ISC2 CSSLP domain 1: Secure software concepts

Howard Poston
August 23, 2021 by
Howard Poston

The Certified Secure Software Lifecycle Professional (CSSLP) certification offered by the International Information System Security Certification Consortium, ISC2, is divided into eight different domains. The first domain, secure software concepts, is weighted as 10% of the final exam score.

What are secure software concepts?

Domain 1 of the CSSLP focuses on the concepts of software security. These include the core concepts of secure software and best practices for achieving these software security goals.

How will learning secure software concepts help my career?

The information contained within Domain 1 of the CSSLP lays the foundation for the rest of the CSSLP domains. Without understanding these core concepts, it is much more difficult to understand the why and the how of secure coding.

By learning the information covered by CSSLP Domain 1, a student can gain immediate benefits. Most of the information contained within this Domain covers best practices for secure software development. Learning these foundational best practices and applying them within your code can help with avoiding common mistakes and vulnerabilities. This makes you a better developer and can help you stand out from developers that have not received the same secure coding training.

What’s covered in CSSLP Domain 1 of the exam?

CSSLP Domain 1 is focused on foundational definitions and knowledge. It is broken into two main sections: Core Concepts and Security Design Principles.

Core concepts

The core concepts section of Domain 1 is focused on some of the main objectives of cybersecurity. These include:

  • Confidentiality: protecting the privacy of data via encryption or other controls.
  • Integrity: verifying that data has not been modified by an unauthorized party using hashing, digital signatures and more.
  • Availability: ensuring that service remains up and available to users via redundancy, replication, etc.
  • Authentication: validating the identity of a user through multi-factor authentication (MFA), identity and access management (IAM), single sign-on (SSO) and federated identity.
  • Authorization: determining whether or not an access request is legitimate based on access controls, permissions and entitlements.
  • Accountability: performing logging and auditing to track activities on a system.
  • Non-Repudiation: preventing a user from denying that they took certain actions through the use of digital signatures, blockchain and more.

Security design principles

If the core concepts section outlines the “goals” of cybersecurity, the security design principles section of CSSLP Domain 1 focuses on best practices for achieving these goals. These include:

  • Least privilege: a user, application, system and more. should only have the access and permissions that are required to perform its duties. The least privilege can be enforced by access controls, need-to-know and runtime privilege management.
  • Separation of duties: no single user should have the ability to unilaterally perform critical processes. Duties should be separated across multiple parties using solutions such as multi-party control and secret sharing.
  • Defense in depth: security should not depend on a single line of detection and enforcement. Resources should be protected by layered controls and security zones.
  • Resiliency: systems should be designed to be resilient and to fail to a secure state. This includes implementing failsafes and eliminating single points of failure.
  • Economy of mechanism: security mechanisms should be as simple as possible to minimize the potential for error. Using SSO, password vaults and more. can help to encourage good security habits.
  • Complete mediation: all access requests should be checked to ensure that they are allowed. Session management, cookie management and credential caching are examples of mediation solutions. 
  • Open design: security should not depend on a design or algorithm that is kept secret. A system should remain secure even if everything but the secret keys are publicly known.
  • Least common mechanism: mechanisms used for access to resources should not be shared. Applications should use compartmentalization, isolation and whitelisting to enforce this.
  • Psychological acceptability: security solutions should not make it more difficult to access resources. Otherwise, users may try to find workarounds or refuse to use the solution. Solutions that “make sense” to users, such as passwords, CAPTCHAs and more, are more likely to be adopted.
  • Component reuse: when possible, use existing security libraries and controls rather than implementing them. These components are more likely to be correctly implemented and have integrated security.
  • Diversity of defense: security solutions should be diverse in terms of geography, technology and more. This decreases the probability that an event that causes one security control to fail will also impact others.

Getting started with secure software concepts

Domain 1 is designed to provide the foundation for learning the rest of the content covered by the CSSLP. For this reason, it is important to ensure that you have a firm grasp of the information contained within this domain.

A good starting point is to learn the definitions of the various core concepts and design principles. From there, you can work on identifying how various solutions can support these objectives, such as the use of MFA and SSO for authentication.



Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at