1st Edition

Official (ISC)2 Guide to the CSSLP

By Mano Paul Copyright 2011
    572 Pages 131 B/W Illustrations
    by CRC Press

    As the global leader in information security education and certification, (ISC)has a proven track record of educating and certifying information security professionals. Its newest certification, the Certified Secure Software Lifecycle Professional (CSSLP®) is a testament to the organization’s ongoing commitment to information and software security.

    The Official (ISC) Guide to the CSSLP® provides an all-inclusive analysis of the CSSLP Common Body of Knowledge (CBK®). As the first comprehensive guide to the CSSLP CBK, it facilitates the required understanding of the seven CSSLP domains—Secure Software Concepts, Secure Software Requirements, Secure Software Design, Secure Software Implementation/Coding, Secure Software Testing, Software Acceptance, and Software Deployment, Operations, Maintenance and Disposal—to assist candidates for certification and beyond.

    • Serves as the only official guide to the CSSLP professional certification
    • Details the software security activities that need to be incorporated throughout the software development lifecycle
    • Provides comprehensive coverage that includes the people, processes, and technology components of software, networks, and host defenses
    • Supplies a pragmatic approach to implementing software assurances in the real-world

    The text allows readers to learn about software security from a renowned security practitioner who is the appointed software assurance advisor for (ISC)2. Complete with numerous illustrations, it makes complex security concepts easy to understand and implement. In addition to being a valuable resource for those studying for the CSSLP examination, this book is also an indispensable software security reference for those already part of the certified elite. A robust and comprehensive appendix makes this book a time-saving resource for anyone involved in secure software development.

    Secure Software Concepts
    Introduction
    Objectives
    Holistic Security
    Implementation Challenges
    Quality and Security
    Design Security Concepts
    Security Concepts in the SDLC
    Security Policies: The What and Why of Security
    Security Methodologies
    Security Frameworks
    Regulations, Privacy, and Compliance
    Acquisitions
    Summary
    Review Questions
    References

    Secure Software Requirements
    Introduction
    Objectives
    Sources for Security Requirements
    Summary
    Review Questions
    References

    Secure Software Design
    Introduction
    Objectives
    The Need for Secure Design
    Secure Design and Architecture Review
    Summary
    Review Questions
    References

    Secure Software Implementation / Coding
    Introduction
    Objectives
    Who is to be blamed for Insecure Software?
    Fundamental Concepts of Programming
    Software Development Methodologies
    Common Software Vulnerabilities and Countermeasures
    Defensive Coding Practices
    Secure Software Processes
    Summary
    Review Questions
    Commonly Used Opcodes in Assembly
    HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
    References

    Secure Software Testing
    Introduction
    Objectives Quality Assurance
    Software Security Testing
    Defect Reporting and Tracking
    Tools for Security Testing
    Summary
    Review Questions
    Chapter Appendix: Security Testing Tools
         Reconnaissance Tools
         Vulnerability Scanners
         Fingerprinting Tools
         Sniffers/Protocol Analyzers
         Password Crackers
         Web Security Tools: Scanners, Proxies, and Vulnerability Management
         Wireless Security Tools
         Reverse Engineering Tools
         Source Code Analyzers
         Vulnerability Exploitation Tools
         Security-Oriented Operating Systems
         Privacy Testing Tools
         References

    Software Acceptance
    Introduction
    Objectives
    Guidelines for Software Acceptance
    Legal Protection Mechanism
    Verification and Validation
    Summary
    Review Questions

    Software Deployment, Operations, Maintenance, and Disposal
    Introduction
    Objectives
    Installation and Deployment
    Operations and Maintenance
    Disposal
    Summary
    Review Questions
    Appendix

    Index

    Biography

    Manoranjan (Mano) Paul is the Software Assurance Advisor for the (ISC)2, the global leader in information security education and certification, representing and advising the organization on software assurance strategy, training, education and certification. His information security and software assurance experience includes designing and developing security programs from compliance-to-coding, security in the SDLC, writing secure code, risk management, security strategy, and security awareness training and education.

    Mr. Paul started his career as a shark researcher in the Bimini Biological Field Station, Bahamas. His educational pursuit took him to the University of Oklahoma where he received his Business Administration degree in Management Information Systems (MIS) with various accolades and the coveted 4.0 GPA. Following his entrepreneurial acumen, he founded and serves as the CEO & President of Express Certifications, a professional certification assessment and training company that developed studISCope, (ISC)2's official self assessment offering for prospective certification candidates. Express Certifications is also the self assessment testing company behind the US Department of Defense certification education program as mandated by the 8570.1 directive. He also founded SecuRisk Solutions, a company that specializes in security product development and consulting.

    Before Express Certifications and SecuRisk Solutions, Mr. Paul played several roles from software developer, quality assurance engineer, logistics manager, technical architect, IT strategist, and security engineer/program manager/strategist at Dell Inc. Mr. Paul is an appointed faculty member and Vice President of the Capitol of Texas Information System Security Association (ISSA) chapter. He is a contributing author for the Information Security Management Handbook, writes periodically for the Certification magazine and has contributed to security topics for the Microsoft Solutions Developer Network (MSDN). He has been featured in various domestic and international security conferences and is an invited speaker and panelist, delivering talks and keynotes in conferences such as the CSI (Computer Security Institute), Burton Group Catalyst, SC World Congress, TRISC (Texas Regional Infrastructure Security Conference) and OWASP. Mr. Paul holds the following professional certifications - CSSLP, CISSP, AMBCI, MCSD, MCAD, CompTIA Network+ and the ECSA certification.