
CSSLP Certified Secure Software Lifecycle Professional All-in-One Exam Guide, Third Edition

Content
- Cover
- Title Page
- Copyright Page
- Dedication
- About the Authors
- Contents at a Glance
- Contents
- Acknowledgments
- Introduction
- Exam Objective Map
- Part I Secure Software Concepts
- Chapter 1 Core Concepts
- Confidentiality
- Implementing Confidentiality
- Integrity
- Implementing Integrity
- Availability
- Authentication
- Multifactor Authentication
- Identity Management
- Identity Provider
- Identity Attributes
- Certificates
- Identity Tokens
- SSH Keys
- Smart Cards
- Implementing Authentication
- Credential Management
- Authorization
- Access Control Mechanisms
- Accountability (Auditing and Logging)
- Logging
- Syslog
- Nonrepudiation
- Secure Development Lifecycle
- Security vs. Quality
- Security Features != Secure Software
- Secure Development Lifecycle Components
- Software Team Awareness and Education
- Gates and Security Requirements
- Bug Tracking
- Threat Modeling
- Fuzzing
- Security Reviews
- Mitigations
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 2 Security Design Principles
- System Tenets
- Session Management
- Exception Management
- Configuration Management
- Secure Design Tenets
- Good Enough Security
- Least Privilege
- Separation of Duties
- Defense in Depth
- Fail-Safe
- Economy of Mechanism
- Complete Mediation
- Open Design
- Least Common Mechanism
- Psychological Acceptability
- Weakest Link
- Leverage Existing Components
- Single Point of Failure
- Security Models
- Access Control Models
- Multilevel Security Model
- Integrity Models
- Information Flow Models
- Adversaries
- Adversary Type
- Adversary Groups
- Threat Landscape Shift
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part II Secure Software Requirements
- Chapter 3 Define Software Security Requirements
- Functional Requirements
- Role and User Definitions
- Objects
- Activities/Actions
- Subject-Object-Activity Matrix
- Use Cases
- Sequencing and Timing
- Secure Coding Standards
- Operational and Deployment Requirements
- Connecting the Dots
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 4 Identify and Analyze Compliance Requirements
- Regulations and Compliance
- Security Standards
- ISO
- NIST
- FISMA
- Sarbanes-Oxley
- Gramm-Leach-Bliley
- HIPAA and HITECH
- Payment Card Industry Data Security Standard
- Other Regulations
- Legal Issues
- Intellectual Property
- Data Classification
- Data States
- Data Usage
- Data Risk Impact
- Data Lifecycle
- Generation
- Data Ownership
- Data Owner
- Data Custodian
- Labeling
- Sensitivity
- Impact
- Privacy
- Privacy Policy
- Personally Identifiable Information
- Personal Health Information
- Breach Notifications
- General Data Protection Regulation
- California Consumer Privacy Act 2018 (AB 375)
- Privacy-Enhancing Technologies
- Data Minimization
- Data Masking
- Tokenization
- Anonymization
- Pseudo-anonymization
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 5 Misuse and Abuse Cases
- Misuse/Abuse Cases
- Requirements Traceability Matrix
- Software Acquisition
- Definitions and Terminology
- Build vs. Buy Decision
- Outsourcing
- Contractual Terms and Service Level Agreements
- Requirements Flow Down to Suppliers/Providers
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part III Secure Software Architecture and Design
- Chapter 6 Secure Software Architecture
- Perform Threat Modeling
- Threat Model Development
- Attack Surface Evaluation
- Attack Surface Measurement
- Attack Surface Minimization
- Threat Intelligence
- Threat Hunting
- Define the Security Architecture
- Security Control Identification and Prioritization
- Distributed Computing
- Service-Oriented Architecture
- Web Services
- Rich Internet Applications
- Pervasive/Ubiquitous Computing
- Embedded
- Cloud Architectures
- Mobile Applications
- Hardware Platform Concerns
- Cognitive Computing
- Control Systems
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 7 Secure Software Design
- Performing Secure Interface Design
- Logging
- Protocol Design Choices
- Performing Architectural Risk Assessment
- Model (Nonfunctional) Security Properties and Constraints
- Model and Classify Data
- Types of Data
- Structured
- Unstructured
- Evaluate and Select Reusable Secure Design
- Creating a Practical Reuse Plan
- Credential Management
- Flow Control
- Data Loss Prevention
- Virtualization
- Trusted Computing
- Database Security
- Programming Language Environment
- Operating System Controls and Services
- Secure Backup and Restoration Planning
- Secure Data Retention, Retrieval, and Destruction
- Perform Security Architecture and Design Review
- Define Secure Operational Architecture
- Use Secure Architecture and Design Principles, Patterns, and Tools
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part IV Secure Software Implementation
- Chapter 8 Secure Coding Practices
- Declarative vs. Imperative Security
- Bootstrapping
- Cryptographic Agility
- Handling Configuration Parameters
- Memory Management
- Type-Safe Practice
- Locality
- Error Handling
- Interface Coding
- Primary Mitigations
- Learning from Past Mistakes
- Secure Design Principles
- Good Enough Security
- Least Privilege
- Separation of Duties
- Defense in Depth
- Fail Safe
- Economy of Mechanism
- Complete Mediation
- Open Design
- Least Common Mechanism
- Psychological Acceptability
- Weakest Link
- Leverage Existing Components
- Single Point of Failure
- Interconnectivity
- Session Management
- Exception Management
- Configuration Management
- Cryptographic Failures
- Hard-Coded Credentials
- Missing Encryption of Sensitive Data
- Use of a Broken or Risky Cryptographic Algorithm
- Download of Code Without Integrity Check
- Use of a One-Way Hash Without a Salt
- Input Validation Failures
- Buffer Overflow
- Canonical Form
- Missing Defense Functions
- Output Validation Failures
- General Programming Failures
- Sequencing and Timing
- Technology Solutions
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 9 Analyze Code for Security Risks
- Code Analysis (Static and Dynamic)
- Static Application Security Testing
- Dynamic Application Security Testing
- Interactive Application Security Testing
- Runtime Application Self-Protection
- Code/Peer Review
- Code Review Objectives
- Additional Sources of Vulnerability Information
- CWE/SANS Top 25 Vulnerability Categories
- OWASP Vulnerability Categories
- Common Vulnerabilities and Countermeasures
- Injection Attacks
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 10 Implement Security Controls
- Security Risks
- Implement Security Controls
- Applying Security via the Build Environment
- Integrated Development Environment
- Anti-tampering Techniques
- Code Signing
- Configuration Management: Source Code and Versioning
- Code Obfuscation
- Defensive Coding Techniques
- Declarative vs. Programmatic Security
- Bootstrapping
- Cryptographic Agility
- Handling Configuration Parameters
- Interface Coding
- Memory Management
- Primary Mitigations
- Secure Integration of Components
- Secure Reuse of Third-Party Code or Libraries
- System-of-Systems Integration
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part V Secure Software Testing
- Chapter 11 Security Test Cases
- Security Test Cases
- Attack Surface Evaluation
- Penetration Testing
- Common Methods
- Fuzzing
- Scanning
- Simulations
- Failure Modes
- Cryptographic Validation
- Regression Testing
- Integration Testing
- Continuous Testing
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 12 Security Testing Strategy and Plan
- Develop a Security Testing Strategy and a Plan
- Functional Security Testing
- Unit Testing
- Nonfunctional Security Testing
- Testing Techniques
- White-Box Testing
- Black-Box Testing
- Gray-Box Testing
- Testing Environment
- Environment
- Standards
- ISO/IEC 25010:2011
- SSE-CMM
- OSSTMM
- Crowd Sourcing
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 13 Software Testing and Acceptance
- Perform Verification and Validation Testing
- Software Qualification Testing
- Qualification Testing Hierarchy
- Identify Undocumented Functionality
- Analyze Security Implications of Test Results
- Classify and Track Security Errors
- Bug Tracking
- Defects
- Errors
- Bug Bar
- Risk Scoring
- Secure Test Data
- Generate Test Data
- Reuse of Production Data
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part VI Secure Software Lifecycle Management
- Chapter 14 Secure Configuration and Version Control
- Secure Configuration and Version Control
- Define Strategy and Roadmap
- Manage Security Within a Software Development Methodology
- Security in Adaptive Methodologies
- Security in Predictive Methodologies
- Identify Security Standards and Frameworks
- Define and Develop Security Documentation
- Develop Security Metrics
- Decommission Software
- End-of-Life Policies
- Data Disposition
- Report Security Status
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 15 Software Risk Management
- Incorporate Integrated Risk Management
- Regulations and Compliance
- Legal
- Standards and Guidelines
- Risk Management
- Terminology
- Technical Risk vs. Business Risk
- Promote Security Culture in Software Development
- Security Champions
- Security Education and Guidance
- Implement Continuous Improvement
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part VII Secure Software Deployment, Operations, Maintenance
- Chapter 16 Secure Software Deployment
- Perform Operational Risk Analysis
- Deployment Environment
- Personnel Training
- Safety Criticality
- System Integration
- Release Software Securely
- Secure Continuous Integration and Continuous Delivery Pipeline
- Secure Software Tool Chain
- Build Artifact Verification
- Securely Store and Manage Security Data
- Credentials
- Secrets
- Keys/Certificates
- Configurations
- Ensure Secure Installation
- Bootstrapping
- Least Privilege
- Environment Hardening
- Secure Activation
- Security Policy Implementation
- Secrets Injection
- Perform Post-Deployment Security Testing
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 17 Secure Software Operations and Maintenance
- Obtain Security Approval to Operate
- Perform Information Security Continuous Monitoring
- Collect and Analyze Security Observable Data
- Threat Intel
- Intrusion Detection/Response
- Secure Configuration
- Regulation Changes
- Support Incident Response
- Root-Cause Analysis
- Incident Triage
- Forensics
- Perform Patch Management
- Perform Vulnerability Management
- Runtime Protection
- Support Continuity of Operations
- Backup, Archiving, Retention
- Disaster Recovery
- Resiliency
- Integrate Service Level Objectives and Service Level Agreements
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part VIII Secure Software Supply Chain
- Chapter 18 Software Supply Chain Risk Management
- Implement Software Supply Chain Risk Management
- Analyze Security of Third-Party Software
- Verify Pedigree and Provenance
- Secure Transfer
- System Sharing/Interconnections
- Code Repository Security
- Build Environment Security
- Cryptographically Hashed, Digitally Signed Components
- Right to Audit
- Chapter Review
- Quick Tips
- Questions
- Answers
- Chapter 19 Supplier Security Requirements
- Ensure Supplier Security Requirements in the Acquisition Process
- Supplier Sourcing
- Supplier Transitioning
- Audit of Security Policy Compliance
- Vulnerability/Incident Notification, Response, Coordination, and Reporting
- Maintenance and Support Structure
- Security Track Record
- Support Contractual Requirements
- Intellectual Property
- Legal Compliance
- Chapter Review
- Quick Tips
- Questions
- Answers
- Part IX Appendix and Glossary
- Appendix About the Online Content
- System Requirements
- Your Total Seminars Training Hub Account
- Privacy Notice
- Single User License Terms and Conditions
- TotalTester Online
- Technical Support
- Glossary
- Index
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle: limited support only).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather awkward to read, requiring a lot of scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.