ISC2 Expert

CSSLP

Certified Secure Software Lifecycle Professional

The Certified Secure Software Lifecycle Professional (CSSLP) is an expert-level certification that validates expertise in incorporating security practices throughout each phase of the software development lifecycle (SDLC). The CSSLP demonstrates a practitioner's ability to develop secure software through knowledge of secure software concepts, secure development processes, and secure testing methodologies.

This certification covers five domains: Secure Software Concepts (10%), Secure Software Requirements (14%), Secure Software Architecture and Design (14%), Secure Software Implementation (12%), and Secure Software Testing and Deployment (50%). Candidates must demonstrate comprehensive knowledge of threat modeling, risk assessment, secure design principles, secure coding practices, security testing techniques, deployment security, supply chain security, and secure maintenance and disposal.

The CSSLP requires four years of cumulative paid work experience in one or more of the five domains of the CSSLP CBK. The exam consists of 125 multiple-choice and advanced innovative questions with a 3-hour time limit. This certification is ideal for software developers, application security specialists, DevSecOps engineers, QA testers, and anyone involved in building secure software systems.

Updated Sep 2024 Development

125

Вопросы

Пробные тесты

70%

Проходной балл

Просмотры

Всего попыток

Ср. балл

Процент сдачи

Обсуждения

Пробные тесты Карточки Темы экзамена Шпаргалка

€5.00

CSSLP Practice Exam 1

Comprehensive 50-question practice exam covering all five CSSLP domains: Secure Software Concepts, Secure Software Requirements, Secure Software Architecture and Design, Secure Software Implementation, and Secure Software Testing and Deployment.

50 Q 90 минут 70%

Тест-драйв

€5.00

CSSLP Practice Exam 2

50 Q 90 минут 70%

Тест-драйв

€5.00

CSSLP Practice Exam 3

50 Q 90 минут 70%

Тест-драйв

€5.00

CSSLP Practice Exam 4

50 Q 90 минут 70%

Тест-драйв

€5.00

CSSLP Practice Exam 5

50 Q 90 минут 70%

Тест-драйв

€5.00

CSSLP Practice Exam 6

50 Q 90 минут 70%

Тест-драйв

Разблокировать весь контент за CSSLP

6 Пробный(е) тест(ы) + Карточки для запоминания — Доступ на 3 месяца

€39.99 €26.99 Экономия 30%

или входит в подписку Monthly / Полный набор

CSSLP Cheat Sheet

Краткий справочник - 6 разделов

Бесплатный доступ

CSSLP Exam Details

Detail	Value
Exam Code	CSSLP
Full Name	Certified Secure Software Lifecycle Professional
Issuing Body	ISC2 (International Information System Security Certification Consortium)
Duration	3 hours (180 minutes)
Number of Questions	125 multiple-choice questions
Passing Score	700 out of 1000
Question Format	Multiple choice (single and multiple response)
Exam Fee	$599 USD
Delivery	Pearson VUE testing centers
Experience Requirement	4 years of cumulative paid work experience in one or more of the 8 CSSLP domains
CPE Requirement	40 CPE credits/year, 120 CPE credits over 3-year cycle

Domain Weight Breakdown

Domain	Weight
Domain 1: Secure Software Concepts	13%
Domain 2: Secure Software Lifecycle Management	11%
Domain 3: Secure Software Requirements	14%
Domain 4: Secure Software Architecture and Design	14%
Domain 5: Secure Software Implementation	14%
Domain 6: Secure Software Testing	14%
Domain 7: Secure Software Deployment, Operations, Maintenance	11%
Domain 8: Secure Software Supply Chain	9%

Who Should Take This Exam

Software developers and architects who need to embed security throughout the software development lifecycle
Application security engineers who perform secure code reviews, threat modeling, and security testing
DevSecOps engineers who integrate security tooling and practices into CI/CD pipelines
QA engineers and testers who validate security requirements and perform security-focused testing
Software project managers who need to understand secure SDLC practices and manage security requirements

Tip: CSSLP covers the entire software lifecycle from requirements through deployment and supply chain. Unlike application-specific certifications, it is technology-agnostic and focuses on secure software development principles that apply to any language, platform, or methodology.

Core Security Concepts

Concept	Definition	Software Example
Confidentiality	Ensuring information is accessible only to authorized parties	Encryption of data at rest and in transit, access control enforcement
Integrity	Ensuring data and systems are accurate and unaltered	Input validation, checksums, digital signatures, tamper detection
Availability	Ensuring systems and data are accessible when needed	Redundancy, load balancing, DoS protection, graceful degradation
Authentication	Verifying the identity of users or systems	MFA implementation, certificate-based auth, OAuth/OIDC
Authorization	Determining what authenticated users can do	RBAC, ABAC, permission checks at every access point
Accountability	Actions can be traced to individuals	Audit logging, non-repudiation, session tracking
Non-Repudiation	Preventing denial of having performed an action	Digital signatures, timestamped audit logs, transaction receipts

Secure Design Principles

Least Privilege: Grant only the minimum permissions needed to perform a function. Every process, user, and module should operate with the fewest privileges necessary
Separation of Duties: Critical operations require multiple parties to complete. Prevents single-point-of-compromise scenarios in both code and operations
Defense in Depth: Layer multiple security controls so that failure of one does not compromise the system. Combine network, application, data, and physical controls
Fail Secure (Fail Safe): When a system fails, it should default to a secure state. Deny access by default rather than granting it when errors occur
Economy of Mechanism: Keep security mechanisms as simple as possible. Complex code is harder to audit and more likely to contain vulnerabilities
Complete Mediation: Every access to every resource must be verified against the access control mechanism. No bypass paths should exist
Open Design: Security should not depend on the secrecy of the implementation (Kerckhoffs' principle). The algorithm can be public; the key must be secret
Psychological Acceptability: Security mechanisms should not make the resource significantly harder to use. If security is too burdensome, users will circumvent it

Secure SDLC Models

Model	Origin	Key Feature
Microsoft SDL	Microsoft	Security activities integrated into each SDLC phase, threat modeling emphasis
OWASP SAMM	OWASP	Software Assurance Maturity Model with 5 business functions and maturity levels
BSIMM	Synopsys	Descriptive model based on observed practices at real organizations
NIST SSDF (SP 800-218)	NIST	Secure Software Development Framework with practices and tasks
SAFECode	Industry consortium	Practical secure development guidance from major software vendors

Tip: Know the difference between prescriptive models (Microsoft SDL tells you what to do) and descriptive models (BSIMM describes what organizations actually do). OWASP SAMM is both prescriptive and measurable, making it ideal for maturity assessment.

Security Requirements Types

Security requirements define the security capabilities that software must have to protect against threats and comply with regulations. They should be gathered alongside functional requirements and traced throughout the development lifecycle. Incomplete or missing security requirements are a leading cause of software vulnerabilities because developers cannot implement controls they are not aware of.

Type	Description	Examples
Functional Security	What the software must do for security	Authenticate users, enforce access control, encrypt data, log events
Non-Functional Security	Quality attributes related to security	Performance under attack, reliability, scalability of security controls
Compliance Requirements	Regulatory and standard mandates	PCI DSS, HIPAA, GDPR, SOX requirements for the software
Abuse Cases / Misuse Cases	How attackers might misuse the system	SQL injection attempts, privilege escalation, data exfiltration scenarios

Threat Modeling

Methodology	Approach	Best For
STRIDE	Categorize threats: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege	General-purpose threat identification per component
DREAD	Risk rating: Damage, Reproducibility, Exploitability, Affected Users, Discoverability	Prioritizing threats by risk score
PASTA	Process for Attack Simulation and Threat Analysis — 7-stage risk-centric model	Business-aligned threat modeling with attack simulation
VAST	Visual, Agile, Simple Threat modeling for Agile/DevOps environments	Scalable threat modeling in CI/CD pipelines
Attack Trees	Hierarchical diagram of attack paths to a goal	Analyzing specific attack scenarios in depth

Tip: STRIDE is the most commonly tested threat modeling methodology on the CSSLP exam. Memorize each category and its corresponding mitigation: Spoofing → Authentication, Tampering → Integrity, Repudiation → Audit Logging, Info Disclosure → Encryption, DoS → Availability, EoP → Authorization.

Secure Architecture Patterns

Defense in Depth: Multiple layers of security controls (network, host, application, data) so that compromise of one layer does not expose the entire system
Zero Trust Architecture: Never trust, always verify. Every request is authenticated and authorized regardless of network location. Microsegmentation and continuous verification
Sandboxing: Isolate untrusted code in a restricted environment to limit the impact of exploitation. Used for plugins, user-uploaded content, and third-party code
Microservices Security: Each service has its own security boundary, authentication, and authorization. API gateways handle cross-cutting security concerns
Secure API Design: Authentication (API keys, OAuth tokens), rate limiting, input validation, output encoding, versioning, and TLS enforcement for all API endpoints

Data Protection in Architecture

State	Protection Method	Implementation
Data at Rest	Encryption (AES-256), tokenization, hashing	Database encryption, file system encryption, key management
Data in Transit	TLS 1.2+, certificate pinning, mutual TLS	HTTPS enforcement, API transport security, secure WebSocket
Data in Use	Memory protection, secure enclaves, process isolation	Trusted execution environments, runtime encryption, memory scrubbing

OWASP Top 10 Vulnerabilities

Vulnerability	Description	Mitigation
A01: Broken Access Control	Users can act outside intended permissions	Server-side enforcement, deny by default, RBAC, CORS restrictions
A02: Cryptographic Failures	Sensitive data exposed due to weak crypto	Strong algorithms (AES-256, SHA-256+), proper key management, TLS
A03: Injection	Untrusted data sent as part of commands/queries	Parameterized queries, input validation, ORM usage, output encoding
A04: Insecure Design	Missing or ineffective security architecture	Threat modeling, secure design patterns, abuse cases, design reviews
A05: Security Misconfiguration	Default configs, open cloud storage, verbose errors	Hardening guides, automated config scanning, minimal installs
A06: Vulnerable Components	Using components with known vulnerabilities	SCA tools, dependency scanning, SBOM, automated patching
A07: Auth & Identification Failures	Broken authentication mechanisms	MFA, session management, credential storage (bcrypt/Argon2)
A08: Software & Data Integrity	Assumptions about integrity without verification	Digital signatures, integrity checks, CI/CD pipeline security
A09: Logging & Monitoring Failures	Insufficient logging, detection, and alerting	Comprehensive audit logs, SIEM integration, alerting rules
A10: SSRF	Server-Side Request Forgery via manipulated URLs	Input validation, allowlists, network segmentation, disable redirects

Secure Coding Practices

Input Validation: Validate all input on the server side using allowlists (not denylists). Check data type, length, range, and format. Reject invalid input rather than attempting to sanitize it
Output Encoding: Encode all output based on the context (HTML encoding, URL encoding, JavaScript encoding, CSS encoding) to prevent XSS and injection attacks
Parameterized Queries: Use prepared statements with parameterized queries for all database interactions. Never concatenate user input into SQL strings
Error Handling: Implement centralized error handling that logs detailed errors internally but shows generic messages to users. Never expose stack traces, database details, or internal paths
Session Management: Use cryptographically random session IDs, enforce timeouts, regenerate IDs after authentication, protect with Secure and HttpOnly flags
Memory Management: Prevent buffer overflows by using safe functions, bounds checking, and memory-safe languages where possible. Clear sensitive data from memory after use

Tip: The most effective defense against injection attacks is parameterized queries (prepared statements). Input validation is important but should be a secondary defense. The CSSLP exam favors defense-in-depth approaches that combine multiple controls.

Cryptography in Software

Use Case	Recommended Algorithm	Avoid
Symmetric encryption	AES-256 (GCM mode preferred)	DES, 3DES, RC4, ECB mode
Asymmetric encryption	RSA-2048+, ECC (P-256+)	RSA-1024, DSA
Hashing	SHA-256, SHA-3	MD5, SHA-1
Password storage	Argon2id, bcrypt, scrypt	Plain text, MD5, SHA without salt, single SHA iteration
Key exchange	ECDHE, DH-2048+	Static DH, RSA key transport (no PFS)

Security Testing Methods

Method	Type	When Used	What It Finds
SAST (Static Analysis)	White-box (source code)	During development/build	Code-level vulnerabilities (SQL injection, XSS, buffer overflows)
DAST (Dynamic Analysis)	Black-box (running application)	Testing/staging environment	Runtime vulnerabilities (authentication flaws, misconfigurations)
IAST (Interactive Analysis)	Combined (instrumented runtime)	During functional testing	Both code-level and runtime issues with precise location
SCA (Software Composition)	Component analysis	Build/CI pipeline	Known vulnerabilities in third-party dependencies
Fuzz Testing	Input mutation	Testing phase	Unexpected behavior from malformed input (crashes, hangs)
Penetration Testing	Adversarial simulation	Pre-release / production	Exploitable vulnerabilities through attacker simulation

Security in CI/CD Pipelines

Pre-Commit: IDE security plugins, secret scanning (detect API keys, passwords in code), pre-commit hooks for security linting
Build Phase: SAST scanning integrated into build process, SCA for dependency vulnerabilities, container image scanning, SBOM generation
Test Phase: DAST scanning against deployed test environment, IAST during automated functional tests, security-focused unit and integration tests
Release Phase: Final security gate review, sign artifacts with digital signatures, verify compliance with security policies before deployment approval
Deploy Phase: Infrastructure as Code (IaC) security scanning, runtime application self-protection (RASP), configuration validation
Monitor Phase: Runtime monitoring, WAF, SIEM integration, anomaly detection, vulnerability disclosure program

Tip: The CSSLP exam tests the concept of “shifting security left” — integrating security testing as early as possible in the SDLC. Finding a vulnerability in code review costs 10x less than finding it in production. SAST in the IDE is the earliest possible point.

Secure Deployment Practices

Practice	Description
Environment Hardening	Remove unnecessary services, close unused ports, apply CIS benchmarks, disable debug mode
Configuration Management	Infrastructure as Code, immutable infrastructure, version-controlled configurations
Secrets Management	Use vault services (HashiCorp Vault, AWS Secrets Manager), never hardcode credentials
Artifact Integrity	Sign build artifacts with digital signatures, verify checksums before deployment
Rollback Capability	Maintain ability to quickly revert to previous known-good version if security issues arise

Secure Operations and Maintenance

Patch Management: Establish patching SLAs based on severity (critical: 24-48 hours, high: 7 days, medium: 30 days). Test patches before production deployment
Vulnerability Management: Regular scanning, risk-based prioritization, tracking to remediation, and verification of fixes
Incident Response: Documented procedures for security incidents affecting the application. Include containment, evidence collection, and communication plans
End of Life (EOL): Secure decommissioning procedures including data sanitization, certificate revocation, DNS cleanup, and user notification

Software Supply Chain Security

Software supply chain security has become a critical domain following high-profile attacks like SolarWinds, Log4Shell, and Codecov. The CSSLP exam tests your understanding of risks inherent in using third-party components, open-source libraries, and development tools, as well as the controls needed to secure the entire software supply chain from development to delivery.

Control	Description	Purpose
SBOM (Software Bill of Materials)	Complete inventory of all components, libraries, and dependencies	Visibility into what is in the software for vulnerability tracking
SCA (Software Composition Analysis)	Automated scanning for known vulnerabilities in dependencies	Detect and alert on vulnerable third-party components
Code Signing	Digital signatures on code and artifacts to verify authenticity	Ensure code has not been tampered with in transit or storage
Vendor Assessment	Evaluate security practices of third-party providers	Ensure vendors meet security requirements before integration
SLSA Framework	Supply-chain Levels for Software Artifacts (Google)	Graduated security levels for build integrity and provenance
Reproducible Builds	Same source always produces identical binary output	Verify build process has not been compromised

SAST vs DAST vs IAST vs SCA

Feature	SAST	DAST	IAST	SCA
Analyzes	Source code	Running app	Instrumented app	Dependencies
When	Build time	Test/staging	During testing	Build time
False Positives	High	Low	Low	Low
Coverage	All code paths	Only reachable paths	Exercised paths	All declared deps
Language Dependent	Yes	No	Yes	Package manager

Exam Day Strategy

Lifecycle mindset: Every question relates to a phase of the secure SDLC. Identify which phase is being discussed to narrow your answer choices
Defense in depth: When multiple controls are listed, prefer the answer that combines preventive and detective controls rather than relying on a single mechanism
Prevention over detection: Input validation prevents injection. WAFs detect and block. Parameterized queries eliminate the vulnerability entirely. The CSSLP prefers elimination over mitigation
Know STRIDE thoroughly: Be able to map any threat to its STRIDE category and recommend the corresponding countermeasure
OWASP Top 10 mastery: Know each vulnerability, its root cause, and the primary mitigation. This knowledge applies across multiple domains
Supply chain is growing: This domain is gaining importance. Know SBOM, SCA, code signing, and the concept of software provenance

Tip: The CSSLP exam is challenging because it covers both security concepts and software development practices. Unlike the CISSP which is management-focused, the CSSLP expects technical depth in areas like cryptography, secure coding, and testing methodologies. Focus on understanding WHY each control works, not just what it does.

CSSLP

Certified Secure Software Lifecycle Professional

CSSLP Practice Exam 1

CSSLP Practice Exam 2

CSSLP Practice Exam 3

CSSLP Practice Exam 4

CSSLP Practice Exam 5

CSSLP Practice Exam 6

Разблокировать весь контент за CSSLP

Предпросмотр (10 / 120)

Карточки для запоминания

Доступные языки

Темы экзамена

CSSLP Cheat Sheet

CSSLP Exam Details

Domain Weight Breakdown

Who Should Take This Exam

Core Security Concepts

Secure Design Principles

Secure SDLC Models

Security Requirements Types

Threat Modeling

Secure Architecture Patterns

Data Protection in Architecture

OWASP Top 10 Vulnerabilities

Secure Coding Practices

Cryptography in Software

Security Testing Methods

Security in CI/CD Pipelines

Secure Deployment Practices

Secure Operations and Maintenance

Software Supply Chain Security

SAST vs DAST vs IAST vs SCA

Exam Day Strategy