ISC2, ISC Self-Paced

Certified Secure Software Lifecycle Professional – Self-paced (Incl. Exam Voucher)

CY-CSSLP-SP

Type

Skill Level

ISC2: Advanced

Available dates

Learning Path

Cybersecurity

Virtual

Duration

6 Months

1 Day

LEARNING PATH

Cybersecurity

SKILL LEVEL

ISC2: Advanced

DURATION

6 Months

AVAILABLE DATES

Choose date

R38 500,00

Price excluding VAT

Introduction

The Certified Secure Software Lifecycle Professional (CSSLP) is a global, vendor-neutral certification to recognize those with leading software and application security skills. The CSSLP recognizes your expertise and ability to incorporate security practices — authentication, authorization and auditing — into each phase of the SDLC.

Audience profile

The CSSLP is ideal for software development and security professionals responsible for applying best practices to each phase of the SDLC – from software design and implementation to testing and deployment – including those in the following positions:

Software Architect
Software Engineer
Software Developer
Application Security Specialist/Manager/Architect
Software Program Manager
Quality Assurance Tester
Penetration Tester/Testing Manager
Software Procurement Analyst
Project Manager
Security Manager
IT Director/Manager

Pre-requisites

The knowledge and skills that a learner must have before attending this course is as follows:

Candidates must have a minimum of four years of cumulative paid Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the ISC2 CSSLP Common Body of Knowledge (CBK)
Earning a four-year college degree or regional equivalent in Computer Science, Information Technology (IT) or related fields or an additional credential from the ISC2 approved list will satisfy one year of the required experience
Education credit will only satisfy one year of experience
Part-time work and internships may also count towards your experience
Fulltime Experience: Your work experience is accrued monthly

Thus, you must have worked a minimum of 35 hours/week for four weeks to accrue one month of work experience
Part-Time Experience: Your part-time experience cannot be less than 20 hours a week and no more than 34 hours a week
1040 hours of part-time = 6 months of full-time experience
2080 hours of part-time = 12 months of full-time experience
Internship: Paid or unpaid internship is acceptable. You will need documentation on company/organisation letterhead confirming your position as an intern. If you are interning at a school, the document can be on the registrar’s stationery

What is Online Self-Paced Training?

ISC2 Self-Paced Training enables a flexible and engaging learning experience which gives you the freedom and confidence to move ahead on your schedule, without sacrificing quality for convenience. Throughout the entire learning experience, you have on-demand access to interactive learning content and industry topics to reinforce the material and increase your knowledge retention. Course activities which draw from real-world scenarios and a learning Plan helps you stay on track with your studies and help you prepare for your ISC2 certification exam.

What is included?

180-day access to official course content
Video-based instructional content
Knowledge checks
Practical assessment
Key takeaway resources for each domain
Online interactive flash cards
New glossary
New digital eTextbook
Instructor email support

How is the Self-Paced Course Accessed?

An access key and instructions will be sent via email after your purchase is complete.

You may then login anytime, here.

Course objectives

On completion of this program, the participants will be able to:

Understand and apply the concepts of risk assessment, risk analysis, data classification, and security awareness and Implement risk management and the principles used to support it (Risk avoidance, Risk acceptance, Risk mitigation, Risk transference)
Apply a comprehensive and rigorous method for describing a current and/or future structure and behaviour for an organisation’s security processes, information security systems, personnel, and organisational sub-units so that these practices and processes align with the organisation’s core goals and strategic direction and address the frameworks and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets, as well as to assess the effectiveness of that protection and establish the foundation of a comprehensive and proactive security program to ensure the protection of an organisation’s information assets
Apply a comprehensive and rigorous method for describing a current and/or future structure and behaviour for an organisation’s security processes, information security systems, personnel, and organisational sub-units so that these practices and processes align with the organisation’s core goals and strategic direction and examine the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality, and authenticity
Understand the structures, transmission methods, transport formats, and security measures used to provide confidentiality, integrity, and availability for transmissions over private and public communications networks and media and identify risks that can be quantitatively and qualitatively measured to support the building of business cases to drive proactive security in the enterprise
Offer greater visibility into determining who or what may have altered data or system information, potentially affecting the integrity of those asset and match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, allowing organisations to have a better understanding of the state of their security posture
Plan for technology development, including risk, and evaluate the system design against mission requirements, and identify where competitive prototyping and other evaluation techniques fit in the process
Protect and control information processing assets in centralized and distributed environments and execute the daily tasks required to keep security services operating reliably and efficiently
Understand the Software Development Life Cycle (SDLC) and how to apply security to it and identify which security control(s) are appropriate for the development environment, and assess the effectiveness of software security

Exam Domains

Domain 1: Secure Software Concepts

Domain 2: Secure Software Requirements

Domain 3: Secure Software Architecture and Design

Domain 4: Secure Software Implementation

Domain 5: Secure Software Testing

Domain 6: Secure Software Lifecycle Management

Domain 7: Secure Deployment, Operations, Maintenance

Domain 8: Software Supply Chain

Course content

Domain 1: Secure Software Concepts
Understand core concepts: Confidentiality (e.g., encryption) Integrity (e.g., hashing, digital signatures, code signing, reliability, modifications, authenticity) Availability (e.g., redundancy, replication, clustering, scalability, resiliency) Authentication (e.g., multi-factor authentication (MFA), identity & access management (IAM), single sign-on (SSO), federated identity, biometrics)	Authorization (e.g., access controls, permissions, entitlements) Accountability (e.g., auditing, logging) Nonrepudiation (e.g., digital signatures, block chain) Governance, risk and compliance (GRC) standards (e.g., regulatory authority, legal, industry)
Understand security design principles: Least privilege (e.g., access control, need-to-know, run-time privileges, Zero Trust) Segregation of Duties (SoD) (e.g., multi-party control, secret sharing, split knowledge) Defence in depth (e.g., layered controls, geographical diversity, technical diversity, distributed systems) Resiliency (e.g., fail safe, fail secure, no single point of failure, failover) Economy of mechanism (e.g., single sign-on (SSO), password vaults, resource efficiency) Component reuse (e.g., common controls, libraries)	Complete mediation (e.g., cookie management, session management, caching of credentials) Open design (e.g., Kerckhoffs’s principle, peer review, open source, crowd source) Least common mechanism (e.g., compartmentalization/isolation, allow/accept list) Psychological acceptability (e.g., password complexity, passwordless authentication, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA))
Domain 2: Secure Software Requirements
Manage security within a software development methodology (e.g., Agile, waterfall)	Identify and adopt security standards (e.g., implementing security frameworks, promoting security awareness)
Outline strategy and roadmap: Security milestones and checkpoints (e.g., control gate, break/build criteria)	Define and develop security documentation
Define security metrics (e.g., criticality level, average remediation time, complexity, Key Performance Indicators (KPI), objectives and key results)	Decommission applications: End of Life (EOL) policies (e.g., credential removal, configuration removal, license cancellation, archiving, service-level agreements (SLA)) Data disposition (e.g., retention, destruction, dependencies)
Incorporate integrated risk management methods: Regulations, standards and guidelines (e.g., International Organisation for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security in Maturity Model (BSIMM))	Legal (e.g., intellectual property, breach notification) Risk management (e.g., risk assessment, risk analysis) Technical risk vs. business risk
Implement secure operation practices: Change management process Incident response plan Verification and validation Assessment and Authorization (A&A) process	Create security reporting mechanisms (e.g., reports, dashboards, feedback loops)
Domain 3: Secure Software Architecture and Design
Define software security requirements: Functional (e.g., business requirements, use cases, stories) Non-functional (e.g., security, operational, continuity, deployment)	Identify compliance requirements: Regulatory authority Legal Industry-specific (e.g., defence, healthcare, commercial, financial, Payment Card Industry (PCI)) Company-wide (e.g., development tools, standards, frameworks, protocols)
Identify data classification requirements: Data ownership (e.g., data dictionary, data owner, data custodian) Data labelling (e.g., sensitivity, impact) Data types (e.g., structured, unstructured) Data lifecycle (e.g., generation, storage, retention, disposal) Data handling (e.g., personally identifiable information (PII), publicly available information)	Identify privacy requirements: Data collection scope Data anonymization (e.g., pseudo-anonymous, fully anonymous) User rights (legal) and preferences (e.g., data disposal, right to be forgotten, marketing preferences, sharing and using third parties, terms of service) Data retention (e.g., how long, where, what) Cross-border requirements (e.g., data residency, jurisdiction, multi-national data processing boundaries)
Define data access provisioning: User provisioning Service accounts Re-approval process	Develop misuse and abuse: Mitigating control identification
Develop security requirement traceability matrix	Define third-party vendor security requirements
Domain 4: Secure Software Implementation
Define the security architecture: Secure architecture and design patterns (e.g., Sherwood Applied Business Security Architecture (SABSA), security chain of responsibility, federated identity) Security controls identification and prioritization Distributed computing (e.g., client server, peer-to-peer (P2P), message queuing, N-tier) Service-oriented architecture (SOA) (e.g., enterprise service bus, web services, microservices) Rich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity) Pervasive/ubiquitous computing (e.g., Internet of Things (IoT), wireless, location-based, Radio-Frequency Identification (RFID), Near Field Communication (NFC), sensor networks, mesh)	Embedded software (e.g., secure boot, secure memory, secure update) Cloud architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)) Mobile applications (e.g., implicit data collection privacy) Hardware platform concerns (e.g., side-channel mitigation, speculative execution mitigation, secure element, firmware, drivers) Cognitive computing (e.g., artificial intelligence (AI), virtual reality, augmented reality) Industrial Internet of Things (IoT) (e.g., facility-related, automotive, robotics, medical devices, software-defined production processes)
Perform secure interface design: Security management interfaces, out-of-band management, log interfaces Upstream/downstream dependencies (e.g., key and data sharing between apps) Protocol design choices (e.g., application programming interfaces (API), weaknesses, state, models)	Define secure operational architecture (e.g., deployment topology, operational interfaces, Continuous Integration and Continuous Delivery (CI/CD))
Evaluate and select reusable technologies: Credential management (e.g., X.509, single sign-on (SSO)) Flow control (e.g., proxies, firewalls, protocols, queuing) Data loss prevention (DLP) Virtualization (e.g., Infrastructure as code (IaC), hypervisor, containers) Trusted computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB)) Secure data retention, retrieval, and destruction	Database security (e.g., encryption, triggers, views, privilege management, secure connections) Programming language environment (e.g., common language runtime, Java virtual machine (VM), Python, PowerShell) Operating system (OS) controls and services Secure backup and restoration planning
Perform threat modelling: Threat modelling methodologies (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Process for Attack Simulation and Threat Analysis (PASTA), Hybrid Threat Modelling Method, Common Vulnerability Scoring System (CVSS))	Common threats (e.g., advanced persistent threat (APT), insider threat, common malware, third-party suppliers) Attack surface evaluation Threat analysis Threat intelligence (e.g., identify credible relevant threats, predict)
Perform architectural risk assessment and design reviews	Model (non-functional) security properties and constraints
Domain 5: Secure Software Testing
Adhere to relevant secure coding practices (e.g., standards, guidelines, regulations): Declarative versus imperative (programmatic) security Concurrency (e.g., thread safety, database concurrency controls) Input validation and sanitization Error and exception handling Output sanitization (e.g., encoding, obfuscation) Secure logging & auditing (e.g., confidentiality, privacy) Session management Access control (e.g., trust zones, function permissions, role-based access control (RBAC), discretionary access control (DAC), mandatory access control (MAC))	Trusted/untrusted application programming interfaces (API), and libraries Resource management (e.g., compute, storage, network, memory management) Secure configuration management (e.g., baseline security configuration, credentials management) Tokenization Isolation (e.g., sandboxing, virtualization, containerization, Separation Kernel Protection Profiles) Cryptography (e.g., payload, field level, transport, storage, agility, encryption, algorithm selection) Processor microarchitecture security extensions
Analyse code for security risks: Secure code reuse Vulnerability databases/lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumerations (CWE), SANS Top 25 Most Dangerous Software Errors)	Static application security testing (SAST) (e.g., automated code coverage, linting) Manual code review (e.g., peer review) Inspect for malicious code (e.g., backdoors, logic bombs, high entropy)
Implement security controls (e.g., watchdogs, file integrity monitoring, anti-malware)	Address the identified security risks (e.g., risk strategy)
Evaluate and integrate components: Systems-of-systems integration (e.g., trust contracts, security testing, analysis) Reusing third-party code or open-source libraries in a secure manner (e.g., software composition analysis)	Apply security during the build process: Anti-tampering techniques (e.g., code signing, obfuscation) Compiler switches Address compiler warnings
Domain 6: Secure Software Lifecycle Management
Develop security testing strategy & plan: Standards (e.g., International Organisation for Standardization (ISO), Open-Source Security Testing Methodology Manual, Software Engineering Institute) Functional security testing (e.g., logic) Security researcher outreach (e.g., bug bounties)	Nonfunctional security testing (e.g., reliability, performance, scalability) Testing techniques (e.g., known environment testing, unknown environment testing, functional testing, acceptance testing) Testing environment (e.g., interoperability, test harness)
Develop security test cases: Attack surface validation Automated vulnerability testing (e.g., dynamic application security testing (DAST), interactive application security testing (IAST)) Penetration tests (e.g., security controls, known vulnerabilities, known malware) Fuzzing (e.g., generated, mutated) Integration tests Continuous testing	Simulation (e.g., simulating production environment and production data, synthetic transactions) Failure (e.g., fault injection, stress testing, break testing)) Cryptographic validation (e.g., pseudorandom number generators, entropy) Unit testing and code coverage Regression tests Misuse and abuse test cases
Verify and validate documentation (e.g., installation and setup instructions, error messages, user guides, release notes)	Identify undocumented functionality
Analyse security implications of test results (e.g., impact on product management, prioritization, break/build criteria)	Classify and track security errors: Bug tracking (e.g., defects, errors and vulnerabilities) Risk scoring (e.g., Common Vulnerability Scoring System (CVSS))
Secure test data: Generate test data (e.g., referential integrity, statistical quality, production representative) Reuse of production data (e.g., obfuscation, sanitization, anonymization, tokenization, data aggregation mitigation)	Perform verification and validation testing (e.g., independent/internal verification and validation, acceptance test)
Domain 7: Secure Software Deployment, Operations, Maintenance
Perform operational risk analysis: Deployment environment (e.g., staging, production, quality assurance (QA)) Personnel training (e.g., administrators vs. users) Legal compliance (e.g., adherence to guidelines, regulations, privacy laws, copyright, etc.) System integration	Secure configuration and version control: Hardware Baseline configuration Version control/patching Documentation practices
Release software securely: Secure Continuous Integration and Continuous Delivery (CI/CD) pipeline (e.g., DevSecOps) Application security toolchain Build artifact verification (e.g., code signing, hashes)	Store and manage security data: Credentials Secrets Keys/certificates Configurations
Ensure secure installation: Secure boot (e.g., key generation, access, management) Least privilege Environment hardening (e.g., configuration hardening, secure patch/updates, firewall)	Secure provisioning (e.g., credentials, configuration, licensing, Infrastructure as code (IaC)) Security policy implementation
Obtain security approval to operate (e.g., risk acceptance, sign-off at appropriate level)	Perform patch management (e.g. secure release, testing)
Perform vulnerability management (e.g., tracking, triaging, Common Vulnerabilities and Exposures (CVE))	Incorporate runtime protection (e.g., Runtime Application Self Protection (RASP), web application firewall (WAF), Address Space Layout Randomization (ASLR), dynamic execution prevention)
Integrate service level objectives and service-level agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)	Support continuity of operations: Backup, archiving, retention Disaster recovery plan (DRP) Resiliency (e.g., operational redundancy, erasure code, survivability, denial-of-service (DoS)) Business continuity plan (BCP)
Perform information security continuous monitoring: Observable data (e.g., logs, events, telemetry, trace data, metrics) Threat intelligence	Intrusion detection/response Regulation and privacy changes Integration analysis (e.g., security information and event management (SIEM))
Execute the incident response plan: Incident triage Forensics Remediation Root cause analysis
Domain 8: Secure Software Supply Chain
Implement software supply chain risk management (e.g., International Organisation for Standardization (ISO), National Institute of Standards and Technology (NIST)): Identification and selection of the components	Risk assessment of the components (e.g., mitigate, accept) Maintaining third-party components list (e.g., software bill of materials) Monitoring for changes and vulnerabilities
Analyse security of third-party software: Certifications Assessment reports (e.g., cloud controls matrix) Origin and support	Support contractual requirements (e.g., intellectual property ownership, code escrow, liability, warranty, End-User License Agreement (EULA), service-level agreements (SLA))
Verify pedigree and provenance: Secure transfer (e.g., chain of custody, authenticity, integrity) System sharing/interconnections Code repository security	Build environment security Cryptographically hashed, digitally signed components Right to audit
Ensure and verify supplier security requirements in the acquisition process: Audit of security policy compliance (e.g., secure software development practices) Vulnerability/incident notification, response, coordination, and reporting	Maintenance and support structure (e.g., community versus commercial, licensing) Security track record Scope of testing (e.g., shared responsibility model) Log integration into security information and event management (SIEM)

Benefits of Certified Secure Software Lifecycle Professional

For the Individual:

Instant credibility: Proves subject matter expertise in application security and shows desirable skills for employers around the world
Increased compensation: Can lead to pay gains and “skill premiums”
Relevant, new knowledge: Expand security knowledge, affirm expertise. Continuing education helps keep skills current and relevant
Versatile skills: Vendor-neutral so skills can be applied to different technologies and methodologies
A broader perspective: Holistic understanding of best practices, policies and procedures throughout the software development life cycle; skills to advise others on how to build secure software
Better protect the organisation: Keep sensitive data safe through secure coding practices

For the Organisation:

Protect reputation: Reduce loss of revenue and reputation due to a breach resulting from insecure software
Improve processes: Break the “penetrate and patch” test approach
Save money: Reduce production cost, vulnerabilities and delivery delays
Gain instant credibility: Increases credibility of the organisation and its development team.
Stay current: Ensures professionals are up to date on best practices, policies and procedures through continuing professional education requirements
Ensure compliance: Comply with government and industry regulations (DoD 8140.01/8570.01 approved)

Associated certifications and exam

Associate of ISC2: A candidate who doesn’t have the required experience may become an Associate of ISC2 by successfully passing the CSSLP examination. The Associate of ISC2 will then have five years to earn the four years of cumulative paid Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the ISC2 CSSLP Common Body of Knowledge (CBK).

Exam Details	Certified Secure Software Lifecycle Professional (CSSLP)
Exam Title	CSSLP
Number of Questions/Practical Challenges	125 Questions
Test Duration	3 Hours
Test Format	Multiple choice questions
Test Delivery	Pearson VUE Testing Centre
Availability	English
Passing Score	700/1000

ISC2 Overview

In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish holistic security programs that assure the protection of an organisations information assets.

ISC2 is an international non-profit membership association focused on inspiring a safe and secure cyber world. Today, based in the United States, ISC2 serves its global membership from its headquarters in Alexandria, Virginia, along with a portfolio of credentials and world-class education programs in the form of vendor-neutral education products and career services.

Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, ISC2 offers a portfolio of credentials that are part of a holistic, programmatic approach to security.

ISC2 members, candidates and associates, nearly 675,000 strong, are made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. ISC2 members represent an elite, global network of dedicated cybersecurity professionals – preeminent experts in their field – who have committed themselves to the highest ethical standards and best practices. All members are certified professionals who have passed ISC2 examinations attesting to skill and knowledge in their field. Through their ISC2 certification, they have demonstrated superior competency and devoted themselves to making the cyber world a safer place for all.

Torque IT is the longest standing Official Training Partner (OTP) in South Africa and has maintained the status of one of the leading ISC2 accredited training organizations in South Africa. Torque IT remains the Only Preferred OTP in the South Africa. As a leading and established training provider of cybersecurity education and certification, Torque IT is committed to expanding our offerings and promoting cybersecurity awareness and expertise across all ISC2 Certifications and throughout South Africa and various African countries.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Certified Secure Software Lifecycle Professional – Self-paced (Incl. Exam Voucher)

Type

Skill Level

Available dates

Learning Path

Duration

LEARNING PATH

SKILL LEVEL

DURATION

AVAILABLE DATES

Price excluding VAT

Exam Domains

ISC2 Overview

contact

Vendor
Authorised

Details

Menu

newsletter

Certified Secure Software Lifecycle Professional – Self-paced (Incl. Exam Voucher)

Type

Skill Level

Available dates

Learning Path

Duration

LEARNING PATH

SKILL LEVEL

DURATION

AVAILABLE DATES

Price excluding VAT

ISC2 Overview

contact

Vendor Authorised

Details

Menu

newsletter

Vendor
Authorised