Edition:
Authors: Arthur Conklin
Series:
ISBN: 9780071760256, 0071760261
Publisher: McGraw-Hill Education
Year of publication: 2014
Number of pages: 657
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on the user's request)
File size: 4 MB
If you need the CSSLP Certification All-in-One Exam Guide file converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support to convert the requested file.
Note that CSSLP Certification All-in-One Exam Guide is the original-language edition and not a Persian translation. The International Library website provides original-language books only and offers no books translated into or written in Persian.
Table of contents

Title Page
Copyright Page
About the Authors
About the Technical Editor
Contents at a Glance
Contents
Acknowledgments
Introduction
  Why Focus on Software Development? The Role of CSSLP How to Use This Book The Examination Exam Readiness Checklist

Part I: Secure Software Concepts
Chapter 1: General Security Concepts
  The CSSLP Knowledge Base General Security Concepts Security Basics Accounting (Auditing) System Tenets Secure Design Principles Security Models Access Control Models Multilevel Security Model Integrity Models Information Flow Models Adversaries Adversary Type Adversary Groups Threat Landscape Shift Chapter Review Quick Tips Questions Answers
Chapter 2: Risk Management
  Definitions and Terminology General Terms Quantitative Terms Risk Management Statements Types of Risk Business Risk Technology Risk Risk Controls Qualitative Risk Management Qualitative Matrix Quantitative Risk Management Comparison of Qualitative and Quantitative Methods Governance, Risk, and Compliance Regulations and Compliance Legal Standards Risk Management Models General Risk Management Model Software Engineering Institute Model Model Application Risk Options Chapter Review Quick Tips Questions Answers
Chapter 3: Security Policies and Regulations
  Regulations and Compliance FISMA Sarbanes-Oxley Gramm-Leach-Bliley HIPAA and HITECH Payment Card Industry Data Security Standard (PCI DSS) Other Regulations Legal Issues Intellectual Property
Chapter 4: Software Development Methodologies
  Secure Development Lifecycle Principles Security vs. Quality Security Features != Secure Software Secure Development Lifecycle Components Software Team Awareness and Education Gates and Security Requirements Bug Tracking Threat Modeling Fuzzing Security Reviews

Part II: Secure Software Requirements
Chapter 5: Policy Decomposition
  Confidentiality, Integrity, and Availability Requirements Confidentiality Integrity Availability Authentication, Authorization, and Auditing Requirements Identification and Authentication Authorization Auditing Internal and External Requirements Internal External Chapter Review Quick Tips Questions Answers
Chapter 6: Data Classification and Categorization
  Data Classification Data States Data Usage Data Risk Impact Data Ownership Data Owner Data Custodian Labeling Sensitivity Impact Types of Data Structured Unstructured Data Lifecycle Generation Retention Disposal Chapter Review Quick Tips Questions Answers
Chapter 7: Requirements
  Functional Requirements Role and User Definitions Objects Activities/Actions Subject-Object-Activity Matrix Use Cases Abuse Cases (Inside and Outside Adversaries) Sequencing and Timing Secure Coding Standards Operational Requirements Deployment Environment Requirements Traceability Matrix Chapter Review Quick Tips Questions Answers

Part III: Secure Software Design
Chapter 8: Design Processes
  Attack Surface Evaluation Attack Surface Measurement Attack Surface Minimization Threat Modeling Threat Model Development Control Identification and Prioritization Risk Assessment for Code Reuse
Chapter 9: Design Considerations
  Application of Methods to Address Core Security Concepts Confidentiality, Integrity, and Availability Authentication, Authorization, and Auditing Secure Design Principles Interconnectivity Interfaces Chapter Review Quick Tips Questions Answers
Chapter 10: Securing Commonly Used Architecture
  Distributed Computing Client Server Peer-to-Peer Message Queuing Service-Oriented Architecture Enterprise Service Bus Web Services Rich Internet Applications Client-Side Exploits or Threats Remote Code Execution
Chapter 11: Technologies
  Authentication and Identity Management Identity Management Authentication Credential Management X.509 Credentials Single Sign-On Flow Control (Proxies, Firewalls, Middleware) Firewalls Proxies Application Firewalls Queuing Technology Logging Syslog Data Loss Prevention Virtualization Digital Rights Management Trusted Computing TCB TPM Malware Code Signing Database Security Encryption Triggers Views Privilege Management Programming Language Environment CLR JVM Compiler Switches Sandboxing Managed vs. Unmanaged Code Operating Systems Embedded Systems Control Systems Firmware Chapter Review Quick Tips Questions Answers

Part IV: Secure Software Implementation/Coding
Chapter 12: Common Software Vulnerabilities and Countermeasures
  CWE/SANS Top 25 Vulnerability Categories OWASP Vulnerability Categories Common Vulnerabilities and Countermeasures Injection Attacks Cryptographic Failures Input Validation Failures Buffer Overflow Canonical Form Missing Defense Functions General Programming Failures Common Enumerations Common Weakness Enumerations (CWE) Common Vulnerabilities and Exposures (CVE) Virtualization Embedded Systems Side Channel Social Engineering Attacks Phishing Chapter Review Quick Tips Questions Answers
Chapter 13: Defensive Coding Practices
  Declarative vs. Programmatic Security Bootstrapping Cryptographic Agility Handling Configuration Parameters Memory Management Type Safe Practice Locality Error Handling Exception Management Interface Coding Primary Mitigations Chapter Review Quick Tips Questions Answers
Chapter 14: Secure Software Coding Operations
  Code Analysis (Static and Dynamic) Static Dynamic Code/Peer Review Build Environment Integrated Development Environment (IDE) Antitampering Techniques Configuration Management: Source Code and Versioning Chapter Review Quick Tips Questions Answers

Part V: Secure Software Testing
Chapter 15: Security Quality Assurance Testing
  Standards for Software Quality Assurance ISO 9216 SSE-CMM OSSTMM Functional Testing Unit Testing Integration or Systems Testing Performance Testing Security Testing White-Box Testing Black-Box Testing Grey-Box Testing
Chapter 16: Security Testing
  Scanning Attack Surface Analyzer Penetration Testing Fuzzing Simulation Testing Testing for Failure Cryptographic Validation FIPS 140-2 Regression Testing

Part VI: Secure Software Acceptance
Chapter 17: Secure Software Acceptance
  Introduction to Acceptance Software Qualification Testing Qualification Testing Plan The Qualification Testing Hierarchy Pre-release Activities Implementing the Pre-release Testing Process Completion Criteria Risk Acceptance Post-release Activities Validation and Verification Independent Testing Chapter Review Quick Tips Questions Answers

Part VII: Secure Software Installation, Deployment, Operations, Maintenance, and Disposal
Chapter 18: Secure Software Installation and Deployment
  Secure Software Installation and Its Subsequent Deployment Installation Validation and Verification Planning for Operational Use Configuration Management Organizing the Configuration Management Process Configuration Management Roles The Configuration Management Plan The Configuration Management Process Chapter Review Quick Tips Questions Answers
Chapter 19: Secure Software Operations and Maintenance
  Secure Software Operations Operation Process Implementation The Software Maintenance Process Monitoring Incident Management Problem Management Change Management Backup, Recovery, and Archiving Secure Software Disposal Software Disposal Planning Software Disposal Execution Chapter Review Quick Tips Questions Answers
Chapter 20: Supply Chain and Software Acquisition
  Supplier Risk Assessment What Is Supplier Risk Assessment? Risk Assessment for Code Reuse Intellectual Property Legal Compliance Supplier Prequalification Supplier Sourcing Contractual Integrity Controls Vendor Technical Integrity Controls for Third-party Suppliers Managed Services Service Level Agreements Software Development and Testing Code Testing Security Testing Controls Software Requirements Testing and Validation Software Requirements Testing and Validation for Subcontractors Software Delivery, Operations, and Maintenance Chain of Custody Publishing and Dissemination Controls Systems-of-systems Integration Software Authenticity and Integrity Product Deployment and Sustainment Controls Monitoring and Incident Management Vulnerability Management, Tracking, and Resolution Supplier Transitioning Chapter Review Quick Tips Questions Answers

Appendix A: About the Download
  Downloadable MasterExam System Requirements MasterExam Help Removing Installation Technical Support LearnKey Technical Support McGraw-Hill Education Technical Support and Customer Service
Appendix B: Practice Exam
Glossary
Index

Further section entries (listed after the index in the source):
  Privacy Privacy Policy Personally Identifiable Information Personal Health Information Breach Notifications Data Protection Principles Security Standards ISO NIST Secure Software Architecture Security Frameworks Trusted Computing Principles Trusted Computing Base Trusted Platform Module Microsoft Trustworthy Computing Initiative Acquisition Definitions and Terminology Build vs. Buy Decision Outsourcing Contractual Terms and Service Level Agreements Chapter Review Quick Tips Questions Answers Software Development Models Waterfall Spiral Prototype Agile Methods Open Source Microsoft Security Development Lifecycle History SDL Foundation SDL Components Chapter Review Quick Tips Questions Answers Documentation Design and Architecture Technical Review Chapter Review Quick Tips Questions Answers Pervasive/Ubiquitous Computing Wireless Location-Based Constant Connectivity Radio Frequency Identification Near-Field Communication Sensor Networks Mobile Applications Integration with Existing Architectures Cloud Architectures Software as a Service Platform as a Service Infrastructure as a Service Chapter Review Quick Tips Questions Answers Environment Bug Tracking Defects Errors Vulnerabilities Bug Bar Attack Surface Validation Testing Artifacts Test Data Lifecycle Management Chapter Review Quick Tips Questions Answers Impact Assessment and Corrective Action Chapter Review Quick Tips Questions Answers