quyennv.com

Senior DevOps Engineer · Healthcare, Fanance
Detecting…

Guide to the CSSLP CBK

#security#CSSLP#software-security#secure-SDLC#books

0

The Official (ISC)² Guide to the CSSLP CBK, Second Edition is the primary reference for the Certified Secure Software Lifecycle Professional (CSSLP) exam. It is organized around eight domains that together cover the end‑to‑end secure software development lifecycle: from security concepts and requirements through design, implementation, testing, deployment/operations, and supply chain.

This note condenses the book’s structure into a CSSLP study aid and secure SDLC checklist, not a replacement for reading the full text.

Domain 1 – Secure Software Concepts

Domain 1 establishes the foundations of software security and how they integrate into development practices.

  • Holistic security and implementation challenges

    • Security must consider people, process, and technology; it cannot be bolted on at the end.
    • The “iron triangle” of scope, time, and cost often pushes teams to treat security as an afterthought, and there is constant tension between security and usability.
    • Implementation challenges include legacy systems, inconsistent tooling, limited security expertise on dev teams, and organizational resistance to change.

  • Security profile and core security concepts

    • A security profile describes what makes a given piece of software “secure enough” in its context: assets, threats, environment, and acceptable risk.
    • Core objectives: confidentiality, integrity, availability, authentication, authorization, accountability (and supporting concepts such as non‑repudiation and privacy).
    • Design concepts like trust boundaries, least privilege, and segmentation are introduced here and elaborated later.

  • Risk management for software

    • Definitions: threat, vulnerability, impact, likelihood, risk; qualitative vs quantitative assessment.
    • Risk management activities: identify, analyze, evaluate, treat (avoid, transfer, mitigate, accept), and monitor.
    • The book stresses continuous risk management, not a one‑time activity, and mapping risk decisions directly into requirements, design, and operational controls.

  • Security policies, standards, and best practices

    • Policies provide the “what and why”; standards, baselines, and procedures provide “how and who/when”.
    • Internal coding standards and secure configuration baselines sit alongside external standards such as NIST, FIPS, ISO 2700x/27034, PCI DSS, and OASIS specifications.
    • Best‑practice bodies and frameworks include OWASP (Top 10, ASVS, testing guides) and ITIL for service management, which influence how security is run in production.

  • Software development and assurance methodologies

    • Classic SDLC models: waterfall, iterative, spiral, and agile; how security activities map onto each (e.g. security stories in agile sprints).
    • Software assurance methodologies: CMMI maturity levels, Six Sigma (6σ) for defect reduction, OCTAVE® for risk, STRIDE/DREAD for threat modeling and risk ranking, OSSTMM, and Flaw Hypothesis Method.
    • These are positioned as toolkits to systematically improve and measure software security over time.

  • Enterprise frameworks, regulations, privacy, and security models

    • Enterprise frameworks (Zachman, COBIT®, COSO, SABSA) link technical security with governance, risk, and compliance.
    • Regulations and privacy: SOX, Basel II, GLBA, HIPAA, data protection acts, breach notification laws, mobile device privacy acts; how they translate into concrete security requirements and audit trails.
    • Security models: trusted computing, ring protection, trusted computing base (TCB), reference monitors, and multilevel models that later influence operating system and application design.

Domain 2 – Secure Software Requirements

Domain 2 focuses on eliciting, specifying, and managing security requirements.

  • Sources and types of security requirements

    • Sources: business goals, risk assessments, regulations, policies, standards, and stakeholder needs (business, legal, operations, customers).
    • Types: core security requirements (CIA, authn/authz, non‑repudiation), general requirements, operational requirements, and environment‑specific needs (e.g. jurisdictional privacy rules, export controls).
    • The book emphasizes making security requirements testable and measurable, not vague (“the system shall be secure”).

  • Eliciting protection needs

    • Techniques: brainstorming, interviews and questionnaires, workshops, checklists derived from standards, and policy decomposition (breaking high‑level policies into concrete requirements).
    • Data classification (public, internal, confidential, secret, etc.) ties directly into handling rules, encryption requirements, and retention/disposition policies.
    • Subject/object matrices model which identities (subjects) can perform which operations on which data or resources (objects), forming a foundation for access control design.

  • Use and misuse cases, and traceability

    • Use cases describe intended behavior; misuse/abuse cases capture how an attacker might misuse the system and reveal missing or weak controls.
    • Requirements validation includes stakeholder walkthroughs, conflict detection (e.g. usability vs. security), and prioritization based on risk.
    • A Requirements Traceability Matrix (RTM) links business requirements → security requirements → design components → implementation → tests, enabling coverage checks and impact analysis when something changes.

Domain 3 – Secure Software Design

Domain 3 turns requirements into secure architectures and design decisions.

  • Need for secure design

    • Distinguishes flaws vs. bugs: design flaws (e.g. missing authorization layer, insecure trust assumptions) are often more damaging and harder to fix than coding bugs.
    • Encourages security to be a first‑class design concern, integrated into architecture reviews, not handled only in code reviews or pen tests.
    • Introduces design review checklists and the idea of security design patterns vs anti‑patterns.

  • Architecting with core security concepts

    • Designs for confidentiality (data classification, encryption at rest/in transit, key management, masking), integrity (checksums, MACs, digital signatures, transactional integrity), and availability (redundancy, clustering, graceful degradation, DoS resilience).
    • Authentication and identity: single sign‑on, federation, strong authentication factors, and identity proofing.
    • Authorization: role‑based access control (RBAC), attribute‑based access control (ABAC), and policy decision/administration points.
    • Accountability: logging, non‑repudiation, digital signatures, and time synchronization.

  • Secure design principles

    • Classic principles: least privilege, separation of duties, defense in depth, fail secure, economy of mechanism, complete mediation, open design, least common mechanism, psychological acceptability, and weakest link awareness.
    • The book provides examples of how violating these principles leads to vulnerabilities (e.g. sharing admin accounts breaks accountability, complex mechanisms are hard to review).
    • Emphasis on reusing vetted components, building in configurability for security controls, and balancing competing principles (e.g. usability vs strict authentication).

  • Architectures, technologies, and threat modeling

    • Compares mainframe, distributed, SOA/service‑oriented architectures, Rich Internet Applications (RIA), pervasive/ubiquitous computing, cloud (IaaS/PaaS/SaaS), and mobile applications.
    • Discusses attack surface for each architecture, including APIs, middleware, message buses, and integration points.
    • Covers attack surface evaluation and threat modeling as core design activities, not optional extras.
    • Technology topics: authentication and identity, credential management, flow control, logging/auditing, trusted computing, database security, language/runtime considerations, operating systems, and embedded systems.

Domain 4 – Secure Software Implementation / Coding

Domain 4 addresses secure coding practices, common vulnerabilities, and process controls.

  • Programming fundamentals and evolution

    • Reviews computer architecture (CPU, memory, stack/heap, execution flow) and how low‑level behavior influences vulnerabilities.
    • Language generations and paradigms (procedural, object‑oriented, functional, scripting) and their typical security pitfalls (manual memory management, dynamic typing, unsafe reflection, etc.).

  • Common software vulnerabilities and controls

    • Memory issues: buffer overflows, stack vs heap overflows, use‑after‑free, and unsafe pointer arithmetic.
    • Injection flaws: SQL, OS command, LDAP, XML/XPath, and injection into interpreters or templating engines.
    • Broken authentication and session management: weak credential storage, predictable session IDs, missing logout/timeout, insecure “remember me” features.
    • Cross‑Site Scripting (XSS): reflected, stored, and DOM‑based; encoding/escaping strategies and Content Security Policy (CSP).
    • Access control weaknesses: insecure direct object references, missing function‑level checks, vertical/horizontal privilege escalation.
    • Configuration and data issues: security misconfigurations, sensitive data exposure, insecure file handling, race conditions, and side‑channel attacks.
    • Component risk: using vulnerable third‑party components and libraries; importance of dependency management and patching.
    • The focus is on recognizing patterns and applying appropriate controls and mitigations.

  • Defensive coding techniques

    • Robust input validation (whitelisting, canonicalization, context‑appropriate sanitization) at trust boundaries.
    • Error and exception handling that avoids verbose error messages, stack traces, or configuration leaks in production.
    • Safe APIs and patterns for memory management, concurrency control (locks, immutability), and thread safety.
    • Secure session handling, configuration parameter management, secure startup and initialization sequences.
    • Correct use of cryptography (prefer well‑vetted libraries, strong algorithms, secure key management), tokenization, sandboxing, and anti‑tampering mechanisms.

  • Secure software processes

    • Version/configuration management: tagging, baselining, change history, and rollback plans for security‑sensitive components.
    • Static and dynamic code analysis: linters, SAST/DAST, and other tools; integrating them into build pipelines.
    • Peer reviews and pair programming with specific secure coding checklists.
    • Securing build environments, CI/CD pipelines, signing artifacts, and protecting secrets used in builds.
    • Emphasizes continuous integration of security into everyday development workflows.

Domain 5 – Secure Software Testing

Domain 5 integrates quality assurance and security testing across the SDLC.

  • Testing artifacts and strategy

    • Test artifacts: test strategy, test plan, test cases, test scripts, test suites, and test harnesses; how each contributes to coverage and repeatability.
    • Types of testing: functional (does the system do what it should?) vs non‑functional (performance, reliability, usability, portability, maintainability).
    • Aligning test design with risk and requirements, including explicit coverage of security requirements and abuse/misuse cases.

  • Security testing and attack surface validation

    • Differentiates testing of security functionality (e.g. “does access control work under normal conditions?”) from security testing aimed at uncovering vulnerabilities and breaking assumptions.
    • White‑box (code‑assisted, structural) vs black‑box (external, behavioral) testing, plus gray‑box approaches that mix both.
    • Security testing types: cryptographic validation (algorithm/configuration checks), scanning (vulnerability scanners, dependency scanners), fuzzing, and application‑specific security tests for input validation, injection, scripting attacks, non‑repudiation, spoofing, privilege escalation, and failure/exception handling.
    • Discusses tool support and how to integrate security tests into regression suites.

  • Defect management and reporting

    • Test data management: generating realistic, privacy‑respecting datasets, and protecting test data that contains sensitive information.
    • Defect lifecycle: reporting, triage, classification (severity, priority), tracking, and closure criteria.
    • Impact assessment (technical and business) and corrective actions, including verifying that fixes do not introduce regressions or new vulnerabilities.
    • Ensures that security findings are triaged, prioritized, and re‑tested before release.

Domain 6 – Software Acceptance

Domain 6 covers formal acceptance of software before deployment.

  • Acceptance guidelines and benefits

    • Defines guidelines for when and how software is accepted, including explicit security verification and validation (V&V) steps.
    • Benefits include documented accountability, reduced risk at go‑live, and clearer change control and rollback options.

  • Acceptance considerations and completion criteria

    • Completion criteria: all critical/major defects addressed, risk acceptance documented, required documents delivered (architecture, design, operations runbooks, user/admin guides).
    • Change management around acceptance: tracking late changes, their impact on testing, and updated acceptance decisions.
    • Approval to deploy or release, including who signs off and how exceptions and risk acceptances are recorded.
    • Documentation expectations to support operations, support, and audits.

  • Reviews, testing, and certification

    • Formal reviews (technical design reviews, security reviews, management reviews) as pre‑conditions for acceptance.
    • Targeted testing (including UAT and security regression) tied directly to acceptance criteria.
    • Certification and accreditation concepts where applicable (especially in regulated or government environments), and how third‑party attestations (audit reports, pen‑test reports) fit into acceptance.

Domain 7 – Software Deployment, Operations, Maintenance, and Disposal

Domain 7 follows software into production and through end‑of‑life.

  • Installation, deployment, and hardening

    • Secure installation procedures, hardening of hosts, networks, and application platforms (disabling unused services, least‑privilege service accounts, secure defaults).
    • Environment configuration and release management (promotion between environments, change windows, rollback plans).
    • Secure startup and bootstrapping to ensure integrity from the first instruction executed (secure boot, integrity checks, configuration validation).

  • Operations and maintenance

    • Monitoring and logging for performance, availability, and security events; log retention and protection.
    • Incident management (detection, analysis, containment, eradication, recovery) and problem management for root cause and long‑term fixes.
    • Change management that considers security impact, plus backup, recovery, and archiving processes that meet RPO/RTO objectives and protect data at rest and in transit.
    • Ongoing patch and configuration management to keep software and platforms up‑to‑date without destabilizing production.

  • Disposal and end‑of‑life

    • Policies and processes for retiring systems and software, including data and media sanitization in line with standards.
    • Sun‑setting criteria, decommissioning plans, and coordination with business and compliance stakeholders.
    • Ensuring that residual data, credentials, and access paths (accounts, VPNs, certificates) are securely removed.

Domain 8 – Supply Chain and Software Acquisition

Domain 8 addresses third‑party software, suppliers, and the broader supply chain.

  • Acquisition lifecycle and models

    • Acquisition lifecycle: needs analysis, market research, RFP/RFQ, evaluation, negotiation, contract, delivery, and acceptance.
    • Models for obtaining software: COTS, open source, custom development, SaaS and other cloud services, and hybrid approaches.
    • Aligns acquisition decisions with supply chain security goals and governance requirements.

  • Supply chain threats and risk management

    • Threats to supply chain software: malicious or compromised suppliers, counterfeit software, tampered code, unvetted open‑source dependencies, and insecure delivery channels.
    • Software Supply Chain Risk Management (SCRM): identifying critical suppliers, assessing their security posture, and planning mitigations.
    • Supplier risk assessment and management, including periodic reassessments as environments, products, or regulations change.

  • Contracts, IP, and compliance

    • Contractual controls: minimum security requirements, incident notification timelines, right to audit, vulnerability disclosure obligations, and SLAs tied to security and availability.
    • Intellectual property (IP) topics: ownership, licensing, redistribution rights, and restrictions.
    • Compliance considerations, including export controls and foreign trade data regulations where applicable.

  • Secure development, testing, and delivery with suppliers

    • Expectations for supplier secure development practices, code review, repository security, build integrity, and security testing (including sharing relevant evidence).
    • Software SCRM activities during acceptance, delivery/hand‑over (chain of custody, secure transfer, escrows), deployment, operations, maintenance, and retirement.
    • Anti‑tampering and authenticity/anti‑counterfeiting controls plus continuous monitoring and incident coordination obligations between customer and supplier.

How to Use This Book for CSSLP Preparation

  • Map study time to domains

    • The book’s eight domains mirror the CSSLP exam blueprint; plan your study schedule domain by domain, emphasizing weaker areas.

  • Create your own artifacts

    • Use the guidance on requirements, design, coding, testing, and acceptance to create sample policies, RTMs, threat models, and test plans for systems you know.

  • Connect practice to operations and supply chain

    • Go beyond development: tie your secure SDLC practices into operations (monitoring, incident response, patching) and supply chain (vendor due diligence, contracts, SCRM).

Read alongside the official CSSLP exam outline and current standards/regulations to ensure you are up‑to‑date; this guide provides the structured conceptual backbone for becoming a secure software lifecycle professional.

← All posts

Comments