Requirements and Certification process

Certified Secure Software Lifecycle Professional (CSSLP) - How to Certify

There are four processes an aspirant must successfully complete to become a certified CSSLP:
  1. Examination
  2. Certification
  3. Endorsement
  4. Audit

Examination

  • Sign up for the examination date and location
  • Submit the examination fee
  • Assert that you have a minimum of four years of professional experience in the software development life cycle (SDLC) field, or three years plus a college degree
  • Complete the testing agreement, attesting to the truth of your assertions regarding professional experience, and legally committing to adhere to the (ISC)² Code of Ethics
  • Successfully answer four questions regarding criminal history and related background

Certification

To be issued a certificate, a candidate must:

  • Pass the CSSLP examination
  • Successfully pass an audit of their assertions regarding professional experience, if the candidate is selected for audit

Endorsement

  • A candidate who passes the CSSLP Experience Assessment must be endorsed by another (ISC)² certified professional in good standing before the credential can be awarded.
  • The endorser attests that the candidate's assertions regarding professional experience are true to the best of the endorser's knowledge, and that the candidate is in good standing within the information security industry.

Audit

Passing candidates will be randomly selected and audited by (ISC)² Services prior to the issuance of any certificate. Multiple certifications may result in a candidate being audited more than once.

Maintenance Requirements

  • Recertification is also required every three years, with ongoing requirements to keep your credentials in good standing. This is primarily accomplished through continuing professional education (CPE), 90 credits of which are required every three years. A minimum of 15 CPEs must be posted during each year of the three-year certification cycle.
  • CSSLPs must also pay an annual maintenance fee of $100 per year.

What is Certified Secure Software Lifecycle Professional?

Certified Secure Software Lifecycle Professional (CSSLP) is a new vendor-neutral application security certification governed by the non-profit International Information Systems Security Certification Consortium (commonly known as (ISC)²), intended to validate secure software development knowledge and best practices. As of October 10, 2008, (ISC)² has reported certifying 61,763 information security professionals in 133 countries. A range of organizations have expressed their support for the CSSLP, including Microsoft, Symantec, Cisco, SANS, DSCI (NASSCOM), SRA International, Software Assurance Forum for Excellence in Code (SAFECode), Xerox, ISSA, BASDA (Business Application Software Developers' Association), and Frost & Sullivan.

Scope of CSSLP Certification

It's no secret that security is not being addressed from a holistic perspective throughout the software lifecycle. Some 80% of all security breaches are application related, equating to more than 226,000,000 records being exposed and fines totaling massive amounts.

The following domains make up the CSSLP CBK, centered on the requirement for building security into the SDLC:

  1. Software Concepts - security implications in software development
  2. Software Requirements - capturing security requirements in the requirements gathering phase
  3. Software Design - translating security requirements into application design elements
  4. Software Implementation/Coding - unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
  5. Software Testing - integrated QA testing for security functionality and resiliency to attack
  6. Acceptance - security implications in the software acceptance phase
  7. Deployment, Operations, Maintenance and Disposal - security issues around steady-state operations and management of software

Why do I need to Certify?

There are no guarantees that the software we all rely on is secure. A growing number of organizations and experts worldwide believe the enterprise is at great risk because the applications being accessed on a laptop could be entry points for potential hackers or bugs. The Gartner Group estimates that over 70% of security vulnerabilities exist at the application layer.

Benefits of Certification to the Professional

A broad range of respected organizations has expressed their support for the CSSLP and are sending their eligible software staff through the training and examination process.

Benefits of Certification to the Enterprise

Because security is often "bolted on" at the end of the SLC as a response to a threat or after an exposure, higher production costs and delays can ensue. Proper education and certification are far less expensive than hiring more employees to fix problems.

Introduction to the White Box Testing Process

Test Plan

The test plan should manifest the test strategy. The main purpose of having a test plan is to organize the subsequent testing process. It includes test areas covered, test technique implementation, test case and data selection, test results validation, test cycles, and entry and exit criteria based on coverage metrics.
In general, the test plan should incorporate both a high-level outline of which areas are to be tested and what methodologies are to be used, and a general description of test cases, including prerequisites, setup, execution, and a description of what to look for in the test results. The high-level outline is useful for administration, planning, and reporting, while the more detailed descriptions are meant to make the test process go smoothly.

While not all testers like using test plans, they offer a number of benefits:

  • Test plans provide a written record of what is to be done.
  • Test plans provide a way to measure progress. This allows testers to determine whether they are on schedule, and also provides a concise way to report progress to the stakeholders.
  • A test manager (or similar position) is responsible for developing and managing a test plan. The development managers are also part of test plan development, since the schedules in the test plan are closely tied to the development schedules.
  • Test plans allow project stakeholders to sign off on the intended testing effort. This helps ensure that the stakeholders agree with and will continue to support the test effort.
  • Test plans provide excellent documentation for testing subsequent releases; they can be used to develop regression test suites and/or provide guidance for developing new tests.
  • Due to time and budget constraints, it is often impossible to test all components of a software system. A test plan allows the analyst to succinctly record what the testing priorities are.

Test Automation

Test automation provides automated support for the process of managing and executing tests, especially for repeating past tests. All the tests developed for the system should be collected into a test suite. Whenever the system changes, the suite of tests that correspond to the changes, or those that represent a set of regression tests, can be run again to see if the software behaves as expected. Test drivers or suite drivers support executing test suites. Test drivers essentially help in setup, execution, assertion, and teardown for each of the tests.
In addition to driving test execution, test automation requires some automated mechanisms to generate test inputs and validate test results. The nature of test data generation and test results validation largely depends on the software under test and on the testing intentions of particular tests. In addition to test automation development, stub or scaffolding development is also required. Test scaffolding provides some of the infrastructure needed in order to test efficiently.
White box testing mostly requires some software development to support executing particular tests. This software establishes an environment around the test, including states and values for data structures and runtime error injection, and acts as a stub for some external components. Much of what scaffolding is for depends on the software under test. However, as a best practice, it is preferable to separate the test data inputs from the code that delivers them, typically by putting inputs in one or more separate data files.
This simplifies test maintenance and allows for reuse of test code. The members of the testing team are responsible for test automation and supporting software development. Typically, a member of the test team is dedicated to the development effort.
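The test driver pattern described above (setup, execute, assert, teardown, with the inputs held apart from the driver code), as an added example that is not part of the original page. The function under test, `safe_filename`, and the JSON test cases are constructed for this illustration; each case targets one branch of the function, including its error-handling path, which is the kind of branch-level targeting white box testing is about.

```python
import json
import os
import shutil
import tempfile

# Software under test (a constructed sample, not code from the original page):
# a file-name validator with several branches a white box tester would target.
ALLOWED_EXT = {".txt", ".log"}

def safe_filename(name):
    """Return the validated file name, or raise ValueError (the error path)."""
    if not isinstance(name, str) or not name:
        raise ValueError("empty name")
    if os.path.basename(name) != name:
        raise ValueError("directory components are not allowed")
    if name in (".", "..") or name.startswith("."):
        raise ValueError("relative or hidden names are not allowed")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension %r is not allowed" % ext)
    return name

# Test inputs are kept apart from the driver, as the text recommends.  A real
# suite would read them from a data file; here they are a constructed JSON
# document with one case per branch of safe_filename().
TEST_DATA = """[
 {"id": "T1", "input": "report.txt",    "expect": "ok",    "covers": "happy path"},
 {"id": "T2", "input": "../etc/passwd", "expect": "error", "covers": "directory branch"},
 {"id": "T3", "input": "..",            "expect": "error", "covers": "relative-name branch"},
 {"id": "T4", "input": ".hidden.txt",   "expect": "error", "covers": "hidden-name branch"},
 {"id": "T5", "input": "shell.sh",      "expect": "error", "covers": "extension branch"},
 {"id": "T6", "input": "",              "expect": "error", "covers": "empty-input branch"},
 {"id": "T7", "input": "NOTES.LOG",     "expect": "ok",    "covers": "extension case folding"}
]"""

def run_suite(data_json=TEST_DATA):
    """Test driver: setup, execute, assert and teardown for every case.

    Returns {case id: passed}, so the same suite can be rerun as a regression
    check whenever safe_filename() changes."""
    results = {}
    for case in json.loads(data_json):
        scratch = tempfile.mkdtemp()                  # setup: isolated scratch dir
        try:
            target = os.path.join(scratch, safe_filename(case["input"]))
            # an accepted name must resolve to a file inside the scratch dir
            inside = os.path.dirname(os.path.abspath(target)) == scratch
            outcome = "ok" if inside else "escaped"
        except ValueError:
            outcome = "error"                         # the error-handling path
        results[case["id"]] = (outcome == case["expect"])
        shutil.rmtree(scratch)                        # teardown
    return results
```

Calling `run_suite()` returns a pass/fail map keyed by case id; adding a case to the JSON document extends the suite without touching the driver.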

Test Environment

Testing requires the existence of a test environment. Establishing and managing a proper test environment is critical to the efficiency and effectiveness of testing. For simple application programs, the test environment generally consists of a single computer, but for enterprise-level software systems, the test environment is much more complex, and the software is usually closely coupled to the environment. For security testing, it is often necessary for the tester to have more control over the environment than in many other testing activities. This is because the tester must be able to examine and manipulate software/environment interactions at a greater level of detail, in search of weaknesses that could be exploited by an attacker.
The tester must also be able to control these interactions. The test environment should be isolated, especially if, for example, a test technique produces potentially destructive results during testing that might invalidate the results of any concurrent test or other activity. Testing malware (malicious software) can also be dangerous without strict isolation. The test manager is responsible for coordinating test environment preparation. Depending on the type of environment required, the members of the development, testing, and build management teams are involved in test environment preparation.

Test Execution

Test execution involves running the test cases developed for the system and reporting test results. The first step in test execution is generally to validate the infrastructure needed to run tests in the first place. This infrastructure primarily encompasses the test environment and test automation, including stubs that might be needed to run individual components, synthetic data used for testing or for populating databases that the software needs to run, and other applications that interact with the software. The issues being sought are those that will prevent the software under test from being executed, or else cause it to fail for reasons not related to faults in the software itself.
The members of the test team are responsible for test execution and reporting.

Importance of Risk Analysis in White Box Testing

Security is always relative to the information and services being protected, the skills and resources of adversaries, and the costs of potential assurance remedies; security is an exercise in risk management. The object of risk analysis is to determine the specific vulnerabilities and threats that exist for the software and assess their impact.
White box testing should use a risk-based approach, grounded in both the system's implementation and the attacker's mindset. White box testing should be based on architecture and design-level risk analysis. This content area will discuss how to use the results of risk analysis for white box testing, while the Architectural Risk Analysis content area discusses risk analysis in detail. Risk analysis should be the guiding force behind all white box testing related activities.
The following paragraphs briefly introduce how the risk analysis results are used in white box testing. The subsequent sections discuss the activities in detail. The risk analysis report, in combination with a functional decomposition of the application into major components, processes, data stores, and data communication flows, mapped against the environments across which the software will be deployed, allows for a desktop review of threats and potential vulnerabilities. The risk analysis report should help identify:

  • The threats present in each tier (or component).
  • The kind of vulnerabilities that might exist in each component.
  • The business impact (consequence and cost of failure of the software) of risks.
  • The likelihood (probability) of the risks being realized.
  • Existing and recommended countermeasures to mitigate identified risks.

Use the above information from the risk analysis report to:

Develop a test strategy: Exhaustive testing is seldom cost-effective and often not possible in finite time. Planned testing is therefore selective, and this selection should be based on risks to the system. The priority (or ranking) of risks from the risk analysis should be the guiding rule for the focus of testing, simply because highly threatened areas should be tested thoroughly. The test strategy captures all the decisions, priorities, activities, and focus of testing based on the consequence of failure of the software. The following section discusses test strategy in detail.

For detailed information on risk-based test planning:

Determine test coverage: The higher the consequence of failure of certain areas (or components), the higher the test coverage should be in those areas. Risk-based testing allows for justifying the rigor of testing in a particular area. For example, a specific component or functionality may have high exposure to untrusted inputs, hence warranting extra testing attention.
Develop test cases: While a test strategy targets the overall test activities based on risks to the system, a test case can target specific concerns or risks based on the threats, vulnerabilities, and assumptions uncovered during the analysis. For example, tests can be developed to validate the controls (or safeguards) put in place to mitigate a certain threat.

Inputs to White Box Testing

Some of the artifacts relevant to white box testing include source code, a risk analysis report, security specification/requirements documentation, design documentation, and quality assurance related documentation.
  • Design documentation is essential to improve program understanding and to develop effective test cases that validate design decisions and assumptions.
  • Architectural and design risk analysis should be the guiding force behind all white box testing related activities, including test planning, test case creation, test data selection, test technique selection, and test exit criteria selection. If a risk analysis was not completed for the system, this should be the first activity performed as part of white box testing. The following section discusses risk analysis.
  • Source code is the most important artifact required to perform white box testing. Without access to the code, white box testing cannot be performed, since it is based on testing software while knowing how the system is implemented.
  • Security testers should have access to quality assurance documentation to understand the quality of the software with respect to its intended functionality. Quality assurance documentation should include a test strategy, test plans, and defect reports. Load and performance tests are important in understanding the constraints placed on the system and the behavior of the system under stress.
  • Security specifications or requirements are a must, in order to understand and validate the security functionality of the software under test.
  • Any artifact relevant to program understanding should be available to white box testers.

How to Carry Out White Box Testing

The figure provides a graphical overview of the security testing process. This same process applies at all levels of testing, from unit testing to systems testing. The use of this document does not require subscribing to a specific testing process or methodology. Readers are urged to fit the activities described here into the process followed within their organization.

The general outline of the white box testing process is as follows:

  • Perform risk analysis to guide the whole testing process.
  • Develop a test strategy that defines what testing activities are needed to accomplish the testing goals.
  • Develop a detailed test plan that organizes the subsequent testing process.
  • Prepare the test environment for test execution.
  • Execute test cases and communicate results.
  • Prepare a report.

In addition to the general activities described above, the process diagram introduces review cycles, reporting mechanisms, deliverables, and responsibilities.

What is white box testing?

The goal of any security testing method is to ensure the robustness of a system in the face of malicious attacks or regular software failures. White box testing is performed based on knowledge of how the system is implemented. White box testing includes analyzing data flow, control flow, information flow, coding practices, and exception and error handling within the system, to test the intended and unintended software behavior.
White box testing can be performed to validate whether the code implementation follows the intended design, to validate implemented security functionality, and to uncover exploitable vulnerabilities. White box testing requires access to the source code. Though white box testing can be performed at any time in the life cycle after the code is developed, it is a good practice to perform white box testing during the unit testing phase. White box testing requires knowing what makes software secure or insecure, how to think like an attacker, and how to use different testing tools and techniques.
The first step in white box testing is to comprehend and analyze the source code, so knowing what makes software secure is a fundamental requirement. Second, to create tests that exploit the software, a tester must think like an attacker. Third, to perform testing effectively, testers need to know the different tools and techniques available for white box testing. The three requirements do not work in isolation, but together.