CSSLP Domains

The CSSLP domains are drawn from various application security topics within the (ISC)² CBK. The CSSLP CBK consists of the following 8 domains:

Secure Software Concepts – understand secure software concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise’s computer systems.

  • Core Concepts
  • Security Design Principles
  • Privacy (e.g., data anonymization, user content, disposition, test data management)
  • Governance, Risk and Compliance (GRC)
  • Software Development Methodologies (e.g., Waterfall, Agile)

Secure Software Requirements – understand the security controls required during the requirements gathering phase of the Secure Software Development Lifecycle. 

  • Policy Decomposition (e.g., Internal and External Requirements)
  • Data Classification and Categorization
  • Functional Requirements (e.g., Use Cases and Abuse Cases)
  • Operational Requirements (e.g., how the software is deployed, operated, managed)

Secure Software Design – understand the techniques of performing attack surface analysis and conducting threat modeling, as well as being able to identify and review the countermeasures that mitigate risk.

  • Design Processes
  • Design Considerations
  • Securing Commonly Used Architecture
  • Technologies

Secure Software Implementation/Coding – know the coding standards that help developers avoid introducing flaws that can lead to security vulnerabilities, understand common software vulnerabilities and countermeasures, and apply security testing tools. 

  • Declarative versus Imperative (Programmatic) Security
  • Vulnerability Databases/Lists (e.g., OWASP Top 10, CWE)
  • Defensive Coding Practices and Controls
  • Source Code and Versioning
  • Development and Build Environment (e.g., build tools, automatic build script)
  • Code/Peer Review
  • Code Analysis (e.g., static, dynamic)
  • Anti-tampering Techniques (e.g., code signing, obfuscation)

Secure Software Testing – know the standards for software quality assurance, and understand the concepts of functional and security testing, interoperability testing, bug tracking and testing of high priority code. 

  • Testing Artifacts (e.g., strategies, plans, cases)
  • Testing for Security and Quality Assurance
  • Types of Testing
  • Impact Assessment and Corrective Action
  • Test Data Lifecycle Management (e.g., privacy, dummy data, referential integrity)

Software Acceptance – know the methods for determining completion criteria, risk acceptance and documentation (e.g., DRP and BCP), Common Criteria and methods of independent testing. 

  • Pre-release and Pre-deployment
  • Post-release

Software Deployment, Operations, Maintenance and Disposal – know how to evaluate reports of vulnerabilities and release security advisories and updates when appropriate, know how to conduct a post-mortem of reported vulnerabilities and take action as necessary, and be familiar with the procedures and security measures that apply when a product reaches its end of life.

  • Installation and Deployment
  • Operations and Maintenance
  • Software Disposal (e.g., retirement, end of life policies, decommissioning)

Supply Chain and Software Acquisition – know how to establish a process for interacting with suppliers on issues such as vulnerability management, service level agreement monitoring, and chain of custody throughout the source code development and maintenance lifecycle.

  • Supplier Risk Assessment (e.g., managing the enterprise risk of outsourcing)
  • Supplier Sourcing
  • Software Development and Test
  • Software Delivery, Operations and Maintenance
  • Supplier Transitioning (e.g., code escrow, data exports, contracts, disclosure)