(ISC)²

CIS1550 Introduction for Secure Programming

(OAKCC-CIS1550.AO2)
Lessons
Lab
TestPrep
Get A Free Trial

Skills You’ll Get

Download Course Outline

1

Introduction

  • Why Focus on Software Development?
  • The Role of CSSLP
  • How to Use This Course
  • The Examination
  • Exam Objective Map
  • CSSLP Version 3 (2020)
2

Core Concepts

  • Confidentiality
  • Integrity
  • Availability
  • Authentication
  • Authorization
  • Accountability (Auditing and Logging)
  • Nonrepudiation
  • Secure Development Lifecycle
  • Secure Development Lifecycle Components
  • Lesson Review
3

Security Design Principles

  • System Tenets
  • Secure Design Tenets
  • Security Models
  • Adversaries
  • Lesson Review
4

Define Software Security Requirements

  • Functional Requirements
  • Operational and Deployment Requirements
  • Connecting the Dots
  • Lesson Review
5

Identify and Analyze Compliance Requirements

  • Regulations and Compliance
  • Data Classification
  • Privacy
  • Lesson Review
6

Misuse and Abuse Cases

  • Misuse/Abuse Cases
  • Requirements Traceability Matrix
  • Software Acquisition
  • Lesson Review
7

Secure Software Architecture

  • Perform Threat Modeling
  • Define the Security Architecture
  • Lesson Review
8

Secure Software Design

  • Performing Secure Interface Design
  • Performing Architectural Risk Assessment
  • Model (Nonfunctional) Security Properties and Constraints
  • Model and Classify Data
  • Evaluate and Select Reusable Secure Design
  • Perform Security Architecture and Design Review
  • Define Secure Operational Architecture
  • Use Secure Architecture and Design Principles, Patterns, and Tools
  • Lesson Review
9

Secure Coding Practices

  • Declarative vs. Imperative Security
  • Memory Management
  • Error Handling
  • Interface Coding
  • Primary Mitigations
  • Learning from Past Mistakes
  • Secure Design Principles
  • Interconnectivity
  • Cryptographic Failures
  • Input Validation Failures
  • General Programming Failures
  • Technology Solutions
  • Lesson Review
10

Analyze Code for Security Risks

  • Code Analysis (Static and Dynamic)
  • Code/Peer Review
  • Code Review Objectives
  • Additional Sources of Vulnerability Information
  • CWE/SANS Top 25 Vulnerability Categories
  • OWASP Vulnerability Categories
  • Common Vulnerabilities and Countermeasures
  • Lesson Review
11

Implement Security Controls

  • Security Risks
  • Implement Security Controls
  • Applying Security via the Build Environment
  • Anti-tampering Techniques
  • Defensive Coding Techniques
  • Primary Mitigations
  • Secure Integration of Components
  • Lesson Review
12

Security Test Cases

  • Security Test Cases
  • Attack Surface Evaluation
  • Penetration Testing
  • Common Methods
  • Lesson Review
13

Security Testing Strategy and Plan

  • Develop a Security Testing Strategy and a Plan
  • Functional Security Testing
  • Nonfunctional Security Testing
  • Testing Techniques
  • Environment
  • Standards
  • Crowd Sourcing
  • Lesson Review
14

Software Testing and Acceptance

  • Perform Verification and Validation Testing
  • Identify Undocumented Functionality
  • Analyze Security Implications of Test Results
  • Classify and Track Security Errors
  • Secure Test Data
  • Lesson Review
15

Secure Configuration and Version Control

  • Secure Configuration and Version Control
  • Define Strategy and Roadmap
  • Manage Security Within a Software Development Methodology
  • Identify Security Standards and Frameworks
  • Define and Develop Security Documentation
  • Develop Security Metrics
  • Decommission Software
  • Report Security Status
  • Lesson Review
16

Software Risk Management

  • Incorporate Integrated Risk Management
  • Promote Security Culture in Software Development
  • Implement Continuous Improvement
  • Lesson Review
17

Secure Software Deployment

  • Perform Operational Risk Analysis
  • Release Software Securely
  • Securely Store and Manage Security Data
  • Ensure Secure Installation
  • Perform Post-Deployment Security Testing
  • Lesson Review
18

Secure Software Operations and Maintenance

  • Obtain Security Approval to Operate
  • Perform Information Security Continuous Monitoring
  • Support Incident Response
  • Perform Patch Management
  • Perform Vulnerability Management
  • Runtime Protection
  • Support Continuity of Operations
  • Integrate Service Level Objectives and Service Level Agreements
  • Lesson Review
19

Software Supply Chain Risk Management

  • Implement Software Supply Chain Risk Management
  • Analyze Security of Third-Party Software
  • Verify Pedigree and Provenance
  • Lesson Review
20

Supplier Security Requirements

  • Ensure Supplier Security Requirements in the Acquisition Process
  • Support Contractual Requirements
  • Lesson Review

1

Core Concepts

  • Protecting Data in Transit and at Rest
  • Protecting Sensitive Data and Functions
2

Secure Software Design

  • Protecting Database Access
3

Secure Coding Practices

  • Identifying Vulnerabilities in a Software Project
  • Finding Common Web Vulnerabilities
  • Examining the Project Files
  • Reviewing Error Handling
  • Identifying Software Defects and Misconfiguration
4

Analyze Code for Security Risks

  • Identifying Vulnerabilities in an Application
  • Cracking a Password Hash
  • Fixing a Password Hash Vulnerability
5

Implement Security Controls

  • Designing for Security
  • Managing People Risks
6

Security Test Cases

  • Performing a Memory-Based Attack
  • Improving Error Handling
  • Performing Manual Inspection and Review
  • Performing Code Analysis
  • Using a Test Suite to Automate Unit Testing
  • Monitoring and Logging a Deployed Application
  • Handling Privacy Defects
  • Handling Authentication and Authorization Defects
  • Staging a Persisted XSS Attack on an Administrator Function
7

Secure Configuration and Version Control

  • Managing Software Development Process Risks