CSSLP® Training and Certification

Course 2059

  • Duration: 5 days
  • Exam Voucher: Yes
  • Language: English
  • Level: Intermediate

Attend this official ISC2™ Certified Secure Software Lifecycle Professional (CSSLP) training and certification course and get prepared to achieve this premier secure software development certification. This course provides you with in-depth coverage on the skills and concepts in the eight domains of software security. This includes Software Concepts, Requirements, Design, Implementation, Testing, Lifecycle Management, among others.

This course covers secure software development with the Certified Secure Software Lifecycle (CSSLP) and its domains. Topics include identifying security requirements, secure SDLC, manual testing, unit testing, functional testing, acceptance testing, and security testing, code review, and test automation. Students learn about security vulnerabilities, software testing, and source code. The course covers IAST (Interactive Application Security Testing tools, CI/CD (Continuous Integration/Continuous Delivery pipeline, and penetration testing to help prepare for the CSSLP exam.

Passing the CSSLP Certification Exam meets U.S. DoD Directive 8140/8570.01 Information Assurance Security Architect/Engineer (IASAE) Level-I and Information Assurance Security Architect/Engineer (IASAE) Level-II requirements.

CSSLP Training Delivery Methods

  • In-Person

  • Online

CSSLP Training Course Information

In this CSSLP course, you will learn how to:

  • Prepare for and pass the CSSLP Exam.
  • Identify security software requirements.
  • Follow secure coding practices.
  • Develop a security testing strategy and plan.
  • Choose a secure software methodology.
  • Release software securely.

CSSLP Training Prerequisites

This CSSLP course is for Software Developers, Engineers, Architects, Penetration Testers, and other IT (Information Technology) professionals who have a minimum of four years' experience in full-time Software Development Lifecycle (SDLC) in one or more of the eight domains covered in the CSSLP exam.

CSSLP Certification Information

Learning Tree can provide a voucher that allows you to take the exam at any Pearson VUE Test Center available on request.

Requirements for certification:

  • A minimum of four years of cumulative, paid, full-time Software Development Lifecycle (SDLC) professional experience in one or more of the eight domains of the CSSLP Common Body of Knowledge (CBK)
  • Pass CSSLP exam

As one of only 12 ISC22 CPE Submitters worldwide, Learning Tree can submit courses on your behalf to ISC2 for CPE credit. ISC2 members can earn:

  • Group A credits for attending any of our cybersecurity courses, and 
  • Group B General Education credits for any other Learning Tree course they attend.
  • Or ISC2 members can submit CPE credits directly to the CPE portal in the Members section of the ISC2 website.

This is an ISC2 certification prep course. Click here to view more ISC2 certification prep training ›

CSSLP Training Outline

1.1 Core Concepts

  • Confidentiality (e.g., covert, overt, encryption)
  • Integrity (e.g., hashing, digital signatures, code signing, reliability, modifications, authenticity)
  • Availability (e.g., redundancy, replication, clustering, scalability, resiliency)
  • Authentication (e.g., multifactor authentication (MFA), identity & access management (IAM), single sign-on (SSO), federated identity)
  • Authorisation (e.g., access controls, permissions, entitlements)
  • Accountability (e.g., auditing, logging)
  • Nonrepudiation (e.g., digital signatures, blockchain)

1.2 Security Design Principles

  • Least privilege (e.g., access control, need-to-know, run-time privileges)
  • Separation of Duties (e.g., multi-party control, secret sharing, and split knowledge)
  • Defence in depth (e.g., layered controls, input validation, security zones)
  • Resiliency (e.g., fail safe, fail secure, no Single Point of Failure (SPOF))
  • The economy of mechanism (e.g., Single Sign-On (SSO), password vaults, resource)
  • Complete mediation (e.g., cookie management, session management, caching of credentials)
  • Open design (e.g., Kerckhoffs’s principle)
  • Least common mechanism (e.g., compartmentalisation/isolation, safe listing)
  • Psychological acceptability (e.g., password complexity, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), biometrics)
  • Component reuse (e.g., common controls, libraries)
  • Diversity of defence (e.g., geographical diversity, technical diversity, distributed systems)

2.1 Define Software Security Requirements

  • Functional (e.g., business requirements, use cases, stories)
  • Non-functional (e.g., operational, deployment, systemic qualities)

2.2 Identify and Analyse Compliance Requirements

2.3 Identify and Analyse Data Classification Requirements

  • FData ownership (e.g., data owner, data custodian)
  • Labelling (e.g., sensitivity, impact)
  • Types of data (e.g., structured, unstructured data)
  • Data life cycle (e.g., generation, retention, disposal)

2.4 Identify and Analyse Privacy Requirements

  • Data anonymisation
  • User consent
  • Disposition (e.g., right to be forgotten)
  • Data retention
  • Cross borders (e.g., data residency, jurisdiction, multi-national data processing boundaries)

2.5 Develop Misuse and Abuse Cases

2.6 Develop a Security Requirement Traceability Matrix (STRM)

2.7 Ensure Security Requirements Flow Down to Suppliers/Providers

3.1 Perform Threat Modelling

  • Understand common threats (e.g., Advance Persistent Threat (APT), insider threat, common malware, third-party/supplier)
  • Attack surface evaluation
  • Threat intelligence (e.g., Identify credible, relevant threats)

3.2 Define the Security Architecture

  • Security control identification and prioritisation
  • Distributed computing (e.g., client-server, peer-to-peer (P2P), message queuing)
  • Service-oriented architecture (SOA) (e.g., Enterprise Service Bus (ESB), web services
  • Rich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity)
  • Pervasive/ubiquitous computing (e.g., Internet of Things (IoT), wireless, location-based, Radio-Frequency Identification (RFID), near field communication, sensor networks)
  • Embedded (e.g., secure update, Field-Programmable Gate Array (FPGA) security features, microcontroller security)
  • Cloud architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
  • Mobile applications (e.g., implicit data collection privacy)
  • Hardware platform concerns (e.g., side-channel mitigation, speculative execution mitigation, embedded Hardware Security Modules (HSM))
  • Cognitive computing (e.g., Machine Learning (ML), Artificial Intelligence (AI))
  • Control systems (e.g., industrial, medical, facility-related, automotive)

3.3 Performing Secure Interface Design

  • Security management interfaces, Out-of-Band (OOB) management, log interfaces
  • Upstream/downstream dependencies (e.g., key and data sharing between apps)
  • Protocol design choices (e.g., Application Programming Interface (APIs), weaknesses, state, models)

3.4 Performing Architectural Risk Assessment

3.5 Model (Non-Functional) Security Properties and Constraints

3.6 Model and Classify Data

3.7 Evaluate and Select Reusable Secure Design

  • Credential management (e.g., X.509 and Single Sign-On (SSO))
  • Flow control (e.g., proxies, firewalls, protocols, queuing)
  • Data loss prevention (DLP)
  • Virtualisation (e.g., software-defined infrastructure, hypervisor, containers)
  • Trusted computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))
  • Database security (e.g., encryption, triggers, views, privilege management)
  • Programming language environment (e.g., Common Language Runtime (CLR), Java Virtual Machine (JVM))
  • Operating System (OS) controls and services
  • Secure backup and restoration planning
  • Secure data retention, retrieval, and destruction

3.8 Perform Security Architecture and Design Review

3.9 Define Secure Operational Architecture (e.g., deployment topology, operational interfaces)

3.10 Use Secure Architecture and Design Principles, Patterns, and Tools

4.1 Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines, and regulations)

  • Declarative versus imperative (programmatic) security
  • Concurrency (e.g., thread safety, database concurrency controls)
  • Output sanitisation (e.g., encoding, obfuscation)
  • Error and exception handling
  • Input validation
  • Secure logging & auditing
  • Session management
  • Trusted/Untrusted Application Programming Interfaces (APIs) and libraries
  • Type safety
  • Resource management (e.g., compute, storage, network, memory management)
  • Secure configuration management (e.g., parameter, default options, credentials)
  • Tokenising
  • Isolation (e.g., sandboxing, virtualisation, containers, Separation Kernel Protection Profiles (SKPP))
  • Cryptography (e.g., payload, field level, transport, storage, agility, encryption, algorithm selection)
  • Access control (e.g., trust zones, function permissions, Role Based Access Control (RBAC))
  • Processor microarchitecture security extensions (e.g., Software Guard Extensions (SGX), Advanced Micro Devices (AMD) Secure Memory Encryption(SME)/Secure Encrypted Virtualisation(SEV), ARM TrustZone)

4.2 Analyse Code for Security Risks

  • Secure code reuse
  • Vulnerability databases/lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumeration (CWE))
  • Static Application Security Testing (SAST) (e.g., automated code coverage, linting)
  • Dynamic Application Security Testing (DAST)
  • Manual code review (e.g., individual, peer)
  • Look for malicious code (e.g., backdoors, logic bombs, high entropy)
  • Interactive Application Security Testing (IAST)

4.3 Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)

4.4 Address Security Risks (e.g., remediation, mitigation, transfer, accept)

4.5 Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))

4.6 Securely Integrate Components

  • Systems-of-systems integration (e.g., trust contracts, security testing, and analysis)

4.7 Apply Security During the Build Process

  • Anti-tampering techniques (e.g., code signing, obfuscation)
  • Compiler switches
  • Address compiler warnings

5.1 Develop Security Test Cases

  • Attack surface validation
  • Penetration tests
  • Fuzzing (e.g., generated, mutated)
  • Scanning (e.g., vulnerability, content, privacy)
  • Simulation (e.g., simulating production environment and production data, synthetic workloads)
  • Failure (e.g., fault injection, stress testing, break testing)
  • Cryptographic validation (e.g., Pseudo-Random Number Generator (PRNG), entropy)
  • Regression tests
  • Integration tests
  • Continuous (e.g., synthetic transactions)

5.2 Develop Security Testing Strategy and Plan

  • Functional security testing (e.g., logic)
  • Nonfunctional security testing (e.g., reliability, performance, scalability)
  • Testing techniques (e.g., the white box and the black box)
  • Environment (e.g., interoperability, test harness)
  • Standards (e.g., International Organisation for Standardisation (ISO), Open Source Security Testing Methodology Manual (OSSTMM), Software Engineering Institute (SEI))
  • Crowdsourcing (e.g., bug bounty)

5.3 Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)

5.4 Identify Undocumented Functionality

5.5 Analyse Security Implications of Test Results (e.g., impact on product management, prioritisation, break build criteria)

5.6 Classify and Track Security Errors

  • Bug tracking (e.g., defects, errors, and vulnerabilities)
  • Risk Scoring (e.g., Common Vulnerability Scoring System (CVSS))

5.7 Secure Test Data

  • Generate test data (e.g., referential integrity, statistical quality, production representative)
  • Reuse of production data (e.g., obfuscation, sanitisation, anonymisation, tokenisation, data aggregation mitigation)

5.8 Perform Verification and Validation Testing

6.1 Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)

6.2 Define Strategy and Roadmap

6.3 Manage Security Within a Software Development Methodology

  • Security in adaptive methodologies (e.g., Agile methodologies)
  • Security in predictive methodologies (e.g., Waterfall)

6.4 Identify Security Standards and Frameworks

6.5 Define and Develop Security Documentation

6.6 Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)

6.7 Decommission Software

  • End-of-life policies (e.g., credential removal, configuration removal, license cancellation, archiving)
  • Data disposition (e.g., retention, destruction, dependencies)

6.8 Report Security Status (e.g., reports, dashboards, feedback loops)

6.9 Incorporate Integrated Risk Management (IRM)

  • Regulations and compliance
  • Legal (e.g., intellectual property, breach notification)
  • Standards and guidelines (e.g., International Organisation for Standardisation (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM))
  • Risk management (e.g., mitigate, accept, transfer, avoid)
  • Terminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)
  • Technical risk vs. business risk

6.10 Promote Security Culture in Software Development

  • Security champions
  • Security education and guidance

6.11 Implement Continuous Improvement (e.g., retrospective, lessons learned)

7.1 Perform Operational Risk Analysis

  • Deployment environment
  • Personnel training (e.g., administrators vs. users)
  • Safety criticality
  • System Integration

7.2 Release Software Securely

  • Secure Continuous Integration and Continuous Delivery (CI/CD) pipeline
  • The secure software toolchain
  • Build artefact verification (e.g., code signing, checksums, hashes)

7.3 Securely Store and Manage Security Data

  • Credentials
  • Secrets
  • Keys/certificates
  • Configurations

7.4 Ensure Secure Installation

  • Bootstrapping (e.g., key generation, access, management)
  • Least privilege
  • Environment hardening
  • Secure activation (e.g., credentials, safelisting, device configuration, network configuration, licensing)
  • Security policy implementation
  • Secrets injection (e.g., certificate, Open Authorisation (OAuth) tokens, Secure Shell (SSH) keys)

7.5 Perform Post-Deployment Security Testing

7.6 Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at the appropriate level)

7.7 Perform Information Security Continuous Monitoring (ISCM)

  • Collect and analyse observable security data (e.g., logs, events, telemetry, and trace data)
  • Threat intel
  • Intrusion detection/response
  • Secure configuration
  • Regulation changes

7.8 Support Incident Response

  • Root cause analysis
  • Incident triage
  • Forensics

7.9 Perform Patch Management (e.g., secure release, testing)

7.10 Perform Vulnerability Management (e.g., scanning, tracking, triaging)

7.11 Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomisation (ASLR))

7.12 Support Continuity of Operations

  • Backup, archiving, retention
  • Disaster Recovery (DR)
  • Resiliency (e.g., operational redundancy, erasure code, survivability)

7.13 Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)

8.1 Implement Software Supply Chain Risk Management

  • Identify
  • Assess
  • Respond
  • Monitor

8.2 Analyse the Security of Third-Party Software

8.3 Verify Pedigree and Provenance

  • Secure transfer (e.g., interdiction mitigation)
  • System sharing/interconnections
  • Code repository security
  • Build environment security
  • Cryptographically hashed, digitally-signed components
  • Right to audit

8.4 Ensure Supplier Security Requirements in the Acquisition Process

  • Audit of security policy compliance (e.g., secure software development practices)
  • Vulnerability/incident notification, response, coordination, and reporting
  • Maintenance and support structure (e.g., community versus commercial, licensing)
  • Security track record

8.5 Support contractual requirements

  • Intellectual Property (IP) ownership, code escrow, liability, and warranty
  • End-User License Agreement (EULA)
  • Service Level Agreements (SLA)

Need Help Finding The Right Training Solution?

Our training advisors are here for you.

CSSLP Training FAQs

Certified secure software lifecycle professional is a certification from ISC2. It focuses on application security within the SDLC.

Learning Tree can provide a voucher to sit the exam upon request.

Yes! We know your busy work schedule may prevent you from getting to one of our classrooms, which is why we offer convenient online training to meet your needs wherever you want. This course is available in class and live online.

The Certified Secure Software Lifecycle Professional (CSSLP) is a premier certification offered by ISC2 for software professionals who are involved in the secure software development lifecycle. It covers eight domains of software security, including software concepts, requirements, design, implementation, testing, lifecycle management, and more. Passing the CSSLP Certification Exam meets U.S. DoD Directive 8140/8570.01 Information Assurance Security Architect/Engineer (IASAE) Level-I and Information Assurance Security Architect/Engineer (IASAE) Level-II requirements.

The CSSLP Training Course is a 5-day instructor-led training course that follows the official ISC2 curriculum. It includes an ISC2 exam voucher in the course tuition and one-on-one after-course instructor coaching.

The CSSLP Training Course is for Software Developers, Engineers, Architects, Penetration Testers, Software Testers, and other IT (Information Technology) professionals who have a minimum of four years of experience in full-time Software Development Lifecycle (SDLC) in one or more of the eight domains covered in the CSSLP exam.

Learning Tree can provide a voucher on request that allows you to take the CSSLP Exam at any Pearson VUE Test Center available. Requirements for certification include a minimum of four years of cumulative, paid, full-time Software Development Lifecycle (SDLC) professional experience in one or more of the eight domains of the CSSLP Common Body of Knowledge (CBK) and passing the CSSLP exam.

CSSLP Training is available in two formats: in-person and online.

Yes, Learning Tree offers Team Training for organisations that want to bring CSSLP Training to their employees. It includes full-scale programme development and expert team coaching. It can be delivered when, where, and how you want it, and can be tailored to the specific needs of your team.

In the CSSLP Training Course, you will learn how to prepare for and pass the CSSLP Exam, identify security software requirements, follow secure coding practices, develop a security testing strategy and plan, choose a secure software methodology, and release software securely.

The eight domains covered in the CSSLP Training Course are Secure Software Concepts, Secure Software Requirements, Secure Software Architecture and Design, Secure Software Implementation, Secure Software Testing, Software Acceptance, Software Deployment, Operations, Maintenance, and Disposal, and Supply Chain and Software Acquisition.

The Secure Software Concepts domain covers core concepts such as confidentiality, integrity, and availability, as well as security design principles like least privilege, separation of duties, and resiliency.