ISC2 CSSLP certification exam: Overview of domains

Patrick Mallory
August 16, 2021 by
Patrick Mallory

Even as cybersecurity threats seem to be increasing in size and scope, malicious actors are still looking for new and unique ways to exploit their victims for the data and valuable assets that they want. 

In addition to advanced network intrusions, social engineering and ransomware, cyber actors are still looking for bugs and vulnerabilities in software to exploit for their gain. This can be especially threatening for those organizations that rely on enterprise software for their core business processes or even to assist with their security. 

Although they are not intentional, either from a lacking quality engineering process, limited time and resources or just plain human error, software is distributed with loopholes in their code or functionality that, if found, can provide unintended access or behavior.

(ISC)² has updated their Certified Secure Software Lifecycle Professional (CSSLP) certification, which validates a security professional's ability and knowledge of security best practices surrounding the Software Development Lifecycle (SDLC), including the ability to set up a software security program in their organization. Ultimately, this can help reduce the frequency and impact of source code vulnerabilities and reduce production costs and schedules.

CSSLP domain overview

The CSSLP certification exam is a rigorous three-hour exam that confirms a candidate's understanding and ability to apply secure software best practices across eight different domains. 

According to the CSSLP Certification Overview, exam questions are developed from the skills, techniques and information contained within the CSSLP CBK with the following allocation:

  • Secure software concepts – 13%
  • Secure software requirements – 14%
  • Secure software Design – 16%
  • Secure software implementation/programming – 16%
  • Secure software testing – 14%
  • Secure lifecycle management – 10%
  • Software development, operations and maintenance – 9%
  • Supply chain and software acquisition – 8%

In addition to passing the CSSLP exam, the (ISC)² requires certification candidates to have a minimum of four years of combined full-time SDLC experience in at least one of the eight listed CSSLP domains. 

Domain 1: Secure software concepts

Domain 1, secure software concepts, lays the foundation for the rest of the CSSLP learning objectives, concepts and principles. Some of the key elements covered include:

  • Secure software core concepts: the C-I-A triad, authentication, authorization, accountability and nonrepudiation.
  • Security design principles: the following principles are covered, among others:
    • Least privilege
    • Separation of duties
    • Defense in depth
    • Psychological acceptability, including password management
    • Diversity of defense

Domain 2: Secure software requirements

Secure software development relies on the integration of security principles, especially those from Domain 1, into the entire SDLC, weaving security into every element instead of it being an afterthought. 

In practice, this emphasizes including security into the initial requirements of software and measuring acceptability during testing like other functional and non-functional requirements.

Key elements from Domain 2 include:

  • Define software security requirements: identifying security elements within functional and non-functional requirements.
  • Identify and analyze compliance requirements.
  • Identify and analyze data classification requirements: how data handling, storage and disposal play a role in secure software.
  • Identify and analyze privacy requirements: the practical elements of anonymity in data and user accounts as well as data retention, disposition and control across different regulatory jurisdictions.
  • Develop misuse and abuse cases.
  • Develop security requirement traceability matrix (STRM).
  • Ensure security requirements flow down to suppliers/providers.

Domain 3: Secure software architecture and design

Domain 3 takes a comprehensive look at secure software design, including the ideas of risk modeling and management, security characteristics of different architectures and the models, tools and principles that can facilitate the process from end-to-end.

Key elements from Domain 3 include:

  • Perform threat modeling: the role of threat intelligence and attack surface evaluation in preparing for potential threats.
  • Define the security architecture: the key characteristics of various software and service architectures and how they account for security requirements.
  • Perform secure interface design: how application and data interfaces contribute to secure software development.
  • Perform architectural risk assessment.
  • Model (non-functional) security properties and constraints.
  • Model and classify data.
  • Evaluate and select a reusable secure design: how existing security principles in other technology domains contribute to secure software, including ideas of data loss prevention, secure backup, trusted computing and programming language selection.
  • Perform security architecture and design review.
  • Define secure operational architecture.
  • Use secure architecture and design principles, patterns and tools.

Domain 4: Secure software implementation

Domain 4 brings all of Domains 1 through 3 together to give the CSSLP professional the knowledge and tools needed to facilitate the formation and development of secure software.

Key elements from Domain 4 include:

  • Adhere to relevant secure coding practices: utilizing coding best practices and techniques to integrate security controls, such as sandboxing, access controls, output sanitization and error handling to strengthen software.
  • Analyze code for security risks: manual and automated code analysis for known vulnerabilities and bugs.
  • Implement security controls.
  • Address security risks.
  • Securely reuse third-party code or libraries.
  • Securely integrate components.
  • Apply security during the build process: leveraging code signing and secure compilers to strengthen the build phase.

Domain 5: Secure software testing

When customer expectations place quality and speed on equal footing, testing plays a critical role in supporting the delivery of secure software. Domain 5 explores the range of tests that can be done and how to plan them and track and resolve identified issues.

In particular, Domain 5 includes:

  • Develop security test cases: based on your needs, how to use the following types of tests, among others, given their strengths and weaknesses:
    • Penetration testing
    • Fuzzing
    • Vulnerability scanning
    • Regression testing
    • Stress testing
  • Develop security testing strategy and plan: how to approach your testing efforts, including the environment, standards, testers and techniques.
  • Verify and validate documentation.
  • Identify undocumented functionality.
  • Analyze security implications of test results.
  • Classify and track security errors: Best practices in tracking bugs and risks.
  • Secure test data.
  • Perform verification and validation testing.

Domain 6: Secure software lifecycle management

Domain 6 ensures that CSSLPs can convey the importance of developing the key processes to manage the entire software lifecycle, always focusing on security. From defining the software roadmap to planning updates and patches and how to safely decommission software, secure software lifecycle management helps to further promote an organization's security mindset.

Key elements from Domain 6 include:

  • Secure configuration and version control.
  • Define strategy and roadmap.
  • Manage security within a software development methodology: how to integrate security within waterfall and agile development methodologies.
  • Identify security standards and frameworks.
  • Define and develop security documentation.
  • Develop security metrics.
  • Decommission software: putting features and documents in place to support the safe disposal of data and removing corporate or personally-identifying information.
  • Report security status.
  • Incorporate integrated risk management (IRM): an understanding of the key regulations, laws and policies as well as the terminology and tools to ensure compliance and support risk management.
  • Promote security culture in software development.
  • Implement continuous improvement.

Domain 7: Secure software deployment, operations and maintenance

Similar to Domain 6 and recognizing that software security doesn't end after release, Domain 7 focuses on the key processes, tools and techniques to securely install, maintain and update the software on an ongoing basis. 

Domain 7 includes the following topics:

  • Perform operational risk analysis: efforts to bolster user and environmental security where the software will be used.
  • Release software securely.
  • Securely store and manage security data: ensuring the use of keys, credentials and certificates to support data security.
  • Ensure secure installation.
  • Perform post-deployment security testing.
  • Obtain security approval to operate.
  • Perform continuous monitoring of information security (ISCM): utilizing ongoing threat intelligence, logging and intrusion detection tools to protect software proactively.
  • Support incident response.
  • Perform patch management.
  • Perform vulnerability management.
  • Runtime protection.
  • Support continuity of operations: the importance of backup, archiving and data retention for resiliency as well as Disaster Recovery planning.
  • Integrate service level objectives (SLO) and service level agreements (SLA).

Domain 8: Secure software supply chain

Domain 8 encapsulates the importance of understanding supply chain risks in the development and implementation of secure software. As the SolarWinds attack demonstrates, organizations cannot assume that the partners that make up their supply chain integrate the same level of rigor and security as they do. 

Therefore, Domain 8 emphasizes: 

  • Implement software supply chain risk management: the key elements of identifying, assessing, responding, and monitoring for risk in your supply chain.
  • Analyze the security of third-party software.
  • Verify pedigree and provenance: different methods to ensure the secure transfer and integrity of data and code passage.
  • Ensure supplier security requirements in the acquisition process: how to incorporate security requirements into vendor relationships and contracts, including incident notification, security policy compliance and maintenance expectations.
  • Support contractual requirements.

Take the next step toward the CSSLP

The CSSLP is a great way to show employers (and your peers) that you have the advanced knowledge and skills needed to secure each phase of the SDLC.

If you are ready to take the next step toward pursuing this established certification, take a moment to review these additional training resources and programs to accelerate your journey.



Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.