In a bit of exciting news for me, I recently passed the Certified Secure Software Lifecycle Professional certification exam from (ISC)2. This is a big accomplishment for me. I wanted to share my experience in studying for this exam as well as why I feel a certification like this is important for the development community.
Why Application Security?
The world of information security is large and rich and has many different avenues and niches that someone might explore. It is great that there are different certification options that demonstrate a person’s skills in a particular discipline of security. Application security has always been a passion of mine, so I decided to turn that into a certification to validate my knowledge and experience in that realm.
Application security is also a necessary skill to have, even if you are a developer who does not specialize in security. This is due to one main factor: software is very often the easiest way to infiltrate a network.
Think about this: an attacker trying to get into a company’s network is after data. For the sake of argument, let’s assume adequate equipment, training, and experience on the part of the network administrators and security staff. With that assumption, and the current state of network protections and best practices, it is getting more and more difficult to simply break into a network from the outside.
On the other hand, an application (especially a web application) gives the attacker an easy path right past those defenses. An application exposed to the internet is just like the Trojan Horse (not the malware category, the original wooden horse). The attacker wraps a nasty payload inside a request that looks legitimate. The firewall has to allow ports 80 and 443 for the application to work at all, so the request sails through; only the application itself can tell a malicious request from a legitimate one.
So which would you choose: pounding on a network perimeter trying to find a way in, or downloading an off-the-shelf SQL injection tool that you can point at a website and steal sensitive data with a couple of clicks?
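To make the “legitimate request with a nasty payload” concrete, here is an added example (not code from the original post) of the attack class mentioned above. It uses an in-memory SQLite database with a constructed two-row user table, a login query built by string concatenation, and the same query written with bound parameters. The classic tautology payload passes through the firewall as an ordinary form field and bypasses the first version but not the second. Plaintext passwords are used only to keep the injection demonstration short; they are not how passwords should be stored.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# application's user store. The plaintext passwords exist only so the
# injection result is easy to read; never store real passwords this way.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """'Before' code: the query is assembled by concatenation, so user input
    becomes part of the SQL grammar rather than a value inside it."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened version: placeholders keep the input as data. The driver
    binds the values, so a quote inside them cannot terminate the literal."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Tautology payload, constructed for this demo. Inside the vulnerable query it
# produces:  ... AND password = '' OR '1'='1'  which matches every row.
BYPASS = "' OR '1'='1"


def demo() -> dict:
    """Run both login functions with legitimate and malicious input."""
    conn = make_db()
    return {
        "legit_vulnerable": vulnerable_login(conn, "alice", "correct horse"),
        "bypass_vulnerable": vulnerable_login(conn, "nobody", BYPASS),
        "legit_safe": safe_login(conn, "alice", "correct horse"),
        "bypass_safe": safe_login(conn, "nobody", BYPASS),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The point of the pair is that the fix is not input filtering but keeping data and code separate: the parameterized query returns nothing for the payload because it is looking for a user literally named `nobody` with that odd string as a password.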
CSSLP – Learning How to Build Secure Software
This brings us to the CSSLP test itself. It covers eight domains that span how to build secure software from requirements through operations and retirement. This is key to protecting your organization in today’s environment, because the applications you build will be the obvious choice for attackers trying to infiltrate your company’s systems. Every developer should know how to build secure software. That is one reason why I started this blog in the first place.
The certification also requires at least 4 years of Software Development Lifecycle (SDLC) experience in one or more of the domains of the exam. This can be reduced to 3 years if you have a Bachelor’s degree in Computer Science, IT, or a related field.
Secure Software Concepts introduces the basic security concepts that serve as the foundation of secure software development. Think of the CIA triad of confidentiality, integrity, and availability, along with risk management and the security implications of different software development methodologies.
Secure Software Requirements covers building security requirements for software. This involves activities such as policy decomposition: taking security policies and standards regarding authentication, authorization, etc., and translating them into concrete requirements. The exam also expects you to be aware of the various industry standards that apply to your specific software and to translate those standards into requirements for your project (think PCI DSS or ISO 27001).
Secure Software Design introduces techniques to help design secure software. Threat modeling and assessing the attack surface of your designed application are key skills here. You should also understand how to build a secure architecture and how to apply the secure software concepts to your design. For instance, you are expected to know how to store and verify passwords properly and how to encrypt sensitive data at rest and in transit.
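Password handling is the design decision in this domain that developers most often get wrong, so here is an added example (not code from the original post) of the “before” and “after”. The naive version stores an unsalted SHA-256 digest, so two users with the same password get the same stored value and a leaked table can be attacked with a single precomputed dictionary. The hardened version uses a per-user random salt, a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library), and a constant-time comparison. The `pbkdf2_sha256$…` storage format is an assumption made for this example, not a standard.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; OWASP's published guidance at the
# time of writing is 600,000. Tune it to your hardware and raise it over time.
ITERATIONS = 600_000

# Stored record layout assumed by this example (not a standard):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
SCHEME = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """'Before' code: unsalted, fast hash. Identical passwords produce
    identical output, and billions of guesses per second are cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it with its parameters so the
    verifier can recompute it later, even after the defaults change."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    return f"{SCHEME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in
    constant time. Any malformed record is treated as a failed login."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was created with weaker parameters than the
    current policy; rehash it on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demo input.
    print("naive, same input twice:", naive_hash("hunter2") == naive_hash("hunter2"))
    rec = hash_password("hunter2")
    print("stored:", rec)
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
```

Carrying the iteration count inside the record is what lets you raise the work factor later without locking out existing users: `needs_rehash` flags old records, and the application upgrades them transparently after the next successful verification.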
Secure Software Implementation/Coding is where the rubber meets the road. This domain is given the most weight on the test. It covers the common attacks and vulnerabilities that applications suffer from and the security controls needed to protect against them. It also covers good practices that help find potential implementation problems, and useful resources such as the OWASP Top 10 and the CWE/SANS Top 25 lists.
Secure Software Testing deals with the various types of testing that are done on software. This includes security-specific testing such as penetration testing and fuzz testing. It also touches on functional testing and automated testing.
Software Acceptance covers the acceptance phase of the software lifecycle. This means the business owner accepting the software, validating that the software meets requirements and verifying that it functions as expected. Risk acceptance and documentation fall under this domain.
Software Deployment, Operations, Maintenance, and Disposal covers what is commonly thought of as the “operations” piece: software running in production. This domain includes secure deployment and configuration, so that no vulnerabilities are introduced through configuration rather than the application code itself. It also covers what to do when a vulnerability is found in production. Finally, secure disposal is introduced so that you know how to retire an application, and the data it holds, securely.
Finally, Supply Chain and Software Acquisition explains techniques to ensure the security of software built by a third party and delivered to you.
The test covers quite a bit of information. It consists of 175 questions. It took me about three and a half of the allotted four hours to complete it. If you want to take the test, I’ll give one piece of advice: make sure you understand the concepts and design techniques through and through. Facts alone are not enough, as you will need to apply the concepts to different scenarios with unique needs. If you understand what really makes software secure, then you will do fine.
Overall, I found it an enjoyable and gratifying experience. I’ve always considered (ISC)2 to be one of the best and most rigorous certification bodies in the IT world so it felt great to pass a test created by them.
My only complaint is in the lack of solid training materials available. I feel that other certifications seem to have an abundance of preparation materials that CSSLP does not. I used the official on-demand training as well as the CSSLP All-in-One guide.
I’d like to now contribute to the community with more materials to assist developers in studying for this exam, but more on that later. I also aim to share the lessons I’ve learned so that all developers can build secure software and keep their company’s assets and secrets safe.
Note: I am not a full-fledged CSSLP yet, as my experience is still under review by (ISC)2 as is the custom with their certifications. My official designation for now is Associate of (ISC)2 and I’ll update my blog once the final determination is made.