INTRODUCTION

Computer security is becoming increasingly important today as we are becoming more reliant upon computers and the number of security incidents is steadily increasing. Vulnerable software is one of the root causes of many security incidents, and given the increasingly complex nature of software, this is not an issue that will be solved in the near term. Reducing the number and severity of vulnerabilities is both possible and useful in software projects. The principles behind the CSSLP certification can provide a roadmap to this goal.

Why Focus on Software Development?

Software vulnerabilities are preventable. Reducing the number and severity of vulnerabilities in software is not a trivial task; it is one that is complex and difficult to execute. Years of experience across numerous software development firms have resulted in proven methods of improving the software development process. Using these principles, development teams can produce software that has fewer vulnerabilities, and those that are found are of lesser risk. This reduces the total cost of development over the entire development lifecycle. This also improves the overall enterprise security posture of the users of the software, reducing their costs as well. Reduced risk, reduced cost, improved customer relations, and the advantages of improving the development process make the hard tasks required worth undertaking.

The Role of CSSLP

Creating and managing the necessary processes to build a secure development lifecycle is a significant task. The CSSLP credential speaks to the knowledge needed to make this possible. Software development is a team activity, and one that requires a series of processes in the enterprise. The tasks required to operate within a security-focused development environment require a workforce with an enhanced skillset. In addition to their individual skills in their areas of expertise, team members need to have an understanding of how a security-enhanced software development lifecycle process works. The body of knowledge for CSSLP covers these essential elements, and whether a designer, developer, tester, or program manager, the body of knowledge prepares a team for operating in this environment.

How to Use This Book

This book covers everything you’ll need to know for (ISC)²’s CSSLP exam. Each chapter covers specific objectives and details for the exam, as defined by (ISC)². We’ve done our best to arrange these objectives in a manner that makes sense to us, and we hope you see it the same way.

Each chapter has several components designed to effectively communicate the information you’ll need for the exam:

•   Sidebars are included in each chapter and are designed to point out information, tips, and stories that will be helpful in your day-to-day responsibilities. In addition, they’re just downright fun sometimes. Please note that although these entries provide real-world accounts of interesting pieces of information, they are sometimes used to reinforce testable material. Don’t just discount them as simply “neat”—some of the circumstances and tools described in these sidebars may prove the difference in correctly answering a question or two on the exam.

•   Exam Tips are exactly what they sound like. These are included to point out a focus area you need to concentrate on for the exam. No, they are not explicit test answers. Yes, they will help you focus your study.

•   Specially called out Notes are part of each chapter, too. These are interesting tidbits of information that are relevant to the discussion and point out extra information. Just as with the sidebars, don’t discount them.

The Examination

Before we get to anything else, let us be frank: This book will help you pass your test. We’ve taken great pains to ensure that everything (ISC)² has asked you to know before taking the exam is covered in the book. Software development is a real task, however, and the information in this book needs to be placed within the context of your own experience in the development process. To get full value from the material in the book, it is important to combine it with domain knowledge of software development processes.

Speaking of the test, these exam tips should help you:

•   Be sure to pay close attention to the Exam Tips in the chapters. They are there for a reason. And retake the practice exams—both the end-of-chapter exams and the electronic exams. Practice will help, trust us.

•   The exam is 175 questions, all multiple choice with four answer choices each, and you are allowed to mark and skip questions for later review. Go through the entire exam, answering the ones you know beyond a shadow of a doubt. On the ones you’re not sure about, choose an answer anyway and mark the question for further review (you don’t want to fail the exam because you ran out of time and had a bunch of questions that didn’t even have an answer chosen). At the end, go back and look at the ones you’ve marked. Only change your answer if you are absolutely, 100 percent sure about it.

•   You will, with absolute certainty, see a couple of questions that will blow your mind. On every exam there are questions you will not recognize. When you see them, don’t panic. Use deductive reasoning and make your best guess. Almost every single question on this exam can be whittled down to at least 50/50 odds on a guess. There is no penalty for guessing, so answer all questions.

And finally, dear reader, thank you for picking this book. We sincerely hope your exam goes well and wish you the absolute best in your upcoming career. Learn and use the material for good, and make better software.

Exam Readiness Checklist

The following checklist has been constructed to allow you to cross-reference the official exam objectives with the objectives as they are presented and covered in this book. The checklist also allows you to gauge your level of expertise on each objective at the outset of your studies. This should allow you to check your progress and make sure you spend the time you need on more difficult or unfamiliar sections. References have been provided for the objective exactly as the exam vendor presents it, the section of the exam guide that covers that objective, and a chapter and page reference.


CSSLP Version 2 (2017)

In the summer of 2017, (ISC)² updated the domains of the CSSLP exam to more accurately reflect the current practice of secure development. This action was taken as a result of an analysis of job task analysis data. There are minor changes in the knowledge, skills, and abilities associated with the CSSLP domains. The domain weighting has also changed, as illustrated next.

CSSLP Certification All-in-One Exam Guide, Second Edition takes these changes into account and adds data in areas such as software bill of materials, intellectual property, and cloud-related activities. The length and time for the exam will be the same, but the content is updated to reflect the new domain weightings.
