CSSLP - ISC2

__**Domain 1: Secure Software Concepts**__

One-way hash
A reference to hash functions that make it easy to go in one direction and computationally infeasible to go in the opposite direction.

Safeguard
A reference to physical, administrative, or technical security controls used to protect assets. Safeguards are proactive in nature.

Software development lifecycle (SDLC)
A framework and a systematic process with associated tasks that are performed in a series of steps for building software applications. The lifecycle begins with planning and requirements gathering and ends with decommissioning and sunsetting the software.

Symmetric algorithm
A reference to cryptographic algorithms that rely on a single shared secret key for both encryption and decryption of a message. Examples include DES and AES.

Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Trusted computing base (TCB)
The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy.

Trusted Platform Module (TPM)
A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.

Two-factor authentication
An authentication scheme that uses two distinct factors from among the three factors of authentication to establish identity.
__**Domain 2: Secure Software Requirements**__

Attack patterns
A reference to the conceptual pattern and description of how a particular type of attack is implemented.

Common Attack Pattern Enumeration and Classification (CAPEC)
A repository and dictionary of commonly known patterns of attack used for exploitation.

Data anonymization
The process of sanitizing data by removing personally identifiable information from the data sets for the purpose of privacy protection.

Data breach
Release of sensitive information to parties without a valid need to know. Not every event is a security incident, and not every security incident is a data breach.

Data classification
In the context of information security, this is a reference to the process used by organizations to assess what types of data they hold, put them in different categories (based on some criteria such as a confidentiality requirement), determine the degree of protection that should be given to each category, and specify access and handling requirements for each category of data.

Data custodian
A reference to a subject or entity with the responsibility to maintain the data and ensure that safeguards and countermeasures for data protection are implemented.

Data lifecycle
Sequence of stages throughout the life of data from the time that data is collected/generated to the time that it is destroyed and every stage in between, including storage, usage, sharing, and archival. Any reference to the protection of sensitive data throughout the lifecycle should be interpreted as protection of data through each and every stage of the lifecycle.

Data owner
A reference to a subject or entity with the authority/responsibility for performing classification, defining the protection needs, determining retention/destruction requirements, and validating access needs in regard to the data.

Data privacy
Related to (but not the same as) data security, and primarily concerned with proper collection, storage, and handling of data through its destruction, sharing with third parties, notices, consent, and regulatory obligations.

Data subject
A reference to the individual to whom the personal data refers.

Misuse case
A reference to a use case from a hostile actor's perspective. Created from use cases and likely representing an interaction with the system in ways that the system was not designed to be used. Can help with the identification of security requirements, controls, and security test cases.

NIST Special Publication (SP)
A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Security requirements traceability matrix
A reference to a document that is created to link/map the requirements to test cases. This document may serve various purposes throughout the software lifecycle, but the primary objective is to provide forward and backward traceability to ensure that all defined requirements are tested.

Use case
Usage scenario and set of interactions between users and a system in ways that the system was designed to be used. Use cases can serve the purpose of identifying and clarifying the requirements.
__**Domain 3: Secure Software Design**__

Asset
Anything of value may be considered an asset. Assets may be tangible or intangible.

Attack surface
The attack surface (of software) is the totality of all the software exposure points and the different ways that an adversary can inflict damage.

Data-flow diagram
A visual representation of a process, or of the flow of data through systems.

DREAD
A risk ranking (rating) methodology. Frequently used with STRIDE, the acronym stands for damage potential, reproducibility, exploitability, affected users, and discoverability.

Driver (device driver)
Software layer that provides an interface for accessing the functions of hardware devices. Typically used by the operating system.

Kernel
The essential and core component of the operating system that manages computer resources.

Microservices
An architectural approach that is considered a variant of the service-oriented architecture (SOA) and is particularly suited for developing web or mobile applications. Applications are constructed as a collection of loosely coupled and independent services.

Pervasive computing
Also referred to as ubiquitous computing. It is about embedding capabilities (through microcontrollers) into everyday objects in our environment and providing them with storage, processing, and transmission capabilities. With all these objects connected to the internet, the basis for the Internet of Things (IoT) was established.
__**Domain 4: Secure Software Implementation**__

Buffer
A reference to an area (chunk) of memory. Normally set aside to temporarily hold data for processing or transfer from one place to another.

Buffer overflow
A reference to a situation where a process makes an attempt to place more data in a buffer than it has the capacity to hold. Buffer overflow can be caused by various conditions and in various ways, both on the stack and on the heap.

Code signing
A reference to the process of digitally signing executables/scripts with the objective of providing assurance of the integrity and authenticity of the code. Object signing certificates may be used for this purpose.

Compiler
A reference to the software used to convert/translate the program code (source code) into a machine-understandable format (i.e., object code).

Concurrency
A reference to an environment where multiple execution paths within the same process can exist at the same time. The objective is to have the ability to execute various parts of the program simultaneously and possibly out of order and yet not affect the expected final outcome. Concurrency-related issues are not just quality issues, but also security relevant, as they may introduce vulnerabilities. Time of check to time of use (TOCTOU) is an example.

Cryptographic agility
A reference to the ability to evolve and adopt alternative cryptographic primitives with ease. This capacity to swap out one cryptographic service provider for another is an important architectural consideration during the design of cryptographic libraries/frameworks (e.g., when the original provider becomes vulnerable/broken and must be replaced with an alternative).

Heap
A reference to the area of memory used for dynamic allocation of space. Failure to deallocate memory when it is no longer needed will result in memory leaks.

Injection vulnerability
A reference to a flaw in software and a common application vulnerability that would allow externally influenced (malicious) input to be used as part of the construction and subsequent execution of a command. Variations include SQL injection, OS command injection, and LDAP injection.

Integrated development environment (IDE)
A reference to software development tools that at minimum facilitate editing, compiling, linking, and debugging programs all in one place without having to constantly switch tools. Modern IDEs have become very comprehensive, and offer an array of capabilities beyond what is mentioned here (e.g., static code analysis capabilities).

Linker
Software used to combine compiled object files (e.g., yours and those of the third-party libraries) into one executable program. Static linking and dynamic linking are both common.

Obfuscation
A reference to the deliberate act of obscuring the code in various forms (e.g., source code, bytecode, object code). The objective is to either make the code difficult for humans to understand or to protect against decompiling and reverse-engineering. Ultimately, it is about the protection of intellectual property.

Stack
A reference to an area of memory that is used for static allocation of space for program variables and used during function calls.

Type safety
A reference to the capacity of a programming language to discourage/prevent data-type-related issues such as unsafe type conversions/operations. Java is considered an example of a type-safe language. C is an example of a type-unsafe language.
__**Domain 5: Secure Software Testing**__

Black-box testing
A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. May also be referred to as zero-knowledge testing, and best suited for uncovering certain types of vulnerabilities in software. Resource: csrc.nist.gov/glossary

Functional testing
Type of software testing that remains focused on validating the functional behavior of the software, and the assurance that the software meets its functional specifications and requirements.

Fuzz testing (software)
Type of testing that is best suited for uncovering certain types of memory-related issues/vulnerabilities that may be present in software (e.g., memory leaks, buffer overflows) by subjecting the entry points of the software to invalid or random input types, ranges, and input lengths. It is normally conducted using automated testing tools and techniques.

Non-functional testing
Type of software testing that remains focused on validating the non-functional aspects of the software, including its performance, usability, scalability, recoverability, and security.

Penetration testing (software)
Type of security testing that is conducted from the perspective of the attackers and targets the application while it is running in its production or production-like environment. Penetration testing represents an intrusive testing method, which can potentially cause harm. Pen testing is generally conducted using automated and manual testing techniques. Addressing rules of engagement is the first step in every penetration test activity. Penetration tests follow a specific methodology.

Pseudorandom number generator
A deterministic computational process that has one or more inputs called "seeds," which outputs a sequence of values that appears to be random according to specified statistical tests. Resource: csrc.nist.gov/glossary

Real user monitoring (RUM)
A monitoring tool/technology that aims to provide deeper insight into the end-user experience, performance, and general health of applications.

Regression testing
A reference to the type of software testing that remains concerned with the verification that new changes introduced to the software do not adversely affect the existing/old functionality.

Stress testing
Type of software testing that remains focused on verifying the stability and reliability of the software under stress conditions (beyond the normal limits of operation). Stress may be expressed in terms of excessive loads/volumes or even unexpected anomalies at run time (e.g., loss of connection to the network or to the database).

Synthetic monitoring
A monitoring tool/technology that relies on scripting capabilities and consistent sets of transactions to assess performance and availability, and aims to minimize the time to detect and mitigate production issues.

Test case
A reference to a procedure that is created and executed by software developers/testers to determine whether the software under test meets the specified requirement.

Test strategy
A reference to a high-level document that describes an organization's overall approach to testing the software.

Unit testing
Type of software testing that focuses on testing units of code in isolation, and is conducted by software developers during the implementation (coding) phase of the lifecycle. Dependencies of the code being tested in isolation are addressed through the creation of drivers and stubs.

Vulnerability scanner (software)
A software tool (commercial or open source) that is specially designed for uncovering weaknesses and vulnerabilities in software.

White-box testing
A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. May also be referred to as full-knowledge testing, and best suited for uncovering certain types of vulnerabilities in software. Resource: csrc.nist.gov/glossary
__**Domain 6: Secure Lifecycle Management / Acceptance**__

Adequate security
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

Assessment approach
The approach used to assess risk and its contributing risk factors, including quantitatively, qualitatively, or semi-quantitatively.

Governance (Information Security)
The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. {Ref: NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers}

Impact value
The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.

Information security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information security risk
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.

Intellectual property
Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names, and images used in commerce.

Likelihood of occurrence
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.

Qualitative assessment
Use of a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels.

Quantitative assessment
Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.

Residual risk
Portion of risk remaining after security measures have been applied.

Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.

Risk assessment
The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

Risk management
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, and other organizations, and includes: (i) establishing the context for risk-related activities, (ii) assessing risk, (iii) responding to risk once determined, and (iv) monitoring risk over time.

Risk mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Risk response
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, and other organizations.

Security controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerability assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
__**Domain 7: Software Deployment, Ops**__

Authorization to operate
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. Resource: https://csrc.nist.gov/glossary/term/authorization-to-operate

Business Impact Analysis (BIA)
An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. Resource: NIST, https://csrc.nist.gov/glossary/term/business-impact-analysis

Bytecode
A reference to code that has been generated by compiling Java source code. Bytecode is low level and can be interpreted/executed on any system/platform that provides a Java virtual machine and runtime environment.

Certificate (digital certificate)
A reference to a public key certificate, as a component of the public-key infrastructure (PKI), and based on the X.509 standard. Certificate fields include information that identifies the issuer of the certificate, the owner of the certificate, the owner's public key, and the validity period of the certificate, among other fields.

Disaster Recovery Plan (DRP)
Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days.

Dynamic application security testing (DAST)
A reference to a form of application security testing method and associated tools and technologies that focus on testing the application from the outside and in the runtime environment. Primarily used for web applications, DAST is appropriate for detecting certain types of security flaws/vulnerabilities, but most importantly is adequate for detecting configuration issues. DAST has its own pros and cons.

Hardening (software)
A reference to the process of applying secure configurations (to reduce the attack surface) and locking down various software, including the operating system, web server, application server, application, etc. Hardening is normally performed based on industry guidelines and benchmarks such as those provided by the Center for Internet Security (CIS).

Interactive application security testing (IAST)
A reference to combining/integrating SAST and DAST to improve testing and provide behavioral analysis capabilities to pinpoint the source of vulnerabilities.

Java Runtime Environment (JRE)
A reference to a software environment that allows programs compiled for a typical JVM implementation to run.

Software release
A reference to the distribution of software for use. Public release of software may be preceded by an alpha and a beta release.

Static application security testing (SAST)
A reference to a form of application security testing method and associated tools and technologies that focus on analyzing the source code and/or compiled versions of the code without running the code, for the purpose of detecting security flaws/vulnerabilities. SAST has its own pros and cons.

Steganography
A reference to a covert mechanism (in contrast to encryption) to enable secret communication. One example is hiding a message inside an image by manipulating the RGB values of image pixels.