YoVDO

CSSLP Cert Prep: 1 Secure Software Concepts

Offered By: LinkedIn Learning

Tags

CSSLP (Certified Secure Software Lifecycle Professional) Courses Access Control Courses Application Security Courses Secure Software Development Courses Identity and Access Management Courses Defense in Depth Courses

Course Description

Overview

Prepare for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) certification exam.

Syllabus

Introduction
  • Prepping for the CSSLP
1. Domain 1: Secure Software Concepts
  • Secure software concepts
  • What you should know
  • The goals of application security
2. The CIA Triad
  • Confidentiality
  • Integrity
  • Availability
3. Identity and Access Management
  • Authentication
  • Authorization
  • Accountability
  • Nonrepudiation
  • Governance, risk, and compliance
4. Access Controls
  • Least privilege
  • Separation of duties
  • Economy of mechanism
  • Complete mediation
5. Design Considerations
  • Defense in depth
  • Resiliency
  • Open design
  • Least common mechanism
  • Psychological acceptability
  • Leveraging existing components
  • Eliminate single point of failure
  • Diversity of defense
6. Domain 2: Secure Software Lifecycle Management
  • Secure software lifecycle management
7. Laying Your Foundation
  • Strategy and roadmap
  • Development methodologies
  • Integrated risk management
  • Promote security culture
8. Setting Expectations
  • Security standards and frameworks
  • Security documentation
  • Hardware and software configuration
  • Ongoing configuration management
9. Improving Over Time
  • Decommission software
  • Manage licenses and archives
  • Security metrics
  • Reporting security status
  • Continuous improvement
  • Implement secure operations practices
10. Domain 3: Secure Software Requirements
  • Determining security requirements
11. Security Requirements
  • Functional requirements
  • Nonfunctional requirements
  • Policy decomposition
  • Legal, regulatory, and industry
12. Privacy Requirements
  • Security vs. privacy
  • Data anonymization
  • User consent
  • Disposition
  • Private data storage
13. Data Classification Requirements
  • Data ownership
  • Labeling
  • Types of data
  • Data lifecycle
14. Validating Your Requirements
  • Misuse and abuse cases
  • Software requirement specifications
  • Security requirement traceability matrix
15. Domain 4: Secure Software Architecture and Design
  • Secure software design
16. Threat Modeling
  • What is threat modeling?
  • Understand common threats
  • Attack surface evaluation
17. Security Architecture
  • Secure architecture and design patterns
  • Identifying and prioritizing controls
  • Traditional application architectures
  • Pervasive and ubiquitous computing
  • Rich internet and mobile applications
  • Cloud architectures
  • Embedded system considerations
  • Architectural risk assessments
  • Component-based systems
  • Security enhancing tools
  • Cognitive computing
  • Control systems
18. Security Design
  • Components of a secure environment
  • Designing network and server controls
  • Designing data controls
  • Secure design principles and patterns
  • Secure interface design
  • Security architecture and design review
  • Secure operational architecture
19. Modeling
  • Nonfunctional properties and constraints
  • Data modeling and classification
20. Domain 5: Secure Software Implementation
  • Secure software implementation
21. Secure Coding Practices
  • Declaring variables
  • Inputs and outputs
  • Protecting secrets
  • Data-flow security
  • Deployment and operations
  • Isolation techniques
  • Processor microarchitecture security
22. Finding and Fixing Vulnerabilities
  • Identifying risks
  • The OWASP Top 10: 1-5
  • The OWASP Top 10: 6-10
  • Common Weakness Enumeration (CWE)
  • Addressing risks
23. Component Security
  • Third-party code and libraries
  • Component integration
  • Implementing security controls
  • Security in the build process
24. Domain 6: Secure Software Testing
  • Secure software testing
25. Developing Security Test Cases
  • Understanding your test environment
  • Automation vs. manual testing
  • Ensuring a comprehensive approach
  • Validating cryptography
26. Developing a Testing Strategy
  • Grouping your tests
  • Leveraging external resources
  • Verifying and validating documentation
27. Conducting Security Tests
  • Securing test data
  • Verification and validation testing
  • Identifying undocumented functionality
28. Reviewing the Results
  • Security implications of test results
  • Classifying and tracking security errors
29. Domain 7: Secure Software Deployment, Operations, and Maintenance
  • Secure software deployment, operations, and maintenance
30. Deploying Your Software
  • Performing an operational risk analysis
  • Releasing software securely
  • Storing and managing security data
  • Ensuring secure installation
  • Post-deployment security testing
31. Shifting Into Operations
  • Obtaining security approval to operate
  • Continuous security monitoring
  • Support incident response
  • Support continuity of operations
  • Service level objectives and agreements
32. Maintaining Your Software
  • Patch management
  • Vulnerability management
  • Runtime protection
33. Domain 8: Secure Software Supply Chain
  • Secure software supply chain
34. Supply Chain Risk Management
  • Identifying and selecting components
  • Assessing components' risks
  • Responding to those risks
  • Monitoring changes and vulnerabilities
  • Maintaining third-party components
35. Ensure Software Security
  • Analyzing third-party software security
  • Verifying pedigree and provenance
36. Get It in Writing
  • Security in the acquisition process
  • Contractual requirements
37. Exam Logistics
  • Registering for the exam
  • Exam environment
  • Passing the exam
  • Exam tips
  • Practice tests
  • Experience requirements
  • Continuing education requirements
Conclusion
  • Next steps

Taught by

Jerod Brennen

Related Courses

AZ-303 Part 2 - Implement Management and Security Solutions in Azure
A Cloud Guru
AZ-500 Microsoft Azure Security Technologies
A Cloud Guru
CompTIA CySA+ Certification
A Cloud Guru
CompTIA PenTest+ Certification
A Cloud Guru
Google Certified Professional Cloud Developer
A Cloud Guru