ISC2 CSSLP - Certified Secure Software Lifecycle Professional

Domain 1: Secure Software Concepts

• Core Concepts
• Security Design Principles

Domain 2: Secure Software Requirements

• Define Software Security Requirements
• Identify and Analyze Compliance Requirements
• Identify and Analyze Data Classification Requirements
• Identify and Analyze Privacy Requirements
• Develop Misuse and Abuse Cases
• Develop Security Requirement Traceability Matrix (STRM)
• Ensure Security Requirements Flow Down to Suppliers/Providers

Domain 3: Secure Software Architecture and Design

• Perform Threat Modeling
• Define the Security Architecture
• Performing Secure Interface Design
• Performing Architectural Risk Assessment
• Model (Non-Functional) Security Properties and Constraints
• Model and Classify Data
• Evaluate and Select Reusable Secure Design
• Perform Security Architecture and Design Review
• Define Secure Operational Architecture
• Use Secure Architecture and Design Principles, Patterns, and Tools

Domain 4: Secure Software Implentation

• Adhere to Relevant Secure Coding Practices
• Analyze Code for Security Risks
• Implement Security Controls
• Address Security Risks (e.g. remediation, mitigation, transfer, accept)
• Securely Reuse Third-Party Code or Libraries
• Securely Integrate Components
• Apply Security During the Build Process

Domain 5: Secure Software Testing

• Develop Security Test Cases
• Develop Security Testing Strategy and Plan
• Verify and Validate Documentation
• Identify Undocumented Functionality
• Analyze Security Implications of Test Results
• Classify and Track Security Errors
• Secure Test Data
• Perform Verification and Validation Testing

Domain 6: Secure Software Lifecycle Management

• Secure Configuration and Version Control
• Define Strategy and Roadmap
• Manage Security Within a Software Development Methodology
• Identify Security Standards and Frameworks
• Define and Develop Security Documentation
• Develop Security Metrics
• Decommission Software
• Report Security Status
• Incorporate Integrated Risk Management (IRM)
• Promote Security Culture in Software Development
• Implement Continuous Improvement

Domain 7: Secure Software Deployment, Operations, Maintenance

• Perform Operational Risk Analysis
• Release Software Securely
• Securely Store and Manage Security Data
• Ensure Secure Installation
• Perform Post-Deployment Security Testing
• Obtain Security Approval to Operate
• Perform Information Security Continuous Monitoring (ISCM)
• Support Incident Response
• Perform Patch Management (e.g. secure release, testing)
• Perform Vulnerability Management
• Runtime Protection
• Support Continuity of Operations
• Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA)

Domain 8: Secure Software Supply Chain

• Implement Software Supply Chain Risk Management
• Analyze Security of Third-Party Software
• Verify Pedigree and Provenance
• Ensure Supplier Security Requirements in the Acquisition Process
• Support contractual requirements

C

• Software Architect
• Software Engineer
• Software Developer
• Application Security Specialist
• Software Program Manager
• Quality Assurance Tester
• Penetration Tester
• Software Procurement Analyst
• Project Manager
• Security Manager IT