{"product_id":"csslp®-training-and-certification","title":"CSSLP® Training and Certification","description":"\u003cdiv\u003e\n\u003cp\u003eAttend this official ISC2™ Certified Secure Software Lifecycle Professional \u003cstrong\u003e(CSSLP) training and certification\u003c\/strong\u003e course and get prepared to achieve this premier secure software development certification. This course provides you with in-depth coverage of the skills and concepts in the eight domains of the CSSLP Common Body of Knowledge: Secure Software Concepts, Requirements, Architecture and Design, Implementation, Testing, Lifecycle Management, Deployment\/Operations\/Maintenance, and Supply Chain.\u003c\/p\u003e\r\n\u003cp\u003eThis course covers secure software development as defined by the Certified Secure Software Lifecycle Professional (CSSLP) Common Body of Knowledge and its domains. Topics include identifying security requirements, the secure SDLC, manual testing, unit testing, functional testing, acceptance testing, security testing, code review, and test automation. Students learn how to find and address security vulnerabilities in source code and through software testing. The course also covers Interactive Application Security Testing (IAST) tools, the Continuous Integration\/Continuous Delivery (CI\/CD) pipeline, and penetration testing to help prepare for the CSSLP exam.\u003c\/p\u003e\r\n\u003cp\u003eU.S. 
DoDM 8140.03 APPROVED BY DEPARTMENT OF DEFENSE\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch3\u003eCSSLP® Training and Certification Benefits\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eIn this CSSLP course, you will learn how to:\u003c\/strong\u003e\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003ePrepare for and pass the CSSLP exam.\u003c\/li\u003e\n\u003cli\u003eIdentify software security requirements.\u003c\/li\u003e\n\u003cli\u003eFollow secure coding practices.\u003c\/li\u003e\n\u003cli\u003eDevelop a security testing strategy and plan.\u003c\/li\u003e\n\u003cli\u003eChoose a secure software methodology.\u003c\/li\u003e\n\u003cli\u003eRelease software securely.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eCSSLP Training Prerequisites\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eThis CSSLP course is for Software Developers, Engineers, Architects, Penetration Testers, and other IT (Information Technology) professionals who have a minimum of four years of full-time Software Development Lifecycle (SDLC) experience in one or more of the eight domains covered in the CSSLP exam.\u003c\/p\u003e\n\u003c\/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eCSSLP Certification Information\u003c\/strong\u003e\u003c\/p\u003e\n\u003cp\u003eOn request, Learning Tree can provide a voucher that allows you to take the exam at any Pearson VUE Test Center.\u003c\/p\u003e\n\u003cp\u003eRequirements for certification:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eA minimum of four years of cumulative, paid, full-time Software Development Lifecycle (SDLC) professional experience in one or more of the eight domains of the CSSLP Common Body of Knowledge (CBK)\u003c\/li\u003e\n\u003cli\u003ePass the CSSLP exam\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003eAttendees can self-submit our courses for the following \u003ca 
href=\"https:\/\/www.isc2.org\/CPE-Portal-Questions\" title=\"CPE Portal Questions | ISC2 Home\" rel=\"nofollow noopener\" target=\"_blank\"\u003eCPE credit\u003c\/a\u003e:\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eGroup A credits for attending any of our cybersecurity courses\u003c\/li\u003e\n\u003cli\u003eGroup B General Education credits for any other Learning Tree course they attend\u003c\/li\u003e\n\u003cli\u003eISC2 members can also submit CPE credits directly to the \u003ca href=\"https:\/\/www.isc2.org\/CPE-Portal-Questions\" title=\"CPE Portal Questions | ISC2 Home\" rel=\"nofollow noopener\" target=\"_blank\"\u003eCPE portal\u003c\/a\u003e in the Members section of the \u003ca href=\"https:\/\/www.isc2.org\/Membership\" title=\"Membership | ISC2 Home\" rel=\"nofollow noopener\" target=\"_blank\"\u003eISC2 website\u003c\/a\u003e.\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003eThis is an ISC2 certification prep course.\u003c\/p\u003e\n\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e\u003cdiv\u003e\u003ch3\u003eCSSLP Training Outline\u003c\/h3\u003e\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 1: Secure Software Concepts\u003c\/h4\u003e\n\u003cp\u003e1.1 Core Concepts\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eConfidentiality (e.g., covert, overt, encryption)\u003c\/li\u003e\n\u003cli\u003eIntegrity (e.g., hashing, 
digital signatures, code signing, reliability, modifications, authenticity)\u003c\/li\u003e\n\u003cli\u003eAvailability (e.g., redundancy, replication, clustering, scalability, resiliency)\u003c\/li\u003e\n\u003cli\u003eAuthentication (e.g., multifactor authentication (MFA), identity \u0026amp; access management (IAM), single sign-on (SSO), federated identity)\u003c\/li\u003e\n\u003cli\u003eAuthorization (e.g., access controls, permissions, entitlements)\u003c\/li\u003e\n\u003cli\u003eAccountability (e.g., auditing, logging)\u003c\/li\u003e\n\u003cli\u003eNonrepudiation (e.g., digital signatures, blockchain)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e1.2 Security Design Principles\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eLeast privilege (e.g., access control, need-to-know, run-time privileges)\u003c\/li\u003e\n\u003cli\u003eSeparation of duties (e.g., multi-party control, secret sharing, and split knowledge)\u003c\/li\u003e\n\u003cli\u003eDefense in depth (e.g., layered controls, input validation, security zones)\u003c\/li\u003e\n\u003cli\u003eResiliency (e.g., fail safe, fail secure, no Single Point of Failure (SPOF))\u003c\/li\u003e\n\u003cli\u003eEconomy of mechanism (e.g., Single Sign-On (SSO), password vaults, resource)\u003c\/li\u003e\n\u003cli\u003eComplete mediation (e.g., cookie management, session management, caching of credentials)\u003c\/li\u003e\n\u003cli\u003eOpen design (e.g., Kerckhoffs’s principle)\u003c\/li\u003e\n\u003cli\u003eLeast common mechanism (e.g., compartmentalization\/isolation, safe 
listing)\u003c\/li\u003e\n\u003cli\u003ePsychological acceptability (e.g., password complexity, screen layouts, Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), biometrics)\u003c\/li\u003e\n\u003cli\u003eComponent reuse (e.g., common controls, libraries)\u003c\/li\u003e\n\u003cli\u003eDiversity of defense (e.g., geographical diversity, technical diversity, distributed systems)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 2: Secure Software Requirements\u003c\/h4\u003e\n\u003cp\u003e2.1 Define Software Security Requirements\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eFunctional (e.g., business requirements, use cases, stories)\u003c\/li\u003e\n\u003cli\u003eNon-functional (e.g., operational, deployment, systemic qualities)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e2.2 Identify and Analyze Compliance Requirements\u003c\/p\u003e\n\u003cp\u003e2.3 Identify and Analyze Data Classification Requirements\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eData ownership (e.g., data owner, data custodian)\u003c\/li\u003e\n\u003cli\u003eLabeling (e.g., sensitivity, impact)\u003c\/li\u003e\n\u003cli\u003eTypes of data (e.g., structured, unstructured data)\u003c\/li\u003e\n\u003cli\u003eData life cycle (e.g., generation, retention, disposal)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e2.4 Identify and Analyze Privacy Requirements\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eData anonymization\u003c\/li\u003e\n\u003cli\u003eUser consent\u003c\/li\u003e\n\u003cli\u003eDisposition (e.g., right to be forgotten)\u003c\/li\u003e\n\u003cli\u003eData retention\u003c\/li\u003e\n\u003cli\u003eCross borders (e.g., data residency, jurisdiction, multi-national data processing boundaries)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e2.5 Develop Misuse and Abuse Cases\u003c\/p\u003e\n\u003cp\u003e2.6 Develop Security Requirement Traceability Matrix (STRM)\u003c\/p\u003e\n\u003cp\u003e2.7 Ensure 
Security Requirements Flow Down to Suppliers\/Providers\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 3: Secure Software Architecture and Design\u003c\/h4\u003e\n\u003cp\u003e3.1 Perform Threat Modeling\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eUnderstand common threats (e.g., Advanced Persistent Threat (APT), insider threat, common malware, third-party\/supplier)\u003c\/li\u003e\n\u003cli\u003eAttack surface evaluation\u003c\/li\u003e\n\u003cli\u003eThreat intelligence (e.g., identify credible, relevant threats)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e3.2 Define the Security Architecture\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity control identification and prioritization\u003c\/li\u003e\n\u003cli\u003eDistributed computing (e.g., client-server, peer-to-peer (P2P), message queuing)\u003c\/li\u003e\n\u003cli\u003eService-oriented architecture (SOA) (e.g., Enterprise Service Bus (ESB), web services)\u003c\/li\u003e\n\u003cli\u003eRich internet applications (e.g., client-side exploits or threats, remote code execution, constant connectivity)\u003c\/li\u003e\n\u003cli\u003ePervasive\/ubiquitous computing (e.g., Internet of Things (IoT), wireless, location-based, Radio-Frequency Identification (RFID), near field communication, sensor networks)\u003c\/li\u003e\n\u003cli\u003eEmbedded (e.g., secure update, Field-Programmable Gate Array (FPGA) security features, microcontroller security)\u003c\/li\u003e\n\u003cli\u003eCloud architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))\u003c\/li\u003e\n\u003cli\u003eMobile applications (e.g., implicit data collection privacy)\u003c\/li\u003e\n\u003cli\u003eHardware platform concerns (e.g., side-channel mitigation, speculative execution mitigation, embedded Hardware Security Modules (HSM))\u003c\/li\u003e\n\u003cli\u003eCognitive computing (e.g., Machine Learning (ML), Artificial Intelligence 
(AI))\u003c\/li\u003e\n\u003cli\u003eControl systems (e.g., industrial, medical, facility-related, automotive)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e3.3 Perform Secure Interface Design\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity management interfaces, Out-of-Band (OOB) management, log interfaces\u003c\/li\u003e\n\u003cli\u003eUpstream\/downstream dependencies (e.g., key and data sharing between apps)\u003c\/li\u003e\n\u003cli\u003eProtocol design choices (e.g., Application Programming Interfaces (APIs), weaknesses, state, models)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e3.4 Perform Architectural Risk Assessment\u003c\/p\u003e\n\u003cp\u003e3.5 Model (Non-Functional) Security Properties and Constraints\u003c\/p\u003e\n\u003cp\u003e3.6 Model and Classify Data\u003c\/p\u003e\n\u003cp\u003e3.7 Evaluate and Select Reusable Secure Design\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eCredential management (e.g., X.509 and Single Sign-On (SSO))\u003c\/li\u003e\n\u003cli\u003eFlow control (e.g., proxies, firewalls, protocols, queuing)\u003c\/li\u003e\n\u003cli\u003eData loss prevention (DLP)\u003c\/li\u003e\n\u003cli\u003eVirtualization (e.g., software-defined infrastructure, hypervisor, containers)\u003c\/li\u003e\n\u003cli\u003eTrusted computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))\u003c\/li\u003e\n\u003cli\u003eDatabase security (e.g., encryption, triggers, views, privilege management)\u003c\/li\u003e\n\u003cli\u003eProgramming language environment (e.g., Common Language Runtime (CLR), Java Virtual Machine (JVM))\u003c\/li\u003e\n\u003cli\u003eOperating System (OS) controls and services\u003c\/li\u003e\n\u003cli\u003eSecure backup and restoration planning\u003c\/li\u003e\n\u003cli\u003eSecure data retention, retrieval, and destruction\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e3.8 Perform Security Architecture and Design Review\u003c\/p\u003e\n\u003cp\u003e3.9 Define Secure Operational Architecture 
(e.g., deployment topology, operational interfaces)\u003c\/p\u003e\n\u003cp\u003e3.10 Use Secure Architecture and Design Principles, Patterns, and Tools\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 4: Secure Software Implementation\u003c\/h4\u003e\n\u003cp\u003e4.1 Adhere to Relevant Secure Coding Practices (e.g., standards, guidelines, and regulations)\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeclarative versus imperative (programmatic) security\u003c\/li\u003e\n\u003cli\u003eConcurrency (e.g., thread safety, database concurrency controls)\u003c\/li\u003e\n\u003cli\u003eOutput sanitization (e.g., encoding, obfuscation)\u003c\/li\u003e\n\u003cli\u003eError and exception handling\u003c\/li\u003e\n\u003cli\u003eInput validation\u003c\/li\u003e\n\u003cli\u003eSecure logging \u0026amp; auditing\u003c\/li\u003e\n\u003cli\u003eSession management\u003c\/li\u003e\n\u003cli\u003eTrusted\/Untrusted Application Programming Interfaces (APIs) and libraries\u003c\/li\u003e\n\u003cli\u003eType safety\u003c\/li\u003e\n\u003cli\u003eResource management (e.g., compute, storage, network, memory management)\u003c\/li\u003e\n\u003cli\u003eSecure configuration management (e.g., parameter, default options, credentials)\u003c\/li\u003e\n\u003cli\u003eTokenizing\u003c\/li\u003e\n\u003cli\u003eIsolation (e.g., sandboxing, virtualization, containers, Separation Kernel Protection Profiles (SKPP))\u003c\/li\u003e\n\u003cli\u003eCryptography (e.g., payload, field level, transport, storage, agility, encryption, algorithm selection)\u003c\/li\u003e\n\u003cli\u003eAccess control (e.g., trust zones, function permissions, Role Based Access Control (RBAC))\u003c\/li\u003e\n\u003cli\u003eProcessor microarchitecture security extensions (e.g., Software Guard Extensions (SGX), Advanced Micro Devices (AMD) Secure Memory Encryption (SME)\/Secure Encrypted Virtualization (SEV), ARM TrustZone)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e4.2 Analyze Code for Security 
Risks\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecure code reuse\u003c\/li\u003e\n\u003cli\u003eVulnerability databases\/lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumeration (CWE))\u003c\/li\u003e\n\u003cli\u003eStatic Application Security Testing (SAST) (e.g., automated code coverage, linting)\u003c\/li\u003e\n\u003cli\u003eDynamic Application Security Testing (DAST)\u003c\/li\u003e\n\u003cli\u003eManual code review (e.g., individual, peer)\u003c\/li\u003e\n\u003cli\u003eLook for malicious code (e.g., backdoors, logic bombs, high entropy)\u003c\/li\u003e\n\u003cli\u003eInteractive Application Security Testing (IAST)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e4.3 Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)\u003c\/p\u003e\n\u003cp\u003e4.4 Address Security Risks (e.g., remediation, mitigation, transfer, accept)\u003c\/p\u003e\n\u003cp\u003e4.5 Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))\u003c\/p\u003e\n\u003cp\u003e4.6 Securely Integrate Components\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSystems-of-systems integration (e.g., trust contracts, security testing, and analysis)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e4.7 Apply Security During the Build Process\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eAnti-tampering techniques (e.g., code signing, obfuscation)\u003c\/li\u003e\n\u003cli\u003eCompiler switches\u003c\/li\u003e\n\u003cli\u003eAddress compiler warnings\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 5: Secure Software Testing\u003c\/h4\u003e\n\u003cp\u003e5.1 Develop Security Test Cases\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eAttack surface validation\u003c\/li\u003e\n\u003cli\u003ePenetration tests\u003c\/li\u003e\n\u003cli\u003eFuzzing (e.g., generated, mutated)\u003c\/li\u003e\n\u003cli\u003eScanning (e.g., vulnerability, content, 
privacy)\u003c\/li\u003e\n\u003cli\u003eSimulation (e.g., simulating production environment and production data, synthetic workloads)\u003c\/li\u003e\n\u003cli\u003eFailure (e.g., fault injection, stress testing, break testing)\u003c\/li\u003e\n\u003cli\u003eCryptographic validation (e.g., Pseudo-Random Number Generator (PRNG), entropy)\u003c\/li\u003e\n\u003cli\u003eRegression tests\u003c\/li\u003e\n\u003cli\u003eIntegration tests\u003c\/li\u003e\n\u003cli\u003eContinuous (e.g., synthetic transactions)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e5.2 Develop Security Testing Strategy and Plan\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eFunctional security testing (e.g., logic)\u003c\/li\u003e\n\u003cli\u003eNonfunctional security testing (e.g., reliability, performance, scalability)\u003c\/li\u003e\n\u003cli\u003eTesting techniques (e.g., white box, black box)\u003c\/li\u003e\n\u003cli\u003eEnvironment (e.g., interoperability, test harness)\u003c\/li\u003e\n\u003cli\u003eStandards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual (OSSTMM), Software Engineering Institute (SEI))\u003c\/li\u003e\n\u003cli\u003eCrowdsourcing (e.g., bug bounty)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e5.3 Verify and Validate Documentation (e.g., installation and setup instructions, error messages, user guides, release notes)\u003c\/p\u003e\n\u003cp\u003e5.4 Identify Undocumented Functionality\u003c\/p\u003e\n\u003cp\u003e5.5 Analyze Security Implications of Test Results (e.g., impact on product management, prioritization, break build criteria)\u003c\/p\u003e\n\u003cp\u003e5.6 Classify and Track Security Errors\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eBug tracking (e.g., defects, errors, and vulnerabilities)\u003c\/li\u003e\n\u003cli\u003eRisk scoring (e.g., Common Vulnerability Scoring System (CVSS))\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e5.7 Secure Test 
Data\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eGenerate test data (e.g., referential integrity, statistical quality, production representative)\u003c\/li\u003e\n\u003cli\u003eReuse of production data (e.g., obfuscation, sanitization, anonymization, tokenization, data aggregation mitigation)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e5.8 Perform Verification and Validation Testing\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 6: Secure Software Lifecycle Management\u003c\/h4\u003e\n\u003cp\u003e6.1 Secure Configuration and Version Control (e.g., hardware, software, documentation, interfaces, patching)\u003c\/p\u003e\n\u003cp\u003e6.2 Define Strategy and Roadmap\u003c\/p\u003e\n\u003cp\u003e6.3 Manage Security Within a Software Development Methodology\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity in adaptive methodologies (e.g., Agile methodologies)\u003c\/li\u003e\n\u003cli\u003eSecurity in predictive methodologies (e.g., Waterfall)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e6.4 Identify Security Standards and Frameworks\u003c\/p\u003e\n\u003cp\u003e6.5 Define and Develop Security Documentation\u003c\/p\u003e\n\u003cp\u003e6.6 Develop Security Metrics (e.g., defects per line of code, criticality level, average remediation time, complexity)\u003c\/p\u003e\n\u003cp\u003e6.7 Decommission Software\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eEnd-of-life policies (e.g., credential removal, configuration removal, license cancellation, archiving)\u003c\/li\u003e\n\u003cli\u003eData disposition (e.g., retention, destruction, dependencies)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e6.8 Report Security Status (e.g., reports, dashboards, feedback loops)\u003c\/p\u003e\n\u003cp\u003e6.9 Incorporate Integrated Risk Management (IRM)\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eRegulations and compliance\u003c\/li\u003e\n\u003cli\u003eLegal (e.g., intellectual property, breach 
notification)\u003c\/li\u003e\n\u003cli\u003eStandards and guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), OWASP, Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security In Maturity Model (BSIMM))\u003c\/li\u003e\n\u003cli\u003eRisk management (e.g., mitigate, accept, transfer, avoid)\u003c\/li\u003e\n\u003cli\u003eTerminology (e.g., threats, vulnerability, residual risk, controls, probability, impact)\u003c\/li\u003e\n\u003cli\u003eTechnical risk vs. business risk\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e6.10 Promote Security Culture in Software Development\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity champions\u003c\/li\u003e\n\u003cli\u003eSecurity education and guidance\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e6.11 Implement Continuous Improvement (e.g., retrospective, lessons learned)\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 7: Secure Software Deployment, Operations, Maintenance\u003c\/h4\u003e\n\u003cp\u003e7.1 Perform Operational Risk Analysis\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eDeployment environment\u003c\/li\u003e\n\u003cli\u003ePersonnel training (e.g., administrators vs. 
users)\u003c\/li\u003e\n\u003cli\u003eSafety criticality\u003c\/li\u003e\n\u003cli\u003eSystem Integration\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.2 Release Software Securely\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecure Continuous Integration and Continuous Delivery (CI\/CD) pipeline\u003c\/li\u003e\n\u003cli\u003eThe secure software toolchain\u003c\/li\u003e\n\u003cli\u003eBuild artifact verification (e.g., code signing, checksums, hashes)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.3 Securely Store and Manage Security Data\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eCredentials\u003c\/li\u003e\n\u003cli\u003eSecrets\u003c\/li\u003e\n\u003cli\u003eKeys\/certificates\u003c\/li\u003e\n\u003cli\u003eConfigurations\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.4 Ensure Secure Installation\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eBootstrapping (e.g., key generation, access, management)\u003c\/li\u003e\n\u003cli\u003eLeast privilege\u003c\/li\u003e\n\u003cli\u003eEnvironment hardening\u003c\/li\u003e\n\u003cli\u003eSecure activation (e.g., credentials, safelisting, device configuration, network configuration, licensing)\u003c\/li\u003e\n\u003cli\u003eSecurity policy implementation\u003c\/li\u003e\n\u003cli\u003eSecrets injection (e.g., certificate, Open Authorization (OAuth) tokens, Secure Shell (SSH) keys)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.5 Perform Post-Deployment Security Testing\u003c\/p\u003e\n\u003cp\u003e7.6 Obtain Security Approval to Operate (e.g., risk acceptance, sign-off at the appropriate level)\u003c\/p\u003e\n\u003cp\u003e7.7 Perform Information Security Continuous Monitoring (ISCM)\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eCollect and analyze observable security data (e.g., logs, events, telemetry, and trace data)\u003c\/li\u003e\n\u003cli\u003eThreat intel\u003c\/li\u003e\n\u003cli\u003eIntrusion detection\/response\u003c\/li\u003e\n\u003cli\u003eSecure 
configuration\u003c\/li\u003e\n\u003cli\u003eRegulation changes\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.8 Support Incident Response\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eRoot cause analysis\u003c\/li\u003e\n\u003cli\u003eIncident triage\u003c\/li\u003e\n\u003cli\u003eForensics\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.9 Perform Patch Management (e.g., secure release, testing)\u003c\/p\u003e\n\u003cp\u003e7.10 Perform Vulnerability Management (e.g., scanning, tracking, triaging)\u003c\/p\u003e\n\u003cp\u003e7.11 Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR))\u003c\/p\u003e\n\u003cp\u003e7.12 Support Continuity of Operations\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eBackup, archiving, retention\u003c\/li\u003e\n\u003cli\u003eDisaster Recovery (DR)\u003c\/li\u003e\n\u003cli\u003eResiliency (e.g., operational redundancy, erasure code, survivability)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e7.13 Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g., maintenance, performance, availability, qualified personnel)\u003c\/p\u003e\n\u003c\/div\u003e\u003cdiv\u003e\n\u003ch4\u003eDomain 8: Secure Software Supply Chain\u003c\/h4\u003e\n\u003cp\u003e8.1 Implement Software Supply Chain Risk Management\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify\u003c\/li\u003e\n\u003cli\u003eAssess\u003c\/li\u003e\n\u003cli\u003eRespond\u003c\/li\u003e\n\u003cli\u003eMonitor\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e8.2 Analyze the Security of Third-Party Software\u003c\/p\u003e\n\u003cp\u003e8.3 Verify Pedigree and Provenance\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecure transfer (e.g., interdiction mitigation)\u003c\/li\u003e\n\u003cli\u003eSystem sharing\/interconnections\u003c\/li\u003e\n\u003cli\u003eCode repository security\u003c\/li\u003e\n\u003cli\u003eBuild environment 
security\u003c\/li\u003e\n\u003cli\u003eCryptographically hashed, digitally-signed components\u003c\/li\u003e\n\u003cli\u003eRight to audit\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e8.4 Ensure Supplier Security Requirements in the Acquisition Process\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eAudit of security policy compliance (e.g., secure software development practices)\u003c\/li\u003e\n\u003cli\u003eVulnerability\/incident notification, response, coordination, and reporting\u003c\/li\u003e\n\u003cli\u003eMaintenance and support structure (e.g., community versus commercial, licensing)\u003c\/li\u003e\n\u003cli\u003eSecurity track record\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003cp\u003e8.5 Support contractual requirements\u003c\/p\u003e\n\u003cul\u003e\n\u003cli\u003eIntellectual Property (IP) ownership, code escrow, liability, and warranty\u003c\/li\u003e\n\u003cli\u003eEnd-User License Agreement (EULA)\u003c\/li\u003e\n\u003cli\u003eService Level Agreements (SLA)\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003c\/div\u003e","brand":"Learning Tree","offers":[{"title":"268B14US \/ 2026-08-10T09:00:00 \/ Herndon, VA","offer_id":47534218772699,"sku":"US-2059-IL","price":3436.0,"currency_code":"USD","in_stock":true},{"title":"26AB97US \/ 2026-10-26T09:00:00 \/ Herndon, VA","offer_id":48216585404635,"sku":"US-2059-IL","price":3436.0,"currency_code":"USD","in_stock":true},{"title":"274B57US \/ 2027-04-26T09:00:00 \/ Herndon, VA","offer_id":48669323985115,"sku":"US-2059-IL","price":3436.0,"currency_code":"USD","in_stock":true}],"url":"https:\/\/learningtreeinternational-dirinfosec-hhs.myshopify.com\/products\/csslp%c2%ae-training-and-certification","provider":"Learning Tree International","version":"1.0","type":"link"}