CSSLP Certified Secure Software Lifecycle Professional All-in-One Exam Guide, Third Edition

Providing 100% coverage of the latest CSSLP exam, this self-study guide offers everything you need to ace the exam.

CSSLP Certification All-in-One Exam Guide, Third Edition covers all eight exam domains of the challenging CSSLP exam, developed by the International Information Systems Security Certification Consortium (ISC)²®. Thoroughly revised and updated for the latest exam release, this guide includes real-world examples and comprehensive coverage of all aspects of application security within the entire software development lifecycle. It also includes hands-on exercises, chapter review summaries, and notes, tips, and cautions that provide real-world insight and call out potentially harmful situations. With access to 350 exam questions online, you can practice either with full-length, timed mock exams or by creating your own custom quizzes by chapter or exam objective.

CSSLP Certification All-in-One Exam Guide, Third Edition provides thorough coverage of all eight exam domains: Secure Software Concepts; Secure Software Requirements; Secure Software Design; Secure Software Implementation Programming; Secure Software Testing; Secure Lifecycle Management; Software Deployment, Operations, and Maintenance; Supply Chain and Software Acquisition.

Author(s): Wm. Arthur Conklin; Daniel Paul Shoemaker
Series: ALL IN ONE IS ALL YOU NEED
Edition: 3
Publisher: McGraw-Hill
Year: 2022

Language: English
Pages: 416

Cover
Title Page
Copyright Page
Dedication
About the Authors
Contents at a Glance
Contents
Acknowledgments
Introduction
Exam Objective Map
Part I Secure Software Concepts
Chapter 1 Core Concepts
Confidentiality
Implementing Confidentiality
Integrity
Implementing Integrity
Availability
Authentication
Multifactor Authentication
Identity Management
Identity Provider
Identity Attributes
Certificates
Identity Tokens
SSH Keys
Smart Cards
Implementing Authentication
Credential Management
Authorization
Access Control Mechanisms
Accountability (Auditing and Logging)
Logging
Syslog
Nonrepudiation
Secure Development Lifecycle
Security vs. Quality
Security Features != Secure Software
Secure Development Lifecycle Components
Software Team Awareness and Education
Gates and Security Requirements
Bug Tracking
Threat Modeling
Fuzzing
Security Reviews
Mitigations
Chapter Review
Quick Tips
Questions
Answers
Chapter 2 Security Design Principles
System Tenets
Session Management
Exception Management
Configuration Management
Secure Design Tenets
Good Enough Security
Least Privilege
Separation of Duties
Defense in Depth
Fail-Safe
Economy of Mechanism
Complete Mediation
Open Design
Least Common Mechanism
Psychological Acceptability
Weakest Link
Leverage Existing Components
Single Point of Failure
Security Models
Access Control Models
Multilevel Security Model
Integrity Models
Information Flow Models
Adversaries
Adversary Type
Adversary Groups
Threat Landscape Shift
Chapter Review
Quick Tips
Questions
Answers
Part II Secure Software Requirements
Chapter 3 Define Software Security Requirements
Functional Requirements
Role and User Definitions
Objects
Activities/Actions
Subject-Object-Activity Matrix
Use Cases
Sequencing and Timing
Secure Coding Standards
Operational and Deployment Requirements
Connecting the Dots
Chapter Review
Quick Tips
Questions
Answers
Chapter 4 Identify and Analyze Compliance Requirements
Regulations and Compliance
Security Standards
ISO
NIST
FISMA
Sarbanes-Oxley
Gramm-Leach-Bliley
HIPAA and HITECH
Payment Card Industry Data Security Standard
Other Regulations
Legal Issues
Intellectual Property
Data Classification
Data States
Data Usage
Data Risk Impact
Data Lifecycle
Generation
Data Ownership
Data Owner
Data Custodian
Labeling
Sensitivity
Impact
Privacy
Privacy Policy
Personally Identifiable Information
Personal Health Information
Breach Notifications
General Data Protection Regulation
California Consumer Privacy Act 2018 (AB 375)
Privacy-Enhancing Technologies
Data Minimization
Data Masking
Tokenization
Anonymization
Pseudo-anonymization
Chapter Review
Quick Tips
Questions
Answers
Chapter 5 Misuse and Abuse Cases
Misuse/Abuse Cases
Requirements Traceability Matrix
Software Acquisition
Definitions and Terminology
Build vs. Buy Decision
Outsourcing
Contractual Terms and Service Level Agreements
Requirements Flow Down to Suppliers/Providers
Chapter Review
Quick Tips
Questions
Answers
Part III Secure Software Architecture and Design
Chapter 6 Secure Software Architecture
Perform Threat Modeling
Threat Model Development
Attack Surface Evaluation
Attack Surface Measurement
Attack Surface Minimization
Threat Intelligence
Threat Hunting
Define the Security Architecture
Security Control Identification and Prioritization
Distributed Computing
Service-Oriented Architecture
Web Services
Rich Internet Applications
Pervasive/Ubiquitous Computing
Embedded
Cloud Architectures
Mobile Applications
Hardware Platform Concerns
Cognitive Computing
Control Systems
Chapter Review
Quick Tips
Questions
Answers
Chapter 7 Secure Software Design
Performing Secure Interface Design
Logging
Protocol Design Choices
Performing Architectural Risk Assessment
Model (Nonfunctional) Security Properties and Constraints
Model and Classify Data
Types of Data
Structured
Unstructured
Evaluate and Select Reusable Secure Design
Creating a Practical Reuse Plan
Credential Management
Flow Control
Data Loss Prevention
Virtualization
Trusted Computing
Database Security
Programming Language Environment
Operating System Controls and Services
Secure Backup and Restoration Planning
Secure Data Retention, Retrieval, and Destruction
Perform Security Architecture and Design Review
Define Secure Operational Architecture
Use Secure Architecture and Design Principles, Patterns, and Tools
Chapter Review
Quick Tips
Questions
Answers
Part IV Secure Software Implementation
Chapter 8 Secure Coding Practices
Declarative vs. Imperative Security
Bootstrapping
Cryptographic Agility
Handling Configuration Parameters
Memory Management
Type-Safe Practice
Locality
Error Handling
Interface Coding
Primary Mitigations
Learning from Past Mistakes
Secure Design Principles
Good Enough Security
Least Privilege
Separation of Duties
Defense in Depth
Fail Safe
Economy of Mechanism
Complete Mediation
Open Design
Least Common Mechanism
Psychological Acceptability
Weakest Link
Leverage Existing Components
Single Point of Failure
Interconnectivity
Session Management
Exception Management
Configuration Management
Cryptographic Failures
Hard-Coded Credentials
Missing Encryption of Sensitive Data
Use of a Broken or Risky Cryptographic Algorithm
Download of Code Without Integrity Check
Use of a One-Way Hash Without a Salt
Input Validation Failures
Buffer Overflow
Canonical Form
Missing Defense Functions
Output Validation Failures
General Programming Failures
Sequencing and Timing
Technology Solutions
Chapter Review
Quick Tips
Questions
Answers
Chapter 9 Analyze Code for Security Risks
Code Analysis (Static and Dynamic)
Static Application Security Testing
Dynamic Application Security Testing
Interactive Application Security Testing
Runtime Application Self-Protection
Code/Peer Review
Code Review Objectives
Additional Sources of Vulnerability Information
CWE/SANS Top 25 Vulnerability Categories
OWASP Vulnerability Categories
Common Vulnerabilities and Countermeasures
Injection Attacks
Chapter Review
Quick Tips
Questions
Answers
Chapter 10 Implement Security Controls
Security Risks
Implement Security Controls
Applying Security via the Build Environment
Integrated Development Environment
Anti-tampering Techniques
Code Signing
Configuration Management: Source Code and Versioning
Code Obfuscation
Defensive Coding Techniques
Declarative vs. Programmatic Security
Bootstrapping
Cryptographic Agility
Handling Configuration Parameters
Interface Coding
Memory Management
Primary Mitigations
Secure Integration of Components
Secure Reuse of Third-Party Code or Libraries
System-of-Systems Integration
Chapter Review
Quick Tips
Questions
Answers
Part V Secure Software Testing
Chapter 11 Security Test Cases
Security Test Cases
Attack Surface Evaluation
Penetration Testing
Common Methods
Fuzzing
Scanning
Simulations
Failure Modes
Cryptographic Validation
Regression Testing
Integration Testing
Continuous Testing
Chapter Review
Quick Tips
Questions
Answers
Chapter 12 Security Testing Strategy and Plan
Develop a Security Testing Strategy and a Plan
Functional Security Testing
Unit Testing
Nonfunctional Security Testing
Testing Techniques
White-Box Testing
Black-Box Testing
Gray-Box Testing
Testing Environment
Environment
Standards
ISO/IEC 25010:2011
SSE-CMM
OSSTMM
Crowd Sourcing
Chapter Review
Quick Tips
Questions
Answers
Chapter 13 Software Testing and Acceptance
Perform Verification and Validation Testing
Software Qualification Testing
Qualification Testing Hierarchy
Identify Undocumented Functionality
Analyze Security Implications of Test Results
Classify and Track Security Errors
Bug Tracking
Defects
Errors
Bug Bar
Risk Scoring
Secure Test Data
Generate Test Data
Reuse of Production Data
Chapter Review
Quick Tips
Questions
Answers
Part VI Secure Software Lifecycle Management
Chapter 14 Secure Configuration and Version Control
Secure Configuration and Version Control
Define Strategy and Roadmap
Manage Security Within a Software Development Methodology
Security in Adaptive Methodologies
Security in Predictive Methodologies
Identify Security Standards and Frameworks
Define and Develop Security Documentation
Develop Security Metrics
Decommission Software
End-of-Life Policies
Data Disposition
Report Security Status
Chapter Review
Quick Tips
Questions
Answers
Chapter 15 Software Risk Management
Incorporate Integrated Risk Management
Regulations and Compliance
Legal
Standards and Guidelines
Risk Management
Terminology
Technical Risk vs. Business Risk
Promote Security Culture in Software Development
Security Champions
Security Education and Guidance
Implement Continuous Improvement
Chapter Review
Quick Tips
Questions
Answers
Part VII Secure Software Deployment, Operations, Maintenance
Chapter 16 Secure Software Deployment
Perform Operational Risk Analysis
Deployment Environment
Personnel Training
Safety Criticality
System Integration
Release Software Securely
Secure Continuous Integration and Continuous Delivery Pipeline
Secure Software Tool Chain
Build Artifact Verification
Securely Store and Manage Security Data
Credentials
Secrets
Keys/Certificates
Configurations
Ensure Secure Installation
Bootstrapping
Least Privilege
Environment Hardening
Secure Activation
Security Policy Implementation
Secrets Injection
Perform Post-Deployment Security Testing
Chapter Review
Quick Tips
Questions
Answers
Chapter 17 Secure Software Operations and Maintenance
Obtain Security Approval to Operate
Perform Information Security Continuous Monitoring
Collect and Analyze Security Observable Data
Threat Intel
Intrusion Detection/Response
Secure Configuration
Regulation Changes
Support Incident Response
Root-Cause Analysis
Incident Triage
Forensics
Perform Patch Management
Perform Vulnerability Management
Runtime Protection
Support Continuity of Operations
Backup, Archiving, Retention
Disaster Recovery
Resiliency
Integrate Service Level Objectives and Service Level Agreements
Chapter Review
Quick Tips
Questions
Answers
Part VIII Secure Software Supply Chain
Chapter 18 Software Supply Chain Risk Management
Implement Software Supply Chain Risk Management
Analyze Security of Third-Party Software
Verify Pedigree and Provenance
Secure Transfer
System Sharing/Interconnections
Code Repository Security
Build Environment Security
Cryptographically Hashed, Digitally Signed Components
Right to Audit
Chapter Review
Quick Tips
Questions
Answers
Chapter 19 Supplier Security Requirements
Ensure Supplier Security Requirements in the Acquisition Process
Supplier Sourcing
Supplier Transitioning
Audit of Security Policy Compliance
Vulnerability/Incident Notification, Response, Coordination, and Reporting
Maintenance and Support Structure
Security Track Record
Support Contractual Requirements
Intellectual Property
Legal Compliance
Chapter Review
Quick Tips
Questions
Answers
Part IX Appendix and Glossary
Appendix About the Online Content
System Requirements
Your Total Seminars Training Hub Account
Privacy Notice
Single User License Terms and Conditions
TotalTester Online
Technical Support
Glossary
Index