Official (ISC)²® CBK Training Seminars for the CSSLP®
Certified Secure Software Lifecycle Professional Training
(ISC)² is the creator of the CSSLP Exam, which makes the Official CSSLP CBK Training Seminar the key to success in pursuing certification.
Prepared by CSSLP credential holders and conducted only by (ISC)²-Authorized Instructors, each of whom is up to date on the latest application security related developments and is an expert in the eight domains of the CSSLP CBK (Common Body of Knowledge), the (ISC)² CSSLP CBK Training Seminar is the largest, most comprehensive collection of best practices, policies, and procedures to ensure a security initiative across all phases of application development.
CSSLP Course Description
The Certified Secure Software Lifecycle Professional (CSSLP) course is designed for professionals who demonstrate a globally recognized level of competence, as defined in a common body of knowledge, by assuring security throughout the software lifecycle. They incorporate security when planning, designing, developing, acquiring, testing, deploying, maintaining, and/or managing software to increase its trustworthiness.
This five-day program comprises a total of eight domains. The modular format is designed to organize and chunk information in order to assist with learning retention as participants are guided through the CSSLP course materials. Each module/domain includes one or more of the following design approaches to support knowledge retention and transfer:
- Presentation - The facilitator explains content to participants using PowerPoint to guide the presentation. Multiple examples are used to clarify points.
- Short Lecture/Discussion - The facilitator engages participants in conversation by asking questions and encouraging them to respond. Participants are encouraged to provide examples from their experience.
- Group Activity - Participants work in small teams of three or four. The facilitator debriefs the entire class at the end of the activity.
- Individual Activity - Individuals work on their own to complete an action plan, worksheet, or evaluation.
- The goal of the Security Software Concepts module is to provide the learner with concepts related to the core software security requirements and foundational design principles as they relate to issues of privacy, governance, risk, and compliance. Learners will understand the software methodologies needed in order to develop software that is secure and resilient to attacks.
- The goal of the Security Software Requirements module is to provide the learner with concepts related to understanding the importance of identifying and developing software with secure requirements. The learner will be able to incorporate security requirements in the development of software in order to produce software that is reliable, resilient, and recoverable.
- The design phase of secure software development is one of the most important phases in the Software Development Lifecycle. The Security Software Design module provides the learner with an understanding of how to ensure that software security requirements are included in the design of the software. Learners will gain knowledge of secure design principles and processes, and be exposed to different architectures and technologies for securing software.
- The Security Software Implementation/Coding module provides the learner with an understanding of the importance of programming concepts that can effectively protect software from vulnerabilities. Learners will touch on topics such as software coding vulnerabilities, defensive coding techniques and processes, code analysis and protection, and environmental security considerations that should be factored into software.
- The Security Software Testing module addresses issues pertaining to proper testing of software for security, including the overall strategies and plans. Learners will gain an understanding of the different types of functional and security testing that should be performed, the criteria for testing, concepts related to impact assessment and corrective actions, and the test data lifecycle.
- The Software Acceptance module provides an understanding of the requirements for software acceptance, paying specific attention to compliance, quality, functionality, and assurance. Participants will learn about pre- and post-release validation requirements as well as pre-deployment criteria.
- The Software Deployment, Operations, Maintenance, and Disposal module provides the learner with knowledge pertaining to the deployment, operations, maintenance, and disposal of software from a secure perspective. This is achieved by identifying processes during installation and deployment, operations and maintenance, and disposal that can affect the ability of the software to remain reliable, resilient, and recoverable in its prescribed manner.
- The Supply Chain and Software Acquisition module provides the learner with knowledge on how to perform effective assessments on an organization's cyber-supply chain, and describes how security applies to the supply chain and software acquisition process. Learners will understand the importance of supplier sourcing and being able to validate vendor integrity, from third-party vendors to complete outsourcing. Finally, learners will understand how to manage risk through the adoption of standards and best practices for proper development and testing across the entire lifecycle of products.
Domain 1 - Secure Software Concepts
- Module 1: Concepts of Secure Software
- Module 2: Principles of Security Design
- Module 3: Security Privacy
- Module 4: Governance, Risk, and Compliance
- Module 5: Methodologies for Software Development
Domain 2 - Security Software Requirements
- Module 1: Policy Decomposition
- Module 2: Classification and Categorization
- Module 3: Functional Requirements - Use Cases and Abuse Cases
- Module 4: Secure Software Operational Requirements
Domain 3 - Secure Software Design
- Module 1: Importance of Secure Design
- Module 2: Design Considerations
- Module 3: The Design Process
- Module 4: Securing Commonly Used Architectures
Domain 4 - Secure Software Implementation/Coding
- Module 1: Fundamental Programming Concepts
- Module 2: Code Access Security
- Module 3: Vulnerability Databases and Lists
- Module 4: Defensive Coding Practices and Controls
- Module 5: Secure Software Processes
Domain 5 - Security Software Testing
- Module 1: Artifacts of Testing
- Module 2: Testing for Secure Quality Assurance
- Module 3: Types of Testing
- Module 4: Impact Assessment and Corrective Action
- Module 5: Test Data Lifecycle Management
Domain 6 - Software Acceptance
- Module 1: Software Acceptance Considerations
- Module 2: Post-Release
Domain 7 - Software Deployment, Operation, Maintenance and Disposal
- Module 1: Installation and Deployment
- Module 2: Operations and Maintenance
- Module 3: Disposal of Software
Domain 8 - Supply Chain and Software Acquisition
- Module 1: Supplier Risk Assessment
- Module 2: Supplier Sourcing
- Module 3: Software Development and Test
- Module 4: Software Delivery, Operations, and Maintenance
- Module 5: Supplier Transitioning
Types of Activities
The CSSLP training course is divided into multiple topic levels. Each level identifies a specific agenda and learning objectives. Each chapter matches a domain title identified in the CIB. Within each chapter are modules and within modules are agendas. Each preceding level identifies a more granular objective but supports the overall objective.
Several types of activities are used throughout the course to reinforce topics and increase knowledge retention. These activities include open-ended questions from the instructor to the students, group assignments, matching and poll questions, group activities, open/closed questions, and group discussions. Each activity was developed to support the learning appropriate to the course topic.
Who should attend?
The course is intended for students who have at least four years of direct full-time secure software lifecycle professional work experience in one or more of the eight domains of the (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) Common Body of Knowledge (CBK), or three years of direct full-time secure software lifecycle professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year college degree in an information technology discipline. The course builds on and brings together the holistic view of the topics covered in the everyday environment of an information assurance professional. Experience in the following professions will greatly enhance the learning environment.
- Software developers
- Engineers and architects
- Product managers
- Project managers
- Software QA
- QA testers
- Business analysts
- Professionals who manage these stakeholders
What can I take back to the workplace?
Each chapter, module, and agenda is derived from the CSSLP CBK and updated by the results of the Job Task Analysis (JTA). The JTA topics are developed by a small group of subject matter experts (SMEs) who have a number of years of experience and are representative of various geographic regions, ethnicities, and practice settings. The entire membership group of the credential holders is asked to validate the survey based on their current day-to-day tasks. All topics covered during the class are literally the same tasks performed by current CSSLP credential holders.