I just received my official notification from ISC² that I am officially a Certified Secure Software Lifecycle Professional (CSSLP). For those of you familiar with the CISSP, the CSSLP is related, but it is specifically focused on software development or procurement.
In order to demonstrate my knowledge, I was tested on security and risk-related activities covering the entire software lifecycle, from initial planning to securely decommissioning software and data being phased out.
Lessons Learned
1. The customer intrinsically accepts all project-related risk
While preparing for the test, I managed to learn a few new things. One of the most important is the realization that the customer is intrinsically accepting all of the risk related to the project. As software professionals, it is our job to assist the customer with this by determining their risk and required security level at the beginning of the project, managing the security requirements at the proper level throughout the project, and helping the customer to validate that these requirements have been met when we go to production.
2. The core security principles are confidentiality, integrity, and availability
- Confidentiality - Information is only exposed to users that are authorized to see it
- Integrity - Information can only be changed by users that are authorized to change it
- Availability - Information is available to users when they need it
3. Secure Software Deployments
Secure software only remains secure if it is deployed to a secure environment. Before, during, and after deployment, the environment's security must be maintained to the appropriate standards.
Of course I learned a lot more than that, but those three ideas stuck in my memory as important.