You are previewing Official (ISC)2 Guide to the CSSLP.
O'Reilly logo
Official (ISC)2 Guide to the CSSLP

Book Description

As the global leader in information security education and certification, (ISC)has a proven track record of educating and certifying information security professionals. Its newest certification, the Certified Secure Software Lifecycle Professional (CSSLP®) is a testament to the organization’s ongoing commitment to information and software security.

The Official (ISC) Guide to the CSSLP® provides an all-inclusive analysis of the CSSLP Common Body of Knowledge (CBK®). As the first comprehensive guide to the CSSLP CBK, it facilitates the required understanding of the seven CSSLP domains—Secure Software Concepts, Secure Software Requirements, Secure Software Design, Secure Software Implementation/Coding, Secure Software Testing, Software Acceptance, and Software Deployment, Operations, Maintenance and Disposal—to assist candidates for certification and beyond.

  • Serves as the only official guide to the CSSLP professional certification
  • Details the software security activities that need to be incorporated throughout the software development lifecycle
  • Provides comprehensive coverage that includes the people, processes, and technology components of software, networks, and host defenses
  • Supplies a pragmatic approach to implementing software assurances in the real-world

The text allows readers to learn about software security from a renowned security practitioner who is the appointed software assurance advisor for (ISC)2. Complete with numerous illustrations, it makes complex security concepts easy to understand and implement. In addition to being a valuable resource for those studying for the CSSLP examination, this book is also an indispensable software security reference for those already part of the certified elite. A robust and comprehensive appendix makes this book a time-saving resource for anyone involved in secure software development.

Table of Contents

  1. Foreword
  2. About the Author
  3. Introduction
  4. Chapter 1 - Secure Software Concepts
    1. 1.1 Introduction
    2. 1.2 Objectives
    3. 1.3 Holistic Security
    4. 1.4 Implementation Challenges
      1. 1.4.1 Iron Triangle Constraints
      2. 1.4.2 Security as an Afterthought
      3. 1.4.3 Security versus Usability
    5. 1.5 Quality and Security
    6. 1.6 Security Profile: What Makes a Software Secure?
      1. 1.6.1 Core Security Concepts
        1. 1.6.1.1 Confidentiality
        2. 1.6.1.2 Integrity
        3. 1.6.1.3 Availability
      2. 1.6.2 General Security Concepts
        1. 1.6.2.1 Authentication
        2. 1.6.2.2 Authorization
        3. 1.6.2.3 Auditing/Logging
        4. 1.6.2.4 Session Management
        5. 1.6.2.5 Errors and Exception Management
        6. 1.6.2.6 Configuration Parameters Management
      3. 1.6.3 Design Security Concepts
    7. 1.7 Security Concepts in the SDLC
    8. 1.8 Risk Management
      1. 1.8.1 Terminology and Definitions
        1. 1.8.1.1 Asset
        2. 1.8.1.2 Vulnerability
        3. 1.8.1.3 Threat
        4. 1.8.1.4 Threat Source/Agent
        5. 1.8.1.5 Attack
        6. 1.8.1.6 Probability
        7. 1.8.1.7 Impact
        8. 1.8.1.8 Exposure Factor
        9. 1.8.1.9 Controls
        10. 1.8.1.10 Total Risk
        11. 1.8.1.11 Residual Risk
      2. 1.8.2 Calculation of Risk
      3. 1.8.3 Risk Management for Software
      4. 1.8.4 Handling Risk
      5. 1.8.5 Risk Management Concepts: Summary
    9. 1.9 Security Policies: The “What” and “Why” for Security
      1. 1.9.1 Scope of the Security Policies
      2. 1.9.2 Prerequisites for Security Policy Development
      3. 1.9.3 Security Policy Development Process
    10. 1.10 Security Standards
      1. 1.10.1 Types of Security Standards
        1. 1.10.1.1 Coding Standards
        2. 1.10.1.2 Payment Card Industry Data Security Standards
        3. 1.10.1.3 NIST Standards
        4. 1.10.1.4 ISO Standards
        5. 1.10.1.5 Federal Information Processing Standards (FIPS)
      2. 1.10.2 Benefits of Security Standards
    11. 1.11 Best Practices
      1. 1.11.1 Open Web Application Security Project (OWASP)
        1. 1.11.1.1 OWASP Development Guide
        2. 1.11.1.2 OWASP Code Review Guide
        3. 1.11.1.3 OWASP Testing Guide
        4. 1.11.1.4 Other OWASP Projects
    12. 1.12 Information Technology Infrastructure Library (ITIL)
    13. 1.13 Security Methodologies
      1. 1.13.1 Socratic Methodology
      2. 1.13.2 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)
      3. 1.13.3 STRIDE and DREAD
      4. 1.13.4 Open Source Security Testing Methodology Manual (OSSTMM)
      5. 1.13.5 Flaw Hypothesis Method (FHM)
      6. 1.13.6 Six Sigma (6σ)
      7. 1.13.7 Capability Maturity Model Integration (CMMI)
    14. 1.14 Security Frameworks
      1. 1.14.1 Zachman Framework
      2. 1.14.2 Control Objectives for Information and Related Technology (COBIT®)
      3. 1.14.3 Committee of Sponsoring Organizations (COSO)
      4. 1.14.4 Sherwood Applied Business Security Architecture (SABSA)
    15. 1.15 Regulations, Privacy, and Compliance
      1. 1.15.1 Significant Regulations and Acts
        1. 1.15.1.1 Sarbanes–Oxley (SOX) Act
        2. 1.15.1.2 BASEL II
        3. 1.15.1.3 Gramm–Leach–Bliley Act (GLBA)
        4. 1.15.1.4 Health Insurance Portability and Accountability Act (HIPAA)
        5. 1.15.1.5 Data Protection Act
        6. 1.15.1.6 Computer Misuse Act
        7. 1.15.1.7 State Security Breach Laws
      2. 1.15.2 Challenges with Regulations and Privacy Mandates
      3. 1.15.3 Privacy and Software Development
    16. 1.16 Security Models
      1. 1.16.1 BLP Confidentiality Model
      2. 1.16.2 Biba Integrity Model
      3. 1.16.3 Clark and Wilson Model (Access Triple Model)
      4. 1.16.4 Brewer and Nash Model (Chinese Wall Model)
    17. 1.17 Trusted Computing
      1. 1.17.1 Ring Protection
      2. 1.17.2 Trust Boundary (or Security Perimeter)
      3. 1.17.3 Trusted Computing Base (TCB)
        1. 1.17.3.1 Process Activation
        2. 1.17.3.2 Execution Domain Switching
        3. 1.17.3.3 Memory Protection
        4. 1.17.3.4 Input/Output Operations
      4. 1.17.4 Reference Monitor
      5. 1.17.5 Rootkits
    18. 1.18 Trusted Platform Module (TPM)
    19. 1.19 Acquisitions
    20. 1.20 Summary
    21. 1.21 Review Questions
    22. References
  5. Chapter 2 - Secure Software Requirements
    1. 2.1 Introduction
    2. 2.2 Objectives
    3. 2.3 Sources for Security Requirements
    4. 2.4 Types of Security Requirements
      1. 2.4.1 Confidentiality Requirements
      2. 2.4.2 Integrity Requirements
      3. 2.4.3 Availability Requirements
      4. 2.4.4 Authentication Requirements
        1. 2.4.4.1 Anonymous Authentication
        2. 2.4.4.2 Basic Authentication
        3. 2.4.4.3 Digest Authentication
        4. 2.4.4.4 Integrated Authentication
        5. 2.4.4.5 Client Certificate-Based Authentication
        6. 2.4.4.6 Forms Authentication
        7. 2.4.4.7 Token-Based Authentication
        8. 2.4.4.8 Smart Cards–Based Authentication
        9. 2.4.4.9 Biometric Authentication
      5. 2.4.5 Authorization Requirements
        1. 2.4.5.1 Discretionary Access Control (DAC)
        2. 2.4.5.2 Nondiscretionary Access Control (NDAC)
        3. 2.4.5.3 Mandatory Access Control (MAC)
        4. 2.4.5.4 Role-Based Access Control (RBAC)
        5. 2.4.5.5 Resource-Based Access Control
      6. 2.4.6 Auditing/Logging Requirements
      7. 2.4.7 Session Management Requirements
      8. 2.4.8 Errors and Exception Management Requirements
      9. 2.4.9 Configuration Parameters Management Requirements
      10. 2.4.10 Sequencing and Timing Requirements
        1. 2.4.10.1 Race Condition Properties
        2. 2.4.10.2 Race Conditions Protection
      11. 2.4.11 Archiving Requirements
      12. 2.4.12 International Requirements
      13. 2.4.13 Deployment Environment Requirements
      14. 2.4.14 Procurement Requirements
      15. 2.4.15 Antipiracy Requirements
    5. 2.5 Protection Needs Elicitation
      1. 2.5.1 Brainstorming
      2. 2.5.2 Surveys (Questionnaires and Interviews)
      3. 2.5.3 Policy Decomposition
      4. 2.5.4 Data Classification
      5. 2.5.5 Use and Misuse Case Modeling
        1. 2.5.5.1 Use Cases
        2. 2.5.5.2 Misuse Cases
      6. 2.5.6 Subject–Object Matrix
      7. 2.5.7 Templates and Tools
    6. 2.6 Requirements Traceability Matrix (RTM)
    7. 2.7 Summary
    8. 2.8 Review Questions
    9. References
  6. Chapter 3 - Secure Software Design
    1. 3.1 Introduction
    2. 3.2 Objectives
    3. 3.3 The Need for Secure Design
    4. 3.4 Flaws versus Bugs
    5. 3.5 Design Considerations
      1. 3.5.1 Core Software Security Design Considerations
        1. 3.5.1.1 Confidentiality Design
      2. 3.5.2 Integrity Design
        1. 3.5.2.1 Hashing (Hash Functions)
        2. 3.5.2.2 Referential Integrity
        3. 3.5.2.3 Resource Locking
        4. 3.5.2.4 Code Signing
      3. 3.5.3 Availability Design
      4. 3.5.4 Authentication Design
      5. 3.5.5 Authorization Design
      6. 3.5.6 Auditing/Logging Design
    6. 3.6 Information Technology Security Principles and Secure Design
    7. 3.7 Designing Secure Design Principles
      1. 3.7.1 Least Privilege
      2. 3.7.2 Separation of Duties
      3. 3.7.3 Defense in Depth
      4. 3.7.4 Fail Secure
      5. 3.7.5 Economy of Mechanisms
      6. 3.7.6 Complete Mediation
      7. 3.7.7 Open Design
      8. 3.7.8 Least Common Mechanisms
      9. 3.7.9 Psychological Acceptability
      10. 3.7.10 Leveraging Existing Components
    8. 3.8 Balancing Secure Design Principles
    9. 3.9 Other Design Considerations
      1. 3.9.1 Programming Language
      2. 3.9.2 Data Type, Format, Range, and Length
      3. 3.9.3 Database Security
        1. 3.9.3.1 Polyinstantiation
        2. 3.9.3.2 Database Encryption
        3. 3.9.3.3 Normalization
        4. 3.9.3.4 Triggers and Views
      4. 3.9.4 Interface
        1. 3.9.4.1 User Interface
        2. 3.9.4.2 Security Management Interfaces (SMI)
      5. 3.9.5 Interconnectivity
    10. 3.10 Design Processes
      1. 3.10.1 Attack Surface Evaluation
        1. 3.10.1.1 Relative Attack Surface Quotient
      2. 3.10.2 Threat Modeling
        1. 3.10.2.1 Threat Sources/Agents
        2. 3.10.2.2 What Is Threat Modeling?
        3. 3.10.2.3 Benefits
        4. 3.10.2.4 Challenges
        5. 3.10.2.5 Prerequisites
        6. 3.10.2.6 What Can We Threat Model?
        7. 3.10.2.7 Process
        8. 3.10.2.8 Comparison of Risk Ranking Methodologies
        9. 3.10.2.9 Control Identification and Prioritization
    11. 3.11 Architectures
      1. 3.11.1 Mainframe Architecture
      2. 3.11.2 Distributed Computing
      3. 3.11.3 Service Oriented Architecture
      4. 3.11.4 Rich Internet Applications
      5. 3.11.5 Pervasive Computing
      6. 3.11.6 Software as a Service (SaaS)
      7. 3.11.7 Integration with Existing Architectures
    12. 3.12 Technologies
      1. 3.12.1 Authentication
      2. 3.12.2 Identity Management
      3. 3.12.3 Credential Management
      4. 3.12.4 Password Management
      5. 3.12.5 Certificate Management
      6. 3.12.6 Single Sign-On (SSO)
      7. 3.12.7 Flow Control
        1. 3.12.7.1 Firewalls and Proxies
        2. 3.12.7.2 Queuing Infrastructure and Technology
      8. 3.12.8 Auditing/Logging
        1. 3.12.8.1 Syslog
        2. 3.12.8.2 Intrusion Detection System (IDS)
        3. 3.12.8.3 Intrusion Prevention Systems (IPS)
      9. 3.12.9 Data Loss Prevention
      10. 3.12.10 Virtualization
      11. 3.12.11 Digital Rights Management
    13. 3.13 Secure Design and Architecture Review
    14. 3.14 Summary
    15. 3.15 Review Questions
    16. References
  7. Chapter 4 - Secure Software Implementation/Coding
    1. 4.1 Introduction
    2. 4.2 Objectives
    3. 4.3 Who Is to Be Blamed for Insecure Software?
    4. 4.4 Fundamental Concepts of Programming
      1. 4.4.1 Computer Architecture
      2. 4.4.2 Programming Languages
        1. 4.4.2.1 Compiled Languages
        2. 4.4.2.2 Interpreted Languages
        3. 4.4.2.3 Hybrid Languages
    5. 4.5 Software Development Methodologies
      1. 4.5.1 Waterfall Model
      2. 4.5.2 Iterative Model
      3. 4.5.3 Spiral Model
      4. 4.5.4 Agile Development Methodologies
      5. 4.5.5 Which Model Should We Choose?
    6. 4.6 Common Software Vulnerabilities and Controls
      1. 4.6.1 Injection Flaws
        1. 4.6.1.1 Injection Flaws Controls
      2. 4.6.2 Cross-Site Scripting (XSS)
        1. 4.6.2.1 XSS Controls
      3. 4.6.3 Buffer Overflow
        1. 4.6.3.1 Buffer Overflow Controls
      4. 4.6.4 Broken Authentication and Session Management
        1. 4.6.4.1 Broken Authentication and Session Management Controls
      5. 4.6.5 Insecure Direct Object References
        1. 4.6.5.1 Insecure Direct Object References Controls
      6. 4.6.6 Cross-Site Request Forgery (CSRF)
        1. 4.6.6.1 CSRF Controls
      7. 4.6.7 Security Misconfiguration
        1. 4.6.7.1 Security Misconfiguration Controls
      8. 4.6.8 Failure to Restrict URL Access
        1. 4.6.8.1 Failure to Restrict URL Access Controls
      9. 4.6.9 Unvalidated Redirects and Forwards
        1. 4.6.9.1 Unvalidated Redirects and Forwards Controls
      10. 4.6.10 Insecure Cryptographic Storage
        1. 4.6.10.1 Insecure Cryptographic Storage Controls
      11. 4.6.11 Insufficient Transport Layer Protection
        1. 4.6.11.1 Insufficient Transport Layer Protection Controls
      12. 4.6.12 Information Leakage and Improper Error Handling
        1. 4.6.12.1 Information Leakage and Improper Error Handling Controls
      13. 4.6.13 File Attacks
        1. 4.6.13.1 File Attacks Controls
      14. 4.6.14 Race Condition
        1. 4.6.14.1 Race Condition Controls
      15. 4.6.15 Side Channel Attacks
        1. 4.6.15.1 Side Channel Attacks Controls
    7. 4.7 Defensive Coding Practices—Concepts and Techniques
      1. 4.7.1 Attack Surface Evaluation and Reduction
      2. 4.7.2 Input Validation
        1. 4.7.2.1 How to Validate?
        2. 4.7.2.2 Where to Validate?
        3. 4.7.2.3 What to Validate?
      3. 4.7.3 Canonicalization
      4. 4.7.4 Code Access Security
        1. 4.7.4.1 Security Actions
        2. 4.7.4.2 Type Safety
        3. 4.7.4.3 Syntax Security (Declarative and Imperative)
        4. 4.7.4.4 Secure Class Libraries
      5. 4.7.5 Container (Declarative) versus Component (Programmatic) Security
      6. 4.7.6 Cryptographic Agility
      7. 4.7.7 Memory Management
        1. 4.7.7.1 Locality of Reference
        2. 4.7.7.2 Dangling Pointers
        3. 4.7.7.3 Address Space Layout Randomization (ASLR)
        4. 4.7.7.4 Data Execution Prevention (DEP)/Executable Space Protection (ESP)
        5. 4.7.7.5 /GS Flag
        6. 4.7.7.6 StackGuard
      8. 4.7.8 Exception Management
      9. 4.7.9 Anti-Tampering
      10. 4.7.10 Secure Startup
      11. 4.7.11 Embedded Systems
      12. 4.7.12 Interface Coding
    8. 4.8 Secure Software Processes
      1. 4.8.1 Versioning
      2. 4.8.2 Code Analysis
      3. 4.8.3 Code/Peer Review
    9. 4.9 Build Environment and Tools Security
    10. 4.10 Summary
    11. 4.11 Review Questions
    12. References
  8. Chapter 5 - Secure Software Testing
    1. 5.1 Introduction
    2. 5.2 Objectives
    3. 5.3 Quality Assurance
    4. 5.4 Types of Software QA Testing
      1. 5.4.1 Reliability Testing (Functional Testing)
        1. 5.4.1.1 Unit Testing
        2. 5.4.1.2 Integration Testing
        3. 5.4.1.3 Logic Testing
        4. 5.4.1.4 Regression Testing
      2. 5.4.2 Recoverability Testing
        1. 5.4.2.1 Performance Testing
        2. 5.4.2.2 Scalability Testing
      3. 5.4.3 Resiliency Testing (Security Testing)
        1. 5.4.3.1 Motives, Opportunities, and Means
        2. 5.4.3.2 Testing of Security Functionality versus Security Testing
        3. 5.4.3.3 The Need for Security Testing
    5. 5.5 Security Testing Methodologies
      1. 5.5.1 White Box Testing
      2. 5.5.2 Black Box Testing
      3. 5.5.3 Fuzzing
      4. 5.5.4 Scanning
      5. 5.5.5 Penetration Testing (Pen-Testing)
      6. 5.5.6 White Box Testing versus Black Box Testing
    6. 5.6 Software Security Testing
      1. 5.6.1 Testing for Input Validation
      2. 5.6.2 Injection Flaws Testing
      3. 5.6.3 Testing for Nonrepudiation
      4. 5.6.4 Testing for Spoofing
      5. 5.6.5 Failure Testing
      6. 5.6.6 Cryptographic Validation Testing
      7. 5.6.7 Testing for Buffer Overflow Defenses
      8. 5.6.8 Testing for Privilege Escalations Defenses
      9. 5.6.9 Anti-Reversing Protection Testing
    7. 5.7 Other Testing
      1. 5.7.1 Environment Testing
        1. 5.7.1.1 Interoperability Testing
        2. 5.7.1.2 Simulation Testing
        3. 5.7.1.3 Disaster Recovery (DR) Testing
      2. 5.7.2 Privacy Testing
      3. 5.7.3 User Acceptance Testing
    8. 5.8 Defect Reporting and Tracking
      1. 5.8.1 Reporting Defects
      2. 5.8.2 Tracking Defects
    9. 5.9 Impact Assessment and Corrective Action
    10. 5.10 Tools for Security Testing
    11. 5.11 Summary
    12. 5.12 Review Questions
    13. References
  9. Chapter 6 - Software Acceptance
    1. 6.1 Introduction
    2. 6.2 Objectives
    3. 6.3 Guidelines for Software Acceptance
    4. 6.4 Benefits of Accepting Software Formally
    5. 6.5 Software Acceptance Considerations
      1. 6.5.1 Considerations When Building Software
        1. 6.5.1.1 Completion Criteria
        2. 6.5.1.2 Change Management
        3. 6.5.1.3 Approval to Deploy/Release
        4. 6.5.1.4 Risk Acceptance and Exception Policy
        5. 6.5.1.5 Documentation of Software
      2. 6.5.2 When Buying Software
        1. 6.5.2.1 Procurement Methodology
    6. 6.6 Legal Protection Mechanisms
      1. 6.6.1 IP Protection
        1. 6.6.1.1 Patents (Inventions)
        2. 6.6.1.2 Copyright
        3. 6.6.1.3 Trademark
        4. 6.6.1.4 Trade Secret
      2. 6.6.2 Disclaimers
      3. 6.6.3 Validity Periods
      4. 6.6.4 Contracts and Agreements
        1. 6.6.4.1 Service Level Agreements (SLA)
        2. 6.6.4.2 Nondisclosure Agreements (NDA)
        3. 6.6.4.3 Noncompete Agreements
    7. 6.7 Software Escrow
    8. 6.8 Verification and Validation (V&V)
      1. 6.8.1 Reviews
      2. 6.8.2 Testing
      3. 6.8.3 Independent (Third Party) Verification and Validation
      4. 6.8.4 Checklists and Tools
    9. 6.9 Certification and Accreditation
    10. 6.10 Summary
    11. 6.11 Review Questions
    12. References
  10. Chapter 7 - Software Deployment, Operations, Maintenance, and Disposal
    1. 7.1 Introduction
    2. 7.2 Objectives
    3. 7.3 Installation and Deployment
      1. 7.3.1 Hardening
      2. 7.3.2 Enforcement of Security Principles
      3. 7.3.3 Environment Configuration
      4. 7.3.4 Bootstrapping and Secure Startup
    4. 7.4 Operations and Maintenance
      1. 7.4.1 Monitoring
        1. 7.4.1.1 Why Monitor?
        2. 7.4.1.2 What to Monitor?
        3. 7.4.1.3 Ways to Monitor
        4. 7.4.1.4 Metrics in Monitoring
        5. 7.4.1.5 Audits for Monitoring
      2. 7.4.2 Incident Management
        1. 7.4.2.1 Events, Alerts, and Incidents
        2. 7.4.2.2 Types of Incidents
        3. 7.4.2.3 Incident Response Process
      3. 7.4.3 Problem Management
        1. 7.4.3.1 Problem Management Process
      4. 7.4.4 Patching and Vulnerability Management
    5. 7.5 Disposal
      1. 7.5.1 End-of-Life Policies
      2. 7.5.2 Sunsetting Criteria
      3. 7.5.3 Sunsetting Processes
      4. 7.5.4 Information Disposal and Media Sanitization
    6. 7.6 Summary
    7. 7.7 Review Questions
    8. References
  11. Appendix A Answers to Practice Questions
    1. Chapter 1—Secure Software Concepts Questions
    2. Chapter 2—Secure Software Requirements Questions
    3. Chapter 3—Secure Software Design Questions
    4. Chapter 4—Secure Software Implementation/Coding Questions
    5. Chapter 5—Secure Software Testing Questions
    6. Chapter 6—Software Acceptance Questions
    7. Chapter 7—Software Deployment, Operations, Maintenance, and Disposal Questions
  12. Appendix B
  13. Threat Modeling—Zion, Inc.
  14. Appendix C
  15. Commonly Used Opcodes in Assembly
  16. Appendix D
  17. HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
  18. Appendix E
  19. Security Testing Tools
    1. E.1 Reconnaissance (Information Gathering) Tools
    2. E.2 Vulnerability Scanners
    3. E.3 Fingerprinting Tools
    4. E.4 Sniffers/Protocol Analyzers
    5. E.5 Password Crackers
    6. E.6 Web Security Tools: Scanners, Proxies, and Vulnerability Management
    7. E.7 Wireless Security Tools
    8. E.8 Reverse Engineering Tools (Assembler and Disassemblers, Debuggers, and Decompilers)
    9. E.9 Source Code Analyzers
    10. E.10 Vulnerability Exploitation Tools
    11. E.11 Security-Oriented Operating Systems
    12. E.12 Privacy Testing Tools