Application vulnerabilities continue to top the list of cyber security concerns. While attackers and researchers continue to expose new application vulnerabilities, the most common application flaws are previously known, rediscovered threats. For example, SQL injection and cross-site scripting (XSS) have appeared on the Open Web Application Security Project (OWASP) Top 10 list year after year over the past decade. This high volume of known application vulnerabilities suggests that many development teams do not have the security resources needed to address all potential security flaws and that there is a clear shortage of qualified professionals with application security skills. Without action, this soft underbelly of business and governmental entities has been and will continue to be exposed, with serious consequences: data breaches, disrupted operations, lost business, brand damage, and regulatory fines. This is why it is essential for software professionals to stay current on the latest advances in software development and the new security threats they create.
Recognized as one of the best application security tools available for professionals involved in software development, the Official (ISC)²® Guide to the CSSLP® CBK®, Second Edition, is both up-to-date and relevant, reflecting the latest developments in this ever-changing field and providing an intuitive approach to the CSSLP Common Body of Knowledge (CBK). It provides a robust and comprehensive study of the 8 domains of the CBK, covering everything from ensuring software security requirements are included in the software design phase to programming concepts that can effectively protect software from vulnerabilities to addressing issues pertaining to proper testing of software for security, and implementing industry standards and practices to provide a high level of assurance that the supply chain is secure—both up-stream. The book discusses the issues facing software professionals today, such as mobile app development, developing in the cloud, software supply chain risk management, and more.
Numerous illustrated examples and practical exercises are included in this book to help the reader understand the concepts within the CBK and to enable them to apply these concepts in real-life situations. Endorsed by (ISC)² and written and reviewed by CSSLPs and other (ISC)² members, this book serves as an unrivaled study tool for the certification exam and an invaluable career reference. Earning your CSSLP is an esteemed achievement that validates your efforts in security leadership to help your organization build resilient software capable of combating the security threats of today and tomorrow.
Domain 1 - Secure Software Concepts
Implementation Challenges
Iron Triangle Constraints
Security as an Afterthought
Security vs. Usability
Quality and Security
Security Profile – What Makes Software Secure?
Core Security Concepts
Design Security Concepts
Risk Management
Terminology and Definitions
Risk Management for Software
Handling Risk
Risk Management Concept: Summary
Security Policies: The ‘What’ and ‘Why’ for Security
Scope of the Security Policies
Prerequisites for Security Policy Development
Security Policy Development Process
Security Standards
Types of Security Standards
Internal Coding Standards
NIST Standards
Federal Information Processing (FIPS) standards
ISO Standards
PCI Standards
Organization for the Advancement of Structured Information Standards (OASIS)
Benefits of Security Standards
Best Practices
Open Web Application Security Project (OWASP)
Information Technology Infrastructure Library (ITIL)
Software Development Methodologies
Waterfall Model
Iterative Model
Spiral Model
Agile Development Methodologies
Software Assurance Methodologies
Socratic Methodology
Six Sigma (6σ)
Capability Maturity Model Integration (CMMI)
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®)
STRIDE and DREAD
Open Source Security Testing Methodology Manual (OSSTMM)
Flaw Hypothesis Method (FHM)
Enterprise Application and Security Frameworks
Zachman Framework
Control Objectives for Information and related Technology (COBIT®)
Committee of Sponsoring Organizations (COSO)
Sherwood Applied Business Security Architecture (SABSA)
Regulations, Privacy and Compliance
Significant Regulations and Privacy Acts
Sarbanes-Oxley Act (SOX)
BASEL II
Gramm-Leach-Bliley Act (GLB Act)
Health Insurance Portability and Accountability Act (HIPAA)
Data Protection Act
Computer Misuse Act
Mobile Device Privacy Act
State Security Breach Laws
Privacy and Software Development
Data Anonymization
Disposition
Security Models
Trusted Computing
Ring Protection
Trust Boundary (or Security Perimeter)
Trusted Computing Base (TCB)
Reference Monitor
Acquisitions
Domain 2 - Secure Software Requirements
Sources for Security Requirements
Types of Security Requirements
Core Security Requirements
General Requirements
Operational Requirements
Other Requirements
Protection Needs Elicitation (PNE)
Brainstorming
Surveys (Questionnaires and Interviews)
Policy Decomposition
Data Classification
Subject/Object Matrix
Use Case & Misuse Case Modeling
Requirements Traceability Matrix (RTM)
Domain 3 - Secure Software Design
The Need for Secure Design
Flaws versus Bugs
Architecting Software with Core Security Concepts
Confidentiality Design
Integrity Design
Availability Design
Authentication Design
Authorization Design
Accountability Design
Architecting Software with Secure Design Principles
Least Privilege
Separation of Duties
Defense in Depth
Fail Secure
Economy of Mechanisms
Complete Mediation
Open Design
Least Common Mechanisms
Psychological Acceptability
Weakest Link
Leveraging Existing Components
Balancing Secure Design Principles
Other Design Considerations
Interface Design
Interconnectivity
Design Processes
Attack Surface Evaluation
Threat Modeling
Architectures
Mainframe Architecture
Distributed Computing
Service Oriented Architecture
Rich Internet Applications
Pervasive/Ubiquitous Computing
Cloud Computing
Mobile Applications
Integration with Existing Architectures
Technologies
Authentication
Identity Management
Credential Management
Flow Control
Auditing (Logging)
Trusted Computing
Database Security
Programming Language Environment
Operating Systems
Embedded Systems
Secure Design and Architecture Review
Domain 4 - Secure Software Implementation/Coding
Who is to be Blamed for Insecure Software?
Fundamental Concepts of Programming
Computer Architecture
Evolution of Programming Languages
Common Software Vulnerabilities and Controls
Buffer Overflow
Stack Overflow
Heap Overflow
Injection Flaws
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Non-persistent or Reflected XSS
Persistent or Stored XSS
DOM based XSS
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Checks
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
File Attacks
Race Condition
Side Channel Attacks
Defensive Coding Practices – Concepts and Techniques
Input Validation
Canonicalization
Sanitization
Error Handling
Safe APIs
Memory Management
Exception Management
Session Management
Configuration Parameters Management
Secure Startup
Cryptography
Concurrency
Tokenization
Sandboxing
Anti-Tampering
Secure Software Processes
Version (Configuration Management)
Code Analysis
Code/Peer Review
Securing Build Environments
Domain 5 - Secure Software Testing
Quality Assurance
Testing Artifacts
Test Strategy
Test Plan
Test Case
Test Script
Test Suite
Test Harness
Types of Software QA Testing
Functional Testing
Non-Functional Testing
Other Testing
Attack Surface Validation (Security Testing)
Motives, Opportunities and Means
Testing of Security Functionality versus Security Testing
The Need for Security Testing
Security Testing Methods
White Box Testing
Black Box Testing
White Box Testing versus Black Box Testing
Types of Security Testing
Cryptographic Validation Testing
Scanning
Fuzzing
Software Security Testing
Testing for Input Validation
Testing for Injection Flaws Controls
Testing for Scripting Attacks Controls
Testing for Non-repudiation Controls
Testing for Spoofing Controls
Testing for Error and Exception Handling Controls (Failure Testing)
Testing for Privileges Escalations Controls
Anti-Reversing Protection Testing
Tools for Security Testing
Test Data Management
Defect Reporting and Tracking
Reporting Defects
Tracking Defects
Impact Assessment and Corrective Action
Domain 6 - Software Acceptance
Guidelines for Software Acceptance
Benefits of Accepting Software Formally
Software Acceptance Considerations
Completion Criteria
Change Management
Approval to Deploy or Release
Risk Acceptance and Exception Policy
Documentation of Software
Verification and Validation (V&V)
Reviews
Testing
Certification and Accreditation (C&A)
Domain 7 - Software Deployment, Operations, Maintenance, and Disposal
Installation and Deployment
Hardening
Environment Configuration
Release Management
Bootstrapping and Secure Startup
Operations and Maintenance
Monitoring
Incident Management
Problem Management
Change Management
Backups, Recovery and Archiving
Disposal
End-of-Life Policies
Sun-Setting Criteria
Sun-setting Processes
Information Disposal and Media Sanitization
Domain 8 - Supply Chain and Software Acquisition
Software Acquisition and the Supply Chain
Acquisition Lifecycle
Software Acquisition Models and Benefits
Supply Chain Software Goals
Threats to Supply Chain Software
Software Supply Chain Risk Management (SCRM)
Supplier Risk Assessment and Management
Supplier Sourcing
Contractual Controls
Intellectual Property (IP) Ownership and Responsibilities
Types of Intellectual Property (IP)
Licensing (Usage and Redistribution Terms)
Software Development and Testing
Assurance Requirement Conformance Validation
Code Review
Code Repository Security
Build Tools and Environment Integrity
Testing for Code Security
Software SCRM during Acceptance
Anti-Tampering Resistance and Controls
Authenticity and Anti-Counterfeiting Controls
Supplier Claims Verification
Software SCRM during Delivery (Handover)
Chain of Custody
Secure Transfer
Code Escrows
Export Control and Foreign Trade Data Regulations Compliance
Software SCRM during Deployment (Installation/Configuration)
Secure Configuration
Perimeter (Network) Security Controls
System-of-Systems (SoS) Security
Software SCRM during Operations and Maintenance
Runtime Integrity Assurance
Patching and Upgrades
Termination Access Controls
Custom Code Extensions Checks
Continuous Monitoring and Incident Management
Software SCRM during Retirement
Appendices
Answers to Review Questions
Security Models
Threat Modeling
Commonly Used Opcodes in Assembly
HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
Security Testing Tools