Application vulnerabilities continue to top the list of cyber security concerns. While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previously known, rediscovered threats. For example, SQL injection and cross-site scripting (XSS) have appeared on the Open Web Application Security Project (OWASP) Top 10 list year after year over the past decade. This high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws, and that a clear shortage of qualified professionals with application security skills exists. Without action, this soft underbelly of business and governmental entities has been and will continue to be exposed, with serious consequences: data breaches, disrupted operations, lost business, brand damage, and regulatory fines. This is why it is essential for software professionals to stay current on the latest advances in software development and the new security threats they create. Recognized as one of the best application security tools available for professionals involved in software development, the Official (ISC)2® Guide to the CSSLP® CBK®, Second Edition, is both up-to-date and relevant, reflecting the latest developments in this ever-changing field and providing an intuitive approach to the CSSLP Common Body of Knowledge (CBK). It provides a robust and comprehensive study of the 8 domains of the CBK, covering everything from ensuring that software security requirements are included in the software design phase, to programming concepts that can effectively protect software from vulnerabilities, to addressing issues pertaining to proper security testing of software, and implementing industry standards and practices to provide a high level of assurance that the supply chain is secure, both up-stream.
The book discusses the issues facing software professionals today, such as mobile app development, developing in the cloud, software supply chain risk management, and more. Numerous illustrated examples and practical exercises are included in this book to help the reader understand the concepts within the CBK and to enable them to apply these concepts in real-life situations. Endorsed by (ISC)2 and written and reviewed by CSSLPs and other (ISC)2 members, this book serves as an unrivaled study tool for the certification exam and an invaluable career reference. Earning your CSSLP is an esteemed achievement that validates your efforts in security leadership to help your organization build resilient software capable of combating the security threats of today and tomorrow.
Domain 1 - Secure Software Concepts
    Holistic Security
    Implementation Challenges
    Iron Triangle Constraints
    Security as an Afterthought
    Security vs. Usability
    Quality and Security
    Security Profile - What Makes Software Secure?
    Core Security Concepts
    Design Security Concepts
    Risk Management
    Terminology and Definitions
    Risk Management for Software
    Handling Risk
    Risk Management Concept: Summary
    Security Policies: The 'What' and 'Why' for Security
    Scope of the Security Policies
    Prerequisites for Security Policy Development
    Security Policy Development Process
    Security Standards
    Types of Security Standards
    Internal Coding Standards
    NIST Standards
    Federal Information Processing (FIPS) Standards
    ISO Standards
    PCI Standards
    Organization for the Advancement of Structured Information Standards (OASIS)
    Benefits of Security Standards
    Best Practices
    Open Web Application Security Project (OWASP)
    Information Technology Infrastructure Library (ITIL)
    Software Development Methodologies
    Waterfall Model
    Iterative Model
    Spiral Model
    Agile Development Methodologies
    Software Assurance Methodologies
    Socratic Methodology
    Six Sigma (6σ)
    Capability Maturity Model Integration (CMMI)
    Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®)
    STRIDE and DREAD
    Open Source Security Testing Methodology Manual (OSSTMM)
    Flaw Hypothesis Method (FHM)
    Enterprise Application and Security Frameworks
    Zachman Framework
    Control Objectives for Information and related Technology (COBIT®)
    Committee of Sponsoring Organizations (COSO)
    Sherwood Applied Business Security Architecture (SABSA)
    Regulations, Privacy and Compliance
    Significant Regulations and Privacy Acts
    Sarbanes-Oxley Act (SOX)
    BASEL II
    Gramm-Leach-Bliley Act (GLB Act)
    Health Insurance Portability and Accountability Act (HIPAA)
    Data Protection Act
    Computer Misuse Act
    Mobile Device Privacy Act
    State Security Breach Laws
    Privacy and Software Development
    Data Anonymization
    Disposition
    Security Models
    Trusted Computing
    Ring Protection
    Trust Boundary (or Security Perimeter)
    Trusted Computing Base (TCB)
    Reference Monitor
    Acquisitions

Domain 2 - Secure Software Requirements
    Sources for Security Requirements
    Types of Security Requirements
    Core Security Requirements
    General Requirements
    Operational Requirements
    Other Requirements
    Protection Needs Elicitation (PNE)
    Brainstorming
    Surveys (Questionnaires and Interviews)
    Policy Decomposition
    Data Classification
    Subject/Object Matrix
    Use Case & Misuse Case Modeling
    Requirements Traceability Matrix (RTM)

Domain 3 - Secure Software Design
    The Need for Secure Design
    Flaws versus Bugs
    Architecting Software with Core Security Concepts
    Confidentiality Design
    Integrity Design
    Availability Design
    Authentication Design
    Authorization Design
    Accountability Design
    Architecting Software with Secure Design Principles
    Least Privilege
    Separation of Duties
    Defense in Depth
    Fail Secure
    Economy of Mechanisms
    Complete Mediation
    Open Design
    Least Common Mechanisms
    Psychological Acceptability
    Weakest Link
    Leveraging Existing Components
    Balancing Secure Design Principles
    Other Design Considerations
    Interface Design
    Interconnectivity
    Design Processes
    Attack Surface Evaluation
    Threat Modeling
    Architectures
    Mainframe Architecture
    Distributed Computing
    Service Oriented Architecture
    Rich Internet Applications
    Pervasive/Ubiquitous Computing
    Cloud Computing
    Mobile Applications
    Integration with Existing Architectures
    Technologies
    Authentication
    Identity Management
    Credential Management
    Flow Control
    Auditing (Logging)
    Trusted Computing
    Database Security
    Programming Language Environment
    Operating Systems
    Embedded Systems
    Secure Design and Architecture Review

Domain 4 - Secure Software Implementation/Coding
    Who is to be Blamed for Insecure Software?
    Fundamental Concepts of Programming
    Computer Architecture
    Evolution of Programming Languages
    Common Software Vulnerabilities and Controls
    Buffer Overflow
    Stack Overflow
    Heap Overflow
    Injection Flaws
    Broken Authentication and Session Management
    Cross-Site Scripting (XSS)
    Non-persistent or Reflected XSS
    Persistent or Stored XSS
    DOM based XSS
    Insecure Direct Object References
    Security Misconfiguration
    Sensitive Data Exposure
    Missing Function Level Checks
    Cross-Site Request Forgery (CSRF)
    Using Known Vulnerable Components
    Unvalidated Redirects and Forwards
    File Attacks
    Race Condition
    Side Channel Attacks
    Defensive Coding Practices - Concepts and Techniques
    Input Validation
    Canonicalization
    Sanitization
    Error Handling
    Safe APIs
    Memory Management
    Exception Management
    Session Management
    Configuration Parameters Management
    Secure Startup
    Cryptography
    Concurrency
    Tokenization
    Sandboxing
    Anti-Tampering
    Secure Software Processes
    Version (Configuration Management)
    Code Analysis
    Code/Peer Review
    Securing Build Environments

Domain 5 - Secure Software Testing
    Quality Assurance
    Testing Artifacts
    Test Strategy
    Test Plan
    Test Case
    Test Script
    Test Suite
    Test Harness
    Types of Software QA Testing
    Functional Testing
    Non-Functional Testing
    Other Testing
    Attack Surface Validation (Security Testing)
    Motives, Opportunities and Means
    Testing of Security Functionality versus Security Testing
    The Need for Security Testing
    Security Testing Methods
    White Box Testing
    Black Box Testing
    White Box Testing versus Black Box Testing
    Types of Security Testing
    Cryptographic Validation Testing
    Scanning
    Fuzzing
    Software Security Testing
    Testing for Input Validation
    Testing for Injection Flaws Controls
    Testing for Scripting Attacks Controls
    Testing for Non-repudiation Controls
    Testing for Spoofing Controls
    Testing for Error and Exception Handling Controls (Failure Testing)
    Testing for Privileges Escalations Controls
    Anti-Reversing Protection Testing
    Tools for Security Testing
    Test Data Management
    Defect Reporting and Tracking
    Reporting Defects
    Tracking Defects
    Impact Assessment and Corrective Action

Domain 6 - Software Acceptance
    Guidelines for Software Acceptance
    Benefits of Accepting Software Formally
    Software Acceptance Considerations
    Completion Criteria
    Change Management
    Approval to Deploy or Release
    Risk Acceptance and Exception Policy
    Documentation of Software
    Verification and Validation (V&V)
    Reviews
    Testing
    Certification and Accreditation (C&A)

Domain 7 - Software Deployment, Operations, Maintenance, and Disposal
    Installation and Deployment
    Hardening
    Environment Configuration
    Release Management
    Bootstrapping and Secure Startup
    Operations and Maintenance
    Monitoring
    Incident Management
    Problem Management
    Change Management
    Backups, Recovery and Archiving
    Disposal
    End-of-Life Policies
    Sun-Setting Criteria
    Sun-setting Processes
    Information Disposal and Media Sanitization

Domain 8 - Supply Chain and Software Acquisition
    Software Acquisition and the Supply Chain
    Acquisition Lifecycle
    Software Acquisition Models and Benefits
    Supply Chain Software Goals
    Threats to Supply Chain Software
    Software Supply Chain Risk Management (SCRM)
    Supplier Risk Assessment and Management
    Supplier Sourcing
    Contractual Controls
    Intellectual Property (IP) Ownership and Responsibilities
    Types of Intellectual Property (IP)
    Licensing (Usage and Redistribution Terms)
    Software Development and Testing
    Assurance Requirement Conformance Validation
    Code Review
    Code Repository Security
    Build Tools and Environment Integrity
    Testing for Code Security
    Software SCRM during Acceptance
    Anti-Tampering Resistance and Controls
    Authenticity and Anti-Counterfeiting Controls
    Supplier Claims Verification
    Software SCRM during Delivery (Handover)
    Chain of Custody
    Secure Transfer
    Code Escrows
    Export Control and Foreign Trade Data Regulations Compliance
    Software SCRM during Deployment (Installation/Configuration)
    Secure Configuration
    Perimeter (Network) Security Controls
    System-of-Systems (SoS) Security
    Software SCRM during Operations and Maintenance
    Runtime Integrity Assurance
    Patching and Upgrades
    Termination Access Controls
    Custom Code Extensions Checks
    Continuous Monitoring and Incident Management
    Software SCRM during Retirement

Appendices
    Answers to Review Questions
    Security Models
    Threat Modeling
    Commonly Used Opcodes in Assembly
    HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
    Security Testing Tools
Auerbach Publishers Inc.