
Essential CSSLP Exam Guide Updated for the 2nd Edition PDF

422 Pages·2018·7.223 MB·English

Preview Essential CSSLP Exam Guide Updated for the 2nd Edition

ESSENTIAL CSSLP Exam Guide, Updated for the 2nd Edition
Phil Martin, Nearsighted Ninja

Nonce Corp is an independent entity from (ISC)2 and is not affiliated with (ISC)2 in any manner. This study/training guide and/or material is not sponsored by, endorsed by, or affiliated with (ISC)2 in any manner. This publication may be used in assisting students to prepare for the Certified Secure Software Lifecycle Professional (CSSLP®) exam. Neither (ISC)2 nor Nonce Corp warrant that use of this publication will ensure passing any exam. CSSLP is a trademark or registered trademark of (ISC)2. All other trademarks are trademarks of their respective owners.

Look for the audio version of this book on audible.com!

Essential CSSLP Exam Guide
Copyright © 2018 by Nonce Corp. Printed in the United States of America.

All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. All trademarks or copyrights mentioned herein are the possession of their respective owners and Nonce Corp makes no claim of ownership by the mention of products that contain these marks.

ISBN: 9781793828224

Information has been obtained by Nonce Corp from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Nonce Corp does not guarantee the accuracy or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

Contents

About This Book
Introduction
    What Does 'Secure Software' Mean?
    Who Is the Typical Attacker?
    TLS vs. SSL

Section 1: Core Security Concepts
    Chapter 1: Quality Attributes
    Chapter 2: Holistic Security
    Chapter 3: A Good Security Profile
    Chapter 4: Confidentiality
    Chapter 5: Encryption
        Key Elements of Encryption Systems
        Hashing
        Quantum Cryptography
        Symmetric vs. Asymmetric
        Public Key Systems
        Digital Signatures
        Asymmetric Weaknesses
    Chapter 6: Integrity
    Chapter 7: Business Continuity
    Chapter 8: Service Level Agreements
    Chapter 9: Availability
    Chapter 10: Authentication
    Chapter 11: Authorization
    Chapter 12: Accountability
    Chapter 13: Least Privilege
    Chapter 14: Separation of Duties
    Chapter 15: Defense in Depth
    Chapter 16: Fail Secure
    Chapter 17: Economy of Mechanisms
    Chapter 18: Complete Mediation
    Chapter 19: Open Design
    Chapter 20: Least Common Mechanisms
    Chapter 21: Psychological Acceptability
    Chapter 22: Weakest Link
    Chapter 23: Leveraging Existing Components
    Chapter 24: The Attack Surface
    Chapter 25: OWASP
    Chapter 26: Controls
    Chapter 27: Open Systems Interconnection Reference Model
        Protocol
        Application Layer
        Presentation Layer
        Session Layer
        Transport Layer
        Network Layer
        Data Link Layer
        Physical Layer

Section 2: Secure Software Development
    Chapter 28: The DevOps Role
        Environments
        Secure Build Environments
        Building
        Installation and Deployment
        Hardening
        Configuration
        Bootstrapping and Secure Startup
    Chapter 29: The Infrastructure Role
        Operational Requirements
        CONOPS
        Deployment Environment
        Archiving
        Anti-Piracy
        Pervasive and Ubiquitous Computing
        Embedded Systems
        Operations and Maintenance
        Monitoring
        Incident Management
        Problem Management
        Change Management
        Backups, Recovery and Archiving
        Disposal
        End-of-Life Policies
        Sun-Setting Criteria
        Sun-Setting Processes
        Information Disposal and Media Sanitization
        Electronic Social Engineering
    Chapter 30: The DBA Role
        Inference and Aggregation
        Polyinstantiation
        Database Encryption
        Normalization
        Triggers
        Views
        Privilege Management
    Chapter 31: The Development Role
        Computer Architecture
        Evolution of Programming Languages
        The History
        Compiled Languages
        Interpreted Languages
        Hybrid Languages
        Programming Language Environment
        Selecting the Right Programming Language
        Primitive Data Types
        Unmanaged vs. Managed Code
        Encryption
        Hashing
        The One-Time Pad
        Core Programming Concepts
        Unit Testing
        Software Vulnerabilities and Mitigation Options
        Client Vulnerabilities
        Network Vulnerabilities
        System Vulnerabilities
        Code Vulnerabilities
        Code Reviews
    Chapter 32: The Product Role
        Threat Modeling
        Threat Sources and Agents
        Prerequisites
        The Process
        Data Classification
        Regulations, Privacy and Compliance
        Significant Regulations and Privacy Acts
        Privacy and Software Development
    Chapter 33: The Architect Role
        The Need for Secure Design
        Software Assurance Methodologies
        Socratic Methodology
        Six Sigma (6σ)
        Capability Maturity Model Integration (CMMI)
        Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
        STRIDE
        DREAD
        Open Source Security Testing Methodology Manual (OSSTMM)
        Flaw Hypothesis Method (FHM)
        Operating Systems
        Input/Output Device Management
        CPU Architecture Integration
        Operating System Architectures
        Address Space Layout Randomization (ASLR)
        Data Execution Prevention (DEP), and Executable Space Protection (ESP)
        System Security Architecture
        Security Architecture Requirements
        Access Control Models
        Security Models
        Interface Design
        Services
        Web Services
        Service Oriented Architecture (SOA)
        Enterprise Services Bus (ESB)
        Encryption
        Certificate and Registration Authorities
        X.509
        Key Scalability
        Applying Encryption in the Real World
        Virtualization
        Cloud Computing
        Rich Internet Applications
        Mobile Applications Technologies
        Authentication
        Identity Management
        Credential Management
        Flow Control
        Code Analysis
    Chapter 34: The Engineering Management Role
        Versioning, or Configuration Management
    Chapter 35: The Testing Role
    Chapter 36: The Project Role
    Chapter 37: The Security Role
    Chapter 38: The Change Management Role
    Chapter 39: The Auditor Role

Section 3: Secure Supply Chain Management
    Chapter 40: Acquisition Models
    Chapter 41: Threats to Supply Chain Software
    Chapter 42: Software Supply Chain Risk Management (SCRM)
    Chapter 43: Acquisition Lifecycle
    Chapter 44: Step 1 - Planning
    Chapter 45: Step 2 - Contracting
    Chapter 46: Step 3 - Development and Testing
    Chapter 47: Step 4 - Acceptance
    Chapter 48: Step 5 - Delivery
    Chapter 49: Step 6 - Deployment
    Chapter 50: Step 7 - Operations and Monitoring
    Chapter 51: Step 8 - Retirement

Index
