Archive for January 2014
The secret to the CSSLP: roles a CSSLP plays in an organization
So you want to be a CSSLP. Why is it important to become one, and what will you learn? Who are the stakeholders in the organization?
Roles a CSSLP plays within his or her organization
- Provides a holistic approach to software security needs
- Gives advice on designing, developing and deploying secure software
- Maintains knowledge of the latest software security technologies
- Assists in assuring compliance with regulations
- Affirms compliance with the policies and procedures that have been set
Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com
https://www.isc2.org/uploadedFiles/Landing_Pages/Version_1/CSSLP-Prof-Web.pdf
CSSLP, the beginning: What is secure software development?
So let's talk about what we are trying to accomplish by becoming a CSSLP. In order to be a CSSLP you need to understand the basic concepts of software security.
- Confidentiality – keeping sensitive data private.
- Authentication – verifying that an entity is who it claims to be.
- Session management – HTTP is a stateless protocol, so state is usually carried by cookies. Session identifiers are sensitive and must be protected.
- Integrity – making sure the books stay straight and that data is not modified without authorization.
- Authorization – the entity is permitted to do what it is supposed to do, no more and no less. This ties to the principle of least privilege.
- Exception management – the software system handles errors properly and fails to a secure state.
- Availability – the software system is up and running when the business needs it.
- Auditing – answering the who, what, where and when questions about an activity.
- Configuration management – making sure that vulnerabilities are not introduced into software systems when changes are made.
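To make the list above concrete, here is an added example (not code from the original post) of a minimal in-memory login and session model that exercises several of these concepts in working code: authentication that produces an unguessable session identifier, session management with protective cookie attributes, authorization following least privilege, fail-secure exception management, and an audit trail answering who/what/when whose integrity is protected by a MAC. Every user, password, permission, salt and the 15-minute session lifetime is constructed for illustration.

```python
# Added example, not code from the original post: a minimal in-memory login
# and session model that exercises several of the concepts listed above.
# Every user, password, permission and the 15-minute TTL are constructed.
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60        # assumed idle limit for a session
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Confidentiality of credentials: store a salted, slow hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

# Constructed user store: each user gets only the permissions the job needs (least privilege).
_ALICE_SALT, _BOB_SALT = b"constructed-salt-alice", b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _ALICE_SALT, "hash": hash_password("correct horse", _ALICE_SALT),
              "perms": {"report:read", "report:write"}},
    "bob":   {"salt": _BOB_SALT, "hash": hash_password("battery staple", _BOB_SALT),
              "perms": {"report:read"}},
}
SESSIONS = {}                        # session id -> {"user": ..., "expires": ...}
AUDIT_LOG = []                       # who / what / when / outcome, each entry MACed
AUDIT_KEY = secrets.token_bytes(32)  # server-side key; assumed kept outside the app in real deployments

def _audit_mac(entry: dict) -> str:
    msg = f"{entry['when']}|{entry['who']}|{entry['what']}|{entry['outcome']}".encode()
    return hmac.new(AUDIT_KEY, msg, "sha256").hexdigest()

def audit(who: str, what: str, outcome: str) -> None:
    """Auditing: record who did what, when, and how it turned out."""
    entry = {"when": time.time(), "who": who, "what": what, "outcome": outcome}
    entry["mac"] = _audit_mac(entry)
    AUDIT_LOG.append(entry)

def audit_log_intact() -> bool:
    """Integrity: a modified audit entry no longer matches its MAC."""
    return all(hmac.compare_digest(e["mac"], _audit_mac(e)) for e in AUDIT_LOG)

def authenticate(username: str, password: str):
    """Authentication: verify the entity is who it claims to be; return a session id or None."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which names exist.
    candidate = hash_password(password, record["salt"] if record else b"dummy-salt")
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        audit(username, "login", "denied")
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: an unguessable session id
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL_SECONDS}
    audit(username, "login", "ok")
    return sid

def session_cookie(sid: str) -> str:
    """Session management: HTTP is stateless, so the id rides in a cookie. HttpOnly keeps it
    from script, Secure keeps it off plaintext HTTP, SameSite limits cross-site requests."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age={SESSION_TTL_SECONDS}"

def current_user(sid: str):
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if time.time() > s["expires"]:   # expired sessions are removed, not silently honoured
        SESSIONS.pop(sid, None)
        return None
    return s["user"]

def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)          # invalidate server side, not just the cookie

def authorize(sid: str, permission: str) -> bool:
    """Authorization: the caller must hold exactly this permission, no more, no less.
    Exception management: anything unexpected fails closed (deny), never open."""
    try:
        user = current_user(sid)
        if user is None:
            audit("anonymous", permission, "denied")
            return False
        allowed = permission in USERS[user]["perms"]
        audit(user, permission, "ok" if allowed else "denied")
        return allowed
    except Exception:                # e.g. a corrupted user record: deny and leave an audit trail
        audit("unknown", permission, "error")
        return False

if __name__ == "__main__":
    sid = authenticate("alice", "correct horse")
    print(session_cookie(sid))
    print("alice can write:", authorize(sid, "report:write"))
    print("audit log intact:", audit_log_intact())
```

The two places where real deployments differ most from this sketch are the session store (a shared, server-side store rather than a module-level dictionary) and the audit key, which should be held where application code cannot read it; the fail-closed `except` in `authorize` is the part to copy as-is.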
The secret to the CSSLP: the beginning of the journey
I am studying to become a CSSLP. I have had my CISSP for a number of years and have been a programmer and ethical hacker for ten years. I have my master's degree in information security and management science and a bachelor's degree in information science and human-computer interaction. I work for a very large security company. I am taking the exam too and wanted to share my knowledge of studying for it with the blogosphere.
The CSSLP examination tests the breadth and depth of a candidate's knowledge by focusing on the seven domains that comprise the CSSLP, a taxonomy of information security topics:
- Secure Software Concepts – security implications in software development and for software supply chain integrity
- Secure Software Requirements – capturing security requirements in the requirements gathering phase
- Secure Software Design – translating security requirements into application design elements
- Secure Software Implementation/Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
- Secure Software Testing – integrated QA testing for security functionality and resiliency to attack
- Software Acceptance – security implications in the software acceptance phase
- Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software
CSSLP stakeholders include:
- Auditors
- Top Management
- Business Unit Heads
- IT Managers
- Security Specialists
- Application Owners
- Developers & Coders
- Project Managers / Team Leads
- Technical Architects
- Quality Assurance Managers
- Business Analysts
- Industry Group Delivery Heads
- Client-side PMs