This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CSSLP
ISC2's Certified Secure Software Lifecycle Professional (CSSLP) training teaches professionals how to embed security across the software development lifecycle, covering concepts, management, requirements, architecture, and implementation.
Who Should Take This
The course targets software engineers, architects, and security analysts with at least four years of hands‑on experience in development or security. They seek to validate expertise, deepen knowledge of secure design patterns, and earn the CSSLP credential to advance their careers and protect organizational assets.
What's Covered
All eight domains of the ISC2 CSSLP Common Body of Knowledge:
- Domain 1: Secure Software Concepts
- Domain 2: Secure Software Lifecycle Management
- Domain 3: Secure Software Requirements
- Domain 4: Secure Software Architecture and Design
- Domain 5: Secure Software Implementation
- Domain 6: Secure Software Testing
- Domain 7: Secure Software Deployment, Operations, and Maintenance
- Domain 8: Secure Software Supply Chain
Course Outline
69 learning goals
Domain 1: Secure Software Concepts
3 topics
Core security principles for software
- Apply the CIA triad (confidentiality, integrity, availability) along with authentication, authorization, and non-repudiation principles to define security properties that software systems must preserve.
- Implement defense-in-depth, least privilege, separation of duties, fail-secure defaults, and complete mediation as foundational secure design principles in software architecture decisions.
- Evaluate the Saltzer and Schroeder design principles including economy of mechanism, open design, and psychological acceptability to assess their application in modern software security architectures.
Security governance and risk concepts for software
- Apply software risk management concepts including threat identification, vulnerability assessment, impact analysis, and risk prioritization to inform secure development investment decisions.
- Analyze the regulatory landscape including GDPR, HIPAA, PCI DSS, SOX, and sector-specific requirements to determine software compliance obligations and security control mapping strategies.
- Design a software security governance framework that establishes secure development policies, security champion programs, maturity measurement, and executive reporting for organizational software risk posture.
Privacy and ethical considerations in software
- Implement privacy-by-design principles including data minimization, purpose limitation, consent management, and user transparency controls in software applications that process personal data.
- Evaluate ethical considerations in software development including responsible disclosure, algorithmic bias, surveillance capabilities, and dual-use technology implications for security professionals.
Domain 2: Secure Software Lifecycle Management
3 topics
Security in SDLC methodologies
- Implement security touchpoints across waterfall SDLC phases including security requirements in analysis, threat modeling in design, secure coding in implementation, security testing in verification, and hardening in deployment.
- Configure security integration points within agile and Scrum workflows including security user stories, definition of done security criteria, security sprint tasks, and iteration-level security reviews.
- Differentiate security integration approaches across waterfall, agile, spiral, and DevSecOps methodologies to recommend the most appropriate secure development framework for different organizational and project contexts.
Security maturity models and metrics
- Apply BSIMM (Building Security In Maturity Model) and OWASP SAMM assessment methodologies to measure organizational software security practice maturity across governance, intelligence, and touchpoint dimensions.
- Formulate a software security metrics program that tracks vulnerability density, mean time to remediate, security defect escape rate, and coverage ratios to demonstrate program effectiveness and guide improvement investments.
Secure development environment management
- Establish secure development environment controls including source code repository access management, branch protection rules, code signing requirements, and segregation of development, staging, and production environments.
- Implement secure configuration management practices including version control, change tracking, baseline management, and configuration audit procedures to maintain development infrastructure integrity.
Domain 3: Secure Software Requirements
3 topics
Security requirements engineering
- Execute security requirements elicitation techniques including abuse case modeling, misuse case development, attack surface enumeration, and stakeholder interviews to derive comprehensive security requirements.
- Apply regulatory compliance requirements from GDPR, HIPAA, PCI DSS, and NIST frameworks to derive specific, testable, and traceable software security requirements for regulated applications.
- Evaluate security requirement completeness and testability using structured analysis techniques to identify gaps in authentication, authorization, input validation, error handling, and audit logging requirements.
- Design a security requirements traceability matrix that maps security requirements to design decisions, implementation controls, test cases, and compliance evidence throughout the software lifecycle.
Data protection and privacy requirements
- Implement data classification requirements that define sensitivity levels, handling procedures, encryption standards, and retention policies for data processed, stored, and transmitted by the software application.
- Assess privacy impact by conducting data flow analysis, identifying personal data processing operations, and determining appropriate consent mechanisms, anonymization techniques, and data subject rights implementations.
Operational and environmental security requirements
- Configure security requirements for operational environments including deployment hardening standards, monitoring and alerting requirements, incident response hooks, and graceful degradation behaviors.
- Analyze availability and resilience requirements including recovery time objectives, recovery point objectives, and fault tolerance thresholds to specify software reliability and continuity controls.
Domain 4: Secure Software Architecture and Design
3 topics
Threat modeling and architecture risk analysis
- Execute threat modeling using STRIDE methodology to systematically identify spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege threats across software components and data flows.
- Apply PASTA (Process for Attack Simulation and Threat Analysis) risk-centric threat modeling to align threat assessment with business impact analysis, attack library enumeration, and residual risk scoring.
- Evaluate architecture risk analysis methodologies to identify design-level flaws including trust boundary violations, insufficient isolation, shared resource contention, and improper privilege separation in complex system architectures.
- Recommend a threat modeling program that integrates automated threat enumeration, collaborative whiteboard modeling, and continuous threat model maintenance into the development lifecycle.
Secure design patterns and architecture
- Implement secure design patterns including input validation gateways, authentication brokers, authorization enforcement points, secure session management, and secure error handling to prevent common vulnerability classes.
- Apply cryptographic architecture patterns including key derivation hierarchies, envelope encryption, secure random number generation, and certificate-based authentication to protect data confidentiality and integrity in software systems.
- Analyze microservices and distributed system security challenges including service mesh authentication, inter-service authorization, distributed tracing, and cascading failure containment to evaluate secure decomposition strategies.
- Design a secure software architecture that integrates authentication, authorization, audit logging, encryption, and error handling as cross-cutting concerns with consistent enforcement across all application layers.
Secure interface and API design
- Implement secure API design principles including authentication token management, rate limiting, input schema validation, output filtering, and versioning strategies to protect service interfaces from abuse.
- Assess secure user interface design approaches including CSRF protection, clickjacking prevention, content security policy headers, and secure form handling to mitigate client-side attack vectors.
Domain 5: Secure Software Implementation
4 topics
Secure coding practices
- Apply input validation and output encoding techniques including allowlist validation, parameterized queries, context-aware encoding, and canonicalization to prevent injection vulnerabilities across SQL, LDAP, OS command, and XSS attack vectors.
- Implement secure error handling and logging practices that prevent information leakage through error messages while providing sufficient audit trail detail for security monitoring and incident investigation.
- Configure secure session management including session token generation, cookie security attributes (HttpOnly, Secure, SameSite), session timeout enforcement, and session fixation prevention controls.
- Analyze the OWASP Top 10 and CWE Top 25 vulnerability categories to evaluate the effectiveness of defensive coding patterns and determine priority areas for secure coding standard enforcement.
Memory safety and concurrency
- Apply memory-safe coding practices to prevent buffer overflow, heap overflow, use-after-free, and format string vulnerabilities through bounds checking, safe string functions, and memory-safe language features.
- Implement concurrency controls including mutex locks, semaphores, atomic operations, and thread-safe data structures to prevent race conditions, deadlocks, and time-of-check-to-time-of-use vulnerabilities.
- Evaluate the security implications of programming language choice by comparing memory-safe languages (Rust, Go, Java) with memory-unsafe languages (C, C++) for different application security requirements.
Cryptographic implementation
- Implement cryptographic operations using vetted library APIs (OpenSSL, libsodium, Bouncy Castle) with appropriate algorithm selection, key length, initialization vector management, and padding mode configuration.
- Assess cryptographic implementation pitfalls including weak random number generation, hardcoded keys, improper certificate validation, and deprecated algorithm usage to identify remediation priorities in code audits.
Secure coding standards and code review
- Establish secure coding standards based on CERT Secure Coding, OWASP Secure Coding Practices, and CWE guidelines with automated enforcement through IDE plugins, pre-commit hooks, and CI/CD quality gates.
- Design a security-focused code review process that combines automated tool findings, manual expert review, and peer review workflows to maximize vulnerability detection rate while maintaining development velocity.
Domain 6: Secure Software Testing
3 topics
Static and dynamic analysis
- Configure static application security testing tools within CI/CD pipelines with appropriate rule sets, false positive suppression, and severity thresholds to automate vulnerability detection during the build phase.
- Deploy dynamic application security testing against running applications to detect runtime vulnerabilities including authentication bypass, authorization flaws, and injection points not identifiable through static analysis.
- Differentiate SAST, DAST, IAST, and RASP tool capabilities to determine optimal tool selection and deployment strategy for achieving comprehensive vulnerability coverage across different application architectures.
Fuzz testing and penetration testing
- Implement fuzz testing strategies including mutation-based, generation-based, and coverage-guided fuzzing to discover unexpected input handling vulnerabilities, crashes, and assertion failures in software interfaces.
- Evaluate penetration testing methodologies (OWASP Testing Guide, PTES, OSSTMM) to determine appropriate scope, techniques, and reporting formats for application-level security assessments.
- Analyze penetration test findings to prioritize remediation based on exploitability, business impact, and compensating control availability while integrating results into the vulnerability management lifecycle.
Security testing strategy and automation
- Implement security regression testing suites that verify previously remediated vulnerabilities remain fixed and detect security control regressions introduced by code changes or dependency updates.
- Design a comprehensive security testing strategy that orchestrates SAST, DAST, SCA, fuzz testing, and penetration testing across development, staging, and production phases with defined quality gates and escalation criteria.
Domain 7: Secure Software Deployment, Operations, and Maintenance
3 topics
Secure deployment and configuration
- Implement secure deployment procedures including environment hardening checklists, deployment verification testing, rollback procedures, and production access controls to maintain security during software releases.
- Configure secrets management solutions including vault-based credential storage, dynamic secret generation, secret rotation automation, and runtime injection to eliminate hardcoded credentials in application configurations.
- Evaluate infrastructure-as-code security practices including template scanning, drift detection, immutable infrastructure patterns, and GitOps workflows to assess deployment pipeline security posture.
Operational security and monitoring
- Implement application security monitoring including runtime anomaly detection, security event logging, application performance correlation, and automated alerting for suspicious behavior patterns.
- Establish a software vulnerability response process that defines triage criteria, severity classification, remediation SLAs, emergency patch procedures, and stakeholder communication for production security issues.
- Design a software security operations program that integrates vulnerability management, patch deployment, incident response, and security monitoring into unified operational workflows with measurable SLAs.
End-of-life and decommissioning
- Execute secure software decommissioning procedures including data migration, credential revocation, dependency notification, archive preservation, and secure data destruction for end-of-life applications.
- Assess end-of-life risk for legacy applications by evaluating unsupported dependency exposure, compensating control feasibility, and migration cost-benefit to recommend retirement or extended support strategies.
Domain 8: Secure Software Supply Chain
3 topics
Third-party component risk management
- Implement software composition analysis to inventory third-party and open-source dependencies, track known vulnerabilities (CVE/NVD), and enforce version currency policies across the application portfolio.
- Evaluate open-source license compliance risks including copyleft propagation, attribution obligations, and commercial license incompatibilities to determine acceptable dependency usage policies.
- Assess third-party vendor security practices including secure development attestation, vulnerability disclosure processes, and patch release cadence to determine supplier risk ratings and acceptable dependency sources.
SBOM and provenance management
- Configure automated SBOM generation using CycloneDX or SPDX formats integrated into CI/CD pipelines to maintain real-time software bill of materials for vulnerability tracking and regulatory compliance.
- Implement software provenance attestation using SLSA framework levels, Sigstore signing, and in-toto attestation to verify build integrity and establish tamper-evident audit trails for software artifacts.
- Analyze SBOM completeness and accuracy to identify transitive dependency risks, phantom dependencies, and version pinning gaps that could introduce untracked vulnerabilities into production deployments.
Build pipeline security and artifact integrity
- Establish secure artifact repository management including access controls, vulnerability scanning, promotion policies, and retention rules for container images, packages, and compiled binaries.
- Evaluate build pipeline attack vectors including dependency confusion, typosquatting, compromised build tools, and CI/CD credential theft to determine appropriate build system hardening controls.
- Design a comprehensive software supply chain security program that integrates SCA, SBOM management, provenance attestation, artifact signing, and continuous monitoring to protect against supply chain compromise across the organization.
Scope
Included Topics
- All eight domains of the ISC2 CSSLP Common Body of Knowledge: Domain 1 Secure Software Concepts (10%), Domain 2 Secure Software Lifecycle Management (11%), Domain 3 Secure Software Requirements (14%), Domain 4 Secure Software Architecture and Design (14%), Domain 5 Secure Software Implementation (14%), Domain 6 Secure Software Testing (14%), Domain 7 Secure Software Deployment, Operations, and Maintenance (12%), Domain 8 Secure Software Supply Chain (11%).
- Secure software development methodologies including security integration into waterfall, agile, DevSecOps, and SAFe frameworks with continuous security verification throughout the software lifecycle.
- Security requirements engineering: abuse case modeling, misuse case development, attack surface analysis, privacy requirements, compliance-driven security requirements (PCI DSS, HIPAA, GDPR), and security user stories.
- Secure architecture and design principles: threat modeling (STRIDE, PASTA, LINDDUN), secure design patterns, architecture risk analysis, trust boundary identification, and defense-in-depth layering for software systems.
- Secure implementation practices: secure coding standards (CERT, CWE, OWASP), input validation, output encoding, error handling, cryptographic API usage, memory safety, concurrency controls, and secure session management.
- Software security testing: static analysis (SAST), dynamic analysis (DAST), interactive analysis (IAST), fuzz testing, penetration testing, code review processes, and security regression testing in CI/CD pipelines.
- Secure deployment and operations: configuration hardening, secrets management, runtime protection, patch management, vulnerability response, end-of-life decommissioning, and secure update distribution mechanisms.
- Software supply chain security: third-party component risk assessment, SBOM management, open-source license compliance, dependency vulnerability tracking, build pipeline integrity, and provenance attestation.
Not Covered
- Language-specific syntax and programming tutorials that do not directly relate to secure software lifecycle principles tested on the CSSLP exam.
- Infrastructure and network security operations detail that is not directly related to software security lifecycle management.
- Project management and general SDLC process detail that does not incorporate security integration points.
- Vendor-specific tool configuration beyond conceptual understanding of security tool categories and their roles in the secure SDLC.
Official Exam Page
Learn more at ISC2