# CISSP - CSSLP 陳詰昌 Jeff Chen power.shell@gmail.com ## 參考書籍 * CSSLP Certification All-in-One Exam Guide * Official (ISC)2 Guide to the CSSLP CBK ((ISC)2 Press) * Essential CSSLP Exam Guide: Updated for the 2nd Edition * Certified Secure Software Lifecycle Professional Exam Questions and Dumps Latest Version : Exam Prep Tests for CSSLP ## 內容 1. Secure Software Concepts 12% * General Security Concepts * Risk Management * Security Policies and Regulations * Software Development Methodologies 2. Secure Software Requirements 11% * Secure Software Requirements * Policy Decomposition * Data Classification and Categorization Requirements 3. Secure Software Design 13% * Secure Software Design * Design Processes * Design Considerations * Securing Commonly Used Architecture * Technologies 4. Secure Software Implementation/Programming 15% * Secure Software Implementation/Programming * Common Software Vulnerabilities and Countermeasures * Defensive Coding Practices * Secure Software Coding Operations 5. Secure Software Testing 14% * Secure Software Testing * Security Quality Assurance Testing * Security Testing 6. Secure Lifecycle Management 14% * General Security Concepts 7. Software Deployment, Operations, and Maintenance 11% * Software Deployment, Operations, and Maintenance * Secure Software Installation and Deployment * Secure Software Operations and Maintenance 10. Supply Chain and Software Acquisition 10% * Supply Chain and Software Acquisition # Domain 1:安全軟體概念 ## 1.1 - 核心概念 ### CIA * 機密性Confidentiality (e.g., encryption) * 完整性Integrity (e.g., hashing, digital signatures, code signing, reliability, modifications, authenticity) * 不可否認性Nonrepudiation (e.g., digital signatures, block chain) * 可用性Availability (e.g., redundancy, replication, clustering, scalability, resiliency) ### 3A * Authentication (e.g., multi-factor authentication (MFA), identity & access management (IAM), single sign-on (SSO), federated identity, biometrics) * Authorization (e.g., access controls, permissions, entitlements) * Accountability (e.g., auditing, logging) ### GRC * Governance, risk and compliance (GRC) standards (e.g., regulatory authority, legal, industry) ## 1.2 - 安全設計原則 * 最小權限Least privilege (e.g., access control, need-to-know, run-time privileges, Zero Trust) * 權責分離Segregation of Duties (SoD) (e.g., multi-party control, secret sharing, split knowledge) * 縱深防禦Defense in depth (e.g., layered controls, geographical diversity, technical diversity, distributed systems) * 韌性Resiliency (e.g., fail safe, fail secure, no single point of failure, failover) * 機制經濟Economy of mechanism (e.g., single sign-on (SSO), password vaults, resource efficiency) * 完全中介Complete mediation (e.g., cookie management, session management, caching of credentials) * 開放設計Open design (e.g., Kerckhoffs’s principle, peer review, open source, crowd source) * 最少共通機制Least common mechanism (e.g., compartmentalization/isolation, allow/accept list) * 心理可接受度Psychological acceptability (e.g., password complexity, passwordless authentication, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)) * 元件重複使用Component reuse (e.g., common controls, libraries) # Domain 2:安全軟體要求 ## 2.1 - Manage security within a software development methodology (e.g., Agile, waterfall) ## 2.2 - Identify and adopt security standards (e.g., implementing security frameworks, promoting security awareness) ## 2.3 - Outline strategy and roadmap Security milestones and checkpoints (e.g., control gate, break/build criteria) ## 2.4 - Define and develop security documentation ## 2.5 - Define security metrics (e.g., criticality level, average remediation time, complexity, Key Performance Indicators (KPI), objectives and key results) ## 2.6 - Decommission applications End of Life (EOL) policies (e.g., credential removal, configuration removal, license cancellation, archiving, service-level agreements (SLA)) Data disposition (e.g., retention, destruction, dependencies) ## 2.7 - Create security reporting mechanisms (e.g., reports, dashboards, feedback loops) ## 2.8 - Incorporate integrated risk management methods Regulations, standards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security in Maturity Model (BSIMM)) Legal (e.g., intellectual property, breach notification) Risk management (e.g., risk assessment, risk analysis) Technical risk vs. business risk ## 2.9 - Implement secure operation practices Change management process Incident response plan Verification and validation Assessment and Authorization (A&A) process # Domain 1. 安全軟體概念 ## 1.1 核心概念 ### CIA - **Confidentiality** - Covert channel: communication path that is intentionally hidden. Leaves almost no trace. Receiver has to be actively listening for message - Overt channel: communication path that is not hidden. Leaves evidence behind but receiver doesn't have to be listening for message - Side channel: unintentional communication. Think power consumption changes to get information about encryption used - **Integrity** - Also includes stability and reliability for authorized subjects - **Availability** - **Authentication** - **Authorization** - **Accountability** - **Nonrepudiation** ## 1.2 安全設計概念 - **Least Privilege** - **Separation of duties** - **Defense in depth** - **Resiliency** - fail safe, fail secure, no single point of failure - **Economy of mechanism** - less complexity is better - eliminate nonessential services and protocols - **Complete mediation** - authorization cannot by bypassed - authorization checked every time subject requests access to an object - **Open design** - security of a system is independent of the design (don't rely on security by obscurity) - Kerckhoffs's principle: security of a cryptosystem is reliant on choice of keys, not algorithm - **Least common mechanism** - isolation to protect against sharing of information - **Psychological acceptability** - **Component reuse** - **Diversity of defense** - layers of defense should be diverse - **Safeguard** - _Proactive_ controls to protect assets - controls can be physical, administrative, or technical - **Countermeasure** - _Reactive_ controls to protect assets - controls can be physical, administrative, or technical # 2. 安全軟體要求 ## 2.1 定義 - **功能性** - business requirements - use cases - user stories - **非功能性** - operational - deployment - systemic qualities ## 2.2 識別與分析合規要求 - **FISMA** - an agency-wide information security program is required for federal agencies - **Sarbanes-Oxley** - internal control measures for financial accounting - **Gramm-Leach-Bliley** - protection of PFI (Personal Financial Information) - protects against falsely pretending to obtain PFI - **HIPAA and HITECH** - **Payment Card Industry Data Security Standard (PCI DSS)** ## 2.3 識別與分析資料分類要求 - **Data ownership** - **Labeling** - sensitivity and impact - primarily driven by cost - **Types of data** - structured, unstructured - categories: security sensitive, PII, hidden - **Data life-cycle** - if persistent, data needs to be classified, labeled, assigned retention policy - retention policies include backups, DR sites, legal holds - legal hold data is excluded from normal disposal procedures ## 2.4 識別與分析隱私要求 - **Data anonymization** - **User consent** - **Disposition** - right to be forgotten - **Data retention** - **Cross borders** ## 2.5 建置濫用(abuse)與誤用(misuse)案例 - **Use cases** - helpful for clarifying complex/confusing/ambiguous situations - not intended for all subject-object relationships ## 2.6 建置安全要求追蹤矩陣(SRTM,Secure Requirement Traceability Matrix) - document relationships between security requirements, controls, and test/verification efforts ## 2.7 確認安全要求落實至供應商 # 3. 安全軟體架構與設計 ## 3.1 威脅塑模 - **Understand common threats** - **Attack surface evaluation** - **Threat intelligence** ## 3.2 定義安全架構 - **Security control identification and prioritization** - **Distributed computing** - **Service-oriented architecture** - **Rich internet applications** - **Pervasive/ubiquitous computing** - IOT - RFID - NFC - **Embedded** - Field-programmable gate array (FPGA) security features - **Cloud architecture** - **Mobile applications** - **Hardware platform concerns** - **Cognitive computing** - machine learning, AI - **Control systems** ## 3.3 安全介面設計 - **Security management interfaces, out-of-band management, log interfaces** - **Upstream/downstream dependencies** - **Protocol design choices** ### 3.4 架構風險評鑑 ### 3.5 模型 (Non-Functional) 安全特性與限制 ### 3.6 模型及資料分類 ### 3.7 評估及選擇可重複使用安全設計 - **Credential management** - **Flow control** - proxies, firewalls, protocols, queueing - **Data loss prevention** - **Virtualization** - **Trusted computing** - **Database security** - **Programming language environment** - **Operating system controls and services** - **Secure backup and restoration planning** - **Secure dat retention, retrieval, and destruction** ## 3.8 安全架構及設計審視 ## 3.9 定義安全維運架構 ## 3.10 安全架構與設計原則、模型及工具 # 4. 安全軟體執行 ## 4.1 Adhere to Relevant Secure Coding Practices - **Declarative vs imperative (programmatic) security** - **Concurrency** - **Output sanitization** - **Error and exception handling** - **Input validation** - **Secure logging & auditing** - **Session management** - **Trusted/Untrusted APIs and libraries** - **Type safety** - **Resource management** - **Secure configuration management** - **Tokenizing** - **Isolation** - **Cryptography** - **Access control** - **Processor micro-architecture security extensions** ### 4.2 Analyze Code for Security Risks - **Secure code reuse** - **Vulnerability databases/lists** - **Static application security testing** - **Dynamic application security testing** - **Manual code review** - **Look for malicious code** - **Interactive application security testing** ### 4.3 Implement Security Controls ### 4.4 Address Security Risks - **Risk response** ### 4.5 Securely Reuse Third-Party Code or Libraries ### 4.6 Securely Integrate Components - **Systems-of-systems integration** ### 4.7 Apply Security During the Build Process - **Anti-tampering techniques** - **Compiler switches** - **Address compiler warnings** ## 5. Secure Software Testing ### 5.1 Develop Security Test Cases - **Attack surface validation** - **Penetration tests** - **Fuzzing** - **Scanning** - **Simulation** - **Failure** - break testing - fault injection: introducing faults to see how software behaves. Test error handling code paths - **Cryptographic validation** - **Regression tests** - **Integration tests** - **Continuous** - synthetic transactions: write code to mimic user behavior using a browser - real-user monitoring: collect data based on actual user data (e.g. Google Analytics) ### 5.2 Develop Security Testing Strategy and Plan - **functional security testing** - **nonfunctional security testing** - reliability - performance - scalability - **testing techniques** - white box - black box - **environment** - **standards** - ISO - Open Source Security Testing Methodology Manual (OSSTMM) - Software Engineering Institute (SEI) - **crowd sourcing** - bug bounty ### 5.3 Verify and Validate Documentation ### 5.4 Identify Undocumented Functionality ### 5.5 Analyze Security Implications of Test Results ### 5.6 Classify and Track Security Errors - **Bug tracking** - **Risk scoring** - CVSS ### 5.7 Secure Test Data - **Generate test data** - **Reuse of production data** ### 5.8 Perform verification and validation testing ## 6. Secure Software Lifecycle Management ### 6.1 Secure configuration and version control ### 6.2 Define strategy and roadmap ### 6.3 Manage security within a software development methodology ### 6.4 Identify security standards and frameworks ### 6.5 Define and develop security documentation ### 6.6 Develop security metrics ### 6.7 Decommision software - **End of life policies** - **Data disposition** ### 6.8 Report security status ### 6.9 Incorporate integrated risk management (IRM) ### 6.10 Promote security culture in software development ### 6.11 Implement continuous improvement ## 7. Secure Software Deployment, Operations, and Maintenance ### 7.1 Perform operational risk analysis - **Deployment environment** - **Personnel training** - **Safety criticality** - **System integration** ### 7.2 Release software securely - **Secure continuous integration and continuous delivery pipeline** - **Secure software tool chain** - **Build artifact verification** ### 7.3 - **Credentials** - **Secrets** - **Keys/certificates** - **Configurations** ### 7.4 Ensure secure installation - **Bootstrapping** - **Least privilege** - **Environment hardening** - **Secure activation** - **Security policy implementation** - **Secrets injection** ### 7.5 Perform post-deployment security testing ### 7.6 Obtain security approval to operate ### 7.7 Perform information security continuous monitoring (ISCM) - **Collect and analyze observable data** - **Threat intel** - **Intrusion detection/response** - **Secure configuration** - **Regulation changes** ### 7.8 Support incident response - **Root cause analysis** - **Incident triage** - **Forensics** ### 7.9 Perform patch management ### 7.10 Perform vulnerability management ### 7.11 Runtime protection ### 7.12 Support continuity of operations - **Backup, archiving, retention** - **Disaster recovery** - **Resiliency** ### 7.13 Integrate service level objectives and service level agreements ## 8. Secure Software Supply Chain ### 8.1 Implement software supply chain risk management - **Identify** - **Assess** - **Respond** - **Monitor** ### 8.2 Analyze security of third-party software ### 8.3 Verify pedigree and provenance - **Secure transfer** - **System sharing/interconnections** - **Code repository security** - **Build environment security** - **Cryptographically-hashed, digitally-signed components** - **Right to audit** ### 8.4 Ensure supplier security requirements in teh acquisition process ### 8.5 Support contractual requirements