CSSLP Exam Syllabus

Use this quick start guide to collect all the information about the ISC2 CSSLP certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the ISC2 Secure Software Lifecycle Professional (CSSLP) exam. The Sample Questions will help you identify the type and difficulty level of the questions, and the Practice Exams will make you familiar with the format and environment of the exam. You should refer to this guide carefully before attempting your actual ISC2 Certified Secure Software Lifecycle Professional (CSSLP) certification exam.

The ISC2 CSSLP certification is mainly targeted at candidates who want to build their career in the cybersecurity domain. The ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of ISC2 CSSLP.

ISC2 CSSLP Exam Summary:

Exam Name: ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Exam Code: CSSLP
Exam Price: $599 (USD)
Duration: 240 mins
Number of Questions: 175
Passing Score: 700/1000
Schedule Exam: Pearson VUE
Sample Questions: ISC2 CSSLP Sample Questions
Practice Exam: ISC2 CSSLP Certification Practice Exam

ISC2 CSSLP Exam Syllabus Topics:

Secure Software Concepts (13%)

Core Concepts
- Confidentiality (e.g., covert, overt, encryption)
- Integrity (e.g., hashing, digital signatures, code signing, reliability, alterations, authenticity)
- Availability (e.g., failover, replication, clustering, scalability, resiliency)
- Authentication (e.g., multifactor authentication, identity & access management, single sign-on, federated identity)
- Authorization (e.g., access controls, entitlements)
- Accountability (e.g., auditing, logging)
- Nonrepudiation (e.g., PKI, digital signatures)

Security Design Principles
- Least privilege (e.g., access control, need-to-know, run-time privileges)
- Separation of duties (e.g., multi-party control, secret sharing and splitting)
- Defense in depth (e.g., layered controls, input validation, security zones)
- Fail safe (e.g., exception handling, non-verbose errors, deny by default)
- Economy of mechanism (e.g., single sign-on)
- Complete mediation (e.g., cookie management, session management, caching of credentials)
- Open design (e.g., peer reviewed algorithm)
- Least common mechanism (e.g., compartmentalization/isolation)
- Psychological acceptability (e.g., password complexity, screen layouts)
- Leveraging existing components (e.g., common controls, libraries)
- Eliminate single point of failure

Secure Software Requirements (14%)

Identify Security Requirements
- Functional
- Non-functional
- Policy decomposition (e.g., internal and external requirements)
- Legal, regulatory, and industry requirements

Interpret Data Classification Requirements
- Data ownership (e.g., data owner, data custodian)
- Labeling (e.g., sensitivity, impact)
- Types of data (e.g., structured, unstructured data)
- Data life-cycle (e.g., generation, retention, disposal)

Identify Privacy Requirements
- Data anonymization
- User consent
- Disposition

Develop Misuse and Abuse Cases
Include Security in Software Requirement Specifications
Develop Security Requirement Traceability Matrix

Secure Software Design (16%)

Perform Threat Modeling
- Understand common threats (e.g., APT, insider threat, common malware, third party/supplier)
- Attack surface evaluation

Define the Security Architecture
- Control identification and prioritization
- Distributed computing (e.g., client server, peer-to-peer, message queuing)
- Service-oriented architecture (e.g., enterprise service bus, web services)
- Rich internet applications (e.g., client side exploits or threats, remote code execution, constant connectivity)
- Pervasive/ubiquitous computing (e.g., IoT, wireless, location-based, RFID, near field communication, sensor networks)
- Embedded (e.g., control systems, firmware)
- Cloud architectures (e.g., software as a service, platform as a service, infrastructure as a service)
- Mobile applications
- Hardware platform concerns

Performing Secure Interface Design
- Security management interfaces, out-of-band management, log interfaces
- Upstream/downstream dependencies (e.g., key and data sharing between apps)
- Protocol design choices (e.g., APIs, weaknesses, state, models)

Performing Architectural Risk Assessment
Modeling (Non-Functional) Security Properties and Constraints
Model and Classify Data

Evaluate and Select Reusable Secure Design
- Credential management (e.g., X.509 and SSO)
- Flow control (e.g., proxies, firewalls, protocols, queuing)
- Data loss prevention (DLP)
- Virtualization (e.g., software defined network, hypervisor)
- Trusted computing (e.g., TPM, TCB)
- Database security (e.g., encryption, triggers, views, privilege management)
- Programming language environment (e.g., CLR, JVM)
- Operating system controls and services

Perform Design Security Review

Design Secure Assembly Architecture for Component-Based Systems
- Client side data storage
- Network attached storage

Use Security Enhancing Architecture and Design Tools
Use Secure Design Principles and Patterns

Secure Software Implementation/Programming (16%)

Follow Secure Coding Practices
- Declarative versus imperative (programmatic) security
- Concurrency
- Output sanitization (e.g., encoding)
- Error and exception handling
- Input validation
- Logging & auditing
- Session management
- Safe APIs
- Type safety
- Memory management (e.g., locality, garbage collection)
- Configuration parameter management (e.g., start-up options)
- Tokenizing
- Sandboxing
- Cryptography (e.g., storage, agility, encryption, algorithm selection)

Analyze Code for Security Vulnerabilities
- Code reuse
- Vulnerability databases/lists (e.g., OWASP Top 10, CWE)
- Static analysis
- Dynamic analysis
- Manual code review
- Peer review

Implement Security Controls
Fix Security Vulnerabilities
Look for Malicious Code
Securely Reuse Third Party Code or Libraries

Securely Integrate Components
- Systems-of-systems integration (e.g., security testing and analysis)

Apply Security during the Build Process
- Anti-tampering techniques (e.g., code signing, obfuscation)
- Compiler switches

Debug Security Errors

Secure Software Testing (14%)

Develop Security Test Cases
- Attack surface validation
- Penetration
- Fuzzing (e.g., generated, mutated)
- Scanning (e.g., vulnerability, content, privacy)
- Simulation (e.g., environment and data)
- Failure (e.g., fault injection, stress testing, break testing)
- Cryptographic validation (e.g., PRNG)
- Regression
- Continuous (e.g., synthetic transactions)
- Unit testing

Develop Security Testing Strategy and Plan
- Functional security testing (e.g., logic)
- Nonfunctional security testing (e.g., reliability, performance, scalability)
- Testing techniques (e.g., white box and black box)
- Environment (e.g., interoperability, test harness)
- Standards (e.g., ISO, OSSTMM, SEI)

Identify Undocumented Functionality
Interpret Security Implications of Test Results

Classify and Track Security Errors
- Bug tracking (e.g., defects, errors and vulnerabilities)
- Risk Scoring (e.g., CVSS)

Secure Test Data
- Privacy
- Referential integrity

Develop or Obtain Security Test Data
Perform Verification and Validation Testing (e.g., IV&V)

Secure Lifecycle Management (10%)

Secure Configuration and Version Control
Establish Security Milestones
Choose a Secure Software Methodology
Identify Security Standards and Frameworks
Create Security Documentation
Develop Security Metrics

Decommission Software
- End of life policies
- Credential removal, configuration removal, license cancellation
- Data destruction

Report Security Status

Support Governance, Risk, and Compliance (GRC)
- Regulations and compliance
- Legal (e.g., intellectual property, breach notification)
- Standards and guidelines (e.g., ISO, PCI, NIST, OWASP, SAFECODE, OpenSAMM, BSIMM)
- Risk management
- Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
- Technical risk vs business risk
- Strategies (e.g., mitigate, accept, transfer, avoid)

Software Deployment, Operations, and Maintenance (9%)

Perform Implementation Risk Analysis
Release Software Securely

Securely Store and Manage Security Data
- Credentials
- Secrets
- Keys/certificates
- Configurations

Ensure Secure Installation
- Bootstrapping (e.g., key generation, access, management)
- Least privilege
- Environment hardening
- Secure activation (e.g., credentials, whitelisting, device configuration, network configuration, licensing, etc.)

Perform Post-Deployment Security Testing

Obtain Security Approval to Operate
- Risk acceptance (e.g., exception policy, sign-off)

Perform Security Monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics)

Support Incident Response
- Root cause analysis

Support Patch and Vulnerability Management

Support Continuity of Operations
- Backup, archiving, retention
- Disaster recovery

Supply Chain and Software Acquisition (8%)

Analyze Security of Third Party Software

Verify Pedigree and Provenance
- Secure transfer
- System sharing/interconnections
- Code repository security
- Build environment security
- Cryptographically hashed, digitally signed components

Provide Security Support to the Acquisition Process
- Audit of security policy compliance
- Vulnerability/incident response and reporting
- Service-level agreements (SLAs)
- Maintenance and support structure (e.g., community versus commercial)
- Assessment of software engineering/SDLC approaches
- Information systems security policy compliance
- Security track record
- Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness, GPL requirements)

To ensure success in the ISC2 CSSLP certification exam, we recommend an authorized training course, practice tests, and hands-on experience to prepare for the Secure Software Lifecycle Professional (CSSLP) exam.
