CSSLP Certified Secure Software Lifecycle Professional

Become a CSSLP – Certified Secure Software Lifecycle Professional
Earning the globally recognized CSSLP secure software development certification is a proven way to build your career and better incorporate security practices into each phase of the software development lifecycle (SDLC).

CSSLP certification recognizes leading application security skills. It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization and auditing throughout the SDLC using best practices, policies and procedures established by the cybersecurity experts at (ISC)².

Prove your skills, advance your career, and gain support from a community of cybersecurity leaders here to help you throughout your professional journey.

Who Earns the CSSLP?
The CSSLP is ideal for software development and security professionals responsible for applying best practices to each phase of the SDLC – from software design and implementation to testing and deployment – including those in the following positions:

Software Architect
Software Engineer
Software Developer
Application Security Specialist
Software Program Manager
Quality Assurance Tester

Penetration Tester
Software Procurement Analyst
Project Manager
Security Manager
IT Director/Manager

What will You Need to Know to Pass the CSSLP Exam?
The CSSLP exam evaluates your expertise across eight security domains. Think of the domains as topics you need to master based on your professional experience and education.

CSSLP Domains
Domain 1. Secure Software Concepts
Domain 2. Secure Software Requirements
Domain 3. Secure Software Design
Domain 4. Secure Software Implementation/Programming
Domain 5. Secure Software Testing
Domain 6. Secure Lifecycle Management
Domain 7. Software Deployment, Operations, and Maintenance
Domain 8. Supply Chain and Software Acquisition

For a complete list of acronyms and terms you may encounter during your (ISC)² exam, reference the translated (ISC)² Certification Acronym and (ISC)² Certification Terms glossaries.

Register for Your CSSLP Exam

Don’t wait. If you’re ready to pursue the CSSLP secure software development certification, commit yourself now by registering for the exam.

Schedule your exam by creating an account with Pearson VUE, the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Register Now

Get CSSLP Training that’s Right for You
With instructor-led online and classroom courses, (ISC)² has a training option to fit your schedule and learning style. Trainings, seminars, courseware and self-study aids directly from (ISC)² or one of our many Official Training Providers help you get ready for the rigorous CSSLP exam by reviewing relevant domains and topics. Visit the (ISC)² Training Finder to register for the course that best meets your needs, including:

What will You Need to Know to Pass the CSSLP Exam?
The CSSLP exam evaluates your expertise across eight security domains. Think of the domains as topics you need to master based on your professional experience and education.

CSSLP Domains
Domain 1. Secure Software Concepts
Domain 2. Secure Software Requirements
Domain 3. Secure Software Design
Domain 4. Secure Software Implementation/Programming
Domain 5. Secure Software Testing
Domain 6. Secure Lifecycle Management
Domain 7. Software Deployment, Operations, and Maintenance
Domain 8. Supply Chain and Software Acquisition

Download the CSSLP Exam Outline for a deeper dive into the CSSLP domains.

For a complete list of acronyms and terms you may encounter during your (ISC)² exam, reference the translated (ISC)² Certification Acronym and (ISC)² Certification Terms glossaries.

Register for Your CSSLP Exam

Don’t wait. If you’re ready to pursue the CSSLP secure software development certification, commit yourself now by registering for the exam.

Schedule your exam by creating an account with Pearson VUE, the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Register Now

Get CSSLP Training that’s Right for You
With instructor-led online and classroom courses, (ISC)² has a training option to fit your schedule and learning style. Trainings, seminars, courseware and self-study aids directly from (ISC)² or one of our many Official Training Providers help you get ready for the rigorous CSSLP exam by reviewing relevant domains and topics. Visit the (ISC)² Training Finder to register for the course that best meets your needs, including:

Join A Global Community Of Cybersecurity Leaders
Once you are certified and become an (ISC)² member, you’re a part of a global community of more than 140,000 certified cybersecurity professionals focused on inspiring a safe and secure cyber world. In addition to that extensive network, a wealth of continuing education opportunities help you keep your skills sharp, informed of the latest trends and best practices, and ensures your expertise remains relevant throughout your career. Learn more about (ISC)² member benefits.

QUESTION 4
Which of the following penetration testing techniques automatically tests every phone line in an
exchange and tries to locate modems that are attached to the network?

A. Demon dialing
B. Sniffing
C. Social engineering
D. Dumpster diving

Answer: A

Explanation: The demon dialing technique automatically tests every phone line in an exchange
and tries to locate modems that are attached to the network. Information about these modems can
then be used to attempt external unauthorized access.
Answer: B is incorrect. In sniffing, a protocol analyzer is used to capture data packets that are later
decoded to collect information such as passwords or infrastructure configurations. Answer: D is
incorrect. Dumpster diving technique is used for searching paper disposal areas for unshredded or
otherwise improperly disposed-of reports. Answer: C is incorrect. Social engineering is the most
commonly used technique of all, getting information (like passwords) just by asking for them.

QUESTION 5
Which of the following roles is also known as the accreditor?

A. Data owner
B. Chief Risk Officer
C. Chief Information Officer
D. Designated Approving Authority

Answer: D

Explanation: Designated Approving Authority (DAA) is also known as the accreditor.
Answer: A is incorrect. The data owner (information owner) is usually a member of management, in charge of a
specific business unit, and is ultimately responsible for the protection and use of a specific subset
of information. Answer: B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk
Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a
corporation is the executive accountable for enabling the efficient and effective governance of
significant risks, and related opportunities, to a business and its various segments. Risks are
commonly categorized as strategic, reputational, operational, financial, or compliance-related.
CRO’s are accountable to the Executive Committee and The Board for enabling the business to
balance risk and reward. In more complex organizations, they are generally responsible for
coordinating the organization’s Enterprise Risk Management (ERM) approach.
Answer: C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title
commonly given to the most senior executive in an enterprise responsible for the information
technology and computer systems that support enterprise goals. The CIO plays the role of a
leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In
military organizations, they report to the commanding officer.

QUESTION 6
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance
Categories (MAC) and confidentiality levels. Which of the following MAC levels requires high
integrity and medium availability?

A. MAC III
B. MAC IV
C. MAC I
D. MAC II

Answer: D

Explanation: The various MAC levels are as follows: MAC I: It states that the systems have high
availability and high integrity. MAC II: It states that the systems have high integrity and medium
availability. MAC III: It states that the systems have basic integrity and availability.

QUESTION 7
Microsoft software security expert Michael Howard defines some heuristics for determining code
review in “A Process for Performing Security Code Reviews”. Which of the following heuristics
increase the application’s attack surface? Each correct answer represents a complete solution.
Choose all that apply.

A. Code written in C/C++/assembly language
B. Code listening on a globally accessible network interface
C. Code that changes frequently
D. Anonymously accessible code
E. Code that runs by default
F. Code that runs in elevated context

Answer: B,D,E,F

Explanation: Microsoft software security expert Michael Howard defines the following heuristics
for determining code review in “A Process for Performing Security Code Reviews”: Old code:
Newer code provides better understanding of software security and has lesser number of
vulnerabilities. Older code must be checked deeply. Code that runs by default: It must have high
quality, and must be checked deeply than code that does not execute by default. Code that runs
by default increases the application’s attack surface.
Code that runs in elevated context: It must have higher quality. Code that runs in elevated
privileges must be checked deeply and increases the application’s attack surface. Anonymously
accessible code: It must be checked deeply than code that only authorized users and
administrators can access, and it increases the application’s attack surface. Code listening on a
globally accessible network interface: It must be checked deeply for security vulnerabilities and
increases the application’s attack surface. Code written in C/C++/assembly language: It is prone to
security vulnerabilities, for example, buffer overruns. Code with a history of security vulnerabilities:
It includes additional vulnerabilities except concerted efforts that are required for removing them.
Code that handles sensitive data: It must be checked deeply to ensure that data is protected from
unintentional disclosure. Complex code: It includes undiscovered errors because it is more difficult
to analyze complex code manually and programmatically. Code that changes frequently: It has
more security vulnerabilities than code that does not change frequently.

QUESTION 8
Which of the following cryptographic system services ensures that information will not be disclosed
to any unauthorized person on a local network?

A. Authentication
B. Integrity
C. Non-repudiation
D. Confidentiality

Answer: D

Explanation: The confidentiality service of a cryptographic system ensures that information will
not be disclosed to any unauthorized person on a local network.

QUESTION 9
What are the various activities performed in the planning phase of the Software Assurance
Acquisition process? Each correct answer represents a complete solution. Choose all that apply.

A. Develop software requirements.
B. Implement change control procedures.
C. Develop evaluation criteria and evaluation plan.
D. Create acquisition strategy.

Answer: A,C,D

Explanation: The various activities performed in the planning phase of the Software Assurance
Acquisition process are as follows: Determine software product or service requirements. Identify
associated risks. Develop software requirements. Create acquisition strategy. Develop evaluation
criteria and evaluation plan. Define development and use of SwA due diligence questionnaires.
Answer: B is incorrect. This activity is performed in the monitoring and acceptance phase of the
Software Assurance acquisition process.