CISSP Certification Training in Reading

In this course, students expand their knowledge by addressing the essential elements of the eight domains that make up the Common Body of Knowledge (CBK)® for information systems security professionals.

Learn CISSP with the new syllabus of 2024

CISSP Course Highlights

  • 40-Hour LIVE Instructor-Led Training
  • Immersive Learning
  • Career-oriented Skill-based Course
  • Guaranteed Lowest Price
  • Certified Trainers
  • Exam Voucher
  • Post Training Support
  • Access to Recorded Sessions

Choose your Preferred Learning Mode

ON DEMAND TRAINING

Learn on Your Own Time
1-to-1 learning
Customized Solutions

ONLINE TRAINING

Flexibility, Convenience & Time Saving
More Effective
Learning Cost Savings

Classes starting from

5th Sep: Weekend

15th Sep: Weekday

CORPORATE TRAINING

Anytime, Anywhere – Across The Globe
Hire A Trainer
At Your Own Pace
Customized Corporate Training

CISSP Course Description

The Certified Secure Software Lifecycle Professional (CSSLP) certification validates your expertise in secure software development and your ability to incorporate security practices throughout the Software Development Lifecycle (SDLC). To become certified, you must master the topics outlined in the CSSLP body of knowledge. CSSLP training teaches a comprehensive approach to designing, developing, and maintaining secure software applications. It equips professionals with the skills to address vulnerabilities, manage risks, and implement robust security controls, ensuring the protection of software from design to deployment and beyond.

Target Audience

  • Application Security Specialist
  • IT Director/Manager
  • Penetration Tester
  • Project Manager
  • Quality Assurance Tester
  • Security Manager
  • Software Architect
  • Software Developer
  • Software Engineer
  • Software Procurement Analyst
  • Software Program Manager

Pre-Requisite

A candidate must have:

  • Four years of cumulative paid Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the ISC2 CSSLP CBK.
  • Alternatively, three years of cumulative paid SDLC professional work experience in one or more of the eight domains of the CSSLP CBK, provided they also have a four-year degree (or regional equivalent) in Computer Science, Information Technology (IT), or related fields.

Exam Information

Number of Questions: 125
Exam Format: Multiple-choice
Exam Duration: 3 hours
Passing Score: 700 out of 1000 points
Language: English

Note:

  • CSSLP® is a registered mark of the International Information Systems Security Certification Consortium ((ISC)2).
  • We are not an authorized training partner of (ISC)2.

CISSP Course Objectives

  • Understand fundamental security principles and methodologies.
  • Apply security throughout the SDLC.
  • Identify and manage risks and vulnerabilities.
  • Integrate security with project management and governance.
  • Gather, analyze, and prioritize security requirements.
  • Create secure software specifications and design.
  • Apply security in architectural decisions and design.
  • Master secure coding and address security flaws during testing.
  • Manage software security in deployment and operations.
  • Learn secure software procurement and vendor risk management.

CISSP Course Content

Domain 1: Secure Software Concepts (12%)

  • 1.1: Understand Core Concepts 
    • Confidentiality (e.g., Encryption)
    • Integrity (e.g., Hashing, Digital Signatures, Code Signing, Reliability, Modifications, Authenticity)
    • Availability (e.g., Redundancy, Replication, Clustering, Scalability, Resiliency)
    • Authentication (e.g., Multi-Factor Authentication (MFA), Identity & Access Management (IAM), Single Sign-On (SSO), Federated Identity, Biometrics)
    • Authorization (e.g., Access Controls, Permissions, Entitlements)
    • Accountability (e.g., Auditing, Logging)
    • Nonrepudiation (e.g., Digital Signatures, Blockchain)
    • Governance, Risk and Compliance (GRC) Standards (e.g., Regulatory Authority, Legal, Industry)
  • 1.2: Understand Security Design Principles
    • Least Privilege (e.g., Access Control, Need-to-Know, Run-Time Privileges, Zero Trust)
    • Segregation of Duties (SoD) (e.g., Multi-Party Control, Secret Sharing, Split Knowledge)
    • Defense in Depth (e.g., Layered Controls, Geographical Diversity, Technical Diversity, Distributed Systems)
    • Resiliency (e.g., Fail Safe, Fail Secure, No Single Point of Failure, Failover)
    • Economy of Mechanism (e.g., Single Sign-On (SSO), Password Vaults, Resource Efficiency)
    • Complete Mediation (e.g., Cookie Management, Session Management, Caching of Credentials)
    • Open Design (e.g., Kerckhoffs’s Principle, Peer Review, Open Source, Crowd Source)
    • Least Common Mechanism (e.g., Compartmentalization/Isolation, Allow/Accept List)
    • Psychological Acceptability (e.g., Password Complexity, Passwordless Authentication, Screen Layouts, Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA))
    • Component Reuse (e.g., Common Controls, Libraries)

Domain 2: Secure Software Lifecycle Management (11%)

  • 2.1: Manage Security within a Software Development Methodology (e.g., Agile, Waterfall)
  • 2.2: Identify and Adopt Security Standards (e.g., Implementing Security Frameworks, Promoting Security Awareness)
  • 2.3: Outline Strategy and Roadmap
    • Security Milestones and Checkpoints (e.g., Control Gates, Break/Build Criteria)
  • 2.4: Define and Develop Security Documentation
  • 2.5: Define Security Metrics (e.g., Criticality Level, Average Remediation Time, Complexity, Key Performance Indicators (KPI), Objectives and Key Results)
  • 2.6: Decommission Applications
    • End of Life (EOL) Policies (e.g., Credential Removal, Configuration Removal, License Cancellation, Archiving, Service-Level Agreements (SLA))
    • Data Disposition (e.g., Retention, Destruction, Dependencies)
  • 2.7: Create Security Reporting Mechanisms (e.g., Reports, Dashboards, Feedback Loops)
  • 2.8: Incorporate Integrated Risk Management Methods
    • Regulations, Standards and Guidelines (e.g., International Organization for Standardization (ISO), Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), Software Assurance Forum for Excellence in Code (SAFECode), Software Assurance Maturity Model (SAMM), Building Security in Maturity Model (BSIMM))
    • Legal (e.g., Intellectual Property, Breach Notification)
    • Risk Management (e.g., Risk Assessment, Risk Analysis)
    • Technical Risk vs. Business Risk
  • 2.9: Implement Secure Operation Practices
    • Change Management Process
    • Incident Response Plan
    • Verification and Validation
    • Assessment and Authorization (A&A) Process

Domain 3: Secure Software Requirements (13%)

  • 3.1: Define Software Security Requirements
    • Functional (e.g., Business Requirements, Use Cases, Stories)
    • Non-Functional (e.g., Security, Operational, Continuity, Deployment)
  • 3.2: Identify Compliance Requirement
    • Regulatory Authority
    • Legal
    • Industry-Specific (e.g., Defense, Healthcare, Commercial, Financial, Payment Card Industry (PCI))
    • Company-Wide (e.g., Development Tools, Standards, Frameworks, Protocols)
  • 3.3: Identify Data Classification Requirements
    • Data Ownership (e.g., Data Dictionary, Data Owner, Data Custodian)
    • Data Labeling (e.g., Sensitivity, Impact)
    • Data Types (e.g., Structured, Unstructured)
    • Data Lifecycle (e.g., Generation, Storage, Retention, Disposal)
    • Data Handling (e.g., Personally Identifiable Information (PII), Publicly Available Information)
  • 3.4: Identify Privacy Requirements
    • Data Collection Scope
    • Data Anonymization (e.g., Pseudo Anonymous, Fully Anonymous)
    • User Rights (Legal) and Preferences (e.g., Data Disposal, Right to be Forgotten, Marketing Preferences, Sharing and Using Third Parties, Terms of Service)
    • Data Retention (e.g., How Long, Where, What)
    • Cross-Border Requirements (e.g., Data Residency, Jurisdiction, Multi-National Data Processing Boundaries)
  • 3.5: Define Data Access Provisioning
    • User Provisioning
    • Service Accounts
    • Reapproval Process
  • 3.6: Develop Misuse and Abuse Cases
    • Mitigating Control Identification
  • 3.7: Develop Security Requirement Traceability Matrix
  • 3.8: Define Third-Party Vendor Security Requirements

Domain 4: Secure Software Architecture and Design (15%)

  • 4.1: Define the Security Architecture
    • Secure Architecture and Design Patterns (e.g., Sherwood Applied Business Security Architecture (SABSA), Security Chain of Responsibility, Federated Identity)
    • Security Controls Identification and Prioritization
    • Distributed Computing (e.g., Client Server, Peer-to-Peer (P2P), Message Queuing, N-Tier)
    • Service-Oriented Architecture (SOA) (e.g., Enterprise Service Bus, Web Services, Microservices)
    • Rich Internet Applications (e.g., Client-Side Exploits or Threats, Remote Code Execution, Constant Connectivity)
    • Pervasive/Ubiquitous Computing (e.g., Internet of Things (IoT), Wireless, Location-Based, Radio-Frequency Identification (RFID), Near Field Communication (NFC), Sensor Networks, Mesh)
    • Embedded Software (e.g., Secure Boot, Secure Memory, Secure Update)
    • Cloud Architectures (e.g., Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
    • Mobile Applications (e.g., Implicit Data Collection Privacy)
    • Hardware Platform Concerns (e.g., Side-Channel Mitigation, Speculative Execution Mitigation, Secure Element, Firmware, Drivers)
    • Cognitive Computing (e.g., Artificial Intelligence (AI), Virtual Reality, Augmented Reality)
    • Industrial Internet of Things (IoT) (e.g., Facility-Related, Automotive, Robotics, Medical Devices, Software-Defined Production Processes)
  • 4.2: Perform Secure Interface Design
    • Security Management Interfaces, Out-of-Band Management, Log Interfaces
    • Upstream/Downstream Dependencies (e.g., Key and Data Sharing Between Apps)
    • Protocol Design Choices (e.g., Application Programming Interfaces (API), Weaknesses, State, Models)
  • 4.3: Evaluate and Select Reusable Technologies
    • Credential Management (e.g., X.509, Single Sign-On (SSO))
    • Flow Control (e.g., Proxies, Firewalls, Protocols, Queuing)
    • Data Loss Prevention (DLP)
    • Virtualization (e.g., Infrastructure as code (IaC), Hypervisor, Containers)
    • Trusted Computing (e.g., Trusted Platform Module (TPM), Trusted Computing Base (TCB))
    • Database Security (e.g., Encryption, Triggers, Views, Privilege Management, Secure Connections)
    • Programming Language Environment (e.g., Common Language Runtime, Java Virtual Machine (VM), Python, PowerShell)
    • Operating System (OS) Controls and Services
    • Secure Backup and Restoration Planning
    • Secure Data Retention, Retrieval, and Destruction
  • 4.4: Perform Threat Modeling
    • Threat Modeling Methodologies (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Process for Attack Simulation and Threat Analysis (PASTA), Hybrid Threat Modeling Method, Common Vulnerability Scoring System (CVSS))
    • Common Threats (e.g., Advanced Persistent Threat (APT), Insider Threat, Common Malware, Third-Party Suppliers)
    • Attack Surface Evaluation
    • Threat Analysis
    • Threat Intelligence (e.g., Identify Credible Relevant Threats, Predict)
  • 4.5: Perform architectural risk assessment and design reviews
  • 4.6: Model (Non-Functional) Security Properties and Constraints
  • 4.7: Define secure operational architecture (e.g., deployment topology, operational interfaces, Continuous Integration and Continuous Delivery (CI/CD))

Domain 5: Secure Software Implementation (14%)

  • 5.1: Adhere to Relevant Secure Coding Practices (e.g., Standards, Guidelines, Regulations)
    • Declarative Versus Imperative (Programmatic) Security
    • Concurrency (e.g., Thread Safety, Database Concurrency Controls)
    • Input Validation and Sanitization
    • Error and Exception Handling
    • Output Sanitization (e.g., Encoding, Obfuscation)
    • Secure Logging & Auditing (e.g., Confidentiality, Privacy)
    • Session Management
    • Trusted/Untrusted Application Programming Interfaces (API), and Libraries
    • Resource Management (e.g., Compute, Storage, Network, Memory Management)
    • Secure Configuration Management (e.g., Baseline Security Configuration, Credentials Management)
    • Tokenization
    • Isolation (e.g., Sandboxing, Virtualization, Containerization, Separation Kernel Protection Profiles)
    • Cryptography (e.g., Payload, Field Level, Transport, Storage, Agility, Encryption, Algorithm Selection)
    • Access Control (e.g., Trust Zones, Function Permissions, Role-Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC))
    • Processor Microarchitecture Security Extensions
  • 5.2: Analyze Code for Security Risks
    • Secure Code Reuse
    • Vulnerability Databases/Lists (e.g., Open Web Application Security Project (OWASP) Top 10, Common Weakness Enumerations (CWE), SANS Top 25 Most Dangerous Software Errors)
    • Static Application Security Testing (SAST) (e.g., Automated Code Coverage, Linting)
    • Manual Code Review (e.g., Peer Review)
    • Inspect for Malicious Code (e.g., Backdoors, Logic Bombs, High Entropy)
  • 5.3: Implement Security Controls (e.g., Watchdogs, File Integrity Monitoring, Anti-Malware)
  • 5.4: Address the Identified Security Risks (e.g., Risk Strategy)
  • 5.5: Evaluate and Integrate Components
    • Systems-of-Systems Integration (e.g., Trust Contracts, Security Testing, Analysis)
    • Reusing Third-Party Code or Open-Source Libraries in a Secure Manner (e.g., Software Composition Analysis)
  • 5.6: Apply Security During the Build Process
    • Anti-Tampering Techniques (e.g., Code Signing, Obfuscation)
    • Compiler Switches
    • Address Compiler Warnings

Domain 6: Secure Software Testing (14%)

  • 6.1: Develop Security Testing Strategy & Plan
    • Standards (e.g., International Organization for Standardization (ISO), Open Source Security Testing Methodology Manual, Software Engineering Institute)
    • Functional Security Testing (e.g., Logic)
    • Non Functional Security Testing (e.g., Reliability, Performance, Scalability)
    • Testing Techniques (e.g., Known Environment Testing, Unknown Environment Testing, Functional Testing, Acceptance Testing)
    • Testing Environment (e.g., Interoperability, Test Harness)
    • Security Researcher Outreach (e.g., Bug Bounties)
  • 6.2: Develop Security Test Cases
    • Attack Surface Validation
    • Automated Vulnerability Testing (e.g., Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST))
    • Penetration Tests (e.g., Security Controls, Known Vulnerabilities, Known Malware)
    • Fuzzing (e.g., Generated, Mutated)
    • Simulation (e.g., Simulating Production Environment and Production Data, Synthetic Transactions)
    • Failure (e.g., Fault Injection, Stress Testing, Break Testing)
    • Cryptographic Validation (e.g., Pseudorandom Number Generators, Entropy)
    • Unit Testing and Code Coverage
    • Regression Tests
    • Integration Tests
    • Continuous Testing
    • Misuse and Abuse Test Cases
  • 6.3: Verify and Validate Documentation (e.g., Installation and Setup Instructions, Error Messages, User Guides, Release Notes)
  • 6.4: Identify Undocumented Functionality
  • 6.5: Analyze Security Implications of Test Results (e.g., Impact on Product Management, Prioritization, Break/Build Criteria)
  • 6.6: Classify and Track Security Errors
    • Bug Tracking (e.g., Defects, Errors, and Vulnerabilities)
    • Risk Scoring (e.g., Common Vulnerability Scoring System (CVSS))
  • 6.7: Secure Test Data
    • Generate Test Data (e.g., Referential Integrity, Statistical Quality, Production Representative)
    • Reuse of Production Data (e.g., Obfuscation, Sanitization, Anonymization, Tokenization, Data Aggregation Mitigation)
  • 6.8: Perform Verification and Validation Testing (e.g., Independent/Internal Verification and Validation, Acceptance Test)

Domain 7: Secure Software Deployment, Operations, Management (11%)

  • 7.1: Perform Operational Risk Analysis
    • Deployment Environment (e.g., Staging, Production, Quality Assurance (QA))
    • Personnel Training (e.g., Administrators vs. Users)
    • Legal Compliance (e.g., Adherence to Guidelines, Regulations, Privacy Laws, Copyright, etc.)
    • System Integration
  • 7.2: Secure Configuration and Version Control
    • Hardware
    • Baseline Configuration
    • Version Control/Patching
    • Documentation Practices
  • 7.3: Release Software Securely
    • Secure Continuous Integration and Continuous Delivery (CI/CD) Pipeline (e.g., DevSecOps)
    • Application Security Toolchain
    • Build Artifact Verification (e.g., Code Signing, Hashes)
  • 7.4: Store and Manage Security Data
    • Credentials
    • Secrets
    • Keys/Certificates
    • Configurations
  • 7.5: Ensure Secure Installation
    • Secure Boot (e.g., Key Generation, Access, Management)
    • Least Privilege
    • Environment Hardening (e.g., Configuration Hardening, Secure Patch/Updates, Firewall)
    • Secure Provisioning (e.g., Credentials, Configuration, Licensing, Infrastructure as Code (IaC))
    • Security Policy Implementation
  • 7.6: Obtain Security Approval to Operate (e.g., Risk Acceptance, Sign-Off at Appropriate Level)
  • 7.7: Perform Information Security Continuous Monitoring
    • Observable Data (e.g., Logs, Events, Telemetry, Trace Data, Metrics)
    • Threat Intelligence
    • Intrusion Detection/Response
    • Regulation and Privacy Changes
    • Integration Analysis (e.g., Security Information and Event Management (SIEM))
  • 7.8: Execute the Incident Response Plan
    • Incident Triage
    • Forensics
    • Remediation
    • Root Cause Analysis
  • 7.9: Perform Patch Management (e.g., Secure Release, Testing)
  • 7.10: Perform Vulnerability Management (e.g., Tracking, Triaging, Common Vulnerabilities and Exposures (CVE))
  • 7.11: Incorporate Runtime Protection (e.g., Runtime Application Self Protection (RASP), Web Application Firewall (WAF), Address Space Layout Randomization (ASLR), Dynamic Execution Prevention)
  • 7.12: Support Continuity of Operations
    • Backup, Archiving, Retention
    • Disaster Recovery Plan (DRP)
    • Resiliency (e.g., Operational Redundancy, Erasure Code, Survivability, Denial-of-Service (DoS))
    • Business Continuity Plan (BCP)
  • 7.13: Integrate Service Level Objectives and Service-Level Agreements (SLA) (e.g., Maintenance, Performance, Availability, Qualified Personnel)

Domain 8: Secure Software Supply Chain (10%)

  • 8.1: Implement Software Supply Chain Risk Management (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST))
    • Identification and Selection of the Components
    • Risk Assessment of the Components (e.g., Mitigate, Accept)
    • Maintaining Third-Party Components List (e.g., Software Bill of Materials (SBOM))
    • Monitoring for Changes and Vulnerabilities
  • 8.2: Analyze Security of Third-Party Software
    • Certifications
    • Assessment Reports (e.g., Cloud Controls Matrix)
    • Origin and Support
  • 8.3: Verify Pedigree and Provenance
    • Secure Transfer (e.g., Chain of Custody, Authenticity, Integrity)
    • System Sharing/Interconnections
    • Code Repository Security
    • Build Environment Security
    • Cryptographically-Hashed, Digitally-Signed Components
    • Right to Audit
  • 8.4: Ensure and Verify Supplier Security Requirements in the Acquisition Process
    • Audit of Security Policy Compliance (e.g., Secure Software Development Practices)
    • Vulnerability/Incident Notification, Response, Coordination, and Reporting
    • Maintenance and Support Structure (e.g., Community vs. Commercial, Licensing)
    • Security Track Record
    • Scope of Testing (e.g., Shared Responsibility Model)
    • Log Integration into Security Information and Event Management (SIEM)
  • 8.5: Support Contractual Requirements (e.g., Intellectual Property Ownership, Code Escrow, Liability, Warranty, End-User License Agreement (EULA), Service-Level Agreements (SLA))

Why InfosecTrain

  • Guaranteed* to run courses
  • 4 hrs/day on weekdays or weekends
  • Customized training
  • Technical support post training
  • Access to the recorded sessions
  • Accredited instructors

CISSP FAQs

1. What is the CISSP exam?

‘CISSP’, or ‘Certified Information Systems Security Professional’, is widely considered the gold standard among information security certifications. According to (ISC)2, the CISSP certification shows that “you have the knowledge and experience to design, develop and manage the overall security posture of an organization”. The exam tests you on eight domains: ‘Security and Risk Management’, ‘Asset Security’, ‘Security Architecture and Engineering’, ‘Communications and Network Security’, ‘Identity and Access Management’, ‘Security Assessment and Testing’, ‘Security Operations’ and ‘Software Development Security’.

2. Am I qualified to take the exam?

If you have 5 years of full-time security experience in two of the eight domains of the (ISC)2 CISSP CBK (Common Body of Knowledge), you can definitely take the exam.
3. I am a ‘Security Analyst’ – do I need the CISSP?

Yes, if you are a ‘Security Analyst’ you will need the CISSP credential to boost your career. Here are some other job titles that could benefit from having the CISSP:

  • Chief Information Officer
  • Chief Information Security Officer
  • Director of Security
  • IT Director/Manager
  • Network Architect
  • Security Analyst
  • Security Architect
  • Security Auditor
  • Security Consultant
  • Security Manager
  • Security Systems Engineer

4. I only have 2 years of full-time experience – what should I do then to take the exam?

All is not lost when you have only 2 years of full-time experience. You can take the exam, become an Associate of (ISC)2, and then work towards gaining the required amount of experience.

5. Who conducts the CISSP exam?

The CISSP exam is conducted by the ‘International Information Systems Security Certification Consortium’, or (ISC)2.

6. Can you give me some more details about the exam?

  • The exam has about 100-150 questions
  • The candidate must score 700 out of a possible 1000 points to pass the exam
  • The duration of the exam is about 3 hrs.
  • All English versions of the CISSP exam use CAT, or ‘Computerized Adaptive Testing’
  • The candidate can check the pricing of the exam on the (ISC)2 website
7. What are CPEs?

Once you are CISSP certified, you become a member of (ISC)2. You are then required to recertify once every three years to maintain the certification. Recertification is done by earning CPEs and paying an Annual Maintenance Fee (AMF) of $125.

CPEs are ‘Continuing Professional Education’ credits. Some of the ways they can be accrued are joining webinars, authoring an information security article that is published in a journal or magazine, reading a book relating to CISSP and writing a review, attending (ISC)2 chapter meetings, volunteering, and more.

8. How will the CISSP credential help me in my career?

The Infosec domain is growing by leaps and bounds every day. The CISSP credential will help you in the following ways:

  • You will be respected more in the InfoSec community
  • CISSP certification will open the doors to new employment opportunities
  • In spite of so many certifications being around, the CISSP certification is still “the” one certification that is demanded by most employers
  • The CISSP will also pave the way for higher salaries
  • Since the CISSP is a vendor neutral certification, you will be able to apply the skills to different technologies and methodologies.
  • You will gain a deeper knowledge of the different domains in cyber security

For more information on the CISSP certification, do download our whitepaper and pass the exam with flying colors!