CSSLP: Secure Software Concepts Competency

  • 16m
  • 16 questions
The Secure Software Concepts Competency benchmark will evaluate your knowledge of the secure software concepts of confidentiality, integrity, and availability (CIA), in addition to concepts that support CIA, such as authentication, authorization, accountability, and non-repudiation. You will be evaluated on your skills in ensuring key design principles are incorporated into the software development lifecycle, such as least privilege, separation of duties, defense in depth, fail-safe, complete mediation, least common, psychological acceptability, and single points of failure, as well as key security practices. A learner who scores high on this benchmark demonstrates that they have the skills to describe secure software core concepts and incorporate security practices into the software development lifecycle.

Topics covered

  • describe complete mediation principles such as cookie management, session management, and caching of credentials
  • describe different availability concepts such as failover, replication, clustering, scalability, and resiliency
  • describe fail safe principles such as exception handling, non-verbose errors, and deny by default
  • describe least privileges principles such as access control, need-to know, and run-time privileges
  • describe non-repudiation concepts such as PKI and digital signatures
  • describe open design principles such as peer reviewed algorithm
  • differentiate between authorization concepts such as access controls and entitlements
  • differentiate between different defense in depth principles such as layered controls, input validation, and security zones
  • differentiate between different integrity concepts such as hashing, digital signatures, code signing, reliability, alterations, and authenticity
  • eliminate single points of failure
  • list accountability concepts such as auditing and logging
  • list psychological acceptability principles such as password complexity and screen layouts
  • recognize available authentication concepts such as multifactor authentication, identity and access management, single sign-on, and federated identity
  • recognize confidentiality concepts such as covert, overt, and encryption
  • recognize least common mechanism principles such as compartmentalization/isolation
  • recognize separation of duties principles such as multi-party control, secret sharing, and splitting