
CSSLP Domains

The CSSLP domains are drawn from various application security topics within the (ISC)² CBK. The CSSLP CBK consists of the following 8 domains:

Secure Software Concepts – understand secure software concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise’s computer systems.

  • Core Concepts
  • Security Design Principles
  • Privacy (e.g., data anonymization, user content, disposition, test data management)
  • Governance, Risk and Compliance (GRC)
  • Software Development Methodologies (e.g., Waterfall, Agile)

Secure Software Requirements – understand the security controls required during the requirements gathering phase of the Secure Software Development Lifecycle.

  • Policy Decomposition (e.g., Internal and External Requirements)
  • Data Classification and Categorization
  • Functional Requirements (e.g., Use Cases and Abuse Cases)
  • Operational Requirements (e.g., how the software is deployed, operated, managed)

Secure Software Design – understand the techniques for performing attack surface analysis and conducting threat modeling, and be able to identify and review the countermeasures that mitigate risk.

  • Design Processes
  • Design Considerations
  • Securing Commonly Used Architecture
  • Technologies

Secure Software Implementation/Coding – know the coding standards that help developers avoid introducing flaws that can lead to security vulnerabilities, understand common software vulnerabilities and countermeasures, and apply security testing tools.

  • Declarative versus Imperative (Programmatic) Security
  • Vulnerability Databases/Lists (e.g., OWASP Top 10, CWE)
  • Defensive Coding Practices and Controls
  • Source Code and Versioning
  • Development and Build Environment (e.g., build tools, automatic build script)
  • Code/Peer Review
  • Code Analysis (e.g., static, dynamic)
  • Anti-tampering Techniques (e.g., code signing, obfuscation)

Secure Software Testing – know the standards for software quality assurance, and understand the concepts of functional and security testing, interoperability testing, bug tracking and testing of high priority code.

  • Testing Artifacts (e.g., strategies, plans, cases)
  • Testing for Security and Quality Assurance
  • Types of Testing
  • Impact Assessment and Corrective Action
  • Test Data Lifecycle Management (e.g., privacy, dummy data, referential integrity)

Software Acceptance – know the methods for determining completion criteria, risk acceptance and documentation (e.g., DRP and BCP), Common Criteria and methods of independent testing.

  • Pre-release and Pre-deployment
  • Post-release

Software Deployment, Operations, Maintenance and Disposal – know how to evaluate reports of vulnerabilities and release security advisories and updates when appropriate; know how to conduct a post-mortem of reported vulnerabilities and take action as necessary; and be familiar with the procedures and security measures that apply when a product reaches its end of life.

  • Installation and Deployment
  • Operations and Maintenance
  • Software Disposal (e.g., retirement, end of life policies, decommissioning)

Supply Chain and Software Acquisition – know how to establish a process for interacting with suppliers on issues such as vulnerability management, service level agreement monitoring, and chain of custody throughout the source code development and maintenance lifecycle.

  • Supplier Risk Assessment (e.g., managing the enterprise risk of outsourcing)
  • Supplier Sourcing
  • Software Development and Test
  • Software Delivery, Operations and Maintenance
  • Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)