<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Code Auditor&#039;s Corner &#187; CSSLP</title>
	<atom:link href="http://www.strongcrypto.com/blog/category/csslp/feed" rel="self" type="application/rss+xml" />
	<link>http://www.strongcrypto.com/blog</link>
	<description></description>
	<lastBuildDate>Mon, 19 Apr 2010 11:29:21 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>CSSLP Deconstructed Available for Download</title>
		<link>http://www.strongcrypto.com/blog/2010/04/csslp-deconstructed-available-for-download</link>
		<comments>http://www.strongcrypto.com/blog/2010/04/csslp-deconstructed-available-for-download#comments</comments>
		<pubDate>Mon, 19 Apr 2010 11:29:21 +0000</pubDate>
		<dc:creator>Alexander Fry</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[CSSLP]]></category>
		<category><![CDATA[csslp application software security assurance]]></category>

		<guid isPermaLink="false">http://www.strongcrypto.com/blog/?p=98</guid>
		<description><![CDATA[I gave a presentation at ISSA-NOVA on January 21, 2010 entitled &#8220;The CSSLP Deconstructed&#8221;. The slides provide an introduction to the new CSSLP credential and also:

describe each of the seven domains of the CSSLP
diagram the overlap of the CSSLP with other security certifications
discuss security certification in general, if you should pursue the CSSLP, [...]]]></description>
			<content:encoded><![CDATA[<p>I gave a presentation at <a href="http://www.issa-nova.org/default.aspx">ISSA-NOVA</a> on January 21, 2010 entitled &#8220;The CSSLP Deconstructed&#8221;. The slides provide an introduction to the new CSSLP credential and also:</p>
<ul>
<li>describe each of the <a href="http://www.strongcrypto.com/blog/2010/01/seven-domains-of-the-csslp">seven domains of the CSSLP</a></li>
<li>diagram the overlap of the CSSLP with other security certifications</li>
<li>discuss security certification in general, if you should pursue the CSSLP, and effective career management</li>
<li>review <a href="http://www.amazon.com/gp/product/047046190X?ie=UTF8&#038;tag=stcrll-20&#038;linkCode=as2&#038;camp=1789&#038;creative=9325&#038;creativeASIN=047046190X">The CSSLP Prep Guide</a></li>
<li>discuss other topics such as software security risk, recent threats, and managing the risk of third-party software</li>
</ul>
<p>The PowerPoint slide deck is available for download in the <a href="http://www.strongcrypto.com/secure-software-resources.php">RESOURCES</a> section on <a href="http://www.strongcrypto.com">Strong Crypto</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.strongcrypto.com/blog/2010/04/csslp-deconstructed-available-for-download/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seven Domains Of The CSSLP</title>
		<link>http://www.strongcrypto.com/blog/2010/01/seven-domains-of-the-csslp</link>
		<comments>http://www.strongcrypto.com/blog/2010/01/seven-domains-of-the-csslp#comments</comments>
		<pubDate>Mon, 18 Jan 2010 17:34:00 +0000</pubDate>
		<dc:creator>Alexander Fry</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[CSSLP]]></category>
		<category><![CDATA[csslp application software security assurance]]></category>

		<guid isPermaLink="false">http://www.strongcrypto.com/blog/?p=78</guid>
		<description><![CDATA[Here are descriptions for the seven domains of the CSSLP for my presentation at ISSA-NOVA on January 21, 2010:
Secure Software Concepts &#8211; the fundamental knowledge for understanding the security implications of software development, and the mechanisms to impose security constraints on the behavior, use, and content of a software system. This includes security design and [...]]]></description>
			<content:encoded><![CDATA[<p>Here are descriptions for the seven domains of the CSSLP for my presentation at ISSA-NOVA on January 21, 2010:<br/><br />
<strong>Secure Software Concepts</strong> &#8211; the fundamental knowledge for understanding the security implications of software development, and the mechanisms to impose security constraints on the behavior, use, and content of a software system. This includes security design and information assurance principles, risk management, software architectures, legal issues, standards, acquisition methods, information security and software maturity models.<br/><br />
<strong>Secure Software Requirements</strong> &#8211; the overall software specification should include both functional and nonfunctional requirements. The nonfunctional requirements of secure software address issues such as how the software application will: remain dependable under hostile operating conditions; resist compromise by an attacker through the exploitation of vulnerabilities or insertion of malicious code; and be resilient enough to recover quickly, containing damage to itself, data, resources, and external components on which it relies.<br/><br />
<strong>Secure Software Design</strong> &#8211; fundamental activities that approach the definition of the software from a security perspective in order to decrease the likelihood that the design specification will contain flaws. These activities include identifying and minimizing the software&#8217;s attack surface, performing threat modeling, and following security design principles.<br/><br />
<strong>Secure Software Implementation/Coding</strong> &#8211; software developers should follow secure coding best practices and standards, understand and avoid common vulnerabilities, implement countermeasures, and use tools and techniques such as static analysis and code review to avoid introducing flaws that can lead to security vulnerabilities.<br/><br />
<strong>Secure Software Testing</strong> &#8211; activities for evaluating a software application in a runtime environment that most closely resembles its production environment. Many testing activities require the application to be functionally complete and follow standards and methodologies such as ISO 9126, the SSE-CMM, and the Open Source Security Testing Methodology Manual (OSSTMM). Security testing should assess the security properties and behaviors of the software application as it interacts with external entities and as its own components interact with each other. An analysis of test results forms the basis for assessing risk and means of remediation.<br/><br />
<strong>Software Acceptance</strong> &#8211; ensuring that the software is ready to be released. This involves pre-release or pre-deployment activities, such as producing test records that show all prescribed tests have been executed and accepted, and post-release activities, such as an independent review of the software conducted by a third party or by an independent security team within the organization.<br/><br />
<strong>Software Deployment/Operations/Maintenance/Disposal</strong> &#8211; maintaining information assurance during installation, deployment, operation, maintenance, and disposal of secure software systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.strongcrypto.com/blog/2010/01/seven-domains-of-the-csslp/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
