ISC-squared archives - IT Career JumpStart


Jun 6 2009   5:29PM GMT

ISC-squared Creates a Software Lifecycle Credential

Posted by: Ed Tittel
IT careers, IT career planning, Information Security, IT certification, ISC-squared, CISSP, CLSSP

Ask any security-savvy software developer how best to make code secure, and he or she will quickly tell you something like “To make code secure, you must design it to be secure, then test the heck out of it to make sure the implementation lives up to that design goal.” And in fact, a growing body of knowledge in the software development community focuses on design tools and techniques to help make sure that what gets built is indeed as secure as possible, augmented by a growing number of automated tests designed to check such work from the security perspective.

This is a very good thing. No less a security eminence than Bruce Schneier believes that security testing is not only important, but also something that must be part and parcel of the development process, starting from initial design all the way through post-release maintenance and updates — throughout the entire software lifecycle, as it were. For some fascinating reading on this and just about any other security topic that might interest you, check out his blog “Schneier on Security” for some eye-opening and thought-provoking material.

The new credential is called the Certified Secure Software Lifecycle Professional (CSSLP) and aims to bring better knowledge and tools to bear on software design, development, and maintenance. The following primary subject areas figure into the CSSLP:

  • Secure Software Concepts: security implications that touch on software development
  • Secure Software Requirements: representing security needs and concerns during the requirements gathering phase of development
  • Secure Software Design: translating security requirements into application design elements and specifications
  • Secure Software Implementation/Coding: unit testing for security functionality and resistance to attack, developing secure code, including incident-handling and mitigation techniques
  • Secure Software Testing: QA testing that integrates tests for security functionality and resistance to attack
  • Software Acceptance: security analysis and investigation during software acceptance
  • Software Deployment, Operations, Maintenance, and Disposal: ensuring security during steady-state operations and when managing software

Anybody who’s familiar with the software lifecycle model for development will recognize that this new cert simply integrates security throughout that model’s existing phases and activities. This is a great way to make common sense and a growing body of thought and expertise more explicit and better recognized. If you’re a developer with a security bent, this could be just as potent a credential for coders as the CISSP is for system and network administrators and “security policy wonks.” Check it out on the CSSLP home page.

Feb 11 2009   3:12PM GMT

Prepping for CISSP? Check out CCCure.org

Posted by: Ed Tittel
IT certification, Career development, continuing education, adult education, infosec certification, CISSP, ISC-squared, Clement Dupuis

As I started working on one of our more successful books (it’s now in a fourth edition, and continues to generate modest but steady earnings), I first stumbled across French-Canadian Clement Dupuis’ outstanding CCCure.org Web site. For those prepping for the CISSP exam, this site is a real treasure trove of information, including all kinds of useful study tips and advice on how best to prepare for the exam, as well as beaucoup content and pointers to still more content to help candidates learn the necessary subject matter for each of the many categories and topic areas in the exam’s body of knowledge that they must master.

You’ll also find pointers to relevant training and tutorials, exam quizzes to help you hone your study skills, and even a nice collection of book reviews of CISSP study guides, including, thankfully, a good review of the aforementioned CISSP Study Guide to which James Michael Stewart, Mike Chapple, and I all contributed. But the best aspect of this resource has to be the on-site forums. Here, you can learn an awful lot by reading over postings from others with CISSP-related questions, and the answers that some incredible security luminaries regularly provide in response. If you need answers to your own questions, please do your homework and search existing threads first before posting, then be prepared to wait two, three, or sometimes even four days to get a reply. You won’t be sorry.

Of course, I should also mention that Clement Dupuis is no slouch in the security department: he’s a well-known instructor, researcher, and consultant in this area. He’s also now teaching for Shon Harris’ San Antonio-based training company, Logical Security, where he regularly rubs shoulders with other security experts as well.

If you need to add an excellent on-line resource to your study arsenal for the CISSP exam, CCCure.org is it. You’ll also find some coverage of the ISACA CISA and CISM exams here, too, but I haven’t explored it thoroughly enough to give it the same ringing endorsement I so happily give to the CISSP coverage, though I’m pretty sure I would do likewise were I to dig into it more deeply.