CSSLP Exam Outline Sept2020
The broad spectrum of topics included in the CSSLP Common Body of Knowledge (CBK®) ensures its relevancy
across all disciplines in the field of information security. Successful candidates are competent in the following
eight domains:
Experience Requirements
A candidate is required to have a minimum of four years of cumulative paid Software Development Lifecycle
(SDLC) professional work experience in one or more of the eight domains of the (ISC)² CSSLP CBK, or three
years of cumulative paid SDLC professional work experience in one or more of the eight domains of the
CSSLP CBK with a four-year degree leading to a Baccalaureate, or regional equivalent in Computer Science,
Information Technology (IT) or related fields.
If you don’t have the required experience to become a CSSLP, you may become an Associate of (ISC)² by
successfully passing the CSSLP examination. You will then have five years to earn the four years required
experience. You can learn more about CSSLP experience requirements and how to account for part-time work
and internships at www.isc2.org/Certifications/CSSLP/experience-requirements.
Accreditation
CSSLP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard 17024.
» Data anonymization
» User consent
» Disposition (e.g., right to be forgotten)
» Data retention
» Cross borders (e.g., data residency, jurisdiction, multi-national data processing boundaries)
» Understand common threats (e.g., Advanced Persistent Threat (APT), insider threat, common malware, third-party/supplier)
» Attack surface evaluation
» Threat intelligence (e.g., Identify credible relevant threats)
3.10 Use Secure Architecture and Design Principles, Patterns, and Tools
» Secure logging & auditing
» Session management
» Trusted/Untrusted Application Programming Interfaces (APIs), and libraries
» Type safety
» Resource management (e.g., compute, storage, network, memory management)
» Secure configuration management (e.g.,
» Access control (e.g., trust zones, function permissions, Role Based Access Control (RBAC))
» Processor microarchitecture security extensions (e.g., Software Guard Extensions (SGX), Advanced Micro Devices (AMD) Secure Memory Encryption (SME)/Secure Encrypted Virtualization (SEV), ARM TrustZone)
4.3 Implement Security Controls (e.g., watchdogs, File Integrity Monitoring (FIM), anti-malware)
4.5 Securely Reuse Third-Party Code or Libraries (e.g., Software Composition Analysis (SCA))
» Attack surface validation
» Penetration tests
» Fuzzing (e.g., generated, mutated)
» Scanning (e.g., vulnerability, content, privacy)
» Simulation (e.g., simulating production environment and production data, synthetic workloads)
» Failure (e.g., fault injection, stress testing, break testing)
» Cryptographic validation (e.g., Pseudo-Random Number Generator (PRNG), entropy)
» Regression tests
» Integration tests
» Continuous (e.g., synthetic transactions)
5.3 Verify and Validate Documentation (e.g., installation and setup instructions, error
messages, user guides, release notes)
5.5 Analyze Security Implications of Test Results (e.g., impact on product management,
prioritization, break build criteria)
6.6 Develop Security Metrics (e.g., defects per line of code, criticality level, average
remediation time, complexity)
» End of life policies (e.g., credential removal, configuration removal, license cancellation, archiving)
» Data disposition (e.g., retention, destruction, dependencies)
» Security champions
» Security education and guidance
» Deployment environment
» Personnel training (e.g., administrators vs. users)
» Safety criticality
» System integration
» Credentials
» Secrets
» Keys/certificates
» Configurations
» Collect and analyze security observable data (e.g., logs, events, telemetry, and trace data)
» Threat intel
» Intrusion detection/response
» Secure configuration
» Regulation changes
7.11 Runtime Protection (e.g., Runtime Application Self-Protection (RASP), Web Application
Firewall (WAF), Address Space Layout Randomization (ASLR))
7.13 Integrate Service Level Objectives (SLO) and Service Level Agreements (SLA) (e.g.,
maintenance, performance, availability, qualified personnel)
» Identify
» Assess
» Respond
» Monitor
8.5 Support contractual requirements (e.g., Intellectual Property (IP) ownership, code escrow,
liability, warranty, End-User License Agreement (EULA), Service Level Agreements (SLA))
Legal Info
For any questions related to (ISC)²’s legal policies, please contact the (ISC)² Legal
Department at legal@isc2.org.
Any Questions?
(ISC)² Candidate Services
311 Park Place Blvd., Suite 400
Clearwater, FL 33759
(ISC)² Americas
Tel: +1.866.331.ISC2 (4722)
Email: membersupport@isc2.org
(ISC)² Asia-Pacific
Tel: +852.2850.6951
Email: membersupportapac@isc2.org
(ISC)² EMEA
Tel: +44.203.960.7800
Email: membersupportemea@isc2.org
v9/2021