CSSLP Certification All-in-One Exam Guide

Book Description

Get complete coverage of all the material included on the Certified Secure Software Lifecycle Professional exam. CSSLP All-in-One Exam Guide covers all eight exam domains developed by the International Information Systems Security Certification Consortium (ISC2). You'll find learning objectives at the beginning of each chapter, exam tips, practice questions, and in-depth explanations. Designed to help you pass the exam with ease, this definitive resource also serves as an essential on-the-job reference.

COVERS ALL EIGHT CERTIFIED SECURE SOFTWARE LIFECYCLE PROFESSIONAL EXAM DOMAINS:

  • Secure software concepts
  • Secure software requirements
  • Secure software design
  • Secure software implementation/coding
  • Secure software testing
  • Software acceptance
  • Software deployment, operations, maintenance, and disposal
  • Supply chain and software acquisitions

ELECTRONIC CONTENT INCLUDES:

  • TWO PRACTICE EXAMS
  • PDF COPY OF THE BOOK

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. About the Authors
    1. About the Technical Editor
  5. Contents at a Glance
  6. Contents
  7. Acknowledgments
  8. Introduction
    1. Why Focus on Software Development?
    2. The Role of CSSLP
    3. How to Use This Book
    4. The Examination
    5. Exam Readiness Checklist
  9. Part I: Secure Software Concepts
    1. Chapter 1: General Security Concepts
      1. The CSSLP Knowledge Base
      2. General Security Concepts
        1. Security Basics
        2. Accounting (Auditing)
        3. System Tenets
        4. Secure Design Principles
      3. Security Models
        1. Access Control Models
        2. Multilevel Security Model
        3. Integrity Models
        4. Information Flow Models
      4. Adversaries
        1. Adversary Type
        2. Adversary Groups
        3. Threat Landscape Shift
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 2: Risk Management
      1. Definitions and Terminology
        1. General Terms
        2. Quantitative Terms
        3. Risk Management Statements
      2. Types of Risk
        1. Business Risk
        2. Technology Risk
        3. Risk Controls
        4. Qualitative Risk Management
        5. Qualitative Matrix
        6. Quantitative Risk Management
        7. Comparison of Qualitative and Quantitative Methods
      3. Governance, Risk, and Compliance
        1. Regulations and Compliance
        2. Legal
        3. Standards
      4. Risk Management Models
        1. General Risk Management Model
        2. Software Engineering Institute Model
        3. Model Application
      5. Risk Options
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 3: Security Policies and Regulations
      1. Regulations and Compliance
        1. FISMA
        2. Sarbanes-Oxley
        3. Gramm-Leach-Bliley
        4. HIPAA and HITECH
        5. Payment Card Industry Data Security Standard (PCI DSS)
        6. Other Regulations
      2. Legal Issues
        1. Intellectual Property
      3. Privacy
        1. Privacy Policy
        2. Personally Identifiable Information
        3. Personal Health Information
        4. Breach Notifications
        5. Data Protection Principles
      4. Security Standards
        1. ISO
        2. NIST
      5. Secure Software Architecture
        1. Security Frameworks
      6. Trusted Computing
        1. Principles
        2. Trusted Computing Base
        3. Trusted Platform Module
        4. Microsoft Trustworthy Computing Initiative
      7. Acquisition
        1. Definitions and Terminology
        2. Build vs. Buy Decision
        3. Outsourcing
        4. Contractual Terms and Service Level Agreements
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    4. Chapter 4: Software Development Methodologies
      1. Secure Development Lifecycle
        1. Principles
        2. Security vs. Quality
        3. Security Features != Secure Software
      2. Secure Development Lifecycle Components
        1. Software Team Awareness and Education
        2. Gates and Security Requirements
        3. Bug Tracking
        4. Threat Modeling
        5. Fuzzing
        6. Security Reviews
      3. Software Development Models
        1. Waterfall
        2. Spiral
        3. Prototype
        4. Agile Methods
        5. Open Source
      4. Microsoft Security Development Lifecycle
        1. History
        2. SDL Foundation
        3. SDL Components
      5. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  10. Part II: Secure Software Requirements
    1. Chapter 5: Policy Decomposition
      1. Confidentiality, Integrity, and Availability Requirements
        1. Confidentiality
        2. Integrity
        3. Availability
      2. Authentication, Authorization, and Auditing Requirements
        1. Identification and Authentication
        2. Authorization
        3. Auditing
      3. Internal and External Requirements
        1. Internal
        2. External
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 6: Data Classification and Categorization
      1. Data Classification
        1. Data States
        2. Data Usage
        3. Data Risk Impact
      2. Data Ownership
        1. Data Owner
        2. Data Custodian
      3. Labeling
        1. Sensitivity
        2. Impact
      4. Types of Data
        1. Structured
        2. Unstructured
      5. Data Lifecycle
        1. Generation
        2. Retention
        3. Disposal
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 7: Requirements
      1. Functional Requirements
        1. Role and User Definitions
        2. Objects
        3. Activities/Actions
        4. Subject-Object-Activity Matrix
        5. Use Cases
        6. Abuse Cases (Inside and Outside Adversaries)
        7. Sequencing and Timing
        8. Secure Coding Standards
      2. Operational Requirements
        1. Deployment Environment
      3. Requirements Traceability Matrix
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  11. Part III: Secure Software Design
    1. Chapter 8: Design Processes
      1. Attack Surface Evaluation
        1. Attack Surface Measurement
        2. Attack Surface Minimization
      2. Threat Modeling
        1. Threat Model Development
      3. Control Identification and Prioritization
      4. Risk Assessment for Code Reuse
      5. Documentation
      6. Design and Architecture Technical Review
      7. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 9: Design Considerations
      1. Application of Methods to Address Core Security Concepts
        1. Confidentiality, Integrity, and Availability
        2. Authentication, Authorization, and Auditing
        3. Secure Design Principles
        4. Interconnectivity
      2. Interfaces
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 10: Securing Commonly Used Architecture
      1. Distributed Computing
        1. Client Server
        2. Peer-to-Peer
        3. Message Queuing
      2. Service-Oriented Architecture
        1. Enterprise Service Bus
        2. Web Services
      3. Rich Internet Applications
        1. Client-Side Exploits or Threats
        2. Remote Code Execution
      4. Pervasive/Ubiquitous Computing
        1. Wireless
        2. Location-Based
        3. Constant Connectivity
        4. Radio Frequency Identification
        5. Near-Field Communication
        6. Sensor Networks
      5. Mobile Applications
      6. Integration with Existing Architectures
      7. Cloud Architectures
        1. Software as a Service
        2. Platform as a Service
        3. Infrastructure as a Service
      8. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    4. Chapter 11: Technologies
      1. Authentication and Identity Management
        1. Identity Management
        2. Authentication
      2. Credential Management
        1. X.509 Credentials
        2. Single Sign-On
      3. Flow Control (Proxies, Firewalls, Middleware)
        1. Firewalls
        2. Proxies
        3. Application Firewalls
        4. Queuing Technology
      4. Logging
        1. Syslog
      5. Data Loss Prevention
      6. Virtualization
      7. Digital Rights Management
      8. Trusted Computing
        1. TCB
        2. TPM
        3. Malware
        4. Code Signing
      9. Database Security
        1. Encryption
        2. Triggers
        3. Views
        4. Privilege Management
      10. Programming Language Environment
        1. CLR
        2. JVM
        3. Compiler Switches
        4. Sandboxing
        5. Managed vs. Unmanaged Code
      11. Operating Systems
      12. Embedded Systems
        1. Control Systems
        2. Firmware
      13. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  12. Part IV: Secure Software Implementation/Coding
    1. Chapter 12: Common Software Vulnerabilities and Countermeasures
      1. CWE/SANS Top 25 Vulnerability Categories
      2. OWASP Vulnerability Categories
      3. Common Vulnerabilities and Countermeasures
        1. Injection Attacks
        2. Cryptographic Failures
      4. Input Validation Failures
        1. Buffer Overflow
        2. Canonical Form
        3. Missing Defense Functions
        4. General Programming Failures
      5. Common Enumerations
        1. Common Weakness Enumerations (CWE)
        2. Common Vulnerabilities and Exposures (CVE)
      6. Virtualization
      7. Embedded Systems
      8. Side Channel
      9. Social Engineering Attacks
        1. Phishing
      10. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 13: Defensive Coding Practices
      1. Declarative vs. Programmatic Security
        1. Bootstrapping
        2. Cryptographic Agility
        3. Handling Configuration Parameters
      2. Memory Management
        1. Type Safe Practice
        2. Locality
      3. Error Handling
        1. Exception Management
      4. Interface Coding
      5. Primary Mitigations
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 14: Secure Software Coding Operations
      1. Code Analysis (Static and Dynamic)
        1. Static
        2. Dynamic
      2. Code/Peer Review
      3. Build Environment
        1. Integrated Development Environment (IDE)
      4. Antitampering Techniques
      5. Configuration Management: Source Code and Versioning
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  13. Part V: Secure Software Testing
    1. Chapter 15: Security Quality Assurance Testing
      1. Standards for Software Quality Assurance
        1. ISO 9216
        2. SSE-CMM
        3. OSSTMM
      2. Functional Testing
        1. Unit Testing
        2. Integration or Systems Testing
        3. Performance Testing
      3. Security Testing
        1. White-Box Testing
        2. Black-Box Testing
        3. Grey-Box Testing
      4. Environment
      5. Bug Tracking
        1. Defects
        2. Errors
        3. Vulnerabilities
        4. Bug Bar
      6. Attack Surface Validation
      7. Testing Artifacts
      8. Test Data Lifecycle Management
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 16: Security Testing
      1. Scanning
        1. Attack Surface Analyzer
      2. Penetration Testing
      3. Fuzzing
      4. Simulation Testing
      5. Testing for Failure
      6. Cryptographic Validation
        1. FIPS 140-2
      7. Regression Testing
      8. Impact Assessment and Corrective Action
      9. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  14. Part VI: Secure Software Acceptance
    1. Chapter 17: Secure Software Acceptance
      1. Introduction to Acceptance
        1. Software Qualification Testing
        2. Qualification Testing Plan
        3. The Qualification Testing Hierarchy
      2. Pre-release Activities
        1. Implementing the Pre-release Testing Process
        2. Completion Criteria
        3. Risk Acceptance
      3. Post-release Activities
        1. Validation and Verification
        2. Independent Testing
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  15. Part VII: Secure Software Installation, Deployment, Operations, Maintenance, and Disposal
    1. Chapter 18: Secure Software Installation and Deployment
      1. Secure Software Installation and Its Subsequent Deployment
        1. Installation Validation and Verification
        2. Planning for Operational Use
      2. Configuration Management
        1. Organizing the Configuration Management Process
        2. Configuration Management Roles
        3. The Configuration Management Plan
        4. The Configuration Management Process
      3. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    2. Chapter 19: Secure Software Operations and Maintenance
      1. Secure Software Operations
        1. Operation Process Implementation
      2. The Software Maintenance Process
        1. Monitoring
        2. Incident Management
        3. Problem Management
        4. Change Management
        5. Backup, Recovery, and Archiving
      3. Secure Software Disposal
        1. Software Disposal Planning
        2. Software Disposal Execution
      4. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
    3. Chapter 20: Supply Chain and Software Acquisition
      1. Supplier Risk Assessment
        1. What Is Supplier Risk Assessment?
        2. Risk Assessment for Code Reuse
        3. Intellectual Property
        4. Legal Compliance
        5. Supplier Prequalification
      2. Supplier Sourcing
        1. Contractual Integrity Controls
        2. Vendor Technical Integrity Controls for Third-party Suppliers
        3. Managed Services
        4. Service Level Agreements
      3. Software Development and Testing
        1. Code Testing
        2. Security Testing Controls
        3. Software Requirements Testing and Validation
        4. Software Requirements Testing and Validation for Subcontractors
      4. Software Delivery, Operations, and Maintenance
        1. Chain of Custody
        2. Publishing and Dissemination Controls
        3. Systems-of-systems Integration
        4. Software Authenticity and Integrity
        5. Product Deployment and Sustainment Controls
        6. Monitoring and Incident Management
        7. Vulnerability Management, Tracking, and Resolution
      5. Supplier Transitioning
      6. Chapter Review
        1. Quick Tips
        2. Questions
        3. Answers
  16. Appendix A: About the Download
    1. Downloadable MasterExam
    2. System Requirements
      1. MasterExam
      2. Help
      3. Removing Installation
    3. Technical Support
      1. LearnKey Technical Support
      2. McGraw-Hill Education Technical Support and Customer Service
  17. Appendix B: Practice Exam
  18. Glossary
  19. Index