ISC2 CSSLP domain 8: Secure software supply chain

September 2, 2021 by Greg Belding

The Certified Secure Software Lifecycle Professional (CSSLP) is a certification offered by ISC2 and intended for software (or application) professionals who have the expertise and knowledge to build security practices into the software development lifecycle. The CSSLP exam tests a broad spectrum of secure software development topics drawn from its common body of knowledge (CBK), which is organized into eight domains of knowledge.

CSSLP domains of knowledge

The CSSLP certification exam is based upon the CSSLP CBK, and that knowledge is spread across eight domains. The 2020 version of the exam brought a few changes from the previous version, such as an increase in the exam content weight of CSSLP domain 8 from 8% to 11%. The domain has also been renamed, from “Supply Chain and Software Acquisition” to “Secure Software Supply Chain,” and with the renaming came new objectives and a rewording of one of the old ones (we explore the objectives below). The current CSSLP domains of knowledge, with their respective exam content weights, are:

  1. Secure software concepts 10%
  2. Secure software requirements 14%
  3. Secure software architecture and design 14%
  4. Secure software implementation 14%
  5. Secure software testing 14%
  6. Secure software lifecycle management 11%
  7. Secure software deployment, operations and maintenance 12%
  8. Secure software supply chain 11%

What is a secure software supply chain?

A secure software supply chain is the chain of third-party code, components and services that feed into your software, together with the controls that keep them trustworthy throughout the secure software development lifecycle. Relying on third parties is a given in today’s fast-paced development, and those third parties include:

  • Open-source software (OSS)
  • Commercial off the shelf (COTS) software
  • As-a-service-providers, such as SaaS, PaaS or IaaS

This is grounded in the reality that no participant in your software supply chain is immune to compromise or attack. The purpose of this domain is to focus on those supply chain participants that could have a downstream impact on your software or application.

How will a secure software supply chain help your career?

CSSLP candidates all have one thing in common: their career focus is the secure software development lifecycle. Being an effective secure software development professional requires not only proficiency in incorporating secure development processes and concepts into the lifecycle but also expertise in managing the risks and security issues that the supply chain introduces into your software or application. For example, your development team uses code created by a third party (a vanilla example, but one that applies to nearly every development team today). Any weakness in that third party’s code or processes flows downstream to your software, which is then potentially exposed.

What’s covered in CSSLP domain 8 of the exam?

CSSLP domain 8 of the certification exam covers a broad array of topics related to secure software supply chains, such as risk management, pedigree and provenance verification, and supplier security requirements in the acquisition process. The objectives of CSSLP domain 8 are below.

8.1 Implement software supply chain risk management

Software supply chain risk management is pivotal to ensuring a secure software supply chain. CSSLP candidates will be expected to explain how to implement the steps of software supply chain risk management:

  • Identify
  • Assess
  • Respond
  • Monitor

8.2 Analyze security of third-party software

Using third-party software in the secure software development lifecycle is nearly unavoidable, and so is analyzing the security of that software, both before it is adopted and while it remains in use.

8.3 Verify pedigree and provenance

Pedigree and provenance cover where a component came from, who built it and whether it reached you unaltered. CSSLP candidates should be able to explain the mechanisms used to verify them:

  • Secure transfer (e.g., interdiction mitigation)
  • System sharing/interconnections
  • Code repository security
  • Build environment security
  • Cryptographically hashed, digitally-signed components
  • Right to audit
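
As an added example of the “cryptographically hashed, digitally-signed components” and “secure transfer” items above (this is not the article’s own material, nor code provided by ISC2), the shell script below plays both roles: a supplier signs a SHA-256 manifest of its release with an ECDSA P-256 key, and a consumer checks that signature under a pinned public key before trusting any hash in the manifest. It assumes the OpenSSL command-line tool is installed; the supplier key, the widget.tar component and the SHA256SUMS manifest are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or ISC2): verify a digitally signed
# hash manifest, then the component hash, before a third-party component is used.
# Assumes the OpenSSL CLI is installed. The supplier key, the component and the
# manifest are constructed for this demo; in practice the supplier's public key
# is obtained out of band (pinned), never from the same download location.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of a file as a bare hex string (last field of openssl's output on
# both OpenSSL 1.1.1 "SHA256(f)= ..." and 3.x "SHA2-256(f)= ...").
hash_of() {
  openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Supplier side (constructed stand-in for a vendor's release process):
# build a component, write a SHA256SUMS manifest and sign the manifest.
supplier_release() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/supplier.key" 2>/dev/null
  openssl pkey -in "$WORK/supplier.key" -pubout -out "$WORK/supplier.pub" 2>/dev/null
  printf 'widget 1.0 (constructed sample artifact)\n' > "$WORK/widget.tar"
  printf '%s  widget.tar\n' "$(hash_of "$WORK/widget.tar")" > "$WORK/SHA256SUMS"
  openssl dgst -sha256 -sign "$WORK/supplier.key" \
    -out "$WORK/SHA256SUMS.sig" "$WORK/SHA256SUMS"
}

# Consumer side: returns 0 only if the manifest signature verifies under the
# pinned supplier public key AND the component's hash matches its manifest
# entry. Order matters: whoever can swap the artifact on a mirror can also swap
# an unsigned hash file, so the signature is checked before any hash is trusted.
verify_component() {
  comp="$1"; manifest="$2"; sig="$3"; pub="$4"
  name="$(basename "$comp")"

  if ! openssl dgst -sha256 -verify "$pub" -signature "$sig" "$manifest" >/dev/null 2>&1; then
    echo "REJECT $name: manifest signature does not verify under the pinned key"
    return 1
  fi
  expected="$(awk -v f="$name" '$2 == f {print $1}' "$manifest")"
  if [ -z "$expected" ]; then
    echo "REJECT $name: no entry in the signed manifest"
    return 1
  fi
  actual="$(hash_of "$comp")"
  if [ "$expected" != "$actual" ]; then
    echo "REJECT $name: SHA-256 $actual does not match signed value $expected"
    return 1
  fi
  echo "ACCEPT $name: signature and SHA-256 verified"
  return 0
}

# Demo: a clean release is accepted; the same artifact with bytes appended in
# transit (the interdiction case) is rejected even though the signed manifest
# itself is intact.
supplier_release
verify_component "$WORK/widget.tar" "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.sig" "$WORK/supplier.pub"
printf 'injected payload\n' >> "$WORK/widget.tar"
if verify_component "$WORK/widget.tar" "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.sig" "$WORK/supplier.pub"; then
  echo "unexpected: tampered artifact accepted"
fi
```

Checking the signature before the hash is the point of the exercise: a SHA256SUMS file fetched from the same mirror as the artifact proves nothing on its own, because an attacker who substitutes the artifact can substitute the hash file too. The signature binds the hashes to a key that was obtained out of band, and the appended-bytes case shows why the hash comparison still matters once the signature passes.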

8.4 Ensure supplier security requirements in the acquisition process

Software supply chain security does not stop at the third party’s software security but extends to the security requirements imposed on the supplier during the acquisition process. CSSLP candidates should be ready to explain the following on the exam:

  • Audit of security policy compliance (e.g., secure software development practices)
  • Vulnerability/incident notification, response, coordination and reporting
  • Maintenance and support structure (e.g., community versus commercial and licensing)
  • Security track record

8.5 Support contractual requirements (e.g., intellectual property (IP) ownership, code escrow, liability, warranty, End-User License Agreement (EULA) and Service Level Agreements (SLA))

Contractual requirements such as IP ownership, code escrow, liability, warranty, EULAs and SLAs are part and parcel of acquiring software for the secure software development lifecycle. CSSLP candidates are expected to know how these contractual requirements support the software supply chain, and to explain them if required.

Learning CSSLP domain 8

The CSSLP certification is intended for secure software development professionals, and the CSSLP certification exam covers eight domains of knowledge. CSSLP domain 8 covers the secure software supply chain, a key area for the secure software development lifecycle. It is the final domain of knowledge for the CSSLP certification exam, and once you have mastered it you are well on your way to passing.



Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.