Online Training on Certified Secure Software Lifecycle Professional (CSSLP)

CSSLP® certification is a globally recognized standard of achievement that confirms an individual's knowledge in the field of information security.

Course at a Glance

  • Date : 30 Oct - 28 Nov 2020
  • No. of Classes/Sessions : 13
  • Total Hours : 60
  • Last Date of Registration : 29 Oct 2020
  • Class Schedule :
    • Saturday - 5:30 PM - 10:30 PM
    • Friday - 7:15 PM - 11:00 PM
  • Venue : Online Platform

Price: TK. 8,000
(Excluding VAT & TAX)

ISC2 CSSLP Exam Syllabus Topics: 

Domain 1: Secure Software Concepts

Domain 2: Secure Software Requirements

Domain 3: Secure Software Architecture and Design

Domain 4: Secure Software Implementation

Domain 5: Secure Software Testing

Domain 6: Secure Software Lifecycle Management

Domain 7: Secure Software Deployment, Operations, Maintenance

Domain 8: Secure Software Supply Chain

Course Outline (topic, exam weight, and details):

Secure Software Concepts (10%)
  • Core Concepts
    • Confidentiality (e.g., covert, overt, encryption)
    • Integrity (e.g., hashing, digital signatures, code signing, reliability, alterations, authenticity)
    • Availability (e.g., failover, replication, clustering, scalability, resiliency)
    • Authentication (e.g., multifactor authentication, identity & access management, single sign-on, federated identity)
    • Authorization (e.g., access controls, entitlements)
    • Accountability (e.g., auditing, logging)
    • Nonrepudiation (e.g., PKI, digital signatures)
  • Security Design Principles
    • Least privilege (e.g., access control, need-to-know, run-time privileges)
    • Separation of duties (e.g., multi-party control, secret sharing and splitting)
    • Defense in depth (e.g., layered controls, input validation, security zones)
    • Fail safe (e.g., exception handling, non-verbose errors, deny by default)
    • Economy of mechanism (e.g., single sign-on)
    • Complete mediation (e.g., cookie management, session management, caching of credentials)
    • Open design (e.g., peer-reviewed algorithms)
    • Least common mechanism (e.g., compartmentalization/isolation)
    • Psychological acceptability (e.g., password complexity, screen layouts)
    • Leveraging existing components (e.g., common controls, libraries)
    • Eliminate single points of failure

Secure Software Requirements (14%)
  • Identify Security Requirements
    • Functional
    • Non-functional
    • Policy decomposition (e.g., internal and external requirements)
    • Legal, regulatory, and industry requirements
  • Interpret Data Classification Requirements
    • Data ownership (e.g., data owner, data custodian)
    • Labeling (e.g., sensitivity, impact)
    • Types of data (e.g., structured, unstructured data)
    • Data lifecycle (e.g., generation, retention, disposal)
  • Identify Privacy Requirements
    • Data anonymization
    • User consent
    • Disposition
  • Develop Misuse and Abuse Cases
  • Include Security in Software Requirement Specifications
  • Develop Security Requirement Traceability Matrix

Secure Software Architecture and Design (14%)
  • Perform Threat Modeling
    • Understand common threats (e.g., APT, insider threat, common malware, third party/supplier)
    • Attack surface evaluation
  • Define the Security Architecture
    • Control identification and prioritization
    • Distributed computing (e.g., client-server, peer-to-peer, message queuing)
    • Service-oriented architecture (e.g., enterprise service bus, web services)
    • Rich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity)
    • Pervasive/ubiquitous computing (e.g., IoT, wireless, location-based, RFID, near field communication, sensor networks)
    • Embedded (e.g., control systems, firmware)
    • Cloud architectures (e.g., software as a service, platform as a service, infrastructure as a service)
    • Mobile applications
    • Hardware platform concerns
  • Perform Secure Interface Design
    • Security management interfaces, out-of-band management, log interfaces
    • Upstream/downstream dependencies (e.g., key and data sharing between apps)
    • Protocol design choices (e.g., APIs, weaknesses, state, models)
  • Perform Architectural Risk Assessment
  • Model (Non-Functional) Security Properties and Constraints
  • Model and Classify Data
  • Evaluate and Select Reusable Secure Design
    • Credential management (e.g., X.509 and SSO)
    • Flow control (e.g., proxies, firewalls, protocols, queuing)
    • Data loss prevention (DLP)
    • Virtualization (e.g., software-defined networking, hypervisor)
    • Trusted computing (e.g., TPM, TCB)
    • Database security (e.g., encryption, triggers, views, privilege management)
    • Programming language environment (e.g., CLR, JVM)
    • Operating system controls and services
  • Perform Design Security Review
  • Design Secure Assembly Architecture for Component-Based Systems
    • Client-side data storage
    • Network attached storage
  • Use Security-Enhancing Architecture and Design Tools
  • Use Secure Design Principles and Patterns

Secure Software Implementation (14%)
  • Follow Secure Coding Practices
    • Declarative versus imperative (programmatic) security
    • Concurrency
    • Output sanitization (e.g., encoding)
    • Error and exception handling
    • Input validation
    • Logging & auditing
    • Session management
    • Safe APIs
    • Type safety
    • Memory management (e.g., locality, garbage collection)
    • Configuration parameter management (e.g., start-up options)
    • Tokenizing
    • Sandboxing
    • Cryptography (e.g., storage, agility, encryption, algorithm selection)
  • Analyze Code for Security Vulnerabilities
    • Code reuse
    • Vulnerability databases/lists (e.g., OWASP Top 10, CWE)
    • Static analysis
    • Dynamic analysis
    • Manual code review
    • Peer review
  • Implement Security Controls
  • Fix Security Vulnerabilities
  • Look for Malicious Code
  • Securely Reuse Third-Party Code or Libraries
  • Securely Integrate Components
    • Systems-of-systems integration (e.g., security testing and analysis)
  • Apply Security during the Build Process
    • Anti-tampering techniques (e.g., code signing, obfuscation)
    • Compiler switches
  • Debug Security Errors

Secure Software Testing (14%)
  • Develop Security Test Cases
    • Attack surface validation
    • Penetration
    • Fuzzing (e.g., generated, mutated)
    • Scanning (e.g., vulnerability, content, privacy)
    • Simulation (e.g., environment and data)
    • Failure (e.g., fault injection, stress testing, break testing)
    • Cryptographic validation (e.g., PRNG)
    • Regression
    • Continuous (e.g., synthetic transactions)
    • Unit testing
  • Develop Security Testing Strategy and Plan
    • Functional security testing (e.g., logic)
    • Non-functional security testing (e.g., reliability, performance, scalability)
    • Testing techniques (e.g., white box and black box)
    • Environment (e.g., interoperability, test harness)
    • Standards (e.g., ISO, OSSTMM, SEI)
  • Identify Undocumented Functionality
  • Interpret Security Implications of Test Results
  • Classify and Track Security Errors
    • Bug tracking (e.g., defects, errors, and vulnerabilities)
    • Risk scoring (e.g., CVSS)
  • Secure Test Data
    • Privacy
    • Referential integrity
  • Develop or Obtain Security Test Data
  • Perform Verification and Validation Testing (e.g., IV&V)

Secure Software Lifecycle Management (11%)
  • Secure Configuration and Version Control
  • Establish Security Milestones
  • Choose a Secure Software Methodology
  • Identify Security Standards and Frameworks
  • Create Security Documentation
  • Develop Security Metrics
  • Decommission Software
    • End-of-life policies
    • Credential removal, configuration removal, license cancellation
    • Data destruction
  • Report Security Status
  • Support Governance, Risk, and Compliance (GRC)
    • Regulations and compliance
    • Legal (e.g., intellectual property, breach notification)
    • Standards and guidelines (e.g., ISO, PCI, NIST, OWASP, SAFECODE, OpenSAMM, BSIMM)
    • Risk management
    • Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
    • Technical risk vs. business risk
    • Strategies (e.g., mitigate, accept, transfer, avoid)

Secure Software Deployment, Operations, and Maintenance (12%)
  • Perform Implementation Risk Analysis
  • Release Software Securely
  • Securely Store and Manage Security Data
    • Credentials
    • Secrets
    • Keys/certificates
    • Configurations
  • Ensure Secure Installation
    • Bootstrapping (e.g., key generation, access, management)
    • Least privilege
    • Environment hardening
    • Secure activation (e.g., credentials, whitelisting, device configuration, network configuration, licensing, etc.)
  • Perform Post-Deployment Security Testing
  • Obtain Security Approval to Operate
    • Risk acceptance (e.g., exception policy, sign-off)
  • Perform Security Monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics)
  • Support Incident Response
    • Root cause analysis
  • Support Patch and Vulnerability Management
  • Support Continuity of Operations
    • Backup, archiving, retention
    • Disaster recovery

Secure Software Supply Chain (11%)
  • Analyze Security of Third-Party Software
  • Verify Pedigree and Provenance
    • Secure transfer
    • System sharing/interconnections
    • Code repository security
    • Build environment security
    • Cryptographically hashed, digitally signed components
  • Provide Security Support to the Acquisition Process
    • Audit of security policy compliance
    • Vulnerability/incident response and reporting
    • Service-level agreements (SLAs)
    • Maintenance and support structure (e.g., community versus commercial)
    • Assessment of software engineering/SDLC approaches
    • Information systems security policy compliance
    • Security track record
    • Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness, GPL requirements)

Curriculum

Online Training on Certified Secure Software Lifecycle Professional (CSSLP): 60 Hours

Tentative Class Start: 30 October 2020

Available Seats: 10 / 20

Who Can Join

Who Should Attend:
  • Application Security Specialist
  • IT Director/Manager
  • Penetration Tester
  • Project Manager
  • Quality Assurance Tester
  • Security Manager
  • Software Architect
  • Software Developer
  • Software Engineer
  • Software Procurement Analyst
  • Software Program Manager

For jobs that typically use or require the CSSLP, see “Pathway to CSSLP Certification”.
