(ISC)² CSSLP domain 5: Secure software testing
Certified Secure Software Lifecycle Professional (CSSLP) is a certification for those who have a secure software development role. It validates that the certification holder has the expertise to integrate software security practices, such as authentication, authorization and auditing, into each stage of the software development lifecycle. To earn this certification, you must pass a certification exam that tests your knowledge of secure software lifecycle across eight domains of knowledge.
This article will detail domain 5 of the CSSLP certification exam and explore what secure software testing is, how secure software testing will help your career and what is covered in CSSLP domain 5.
CSSLP domains of knowledge
To earn the CSSLP certification, you need to pass the CSSLP certification exam. The exam covers the CSSLP common body of knowledge, or CBK, which is spread among eight domains of knowledge. These domains, and their respective weights of exam content, are below:
- Secure software concepts 10%
- Secure software requirements 14%
- Secure software architecture and design 14%
- Secure software implementation 14%
- Secure software testing 14%
- Secure software lifecycle management 11%
- Secure software deployment, operations [and] maintenance 12%
- Secure software supply chain 11%
What is secure software testing?
Secure software testing, or security testing for software development, is the secure software development lifecycle stage where the software is complete (functionally speaking) and begins beta testing. Its goal is to discover any security issues or vulnerabilities at this stage of software development. Traditional software testing focuses on testing software functionality with use cases as user scenarios (including whether making changes won’t break it, which secure software testing does cover). Secure software testing focuses on testing the software’s security by using security test cases.
How will secure software testing help my career?
Those who are CSSLP certification candidates are doing so to help propel their career in secure software development. The question some may have is how secure software testing will help my career? Testing is integral to any software development professional’s career, especially for those working on the secure side of development. This is because secure software testing adds the extra layer of focusing on security issues and vulnerabilities that basic functionality testing does not consider, such as attack surface validation, Scanning, and penetration tests, which hiring organizations. It is a foundational skill that hiring organizations will require when hiring for secure software development roles.
What’s covered in CSSLP domain 5 of the exam?
CSSLP domain 5 divides the secure software testing CBK into eight easily digestible objectives, making the world of secure software testing both easier and more approachable. CSSLP certification candidates will need to demonstrate mastery over security test cases, security testing strategy and planning, security testing documentation, identifying undocumented functionality, analyzing security implications of test results, classifying and tracking security errors and more. Below are the eight objectives covered by this domain:
5.1 Develop security test cases
Developing security test cases is the bread and butter of secure software testing. Think of it as the checklist of what you will need to do to test the software for software issues and vulnerabilities. This objective will cover:
- Attack surface validation
- Penetration tests
- Fuzzing (e.g., generated, mutated)
- Scanning (e.g., vulnerability, content and privacy)
- Simulation (e.g., simulating production, environment and production data and synthetic workloads)
- Failure (e.g., fault injection, stress testing and brake testing)
- Cryptographic validation (e.g., Pseudo-Random Number Generator (PRNG) and entropy)
- Regression tests
- Integration tests
- Continuous (e.g., synthetic transactions)
5.2 Develop security testing strategy and plan
If security test cases are the checklist for thorough, secure software testing, security testing strategy and planning are the road map of secure software testing. The two go hand in hand. Knowing how you will be security testing is just as important as knowing what you will be testing.
This objective contains:
- Functional security testing (e.g., logic)
- Nonfunctional security testing (e.g., reliability, performance and scalability)
- Testing techniques (e.g., white box and black box)
- Environment (e.g., interoperability, test harness)
- Standards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual (OSSTMM) and Software Engineering Institute (SEI))
- Crowdsourcing (e.g., bug bounty)
5.3 Verify and validate documentation (e.g., installation and setup instructions, error messages, user guides and release notes)
Observing good documentation practices in secure software testing is key, and the practice of verifying and validating documentation used in secure software testing is necessary. Imagine how accurate testing of one version of the software would be if it were to be predicated on release notes for a previous version!
5.4 Identify undocumented functionality
It is not altogether uncommon for undocumented functionality to be discovered during secure software testing. This objective shows how to identify this undocumented functionality.
5.5 Analyze security implications of test results (e.g., impact on product management, prioritization and break build criteria)
Having results from security software testing is one thing, but analyzing the security implications is another. This objective covers what you need to know for this important step in the secure software testing process.
5.6 Classify and track security errors
Discovering security errors in secure software testing is one thing but knowing how to classify and track them is necessary to get the most out of your testing. This objective covers:
- Bug tracking (e.g., defects, errors and vulnerabilities)
- Risk scoring (e.g., Common Vulnerability Scoring System (CVSS))
5.7 Secure test data
- Generate test data (e.g., referential integrity, statistical quality and production representative)
- Reuse of production data (e.g., obfuscation, sanitization, anonymization, tokenization and data aggregation mitigation)
5.8 Perform verification and validation testing
Learning about CSSLP domain 5
To earn the CSSLP certification exam, you have to first pass the CSSLP certification exam, which comprises eight domains of knowledge. CSSLP domain 5 covers secure software testing, which is a fundamental element of the secure software lifecycle. Mastering the objectives of CSSLP domain 5 is required to earn this secure software lifecycle professional certification.