(ISC)² CSSLP Training Boot Camp

Secure software concepts

• Core concepts
• Security design principles

Secure software requirements

• Define software security requirements
• Identify and analyze compliance requirements
• Identify and analyze data classification requirements
• Identify and analyze privacy requirements
• Develop misuse and abuse cases
• Develop security requirement traceability matrix (SRTM)
• Ensure security requirements flow down to suppliers/providers

Secure software architecture and design

• Perform threat modeling
• Define the security architecture
• Performing secure interface design
• Performing architectural risk assessment
• Modeling (non-functional) security properties and constraints
• Model and classify data
• Evaluate and select reusable secure design
• Perform security architecture and design review
• Define secure operational architecture (e.g., deployment topology, operational interfaces)
• Use secure architecture and design principles, patterns and tools

Secure software implementation

• Adhere to relevant secure coding practices (e.g., standards, guidelines and regulations)
• Analyze code for security risks
• Implement security controls (e.g., watchdogs, file integrity monitoring (FIM), anti-malware)
• Address security risks (e.g. remediation, mitigation, transfer, accept)
• Securely reuse third-party code or libraries (e.g., software composition analysis (SCA))
• Securely integrate components
• Apply security during the build process

Secure software testing

• Develop security test cases
• Develop security testing strategy and plan
• Verify and validate documentation (e.g., installation and setup instructions, error messages, user guides, release notes)
• Identify undocumented functionality
• Analyze security implications of test results (e.g., impact on product management, prioritization, break build criteria)
• Classify and track security errors
• Secure test data
• Perform verification and validation testing

Secure software lifecycle management

• Secure configuration and version control (e.g., hardware, software, documentation, interfaces, patching)
• Define strategy and roadmap
• Manage security within a software development methodology
• Identify security standards and frameworks
• Define and develop security documentation
• Develop security metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)
• Decommission software
• Report security status (e.g., reports, dashboards, feedback loops)
• Incorporate integrated risk management (IRM)
• Promote security culture in software development
• Implement continuous improvement (e.g., retrospective, lessons learned)

Secure software deployment, operations and maintenance

• Perform operational risk analysis
• Release software securely
• Securely store and manage security data
• Ensure secure installation
• Perform post-deployment security testing
• Obtain security approval to operate (e.g., risk acceptance, sign-off at appropriate level)
• Perform information security continuous monitoring (ISCM)
• Support incident response
• Perform patch management (e.g. secure release, testing)
• Perform vulnerability management (e.g., scanning, tracking, triaging)
• Runtime protection (e.g., runtime application self-protection (RASP), web application firewall (WAF), address space layout randomization (ASLR))
• Support continuity of operations
• Integrate service level objectives (SLO) and service level agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

Secure software supply chain

• Implement software supply chain risk management
• Analyze security of third-party software
• Verify pedigree and provenance
• Ensure supplier security requirements in the acquisition process
• Support contractual requirements (e.g., intellectual property (IP) ownership, code escrow, liability, warranty, end-user license agreement (EULA), service level agreements (SLA))