CSSLP Training

(ISC)2 CSSLP Certification Training Course - 4 Days

(ISC)2 CSSLP Overview

The (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) certification validates that software professionals have the expertise to incorporate security practices - authentication, authorization and auditing - into each phase of the software development lifecycle, from software design and implementation to testing and deployment.

Please fill out the contact form on this page for an initial free consultation.

(ISC)2 CSSLP Requirements

1. Obtain the Required Experience

The (ISC)2 CSSLP certification requires a minimum of four (4) years of cumulative paid full-time Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)2 CSSLP CBK, or three (3) years of cumulative paid full-time SDLC professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year degree leading to a Baccalaureate, or regional equivalent, in Computer Science, Information Technology (IT) or related fields. If you do not have the required experience, you may still sit for the exam and become an Associate of (ISC)2 until you have gained the experience.

2. Study for the Exam

Use this 4-day training course and associated course materials to learn the CSSLP CBK and prepare you for the exam.

3. Register for the Exam

Visit the Pearson Vue (ISC)2 page to schedule an exam date and submit the examination fee.

4. Pass the Exam

Pass the CSSLP examination with a scaled score of 700 points or greater.

5. Complete the Endorsement Process

Once you are notified you have successfully passed the examination, you will have nine months from the date you sat for the exam to complete the following endorsement process:

  • Complete an Application Endorsement Form
  • Subscribe to the (ISC)2 code of ethics
  • Have your form endorsed by an (ISC)2 member

The credential can be awarded once the steps above have been completed and your form has been submitted.

6. Maintain the Certification

Recertification is required every three years, with ongoing requirements to maintain your credentials in good standing. This is accomplished through earning and posting a minimum of 30 Continuing Professional Education (CPE) credits (of the 90 CPE credits required in the three-year certification cycle) and paying the Annual Maintenance Fee (AMF) of US $100 during each year of the three-year certification cycle before your certification or recertification annual anniversary.

(ISC)2 CSSLP Course Materials

  1. Workbooks available for students
  2. Highly recommended (sold separately): Official (ISC)2 Guide to the CSSLP, 2nd edition by Mano Paul

(ISC)2 CSSLP Course Outline

Domain 1 - Secure Software Concepts

The goal of the Secure Software Concepts domain is to provide the learner with concepts related to the core software security requirements and foundational design principles as they relate to issues of privacy, governance, risk and compliance. Learners will understand the software methodologies needed in order to develop software that is secure and resilient to attacks.

After completing this domain, participants will be able to:

  • Define the concepts of secure software and how it applies to the design.
  • Identify and apply information system security concepts to the development of software.
  • Identify design aspects needed in order to develop hack-resilient software.
  • Describe the regulatory, privacy, compliance, risk, and governance requirements for software development, and the effects of noncompliance.
  • Describe development methodologies for the development of software.

Module Outline:

  • Module 1: Concepts of secure software
  • Module 2: Principles of secure design
  • Module 3: Security and Privacy
  • Module 4: Governance, Risk, and Compliance

Domain 2 - Security Software Requirements

The goal of the Security Software Requirements domain is to provide the learner with concepts related to understanding the importance of identifying and developing software with secure requirements. The learner will be able to incorporate security requirements in the development of software in order to produce software that is reliable, resilient, and recoverable.

After completing this domain, participants will be able to:

  • Identify the process for breaking down internal and external policies in order to develop software that meets stakeholder requirements.
  • Describe data classification as a mechanism to produce software security requirements from functional business requirements.
  • Identify the different types of security requirements for software.
  • Develop misuse and abuse cases in order to define functional security requirements.
  • Describe the operational level secure software requirements.

Module Outline:

  • Module 1: Policy decomposition
  • Module 2: Classification and categorization
  • Module 3: Functional requirements - Use cases and abuse cases
  • Module 4: Secure software operational requirements

Domain 3 - Secure Software Design

The design phase of software development is one of the most important phases in the Software Development Life Cycle. The Secure Software Design domain will provide the learner with an understanding of how to ensure that software security requirements are included in the design of the software. Learners will gain knowledge of secure design principles and processes, and be exposed to different architectures and technologies for securing software.

After completing this domain, participants will be able to:

  • Explain reasons for including security in the design of software.
  • Define secure design principles and how they are incorporated into the software design.
  • Describe the software design process.
  • Identify software security design considerations required for the development of secure software.
  • Compare and contrast the architectures that exist for secure software design.
  • Describe the technologies and computing environments and their impact on design decisions regarding security.

Module Outline:

  • Module 1: Importance of secure design
  • Module 2: Design considerations
  • Module 3: The design process
  • Module 4: Securing commonly used architecture

Domain 4 - Secure Software Coding

The Secure Software Implementation/Coding domain will provide the learner with an understanding of the importance of programming concepts that can effectively protect software from vulnerabilities. Learners will touch on topics such as software coding vulnerabilities, defensive coding techniques and processes, code analysis and protection, and environmental security considerations that should be factored into software.

After completing this domain, participants will be able to:

  • Explain the fundamentals of programming and different software development methodologies.
  • Identify common software attacks and vulnerabilities.
  • Describe defensive coding practices and controls.
  • Implement programming safeguards using defensive coding principles.
  • Explain the difference between static and dynamic code analysis.
  • Describe how to build software with security mechanisms in place.

Module Outline:

  • Module 1: Fundamental programming concepts
  • Module 2: Vulnerability databases and lists
  • Module 3: Defensive coding practices and controls
  • Module 4: Secure software processes

Domain 5 - Security Software Testing

The Secure Software Testing domain will address issues pertaining to proper testing of software for security, including the overall strategies and plans. Learners will gain an understanding of the different types of functional and security testing that should be performed, the criteria for testing, concepts related to impact assessment and corrective actions, and the test data lifecycle.

After completing this domain, participants will be able to:

  • Identify the different artifacts of testing and their importance for the process.
  • Describe the importance of testing and its impact on secure software.
  • Describe the types of testing and the benefits and weaknesses of each.
  • Identify impact assessment and the respective corrective actions for secure software development.
  • Describe the Test Data Lifecycle Management.

Module Outline:

  • Module 1: Artifacts of testing
  • Module 2: Testing for security and quality assurance
  • Module 3: Types of testing
  • Module 4: Test Data Lifecycle Management

Domain 6 - Software Acceptance

The Software Acceptance domain provides an understanding of the requirements for software acceptance, paying specific attention to compliance, quality, functionality, and assurance. Participants will learn about pre- and post-release validation requirements as well as pre-deployment criteria.

After completing this domain, participants will be able to:

  • Identify how software assurance relates to pre-deployment and pre-release acceptance criteria.
  • Describe the risk acceptance process related to software acceptance.
  • Define post-release validation and verification processes and how they relate to software acceptance.
  • Identify the importance of third party testing.

Module Outline:

  • Module 1: Software acceptance considerations
  • Module 2: Post-release

Domain 7 - Software Deployment, Operation, Maintenance and Disposal

The Software Deployment, Operations, Maintenance and Disposal domain provides the learner with knowledge pertaining to the deployment, operations, maintenance, and disposal of software from a secure perspective. This is achieved by identifying processes during installation and deployment, operations and maintenance, and disposal that can affect the ability of the software to remain reliable, resilient, and recoverable in its prescribed manner.

After completing this domain, participants will be able to:

  • Describe the parameters of a secure installation and deployment.
  • Identify secure start-up and bootstrapping concepts.
  • Define configuration management concepts and how they will impact software security.
  • Describe the important aspects of operations and maintenance pertaining to continuous monitoring, incident, problem, and change management.
  • Identify processes specific to software disposal.

Module Outline:

  • Module 1: Installation and deployment
  • Module 2: Operations and maintenance
  • Module 3: Disposal of software

Domain 8 - Supply Chain Risk and Software Acquisition

The goal of the Supply Chain Risk and Software Acquisition domain is to provide the learner with the knowledge to ensure that software developed in a supply chain is secure. The learner will learn some of the industry standards and practices that must be applied to provide a high level of assurance that the supply chain is secure, both upstream and downstream. In addition to the practices discussed in previous modules, the learner will understand how to assess supplier practices, installation and deployment, and monitoring considerations for suppliers, identify risks, and understand the use of contractual obligations for suppliers.

After completing this domain, participants will be able to:

  • Understand the complexity and issues surrounding supply chain security.
  • Describe the industry standards that are used in securing the supply chain.
  • Take the steps necessary for assessing a supplier's security practices.
  • Describe a process for ensuring that software from a supplier is securely delivered and deployed.
  • Gain the confidence to certify supplier-delivered software.

Module Outline:

  • Module 1: Supplier Risk Assessment
  • Module 2: Supplier Sourcing
  • Module 3: Software Development and Test
  • Module 4: Software Delivery, Operations and Maintenance
  • Module 5: Supplier Transitioning

This (ISC)2 CSSLP training course, provided by Robert Hurlbut, is available for on-site or remote training.



Hi, I am Robert Hurlbut, a software security architect, speaker, trainer, and Microsoft MVP. I help teams design secure software and applications using Threat Modeling, write secure software, and make sure developers and other staff are secure through speaking and training. Learn more about me.

Contact for CSSLP Training

Free Initial Consultation

Thank you,
Robert Hurlbut