ISBN-10: 1466571276
ISBN-13: 9781466571273
Pub. Date: 08/27/2013
Publisher: Taylor & Francis
Official (ISC)2 Guide to the CSSLP CBK, Second Edition / Edition 2

by Mano Paul

Hardcover


Product Details

Series: (ISC)2 Press Series
Edition description: Revised
Pages: 800
Sales rank: 231,461
Product dimensions: 7.00(w) x 10.10(h) x 1.60(d)

Table of Contents

Domain 1 - Secure Software Concepts
Holistic Security
Implementation Challenges
Iron Triangle Constraints
Security as an Afterthought
Security vs. Usability

Quality and Security
Security Profile – What Makes Software Secure?
Core Security Concepts
Design Security Concepts
Risk Management

Terminology and Definitions
Risk Management for Software
Handling Risk
Risk Management Concept: Summary
Security Policies: The ‘What’ and ‘Why’ for Security
Scope of the Security Policies
Prerequisites for Security Policy Development
Security Policy Development Process

Security Standards
Types of Security Standards
Internal Coding Standards
NIST Standards
Federal Information Processing (FIPS) standards
ISO Standards
PCI Standards
Organization for the Advancement of Structured Information Standards (OASIS)
Benefits of Security Standards

Best Practices
Open Web Application Security Project (OWASP)
Information Technology Infrastructure Library (ITIL)

Software Development Methodologies
Waterfall Model
Iterative Model
Spiral Model
Agile Development Methodologies

Software Assurance Methodologies
Socratic Methodology
Six Sigma (6 σ)
Capability Maturity Model Integration (CMMI)
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®)
STRIDE and DREAD
Open Source Security Testing Methodology Manual (OSSTMM)
Flaw Hypothesis Method (FHM)

Enterprise Application and Security Frameworks
Zachman Framework
Control Objectives for Information and related Technology (COBIT®)
Committee of Sponsoring Organizations (COSO)
Sherwood Applied Business Security Architecture (SABSA)

Regulations, Privacy and Compliance
Significant Regulations and Privacy Acts
Sarbanes-Oxley Act (SOX)
BASEL II
Gramm-Leach-Bliley Act (GLB Act)
Health Insurance Portability and Accountability Act (HIPAA)
Data Protection Act
Computer Misuse Act
Mobile Device Privacy Act
State Security Breach Laws

Privacy and Software Development
Data Anonymization
Disposition
Security Models

Trusted Computing
Ring Protection
Trust Boundary (or Security Perimeter)
Trusted Computing Base (TCB)
Reference Monitor

Acquisitions

Domain 2 - Secure Software Requirements
Sources for Security Requirements
Types of Security Requirements
Core Security Requirements
General Requirements
Operational Requirements
Other Requirements

Protection Needs Elicitation (PNE)
Brainstorming
Surveys (Questionnaires and Interviews)

Policy Decomposition
Data Classification
Subject/Object Matrix

Use Case & Misuse Case Modeling
Requirements Traceability Matrix (RTM)

Domain 3 - Secure Software Design
The Need for Secure Design

Flaws versus Bugs
Architecting Software with Core Security Concepts
Confidentiality Design
Integrity Design
Availability Design
Authentication Design
Authorization Design
Accountability Design

Architecting Software with Secure Design Principles
Least Privilege
Separation of Duties
Defense in Depth
Fail Secure
Economy of Mechanisms
Complete Mediation
Open Design
Least Common Mechanisms
Psychological Acceptability
Weakest Link
Leveraging Existing Components
Balancing Secure Design Principles

Other Design Considerations
Interface Design
Interconnectivity

Design Processes
Attack Surface Evaluation
Threat Modeling
Architectures
Mainframe Architecture
Distributed Computing
Service Oriented Architecture
Rich Internet Applications
Pervasive/Ubiquitous Computing
Cloud Computing
Mobile Applications
Integration with Existing Architectures

Technologies
Authentication
Identity Management
Credential Management
Flow Control
Auditing (Logging)
Trusted Computing
Database Security
Programming Language Environment
Operating Systems
Embedded Systems

Secure Design and Architecture Review

Domain 4 - Secure Software Implementation/Coding
Who is to be Blamed for Insecure Software?
Fundamental Concepts of Programming
Computer Architecture
Evolution of Programming Languages

Common Software Vulnerabilities and Controls
Buffer Overflow
Stack Overflow
Heap Overflow
Injection Flaws
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Non-persistent or Reflected XSS
Persistent or Stored XSS
DOM based XSS
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Checks
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
File Attacks
Race Condition
Side Channel Attacks

Defensive Coding Practices – Concepts and Techniques
Input Validation
Canonicalization
Sanitization
Error Handling
Safe APIs
Memory Management
Exception Management
Session Management
Configuration Parameters Management
Secure Startup
Cryptography
Concurrency
Tokenization
Sandboxing
Anti-Tampering

Secure Software Processes
Version (Configuration Management)
Code Analysis
Code/Peer Review

Securing Build Environments

Domain 5 - Secure Software Testing
Quality Assurance
Testing Artifacts
Test Strategy
Test Plan
Test Case
Test Script
Test Suite
Test Harness

Types of Software QA Testing
Functional Testing
Non-Functional Testing
Other Testing

Attack Surface Validation (Security Testing)
Motives, Opportunities and Means
Testing of Security Functionality versus Security Testing
The Need for Security Testing

Security Testing Methods
White Box Testing
Black Box Testing
White Box Testing versus Black Box Testing

Types of Security Testing
Cryptographic Validation Testing
Scanning
Fuzzing

Software Security Testing
Testing for Input Validation
Testing for Injection Flaws Controls
Testing for Scripting Attacks Controls
Testing for Non-repudiation Controls
Testing for Spoofing Controls
Testing for Error and Exception Handling Controls (Failure Testing)
Testing for Privileges Escalations Controls
Anti-Reversing Protection Testing

Tools for Security Testing
Test Data Management
Defect Reporting and Tracking
Reporting Defects
Tracking Defects
Impact Assessment and Corrective Action
Domain 6 - Software Acceptance
Guidelines for Software Acceptance
Benefits of Accepting Software Formally
Software Acceptance Considerations
Completion Criteria
Change Management
Approval to Deploy or Release
Risk Acceptance and Exception Policy
Documentation of Software

Verification and Validation (V&V)
Reviews
Testing

Certification and Accreditation (C&A)

Domain 7 - Software Deployment, Operations, Maintenance, and Disposal
Installation and Deployment
Hardening
Environment Configuration
Release Management
Bootstrapping and Secure Startup

Operations and Maintenance
Monitoring
Incident Management
Problem Management
Change Management
Backups, Recovery and Archiving

Disposal
End-of-Life Policies
Sun-Setting Criteria
Sun-setting Processes
Information Disposal and Media Sanitization
Domain 8 - Supply Chain and Software Acquisition
Software Acquisition and the Supply Chain
Acquisition Lifecycle
Software Acquisition Models and Benefits
Supply Chain Software Goals
Threats to Supply Chain Software

Software Supply Chain Risk Management (SCRM)
Supplier Risk Assessment and Management
Supplier Sourcing
Contractual Controls
Intellectual Property (IP) Ownership and Responsibilities
Types of Intellectual Property (IP)
Licensing (Usage and Redistribution Terms)

Software Development and Testing
Assurance Requirement Conformance Validation
Code Review
Code Repository Security
Build Tools and Environment Integrity
Testing for Code Security

Software SCRM during Acceptance
Anti-Tampering Resistance and Controls
Authenticity and Anti-Counterfeiting Controls
Supplier Claims Verification

Software SCRM during Delivery (Handover)
Chain of Custody
Secure Transfer
Code Escrows
Export Control and Foreign Trade Data Regulations Compliance

Software SCRM during Deployment (Installation/Configuration)
Secure Configuration
Perimeter (Network) Security Controls
System-of-Systems (SoS) Security

Software SCRM during Operations and Maintenance
Runtime Integrity Assurance
Patching and Upgrades
Termination Access Controls
Custom Code Extensions Checks
Continuous Monitoring and Incident Management

Software SCRM during Retirement

Appendices
Answers to Review Questions
Security Models
Threat Modeling
Commonly Used Opcodes in Assembly
HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
Security Testing Tools