Certification Exam Outline

Effective Date: July 2017

About CSSLP
The Certified Secure Software Lifecycle Professional (CSSLP) validates that software professionals have the
expertise to incorporate security practices – authentication, authorization and auditing – into each phase
of the software development lifecycle (SDLC), from software design and implementation to testing and
deployment.

The broad spectrum of topics included in the CSSLP Common Body of Knowledge (CBK) ensure its relevancy
across all disciplines in the field of information security. Successful candidates are competent in the following
eight domains:

• Secure Software Concepts

• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Programming
• Secure Software Testing
• Secure Lifecycle Management
• Software Deployment, Operations, and Maintenance
• Supply Chain and Software Acquisition

Experience Requirements
A candidate is required to have a minimum of 4 years of cumulative paid full-time Software Development
Lifecycle (SDLC) professional work experience in 1 or more of the 8 domains of the (ISC)2® CSSLP CBK, or 3
years of cumulative paid full-time SDLC professional work experience in 1 or more of the 8 domains of the
CSSLP CBK with a 4-year degree leading to a Baccalaureate, or regional equivalent in Computer Science,
Information Technology (IT) or related fields.

If you don’t have the required experience to become a CSSLP, you may become an Associate of (ISC)²
by successfully passing the CSSLP examination. You will then have 5 years to earn the 4 years required
experience.

Accreditation
CSSLP meets the stringent requirements of ANSI/ISO/IEC Standard 17024.

Job Task Analysis (JTA)

(ISC)² has an obligation to its membership to maintain the relevancy of the CSSLP. Conducted at regular
intervals, the Job Task Analysis (JTA) is a methodical and critical process of determining the tasks that are
performed by CSSLP credential holders. The results of the JTA are used to update the examination. This
process ensures that candidates are tested on the topic areas relevant to the roles and responsibilities of
today’s practicing information security professionals.

CSSLP Certification Exam Outline 2

 CSSLP Examination Information
Length of exam 4 hours
Number of questions 175
Question format Multiple choice
Passing grade 700 out of 1000 points

Exam availability English

Testing center Pearson VUE Testing Center

CSSLP Examination Weights

Domains Weight

1. Secure Software Concepts 13%

2. Secure Software Requirements 14%

3. Secure Software Design 16%

4. Secure Software Implementation/Programming 16%

5. Secure Software Testing 14%

6. Secure Lifecycle Management 10%

7. Software Deployment, Operations, and Maintenance 9%

8. Supply Chain and Software Acquisition 8%

Total: 100%

CSSLP Certification Exam Outline 3

 Domain 1:
Secure Software Concepts

1.1 Core Concepts

»» Confidentiality (e.g., covert, overt, encryption) federated identity)
»» Integrity (e.g., hashing, digital signatures, code »» Authorization (e.g., access controls, entitlements)
signing, reliability, alterations, authenticity) »» Accountability (e.g., auditing, logging)
»» Availability (e.g., failover, replication, clustering, »» Nonrepudiation (e.g., PKI, digital signatures)
scalability, resiliency)
»» Authentication (e.g., multifactor authentication,
identity & access management, single sign-on,

1.2 Security Design Principles

»» Least privilege (e.g., access control, need-to- »» Open design (e.g., peer reviewed algorithm)
know, run-time privileges) »» Least common mechanism (e.g.,
»» Separation of duties (e.g., multi-party control, compartmentalization/isolation)
secret sharing and splitting) »» Psychological acceptability (e.g., password
»» Defense in depth (e.g., layered controls, input complexity, screen layouts)
validation, security zones) »» Leveraging existing components (e.g., common
»» Fail safe (e.g., exception handling, non-verbose controls, libraries)
errors, deny by default) »» Eliminate single point of failure
»» Economy of mechanism (e.g., single sign-on)
»» Complete mediation (e.g., cookie management,
session management, caching of credentials)

CSSLP Certification Exam Outline 4

 Domain 2:
Secure Software Requirements

2.1 Identify Security Requirements

»» Functional
»» Non-functional
»» Policy decomposition (e.g., internal and external requirements)
»» Legal, regulatory, and industry requirements

2.2 Interpret Data Classification Requirements

»» Data ownership (e.g., data owner, data custodian)

»» Labeling (e.g., sensitivity, impact)
»» Types of data (e.g., structured, unstructured data)
»» Data life-cycle (e.g., generation, retention, disposal)

2.3 Identify Privacy Requirements

»» Data anonymization
»» User consent
»» Disposition

2.4 Develop Misuse and Abuse Cases

2.5 Include Security in Software Requirement Specifications

2.6 Develop Security Requirement Traceability Matrix

CSSLP Certification Exam Outline 5

 Domain 3:
Secure Software Design

3.1 Perform Threat Modeling

»» Understand common threats (e.g., APT, insider threat, common malware, third party/supplier)
»» Attack surface evaluation

3.2 Define the Security Architecture

»» Control identification and prioritization »» Pervasive/ubiquitous computing (e.g., IoT,

wireless, location-based, RFID, near field
»» Distributed computing (e.g., client server, peer-to-
communication, sensor networks)
peer, message queuing)
»» Embedded (e.g., control systems, firmware)
»» Service-oriented architecture (e.g., enterprise
service bus, web services) »» Cloud architectures (e.g., software as a service,
platform as a service, infrastructure as a service)
»» Rich internet applications (e.g., client side exploits
or threats, remote code execution, constant »» Mobile applications
connectivity) »» Hardware platform concerns

3.3 Performing Secure Interface Design

»» Security management interfaces, out-of-band management, log interfaces

»» Upstream/downstream dependencies (e.g., key and data sharing between apps)
»» Protocol design choices (e.g., APIs, weaknesses, state, models)

3.4 Performing Architectural Risk Assessment

3.5 Modeling (Non-Functional) Security Properties and Constraints

3.6 Model and Classify Data

3.7 Evaluate and Select Reusable Secure Design

»» Credential management (e.g., X.509 and SSO) »» Trusted computing (e.g., TPM, TCB)
»» Flow control (e.g., proxies, firewalls, protocols, »» Database security (e.g., encryption, triggers,
queuing) views, privilege management)
»» Data loss prevention (DLP) »» Programming language environment (e.g.,
CLR, JVM)
»» Virtualization (e.g., software defined network,
hypervisor) »» Operating system controls and services

CSSLP Certification Exam Outline 6

 3.8 Perform Design Security Review

3.9 Design Secure Assembly Architecture for Component-Based Systems

»» Client side data storage

»» Network attached storage

3.10 Use Security Enhancing Architecture and Design Tools

3.11 Use Secure Design Principles and Patterns

CSSLP Certification Exam Outline 7

 Domain 4:
Secure Software Implementation/
Programming
4.1 Follow Secure Coding Practices
»» Declarative versus imperative (programmatic) »» Type safety
security »» Memory management (e.g., locality, garbage
»» Concurrency collection)
»» Output sanitization (e.g., encoding) »» Configuration parameter management (e.g.,
start-up options)
»» Error and exception handling
»» Tokenizing
»» Input validation
»» Sandboxing
»» Logging & auditing
»» Cryptography (e.g., storage, agility, encryption,
»» Session management
algorithm selection)
»» Safe APIs

4.2 Analyze Code for Security Vulnerabilities

»» Code reuse »» Dynamic analysis
»» Vulnerability databases/lists (e.g., OWASP Top »» Manual code review
10, CWE) »» Peer review
»» Static analysis

4.3 Implement Security Controls

4.4 Fix Security Vulnerabilities

4.5 Look for Malicious Code

4.6 Securely Reuse Third Party Code or Libraries

4.7 Securely Integrate Components

»» Systems-of-systems integration (e.g., security testing and analysis)

4.8 Apply Security during the Build Process

»» Anti-tampering techniques (e.g., code signing, obfuscation)

»» Compiler switches

4.9 Debug Security Errors

CSSLP Certification Exam Outline 8

 Domain 5:
Secure Software Testing

5.1 Develop Security Test Cases

»» Attack surface validation »» Cryptographic validation (e.g., PRNG)

»» Penetration »» Regression
»» Fuzzing (e.g., generated, mutated) »» Continuous (e.g., synthetic transactions)
»» Scanning (e.g., vulnerability, content, privacy) »» Unit testing
»» Simulation (e.g., environment and data)
»» Failure (e.g., fault injection, stress testing, break
testing)

5.2 Develop Security Testing Strategy and Plan

»» Functional security testing (e.g., logic) »» Environment (e.g., interoperability, test harness)
»» Nonfunctional security testing (e.g., reliability, »» Standards (e.g., ISO, OSSTMM, SEI)
performance, scalability)
»» Testing techniques (e.g., white box and black
box)

5.3 Identify Undocumented Functionality

5.4 Interpret Security Implications of Test Results

5.5 Classify and Track Security Errors

»» Bug tracking (e.g., defects, errors and vulnerabilities)

»» Risk Scoring (e.g., CVSS)

5.6 Secure Test Data

»» Privacy
»» Referential integrity

5.7 Develop or Obtain Security Test Data

5.8 Perform Verification and Validation Testing (e.g., IV&V)

CSSLP Certification Exam Outline 9

 Domain 6:
Secure Lifecycle Management

6.1 Secure Configuration and Version Control

6.2 Establish Security Milestones

6.3 Choose a Secure Software Methodology

6.4 Identify Security Standards and Frameworks

6.5 Create Security Documentation

6.6 Develop Security Metrics

6.7 Decommission Software

»» End of life policies

»» Credential removal, configuration removal, license cancellation
»» Data destruction

6.8 Report Security Status

6.9 Support Governance, Risk, and Compliance (GRC)

»» Regulations and compliance

»» Legal (e.g., intellectual property, breach notification)
»» Standards and guidelines (e.g., ISO, PCI, NIST, OWASP, SAFECODE, OpenSAMM, BSIMM)
»» Risk management
»» Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
»» Technical risk vs business risk
»» Strategies (e.g., mitigate, accept, transfer, avoid)

CSSLP Certification Exam Outline 10

 Domain 7:
Software Deployment,
Operations, and Maintenance
7.1 Perform Implementation Risk Analysis

7.2 Release Software Securely

7.3 Securely Store and Manage Security Data

»» Credentials
»» Secrets
»» Keys/certificates
»» Configurations

7.4 Ensure Secure Installation

»» Bootstrapping (e.g., key generation, access, management)

»» Least privilege
»» Environment hardening
»» Secure activation (e.g., credentials, white listing, device configuration, network configuration, licensing, etc.)

7.5 Perform Post-Deployment Security Testing

7.6 Obtain Security Approval to Operate

»» Risk acceptance (e.g., exception policy, sign-off)

7.7 Perform Security Monitoring (e.g., managing error logs, audits, meeting SLAs, CIA
metrics)

7.8 Support Incident Response

»» Root cause analysis

7.9 Support Patch and Vulnerability Management

7.10 Support Continuity of Operations

»» Backup, archiving, retention

»» Disaster recovery

CSSLP Certification Exam Outline 11

 Domain 8:
Supply Chain and Software Acquisition
8.1 Analyze Security of Third Party Software

8.2 Verify Pedigree and Provenance

»» Secure transfer »» Build environment security
»» System sharing/interconnections »» Cryptographically- hashed, digitally signed
components
»» Code repository security

8.3 Provide Security Support to the Acquisition Process

»» Audit of security policy compliance »» Information systems security policy compliance
»» Vulnerability/incident response and reporting »» Security track record
»» Service-level agreements (SLAs) »» Product deployment and sustainment controls
(e.g., upgrades, secure configuration, custom
»» Maintenance and support structure (e.g.,
code extension, operational readiness, GPL
community versus commercial)
requirements)
»» Assessment of software engineering/SDLC
approaches

CSSLP Certification Exam Outline 12

 Additional Examination Information
Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing
relevant resources that pertain to the CBK and identifying areas of study that may need
additional attention.

View the full list of supplementary references at www.isc2.org/certifications/References.

Examination Policies and Procedures

(ISC)² recommends that CSSLP candidates review exam policies and procedures prior to
registering for the examination. Read the comprehensive breakdown of this important
information at www.isc2.org/Register-for-Exam.

Legal Info
For any questions related to (ISC)²’s legal policies, please contact the (ISC)2 Legal
Department at legal@isc2.org.

Any Questions?
(ISC)² Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759

(ISC)² Americas
Tel: +1.727.785.0189
Email: info@isc2.org

(ISC)² Asia Pacific

Tel: +(852) 28506951
Email: isc2asia@isc2.org

(ISC)² EMEA
Tel: +44 (0)203 300 1625
Email: info-emea@isc2.org

CSSLP Certification
v1013 Exam Outline 13