CSSLP Course

©Copyrights 2013-2016 by Masoud Ostad
CSSLP by (ISC)2
Course
©2013-2016 DESIGN AND DEVELOPMENT BY
MASOUD OSTAD
VERSION 1.5 BETA
1

Course Outline
 Secure Software Concepts
 Secure Software Requirements
 Secure Software Design Note
 Secure Software Implementation and Coding Note
 Secure Software Testing
 Software Deployment, Operations, Maintenance and
Disposal
 *This color module in next version or refer to Application
Reverse Engineering Presentation
2

3

 While there is no indication that other organizations in this space are addressing
the knowledge areas in the same manner as the CSSLP, the following are
addressing software development and/or security in the software lifecycle:
 IEEE: CSDA and CSDP (Software Development)
 SANS: GSSP-C, GSSP-J (Language specific secure coding)
 ISSECO: CSSE (Entry level education program with certificate of completion)
 DHS: Software Assurance Initiative (Awareness Program/Forum)
 Vendor-Specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec -
based on internal lifecycle process or technology specific
Key Players

CSSLP
(ISC)²
Professional Certification
Program
CSDA
(IEEE)
Associate Level
Status
CSDP
(IEEE)
Professional
Certification Program
GSSP-C
(SANS)
Software Coder
GSSP-J
(SANS)
Software Coder
Software
Assurance
Initiative
(DHS)
Awareness Effort
CSSE
(ISSECO)
Entry-level
Education
Program
Certificate of
Completion
Vendor-
Specific
Credentials
Our Course Overlap with Other Certification

Secure Software Concepts
Core Concepts of Secure Software
Security Design Principles
Privacy
Governance, Risk, and Compliance
(GRC)
Software Development Methodologies
6

Holistic Security 7

Holistic Security Challenge
Iron Triangle
Constraints
Security as an
Afterthought
Security Versus
Usability
8

Iron Triangle Constraints
Scope
Schedule Budget
9

Relative Cost of Software Defects 10

TQM
 Security is not separate of Product Quality
 Before release or developed you should be test
product
 Code structure test
 Feature test
 Function test
 Logical Test
 Match with ISO standard
 For example ITIL like 6Sigma
11

Security Profile Model 12

Security Profile Detail
 Authentication
The identifying information provided in this mechanism
for validation is something that you own or have
 Knowledge
 Provide a Mechanism for valid Identity like : UN/PW or Passphrase
or PIN
 Ownership
 Provide a Mechanism for valid Specify Identity like Token or Smart
Card
 Characteristic
 Provide a Mechanism for valid Specify Identity mix with Biometric
Method like Fingerprint , Blood ,Retina , Face and Voice
13

 Authorization
 its top of layer of security concern or upper authentication
 This method shown area of access or number of access
 For detect material of user like human or not
 With Authorization can manage an Object or target
 For example in Database use (CRUD Concept)
 Availability
 BCP
 SLA
14

 Accountability and Non-repudiation
 Auditing is the security concept in which privileged and critical
businesses transactions are logged and tracked.
 For example an online shopping store view by Customer or Developer
 At a bare minimum, audit fields which include who (the subject which may
be a user or process) did what (operations such as create, read, update,
delete etc.), where (the object on which the operation is performed such as
a file or table) and when (timestamp of the operation) along with a before
and after snapshot of the information that was changed must be logged for
all administrative (privilege) or critical transactions as defined by the business.
 Never overwrite new log on old log
 Non-repudiation addresses the deniability of actions taken by either a
user or the software on behalf of the user.
 In Iran Like National Code Validation or NCV
15

Risk Management Standard
 National Institute of Standards and Technology deploy SP800-64
 Systems Development Life Cycle or SDLC
 CSSLP must be familiar with are covered in this section
 Some of the definitions used in this section are from NIST Risk
Management Guide to Information Technology Systems special
publication 800-30 (SP 800-30).
 In the next page explain terminology
16

Standard Terminology 17
Asset
Vulnerability
Threat Protection
Attack
Probability Impact
Exposure
Factor
Control

Type of Security Standard 18
Standards
Internal
e.g. Coding Standards
External
Industry
e.g. PCI-DSS
Government
e.g. NIST Standard
International
e.g. ISO Series
National
e.g. FIPS

SP 800-30: Risk Management Guide
for IT for Example
19

Federal Information Processing
(FIPS) standards for Example
 Some of the well-known FIPS publications that
are closely related to software security are
 FIPS 140: Security Requirement for Cryptographic
Modules
 FIPS 186: Digital Signature Standard
 FIPS 197: Advanced Encryption Standard
20

ISO/IEC 15408-1:2005 EAL for
Example
21

Software Development
Methodologies
Waterfall model
Iterative model
Spiral model
22

Waterfall Model
Requirement
Design
Implementation
Verification
Maintenance
23

Iterative Model for Small Project 24

Spiral Model (Mix Model) 25

Regulations, Privacy and
Compliance
Gramm-Leach-Bliley Act (GLB Act)
Health Insurance Portability and
Accountability Act (HIPAA)
State Security Breach Laws
Or Privacy Terms
26

Trust Computing Security Model 27
Ring0
OS Kernel
Ring1
IO Utilities
Ring2
Drivers
Ring3
User Application

28

Security Requirement Essential 29

Availability Requirement
 MTD : Maximum Tolerable Downtime
 RTO : Recovery Time Object
 BIA : Business Impact Analyst
30

Additional Security Requirement 31

Confidentiality Requirement 32

Masking Confidentiality Method
Masking
Method
In Transit
In Processing
In Storage
33

Type of Access Control Model
ACM
Discretionar
y Access
Control
(DAC)
Non-
Discretionar
y Access
Control
(NDAC)
Mandatory
Access
Control
(MAC)
Role-Based
Access
Control
(RBAC)
Resource-
Based
Access
Control
34
• DAC on Object
• NDAC on User
• MAC on User mapping Object
• RBAC make Role and assign
role to User
• Use Role and Group Role
• REBAC on Resource of System

Protection Needs Elicitation (PNE)
 PNE begins with the discovery of assets that need
to be protected from unauthorized access and
users.
 Some standard force to used this concept like
 The Information Assurance Technical Framework (IATF)
 The United States National Security Agency (NSA)
 The Information Systems Security Engineering (ISSE)
35

Protection Needs Elicitation (PNE)
Techniques
36

Policy Decomposition 37

38

Type of Cryptography 39

Symmetric Algorithm 40

Asymmetric Algorithm Method 41

Digital Certificate Component 42

Data Integrity using Hash Functions 43

Unsalted Hash 44

Salted Hash 45

Recreational Integrity or RDBMS 46

Availability Design
Replication
Replication usually follows
a master-slave or primary-
secondary backup
scheme in which there is
one master or primary
node and dates are
propagated to the slaves
or secondary node either
actively or passively.
Fail Over
In computing, failover
refers to the automatic
switching from an active
transactional software,
server, system, hardware
component or network to
standby (or redundant)
system.
47

Other Design Considerations
User
Interface
Application
Programming
Interfaces
Security
Management
Interfaces
Out-of-Band
Interface
Log
Interfaces
48

Type of Malware 49
Malware
Proliferative
Virus
Worm
Stealth ware
Spyware
Adware
Trojan
Rootkit
Ransomware

Cloud Model
50

Type of Cloud 51

Mobile Architecture 52

53

Programming Language 54

Compile and Linking 55

List of Organization for application
bug track and security advisory
 The National Vulnerability Database (NVD)
 Common Vulnerabilities and Exposures (CVE)
 Common Weakness Enumeration (CWE™)
 OWASP Top 10
 Open Source Vulnerability Database
 US Computer Emergency Response Team (CERT)
Vulnerability Notes Database
56

Man-in-The Middle 57

Man-in-The Middle is E2E Solution 58

Electronic Social Engineering
Phishing Pharming
Vishing SMSishing
ESE
59

Secure Software Processes
Versioning(CM)
Code Analysis(Syntax)(Automatic)
Code/Peer
review(Logic)(Manual)
60

Acquisition Lifecycle phases 61

CSSLP Course

In this document

CSSLP Course

Editor's Notes

CSSLP Course

In this document

More Related Content

What's hot

Similar to CSSLP Course

Recently uploaded

CSSLP Course

Editor's Notes