End-User License Agreement (EULA), Service Level Agreements (SLA))

ISC2 CSSLP Certification Sample Questions and Answers

To make you familiar with ISC2 Secure Software Lifecycle Professional (CSSLP) certification exam structure, we have prepared this sample question set. We suggest you to try our Sample Questions for CSSLP Certification to test your understanding of the ISC2 CSSLP process with the real ISC2 certification exam environment.


CSSLP ISC2 Secure Software Lifecycle Professional Sample Questions:-


01. Functional testing is used to determine which of the following characteristics?

a) Reliability, bugs, performance, and scalability

b) Resiliency, logic, security, and testability

c) Resiliency, bugs, requirements, and scalability

d) Reliability, logic, performance, and scalability


02. Which of the following is a security standard associated with the collection, processing, and storing of credit card data?

a) Gramm-Leach-Bliley

b) PCI DSS

c) HIPAA

d) HITECH


03. What was described in the chapter as being essential in order to implement discretionary access control?

a) Object owner–defined security access

b) Certificates

c) Labels

d) Security classifications


04. A security policy that is associated with securing PII is an example of what type of computer security policy?

a) System-specific policy

b) Program policy

c) Organizational policy

d) Issue-specific policy


05. Designing a system so all parties can easily understand design objectives and maintaining a simple design embrace the principle of?

a) Single point of failure

b) Least common mechanism

c) Fail safe

d) Open design


06. Backups are an example of what type of control?

a) Preventive

b) Detective

c) Corrective

d) Operational


07. Input strings similar to %2e%2e%2f are indicative of what type of attack?

a) Command injection

b) SQL injection

c) Directory traversal

d) Buffer overflow


08. To match the level of protection desired for data, which of the following elements is used?

a) Data classification

b) Impact analysis

c) Data usage

d) Security rules


09. The attack surface of your project seems to grow faster than it should. Which of the following is probably not a fruitful place to look?

a) Number of modules/routines in the project

b) Privilege level of the credentials used to run the application

c) Network address space from which the program is addressable

d) Privilege level of users using the application


10. An activity designed to clarify requirements through the modeling of expected behaviors of a system is called what?

a) Functional requirement decomposition

b) Requirement traceability matrix

c) Threat modeling

d) Use-case modeling


Answers:-


Answer 1:- d

Answer 2:- b

Answer 3:- a

Answer 4:- d

Answer 5:- d

Answer 6:- c

Answer 7:- c

Answer 8:- a

Answer 9:- a

Answer 10:- d

16 views0 comments
bottom of page