(ISC)²® Enhances CSSLP® Secure Software Credential Program to Address Widening Security Gaps in Software Supply Chain

Share Article

Application vulnerabilities still the number one security concern of Infosec Pros, according to (ISC)² study.

To address the growing number of threats arising from widening security gaps in the software supply chain,(ISC)2® (“ISC-squared”), the world’s largest not-for-profit information and software security professional body and administrators of the CISSP®, has added a new domain to its Certified Secure Software Lifecycle Professional (CSSLP) credential exam. The new Domain, titled “Supply Chain and Software Acquisition”, captures the activities within each phase of the software lifecycle that must occur to mitigate Supply Chain Risk.

The CSSLP is the only certification in the industry designed to ensure that security is considered throughout the entire software development lifecycle. From concept and planning through operations and maintenance to the ultimate disposal, it establishes industry standards and best practices for building security into each phase. The domains, or key areas covered by the exam, include:
1.    Secure Software Concepts
2.    Secure Software Requirements
3.    Secure Software Design
4.    Secure Software Implementation/Coding
5.    Secure Software Testing
6.    Software Acceptance
7.    Software Deployment, Operations, Maintenance, and Disposal
8.    Supply Chain & Software Acquisition (New)

The new eighth domain validates that an individual perform the activities necessary when acquiring software to ensure the proper security measures are implemented. Key elements to supply chain risk that CSSLP candidates must know include:

  •     Supplier Risk Assessment
  •     Supplier Sourcing
  •     Software Development and Test
  •     Software Delivery, Operations, and Maintenance
  •     Supplier Transitioning – Code Escrow, Data Exports, Contracts, Disclosure

The largest gap between information security risk awareness and response exists in the software development discipline. According to the recently released [2013 (ISC)² Global Information Security Workforce Study, which surveyed 12,394 information security professionals from around the world:

  •     Respondents rated secure software development above software and hardware solutions in level of importance in effectively securing an organization’s infrastructure.
  •     Application vulnerabilities are the number one security concern for 69 percent of respondents, with 72 percent of C-level executives rating it as their highest concern.
  •     Almost half of responding security organizations are NOT involved in software development.
  •     Insecure software was a contributor in approximately one-third of the 60 percent of detected security breaches1.

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director for (ISC)², commented, “Our data shows that the frequency of software acquisition and outsourcing are increasing dramatically. The CSSLP is an excellent vehicle for professionals and organizations to validate and maintain the most sought-after skills of the secure software workforce. By adding this new domain, we are hoping to enhance a professional’s ability to secure the supply chain and decrease breaches attributable to insecure software.”

For more information about the CSSLP, the new domain or to register for the exam, please visit http://www.isc2.org/csslp.

About (ISC)²

# # #
© 2013, (ISC)2 Inc. (ISC)², CISSP, CSSLP, ISSAP, ISSMP, ISSEP, CAP, SSCP, and CBK are registered marks of (ISC)², Inc.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Michelle Schafer
Merritt Group
Email >

Sarah Bohne
Email >
Follow us on