Certified Secure Software Lifecycle Professional (CSSLP®)

Course subjects

The broad spectrum of topics included in the CSSLP Common Body of Knowledge (CBK®) ensure its relevancy across all disciplines in the field of information security.

This course provides in-depth coverage of the eight domains required to prepare for the CSSLP exam. Refer to the CSSLP Exam Outline for a deeper dive into the CSSLP domains.

1. Secure Software Concepts

• Core Concepts

• Security Design Principles

2. Secure Software Requirements

• Define Software Security Requirements

• Identify and Analyse Compliance Requirements

• Identify and Analyse Data Classification Requirements

• Identify and Analyse Privacy Requirements

• Develop Misuse and Abuse Cases

• Develop Security Requirement Traceability Matrix (STRM)

• Ensure Security Requirements Flow Down to Suppliers/Providers

3. Secure Software Architecture and Design

• Perform Threat Modeling

• Define the Security Architecture

• Performing Secure Interface Design

• Performing Architectural Risk Assessment

• Model (Non-Functional) Security Properties and Constraints

• Model and Classify Data

• Evaluate and Select Reusable Secure Design

• Perform Security Architecture and Design Review

• Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)

• Use Secure Architecture and Design Principles, Patterns, and Tools

4. Secure Software Implementation

• Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines and regulations)

• Analyse Code for Security Risks

• Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)

• Address Security Risks (e.g. remediation, mitigation, transfer, accept)

• Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))

• Securely Integrate Components

• Apply Security During the Build Process

5. Secure Software Testing

• Develop Security Test Cases

• Develop Security Testing Strategy and Plan

• Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)

• Identify Undocumented Functionality

• Analyse Security Implications of Test Results (e.g., impact on product management, prioritisation, break build criteria)

• Classify and Track Security Errors

• Secure Test Data

• Perform Verification and Validation Testing

6. Secure Software Lifecycle Management

• Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)

• Define Strategy and Roadmap

• Manage Security Within a Software Development Methodology

• Identify Security Standards and Frameworks

• Define and Develop Security Documentation

• Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)

• Decommission Software

• Report Security Status (e.g., reports, dashboards, feedback loops)

• Incorporate Integrated Risk Management (IRM)

• Promote Security Culture in Software Development

• Implement Continuous Improvement (e.g., retrospective, lessons learned)

7. Secure Software Deployment, Operations, Maintenance

• Perform Operational Risk Analysis

• Release Software Securely

• Securely Store and Manage Security Data

• Ensure Secure Installation

• Perform Post-Deployment Security Testing

• Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at appropriate level)

• Perform Information Security Continuous Monitoring (ISCM)

• Support Incident Response

• Perform Patch Management (e.g. secure release, testing)

• Perform Vulnerability Management (e.g., scanning, tracking, triaging)

• Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomisation (ASLR))

• Support Continuity of Operations

• Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

8. Secure Software Supply Chain

• Implement Software Supply Chain Risk Management

• Analyse Security of Third-Party Software

• Verify Pedigree and Provenance

• Ensure Supplier Security Requirements in the Acquisition Process

• Support contractual requirements (e.g., Intellectual Property (IP) ownership, code escrow, liability, warranty, End-User License Agreement (EULA), Service Level Agreements (SLA))