Certified Secure Software Lifecycle Professional

Course Info

Duration: 5 days (09:00~18:00; 8 hours per day)
Fee: NT$ 50000 Early Bird Discount Price: NT$ 45000
Points: 12.5

講師

★國際資安與專案管理資歷
Ray曾任跨國企業資安長 (CISO)、數位長 (CDO) 和產品主管，熟悉歐美、亞洲市場的技術標準與業務需求。
他在 AWS 安全架構、ISO 資安稽核、DevSecOps 與敏捷專案管理等領域，皆具備深厚的實戰經驗，是全球首批台灣首位 AWS Security Hero。

★跨領域資歷與國際認證
擁有多達 20 項國際專業認證，涵蓋資安 (CISSP、CSSLP、CISM、CEH)、雲端 (AWS-SCS、Azure Solutions Architect Expert)、軟體專案管理 (PMP、PMI-RMP) 等領域，並曾翻譯出版多本國際知名敏捷相關書籍。

★豐富教學經驗與實務應用推廣者
Ray Yes (ISC)²  & AWS原廠認證講師，並在台灣多家領先企業與教育機構擔任培訓導師，培養了大量資安與軟體專才。教學風格深入淺出，善於結合理論與實務，能夠幫助學員快速掌握複雜知識應用於實際工作。

★獲獎&國際認證無數的敏捷與資安推動者
曾多次榮獲台灣與國際資安、敏捷相關獎項，包括 PMI Taiwan 敏捷大獎、EC-Council Cybersecurity Career Mentor，並帶領團隊獲得 敏捷團隊大賞，同時活躍於資安與敏捷專業社群，現任 DevSecOps Taiwan 社長。

Features

Software development is the backbone of all system operations. Even critical security tools like firewalls, IDS/IPS, and more are powered by software. Yet, courses specifically focusing on software security are rare compared to other cybersecurity topics. The importance of developing secure software is only increasing, especially since most security breaches stem from vulnerabilities in information systems. Frequent patch updates (like various update notifications) further highlight the need for secure software development. This course is unique because it offers a cybersecurity certification tailored to everyone involved in the Software Development Life Cycle (SDLC).

The CSSLP covers eight key areas, including software security fundamentals, software lifecycle security management, secure software design, supply chain and software procurement, among others. The goal is to help those involved in software development understand and master the processes and methods of secure software development. It spans the entire software lifecycle and risk management, guiding professionals on the standards and tools to use at each development stage to assess overall security.

The CSSLP is an officially recognized cybersecurity certification by ISC2, with the certificate issued by ISC2. This certification helps businesses prevent the loss caused by security incidents and ensures the security and reliability of software development.

AIN Network Training Center is an ISC2 authorized training provider, and the instructors are certified and qualified by ISC2.

Course Outline

The CSSLP (Certified Secure Software Lifecycle Professional) course outline covers eight key domains. The following description is derived from the ISC2 official electronic textbook, 6th edition (latest version):

• Domain 1: Secure Software Concepts
  • Define core security goals for software development.
  • Describe the three elements of information security and explain the main mechanisms of information confidentiality, integrity and availability.
  • Describe the relationship between information security and data privacy.
  • Identify regulatory considerations that impact software security.
  • Explain how security methods mitigate vulnerabilities through access control.
  • Describe the purpose and function of multiple layers of protection in software security.
  • Describe how security culture and practices impact data privacy and security.
• Domain 2: Secure Software Life Cycle Management
  • Exploring security in predictive and adaptive approaches to software development.
  • Describe integrating software security practices into the SDLC process.
  • Define DevOps and DevSecOps.
  • Understand security configuration standards and benchmarks.
  • Describe the security-centered configuration management process.
  • Security standards for identifying software weaknesses and vulnerabilities.
  • Explain OWASP's Software Assurance Maturity Model (OpenSAMM) and Build Security Maturity Model (BSIMM).
  • Define software security milestones and checkpoints in DevSecOps.
  • Explain the system security plan.
  • Identify security-related documents.
  • Defining metrics in software development.
  • Develop software decommissioning policies and procedures.
  • Explain security reporting mechanisms in DevSecOps.
  • Describe risk assessment and risk management.
  • Review the implementation of safe operating procedures.
  • Determine security considerations during the container lifecycle.
• Domain 3: Secure Software Requirements
  • Describe requirements management.
  • Identify functional and non-functional requirements.
  • Explain the impact of security-focused stories in the SCRUM/Category SCRUM approach.
  • Describe the sources of software security requirements.
  • Analyze security policies and their supporting elements as internal sources of security requirements.
  • Interpret compliance requirements and consider laws, regulations, and industry standards as external sources of security requirements.
  • Discuss security standards and frameworks.
  • Describe data governance and ownership.
  • Describe material classification and security labels and markings.
  • Identify structured and unstructured data types.
  • Describe the data life cycle.
  • Identify privacy laws and regulations that reduce privacy risks.
  • Discuss data anonymization and list various anonymization methods.
  • Explain user consent, data retention and data processing in a privacy context.
  • Understand the impact of cross-border data transfers and limitations on the transfer of personal data.
  • Describe user and software data access requirements.
  • Describe misuse and abuse cases and their correlation to known attack patterns.
  • Describe the Security Requirements Traceability Matrix (STRM).
  • Determine security requirements for third-party vendors.
• Domain 4: Secure Software Architecture and Design
  • Describe architectural and security-related design patterns.
  • Understand security standards for interface design.
  • Compare and differentiate between various authentication and authorization mechanisms.
  • Describes credential management.
  • Identify the principles and tools used in cybersecurity.
  • Describe the methods used to maintain database security.
  • Identify threat modeling processes, tools, and methods.
  • Outline the process for attack surface assessment and management.
  • Discuss threat intelligence and sources of cyber threat information.
  • Describe the architectural risk assessment process.
  • Recognize non-functional safety attributes and limitations.
  • Determine considerations for security maintenance architecture.
• Domain 5: Secure Software Implementation
  • Characteristics that define secure coding standards.
  • Describes different ways to build security into outsourced applications.
  • Identify common defects in software and corresponding mitigation strategies.
  • Explain common secure coding practices.
  • Define protection methods for data in transit and at rest.
  • Identify software weaknesses listed in the most common vulnerability lists and databases.
  • Describe the functionality and methods of software assurance tools.
  • Describe the classification of controls by type and function.
  • Define controls to prevent common web application vulnerabilities.
  • Describe the process for defining security policies, including software risk considerations.
  • Identify the risks associated with using third-party and open source components and libraries.
  • Describe various integration categories and their relevance to software security.
  • Describe the build automation process
  • Explain the techniques used in software assurance
• Domain 6: Secure Software Testing
  • Identify common security testing techniques.
  • Describe the test environment.
  • Define the organization's software security standards and guidelines.
  • Explain the security of crowdsourcing and the benefits of bug bounty programs.
  • Guidelines for defining security testing
  • Identify various security testing cases.
  • Recognize the importance of designing misuse and abuse cases.
  • Profile verification and validation
  • Explain the structure and goals of the OWASP Application Security Validation Standard (ASVS). .
  • Describes undocumented functionality and source code.
  • Interpret the safety implications of test results.
  • Distinguish the type of test result.
  • Describe the process for tracking security flaws
  • Risk scoring system and Common Vulnerability Scoring System (CVSS) explained.
  • Explain the generation of test data and the consequences of using formal environmental data.
  • Describe the process for verification and validation testing.
• Domain 7: Secure Software Deployment, Operations, and Maintenance
  • Describe operational risk analysis in the context of the ISO 31000 series.
  • Describe Security Parameter Management (SecCM).
  • Identify elements of a secure continuous integration and continuous delivery (CI/CD) process.
  • Explain the application security toolchain.
  • Identify steps to identify application vulnerabilities.
  • Compare and differentiate common methods of storing and managing security information.
  • Describe secure installation procedures and methods.
  • Explain the security software startup mechanism.
  • Determine the steps and methods in the Authorization to Operate (ATO) process.
  • Explain how to perform continuous monitoring of information security.
  • Describe the incident contingency planning phases.
  • Link patch management processes to overall software security practices.
  • Describe methods and tools used for vulnerability management.
  • Describe how controls help protect the application during execution.
  • Compare and differentiate how business continuity and disaster recovery plans each support operational continuity.
  • Interpret and differentiate between Service Level Agreements (SLAs), Service Level Objectives (SLOs), and Service Level Indicators (SLIs) to enable continued supplier operations.
• Domain 8: Secure Software Supply Chain
  • Describe the software supply chain.
  • Review the software supply chain risk management process.
  • Explain the security risks associated with third-party software.
  • Risks associated with peer-to-peer applications and file sharing.
  • Code repository and environment security explained.
  • Describes components with cryptographic hashes and digital signatures.
  • Determine security requirements and principles in software procurement.
  • Elaborate on key software purchasing considerations.
  • Explain the contractual requirements for software procurement.

Exam Information

The exam locations and seats are limited, so please make sure to book your exam center in advance. The exam center information for Taiwan is as follows:

1. Pearson Professional Test Center Taipei, Taiwan台北市信義區基隆路一段163號12樓-3 聯合世紀大樓 電話：02-2756-7808
2. 4F-1, 38 Xinguang Rd., Lingya District, Kaohsiung City (Asia Pacific Financial Plaza) · Phone: 07-536-1199

• Exam content: 8 major domains: Introduction to Software Security, Software Lifecycle Security Management, Software Security Requirements, Software Security Design, Supply Chain and Software Procurement, Software Security Development, Software Security Development Testing, Software Deployment, Operations and Maintenance.
• Exam time: 3 hours
• Number of exam questions: 125 multiple choice questions (English)
• Exam fee: $599

Notes