ISC2 CSSLP

ISC2 CSSLP domain 6: Secure software lifecycle management

Greg Belding
August 31, 2021

The Certified Secure Software Lifecycle Professional, or CSSLP, is a certification intended for those with the expertise to weave secure software development practices into every stage of the software development life cycle. To earn this certification, you will have to pass the CSSLP certification exam. This exam tests your knowledge of the common body of knowledge (CBK) of CSSLP, divided into eight domains of knowledge. This article will detail CSSLP domain 6 and explore secure software lifecycle management, how secure software lifecycle management will help your career, and what is covered by CSSLP domain 6 of the exam.

CSSLP domains of knowledge

The CSSLP certification exam is based upon the CSSLP CBK. This knowledge is spread among eight domains of knowledge. There are a few changes in the 2020 version of the exam since the previous version. Changes include an increase in CSSLP domain 6 exam content percentage from 10% to 11%. The current CSSLP domains of knowledge and their respective exam content weight percentages are below:

  1. Secure software concepts 10%
  2. Secure software requirements 14%
  3. Secure software architecture and design 14%
  4. Secure software implementation 14%
  5. Secure software testing 14%
  6. Secure software lifecycle management 11%
  7. Secure software deployment, operations and maintenance 12%
  8. Secure software supply chain 11%

What is secure software lifecycle management?

Secure software lifecycle management refers to the managerial control of the different processes and procedures required to incorporate security practices into each phase of the software development lifecycle (SDLC). 

This management covers the entire lifecycle and beyond: defining the strategy and roadmap, choosing the security standards and frameworks to follow, measuring and reporting security status, decommissioning software safely, and feeding lessons learned back into continuous improvement. Secure software lifecycle management has many moving parts, and managing them effectively is a prerequisite for successful, secure development.

How will secure software lifecycle management help my career?

The CSSLP certification is intended for secure software development professionals. No, this is not a “captain obvious” statement but rather a testament to the expectations of the hiring organization. CSSLP certification holders will be expected not only to take part in the secure software development lifecycle but to take the bull by the horns and manage it.

Simply put, it will be an expectation that you, as a CSSLP cert holder, know how to manage the lifecycle to get the most out of your secure software development expertise. Remember, organizations are understaffed with secure software professionals, which means that you will probably be the only one with this expertise, so you should expect to be the one to manage the secure software development lifecycle.

What’s covered in CSSLP domain 6 of the exam?

As you can probably expect, there is a lot involved with managing the secure software development lifecycle. Domain 6 features 11 objectives. Don’t let this intimidate you; this CSSLP domain makes up 11% of the overall exam content. Below are the objectives that CSSLP certification candidates will be expected to explain on the CSSLP certification exam.

6.1 Secure configuration and version control (e.g., hardware, software, documentation, interfaces and patching)

Being on the same page is important in any line of work, and in secure software development it is even more so. Configuration management means identifying the configuration items (hardware, software, documentation, interfaces and patch levels), recording an approved baseline under version control, and changing that baseline only through a controlled, auditable process. A hardening review or a penetration test performed against an outdated configuration tells you little about what is actually deployed, and an undocumented change to a deployed configuration is itself a security defect.
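One concrete form of the "is what's deployed what we approved?" check is a drift comparison against a version-controlled baseline manifest. The block below is an added example for this article, not code from ISC2 or from the author; it assumes a manifest that maps each configuration item (including a patch level, treated as a configuration item) to the SHA-256 of its approved content, and all file contents and item names in it are constructed for illustration.

```python
"""Configuration drift check against a version-controlled baseline.

Added example, not code from the article or from ISC2. It assumes a baseline
manifest (config item name -> SHA-256 of the approved content) that is kept in
version control, and compares it with whatever is actually deployed. All file
contents below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "approved" configuration items: the content change control signed off on.
# A patch level is a configuration item too, so it is tracked alongside the files.
APPROVED = {
    "sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "nginx.conf": b"server_tokens off;\nssl_protocols TLSv1.2 TLSv1.3;\n",
    "openssl.version": b"3.0.13\n",
}

# The baseline manifest stores hashes, not content, so it can be diffed and
# reviewed in version control like any other artifact.
BASELINE = {name: sha256_hex(content) for name, content in APPROVED.items()}


@dataclass
class DriftReport:
    modified: list[str] = field(default_factory=list)    # present but content differs
    missing: list[str] = field(default_factory=list)     # in baseline, not deployed
    unexpected: list[str] = field(default_factory=list)  # deployed, never approved

    def is_clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def check_drift(baseline: dict[str, str], deployed: dict[str, bytes]) -> DriftReport:
    """Classify every configuration item as matching, modified, missing or unexpected."""
    report = DriftReport()
    for name in sorted(baseline):
        if name not in deployed:
            report.missing.append(name)
        elif sha256_hex(deployed[name]) != baseline[name]:
            report.modified.append(name)
    for name in sorted(deployed):
        if name not in baseline:
            report.unexpected.append(name)
    return report


# Constructed deployed state: someone re-enabled root login by hand, the OpenSSL
# patch was never applied, the nginx config is gone, and a debug file appeared
# that no change record covers.
DEPLOYED_DRIFTED = {
    "sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "openssl.version": b"3.0.11\n",
    "debug.conf": b"log_level debug\n",
}
DEPLOYED_CLEAN = dict(APPROVED)


if __name__ == "__main__":
    r = check_drift(BASELINE, DEPLOYED_DRIFTED)
    print("clean:", r.is_clean())
    print("modified:", r.modified, "missing:", r.missing, "unexpected:", r.unexpected)
```

Each of the three buckets maps to a different control failure: a modified item means an approved baseline was changed outside change control, a missing item means a required control is absent, and an unexpected item means something is running that was never reviewed. Storing hashes rather than content in the manifest keeps secrets out of the repository while still letting a reviewer diff two baselines.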

6.2 Define strategy and roadmap

The secure software development lifecycle is not an organic, spontaneous effort but rather is well-planned and calculated. As such, you will need to define what you will do to integrate security into each phase of the software development cycle and how you will be doing that.

6.3 Manage security within a software development methodology

You will be responsible for knowing how to incorporate security into both types of software development methodologies:

  • Security in adaptive methodologies (e.g., agile methodologies)
  • Security in predictive methodologies (e.g., waterfall)

6.4 Identify security standards and frameworks

You are probably aware that different security standards and frameworks each have their own use and purpose. Secure software development draws on several of them at different points in the lifecycle, so expect to see them on the certification exam.

6.5 Define and develop security documentation

Documentation is crucial for the secure software development lifecycle, and you should know how important it is and be able to explain it if necessary.

6.6 Develop security metrics (e.g., defects per line of code, criticality level, average remediation time and complexity)

Security metrics help guide the secure software development lifecycle: defect density shows where vulnerabilities cluster, criticality levels tell you what to fix first, and average remediation time shows whether the fixes are actually landing. Expect them to be covered on the certification exam.

6.7 Decommission software

  • End of life policies (e.g., credential removal, configuration removal, license cancellation and archiving)
  • Data disposition (e.g., retention, destruction and dependencies)

6.8 Report security status (e.g., reports, dashboards and feedback loops)
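The metrics named in 6.6 and the status report they feed in 6.8 are simple to compute once findings are recorded consistently. The block below is an added example for this article, not code from ISC2 or from the author; it assumes each finding carries a component, a criticality level and open/close dates, plus a line count per component. The criticality weights, the remediation SLAs, the findings and the line counts are all constructed for illustration.

```python
"""Security metrics for the secure software lifecycle, computed from findings.

Added example, not code from the article or from ISC2. It assumes a findings
record with a component, a criticality, and open/close dates, plus a line count
per component; the criticality weights and remediation SLAs are assumptions.
All findings and line counts below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean

# Assumed weights and remediation SLAs (days) per criticality level.
CRITICALITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    fid: str
    component: str
    criticality: str
    opened: date
    closed: date | None  # None means still open


# Constructed sample findings, not real data.
FINDINGS = [
    Finding("F-1", "auth", "critical", date(2021, 6, 1), date(2021, 6, 3)),
    Finding("F-2", "auth", "high", date(2021, 6, 2), date(2021, 6, 12)),
    Finding("F-3", "billing", "medium", date(2021, 6, 5), date(2021, 7, 5)),
    Finding("F-4", "billing", "low", date(2021, 6, 6), None),
    Finding("F-5", "api", "high", date(2021, 6, 10), None),
]
# Constructed lines of code per component.
LOC = {"auth": 12000, "billing": 30000, "api": 10000}
REPORT_DATE = date(2021, 7, 10)


def defect_density(findings, loc) -> dict[str, float]:
    """Security defects per 1,000 lines of code (KLOC), per component."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.component] = counts.get(f.component, 0) + 1
    return {c: round(counts.get(c, 0) * 1000 / n, 2) for c, n in loc.items()}


def mean_time_to_remediate(findings, criticality=None) -> float | None:
    """Average days from open to close for closed findings, optionally by criticality."""
    days = [(f.closed - f.opened).days for f in findings
            if f.closed is not None and criticality in (None, f.criticality)]
    return round(mean(days), 1) if days else None


def open_risk_score(findings) -> int:
    """Weighted count of open findings: one number a dashboard can trend over time."""
    return sum(CRITICALITY_WEIGHT[f.criticality] for f in findings if f.closed is None)


def sla_breaches(findings, today) -> list[str]:
    """IDs of open findings that have outlived the remediation SLA for their criticality."""
    return [f.fid for f in findings
            if f.closed is None and (today - f.opened).days > SLA_DAYS[f.criticality]]


def status_report(findings, loc, today) -> dict:
    """The summary a status report or dashboard would carry (objective 6.8)."""
    return {
        "as_of": today.isoformat(),
        "defects_per_kloc": defect_density(findings, loc),
        "mttr_days": {lvl: mean_time_to_remediate(findings, lvl) for lvl in SLA_DAYS},
        "mttr_days_overall": mean_time_to_remediate(findings),
        "open_risk_score": open_risk_score(findings),
        "sla_breaches": sla_breaches(findings, today),
    }


if __name__ == "__main__":
    for k, v in status_report(FINDINGS, LOC, REPORT_DATE).items():
        print(f"{k}: {v}")
```

On the constructed data the auth component has the highest defect density even though billing has the same number of findings, which is the point of normalizing by code size; and the SLA check flags a high finding that is still open after the assumed 14-day window, which is the kind of item a feedback loop should route back to the owning team rather than leave buried in a count.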

6.9 Incorporate integrated risk management (IRM)

  • Regulations and compliance
  • Legal (e.g., intellectual property and breach notification)
  • Standards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM) and Building Security In Maturity Model (BSIMM))
  • Risk management (e.g., mitigate, accept, transfer and avoid)
  • Terminology (e.g., threats, vulnerability, residual risk, controls, probability and impact)
  • Technical risk vs. business risk

6.10 Promote security culture in software development

  • Security champions
  • Security education and guidance

6.11 Implement continuous improvement (e.g., retrospective, lessons learned)

Learning more about CSSLP domain 6

To earn the Certified Secure Software Lifecycle Professional certification, you will have to pass the certification exam, which covers eight domains of knowledge. CSSLP domain 6 covers secure software lifecycle management, and a firm understanding of it is critical for any secure software development professional, both for the certification exam and for your career.


Sources

CSSLP Certification Exam Outline, ISC2

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.