The Certified Secure Software Lifecycle Professional (CSSLP) is the only certification in the industry that ensures security is considered throughout the entire lifecycle. It is designed to establish an industry standard and credential that attests to the holder’s knowledge and ability to apply best practices in delivering secure software. The certification is language neutral and focuses on professionals whose work is related to the software life cycle, including software architects, software engineers, developers, programmers, project managers, quality assurance testers, and analysts.
The impetus behind the CSSLP certification is the ever-increasing losses incurred by all types of organizations from both insider and outsider attacks because of software that is not secure. Also, because of the increased exploitation of software vulnerabilities, additional regulatory and compliance requirements are being imposed by governmental bodies.
Secure software controls should be an integral part of the software life cycle, from conception to disposal, and should address the fundamental security concepts of confidentiality, integrity, availability, authentication, authorization, and auditing.
As defined by (ISC)2, the domains comprising the CSSLP Common Body of Knowledge are:
- Secure software concepts — Security implications in software development
- Secure software requirements — Capturing security requirements in the requirements gathering phase
- Secure software design — Translating security requirements into application design elements
- Secure software implementation/coding — Testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
- Secure software testing — Testing for security functionality and resiliency to attack
- Software acceptance — Security implications in the software acceptance phase
- Software deployment, operations, maintenance, and disposal — Security issues around steady-state operations and management of software