CSSLP Domain 8: Supply Chain and Software Acquisition
Domain 8 Description
The eighth CSSLP Domain, Supply Chain and Software Acquisition, provides a holistic outline of the knowledge and tasks required to manage risk for the outsourced development, acquisition, and procurement of software and related services (e.g., Cloud Computing, Mobile Application development). This domain defines what an organization should expect when acquiring software, so that third-party products do not act maliciously, whether by intent or by accident, and do not disrupt the organization's business or cause negative financial impact.
Domain 8 is where the CSSLP candidate applies their accumulated knowledge of the Secure Software Development Life Cycle (SDLC) to evaluate suppliers and communicate with them on security issues, including vulnerability management, service level agreement monitoring, and chain of custody throughout the source code development and maintenance life cycle. The CSSLP candidate should understand the legalities surrounding the use and reuse of open source libraries and the security vulnerabilities that may or may not exist in that code.
Key Areas of Knowledge
8.A. Supplier Risk Assessment (e.g., managing the enterprise risk of outsourcing)
- 8.A.1 Risk Assessment for Code Reuse
- 8.A.2 Intellectual Property (e.g., Open Source License, Closed Source License, Third Party Proprietary)
- 8.A.3 Legal Compliance
- 8.A.4 Supplier Pre-Qualification (e.g., assessment of software engineering/SDLC approaches, information systems security policy compliance)
8.B. Supplier Sourcing
- 8.B.1 Contractual integrity controls (e.g., audit of security policy compliance, vulnerability/incident response)
- 8.B.2 Vendor technical integrity controls for third-party suppliers (e.g., secure transfer, system sharing/interconnections, secure storage, code exchange)
- 8.B.3 Managed Services (e.g., cloud, outsourcing)
- 8.B.4 Service-Level Agreements (SLAs) (e.g., monitoring plans, KPIs, performance metrics, targets)
8.C. Software Development and Test
- 8.C.1 Technical Controls (e.g., code repository security, build environment security)
- 8.C.2 Code Testing and Verification (e.g., backdoor detection, embedded malware detection)
- 8.C.3 Security Testing Controls (e.g., peer review, secure code review)
- 8.C.4 Software Requirements Verification and Validation
8.D. Software Delivery, Operations and Maintenance
- 8.D.1 Chain of Custody (e.g., each change and transfer made during the source code's lifetime is authorized, transparent, and verifiable)
- 8.D.2 Publishing and dissemination controls (e.g., code signing, delivery, transfer, tamper resistance)
- 8.D.3 Systems-of-Systems integration (e.g., security testing and analysis)
- 8.D.4 Software Authenticity and Integrity (e.g., cryptographically hashed, digitally signed components, software integrity is verified at run-time)
- 8.D.5 Product deployment and sustainment controls (e.g., upgrades, secure configuration, custom code extension, operational readiness)
- 8.D.6 Monitoring and Incident Management (e.g., supplier, components, SLAs, IDS/IPS)
- 8.D.7 Vulnerability Management, Tracking and Resolution (e.g., patching)
8.E. Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)
CSSLP Exam Outline
For a downloadable description of CSSLP Domain 8 and all of the CSSLP Domains, visit the (ISC)²® Exam Outline page, select CSSLP, and fill out the required form fields.
The CSSLP Exam Outline includes:
- An outline of major topics
- A suggested reference list
- An overview of the exam format
- Registration policies