(ISC)² CSSLP domain 7: Secure software deployment, operations, maintenance
The Certified Secure Software Lifecycle Professional (CSSLP) is a secure software professional certification released by (ISC)². This certification validates that the certification holder has the know-how to incorporate security practices such as authorization, authentication, and auditing into the different phases of the SDLC, or software development lifecycle. The certification exam is made up of 8 domains of knowledge and this article will detail CSSLP domain 7 – secure software deployment, operations, and maintenance. It will explore what secure software deployment, operations, and maintenance are, how they can help your career and what is covered by CSSLP domain 7.
CSSLP domains of knowledge
The CSSLP certification exam is based upon the CSSLP CBK. This knowledge is spread among eight domains of knowledge. There are a few changes in the 2020 version of the exam since the previous version, such as an increase in CSSLP domain 7 exam content percentage from 9% to 12%. You may also notice that this domain name has changed slightly since the last exam version with the addition of the word “secure” which is ultimately only a cosmetic change. The current CSSLP domains of knowledge, and their respective exam content weight percentages, are below:
- Secure software concepts 10%
- Secure software requirements 14%
- Secure software architecture and design 14%
- Secure software implementation 14%
- Secure software testing 14%
- Secure software lifecycle management 11%
- Secure software deployment, operations and maintenance 12%
- Secure software supply chain 11%
What is a secure software deployment, operations and maintenance?
Secure software deployment, operations and maintenance refer to the moment that all secure software developers dream of (or dread). This is the moment where the rubber meets the proverbial road, and the secure software is released. Now, this is not a haphazard process thrown together at the last minute without a second thought, but rather is carefully calculated and thorough, but more on this below.
How will secure software deployment, operations and maintenance help my career?
CSSLP candidates (and others in secure software development) will help their careers greatly by knowing about secure software deployment, operations and maintenance. This is because while leading the secure software development lifecycle during the meat and potatoes of development is one thing, but unless you know how to transition the secure software from beta development to full-on deployment, as well as during production operations and maintenance, your career will be more of a supporting role in secure software development. Since hiring organizations will expect a secure software professional to lead during this late phase of the secure software lifecycle, it should be another piece in your secure software development range of skills.
What is covered by CSSLP domain 7 of the exam?
CSSLP domain 7 of the exam covers a wide array of processes that guide the release of the secure software that you have been working so hard on from deployment to being in operations (or production), as well as maintenance of the secure software going forward. The objectives are straightforward compared to some of the other domains of the CSSLP certification exam.
7.1 Perform operational risk analysis
- Deployment environment
- Personnel training (e.g., administrators vs. users)
- Safety criticality
- Safety integration
7.2 Release software securely
- Secure continuous integration and continuous delivery (CI/CD) pipeline
- Secure software toolchain
- Build artifact verification (e.g., code signing, checksums or hashes)
7.3 Securely store and manage security data
7.4 Ensure secure installation
- Bootstrapping (e.g., key generation, access and management)
- Least privilege
- Environment hardening
- Secure activation (e.g., credentials, whitelisting, device configuration, network configuration and licensing)
- Security policy implementation
- Secrets injection (e.g., certificate, Open Authorization (OAUTH) tokens and Secure Shell (SSH) keys)
7.5 Perform post-deployment security testing
As the name indicates, this objective tests your knowledge of security testing after the secure software has already been deployed in the field. It may seem redundant given the secure software has made it through thorough testing in CSSLP domain 5, this testing is just as important.
7.6 Obtain security approval to operate (e.g., risk acceptance, sign-off at the appropriate level)
Since this is secure software development, obtaining security approval to operate is critical to proving that the software meets all requirements and passes all criteria of the developing organization and other interested parties.
7.7 Perform information security continuous monitoring (ISCM)
- Collect and analyze security observable data (e.g., logs, events, telemetry and trace data)
- Threat intel
- Intrusion detection/response
- Secure configuration
- Regulation changes
7.8 Support incident response
- Root cause analysis
- Incident triage
7.9 Perform patch management (e.g. secure release, testing)
7.10 Perform vulnerability management (e.g., scanning, tracking and triaging)
7.11 Runtime protection (e.g., runtime application self-protection (RASP), web application firewall (WAF), address space layout randomization (ASLR))
7.12 Support continuity of operations
- Backup, archiving and retention
- Disaster recovery (DR)
- Resiliency (e.g., operational redundancy, erasure code and survivability)
7.13 Integrate service level objectives (SLO) and service level agreements (SLA) (e.g., maintenance, performance, availability and qualified personnel)
Learning about domain 7 of the CSSLP
CSSLP domain 7 covers secure software deployment, operations and maintenance. The knowledge in this domain covers what you need to know to implement a successful deployment of the secure software, and the post-deployment action items, such as performing ISCM, runtime protection, supporting continuity of operations and integration with SLOs and SLAs. This domain concludes the secure software development lifecycle, but it is not the final hurdle you will have to pass to earn the CSSLP certification. See you at my next article, CSSLP domain 8: secure software supply chain.