
# CSSLP Certification

Here are my notes on the roadmap to obtaining the Certified Secure Software Lifecycle Professional certification.

## About

Exam cost: US\$599
Exam duration: 3h
Questions: 125 multiple choice
Exam language: English
Minimum score: 700 out of 1000.
Requirements: A candidate is required to have a minimum of four years of cumulative paid Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)2 CSSLP CBK, or three years of cumulative paid SDLC professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year degree leading to a Baccalaureate, or regional equivalent in Computer Science, Information Technology (IT) or related fields.

## Questions / Notes

### Concepts

Algorithm: A clearly specified mathematical process for computation; a set of rules that, if followed, will give a prescribed result.
Asset: Anything of value may be considered an asset. Assets may be tangible or intangible.
Asymmetric Algorithm: A reference to cryptographic algorithms that rely on a mathematically related public-private key pair to perform encryption/decryption. Whichever key is used to encrypt a message, the other key must be used to decrypt the message. Aside from confidentiality, these algorithms may also be used for the purpose of key exchange and/or digital signatures.
Authentication: The process of verifying a subject's identity based on one or more authentication factors. Authentication follows identification.
Authorization: The process of determining the rights and permissions of subjects in regard to objects. Authorization follows authentication.
Countermeasure: A reference to physical, administrative, or technical security controls used to protect assets. Countermeasures are reactive in nature.
Cryptographic Hash Function: An algorithm (function) suited for use in cryptography and used to map input data of arbitrary length to a fixed size output. Good hash functions are one way, deterministic, and collision resistant.
Deterministic: A reference to hash functions that always produce the same digest from the same input data.
Digital Signature: A reference to cryptographic operations that, when implemented correctly, can provide assurance for data integrity, origin, and nonrepudiation.
Encryption Algorithm: Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.
Identification: Claim of an identity by a subject.
Malware: Malicious software such as viruses, worms, or Trojans. Different malware may have different characteristics and deliver various payloads.
Safeguard: A reference to physical, administrative, or technical security controls used to protect assets. Safeguards are proactive in nature.
Software Development Lifecycle (SDLC): A framework and a systematic process with associated tasks that are performed in a series of steps for building software applications. The lifecycle begins with planning and requirements gathering and ends with decommissioning and sunsetting the software.
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Trusted Computing Base (TCB): Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.
Trusted Platform Module (TPM): A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.
Version Control: Also known as revision control or source control systems. A reference to software tools that are used by software development teams to manage the access and the changes to source code over time.

## Lifecycle and Risk Management

Adequate Security: Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Governance (Information Security): The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. {Ref: NIST Special Publication 800-100 Information Security Handbook: A Guide for Managers}
Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security Continuous Monitoring (ISCM): NIST 800-137 defines information security continuous monitoring (ISCM) as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."
Intellectual Property (IP): Intellectual property (IP) refers to creations of the mind: inventions; literary and artistic works; and symbols, names and images used in commerce.
Key Performance Indicator (KPI): Metric that provides meaningful insight, and can be used for decision making.
Residual Risk: Portion of risk remaining after security measures have been applied.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event and typically a function of:
1. the adverse impacts that would arise if the circumstance or event occurs and
2. the likelihood of occurrence.
Risk Assessment: The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Management: The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, and other organizations and includes: (i) establishing the context for risk-related activities, (ii) assessing risk, (iii) responding to risk once determined, and (iv) monitoring risk over time.
Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Risk Monitoring: Maintaining ongoing awareness of an organization's risk environment, risk management program, and associated activities to support risk decisions.
Risk Response: Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (e.g., mission, functions, image, or reputation), organizational assets, individuals, and other organizations.
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Administrative Controls: Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
Artificial Intelligence: The ability of computers and robots to simulate human intelligence and behavior.
Baseline: A documented, lowest level of security configuration allowed by a standard or organization.
Biometric: Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
Bot: Malicious code that acts like a remotely controlled "robot" for an attacker, with other Trojan and worm capabilities.
Classified or Sensitive Information: Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.
Criticality: A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1
Data Integrity: The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A
Encryption: The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.
General Data Protection Regulation (GDPR): In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
Health Insurance Portability and Accountability Act (HIPAA): This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individuals' health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.
Impact: The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
International Organization of Standards (ISO): The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.
Internet Engineering Task Force (IETF): The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B
Likelihood: The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
Likelihood of Occurrence: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
Multi-Factor Authentication: Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
National Institute of Standards and Technology (NIST): The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.
Non-repudiation: The inability to deny taking an action such as creating information, approving information and sending or receiving a message.
Personally Identifiable Information (PII): The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information."
Physical Controls: Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Privacy: The right of an individual to control the distribution of information about themselves.
Probability: The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1
Protected Health Information (PHI): Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Qualitative Risk Analysis: A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high. Source: NISTIR 8286
Quantitative Risk Analysis: A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. Source: NISTIR 8286
Risk Acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
Risk Assessment: The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
Risk Avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Management: The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.
Risk Tolerance: The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.
Risk Transference: Paying an external party to accept the financial impact of a given risk.
Risk Treatment: The determination of the best way to address an identified risk.
Sensitivity: A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1
State: The condition an entity is in at a point in time.
System Integrity: The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A
Technical Controls: Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.
Threat Actor: An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.
Threat Vector: The means by which a threat actor carries out their objectives.
Token: A physical object a user possesses and controls that is used to authenticate the user's identity. Source: NISTIR 7711

### Software Requirements

Attack Patterns: A reference to the conceptual pattern and description of how a particular type of attack is implemented.
Common Attack Pattern Enumeration and Classification (CAPEC): A repository and dictionary of commonly known patterns of attack used for exploitation.
Data Anonymization: The process of sanitizing data by removing personally identifiable information from the data sets for the purpose of privacy protection.
Data Breach: Release of sensitive information to parties without valid need to know. Not every event is a security incident, and not every security incident is a data breach.
Data Classification: In the context of information security, this is a reference to the process used by organizations to assess what types of data they hold, put them in different categories (based on some criteria such as a confidentiality requirement), determine the degree of protection that should be given to each category, and specify access and handling requirements for each category of data.
Data Custodian: A reference to a subject or entity with the responsibility to maintain the data and ensure that safeguards and countermeasures for data protection are implemented.
Data Lifecycle: Sequence of stages throughout the life of data from the time that data is collected/generated to the time that it is destroyed and every stage in between, including storage, usage, sharing, and archival. Any reference to the protection of sensitive data throughout the lifecycle should be interpreted as protection of data through each and every stage of the lifecycle.
Data Owner: A reference to a subject or entity with the authority/responsibility for performing classification, defining the protection needs, determining retention/destruction requirements, and validating access needs in regard to the data.
Data Privacy: Related to (but not the same as) data security, and primarily concerned with proper collection, storage, and handling of data through its destruction, sharing with third parties, notices, consent, and regulatory obligations.
Data Subject: A reference to the individual to whom the personal data refers.
Misuse Case: A reference to a use case from a hostile actor's perspective. Created from use cases and likely representing an interaction with the system in ways that the system was not designed to be used. Can help with the identification of security requirements, controls, and security test cases.
NIST Special Publication (SP): A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
Security Requirements Traceability Matrix: A reference to a document that is created to link/map the requirements to test cases. This document may serve various purposes throughout the software lifecycle, but the primary objective is to provide forward and backward traceability to ensure that all defined requirements are tested.
Use case: Usage scenario and set of interactions between users and a system in ways that the system was designed to be used. Use cases can serve the purpose of identifying and clarifying the requirements.
User Story: In Agile methodologies, a high-level description of a user requirement, typically originating from a business user need.

## Architecture and Design

Attack Surface: Attack surface (of software) is the totality of all the software exposure points and different ways that an adversary can inflict damage.
Data-flow Diagram: A visual representation of a process, or flow of data through systems.
DREAD: A risk ranking (rating) methodology. Frequently used with STRIDE, the acronym stands for damage potential, reproducibility, exploitability, affected users, and discoverability.
Driver (device driver): Software layer that provides an interface for accessing the functions of hardware devices. Typically used by the operating system.
Kernel: The essential and core component of the operating system that manages computer resources.
Microservices: An architectural approach that is considered a variant of the service-oriented architecture (SOA) and is particularly suited for developing web or mobile applications. Applications are constructed as a collection of loosely coupled and independent services.
Pervasive Computing: Also referred to as ubiquitous computing. It is about embedding capabilities (through microcontrollers) into everyday objects in our environment and providing them with storage, processing, and transmission capabilities. With all these objects connected to the internet, the basis for Internet of Things (IoT) was established.
Rich Internet Application (RIA): Breed of a web application that is delivered over the web and has many of the characteristics (i.e., look and feel) of desktop application software.
Service-oriented Architecture (SOA): An architectural style where business functionality is encapsulated and made available through the network as a service for consumption using well-defined interfaces. SOA promotes interoperability and reusability.
STRIDE: A threat modeling and categorization methodology. The acronym stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privileges.
Third-party Software: Acquired software, proprietary or open source, not developed in house.
Threat Modeling: A systematic process of identifying potential threats to the application, ranking the threats by risk, and selecting appropriate mitigations.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Web Services: An implementation of service-oriented architecture (SOA). Interoperability is achieved through XML-based open standards. Standards like Web Services Description Language (WSDL), Simple Object Access Protocol (SOAP), and Universal Description, Discovery, and Integration (UDDI) provide the approach for defining, publishing, and using web services.