This 12-video course explores the different roles played by data classification in the software development lifecycle. You will learn the differences between data owners and data custodians. While data remain the property of the enterprise or organization, data ownership is used to assign responsibility to the person who defines the requirements related to the data, and will manage the data day-to-day requirements. Data custodians are responsible for ensuring that security and access controls are configured and maintained properly. You will learn how labeling data adds extra data to describe the data being protected, which refers to metadata. This course focuses on two types of data, structured and unstructured, and the importance to the secure software lifecycle. Learners will recognize that data type is one of the key factors that determine how data should be secured. This course can be used in preparation for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

In this 19-video course, learners will explore the intricate world of secure coding practices. Topics covered in detail include declarative versus imperative (programmatic) security-whether the security is part of the application or part of the container. Next, survey defensive coding practices and control such as secure configuration, error handling, and session management. Learners will also explore cryptography, input and output sanitization, error handling, input validation, logging and auditing, and session and exception management. You will learn important information about safe application programming interfaces (APIs), including those that offer different types of functionality, such as Microsoft's Crypto API and Python's pycrypto, which both provide cryptographic functions; popular social media platforms provide their own APIs that programmers can tap into while incorporating aspects of those services. Learn more about useful concepts such as concurrency, type safety, memory management, configuration parameter management, tokenizing, and sandboxing. The course may be used in preparation for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

In this 6-video course, you will discover the basic issues involved in how to perform design security reviews, design secure assembly architecture for component-based systems, and use architecture and design tools that enhance security. First, learn to pay attention to the type of operational environment the software will be running under: is the software intended for public use via the Web, or is it only available within a stable, controlled network? Who will be the end users? Will you need to collaborate and coordinate testing, timing, and integration? Learn security patterns, and consider what security-enhancing architecture is available. Next, learn to distinguish between software appropriate for centralized and decentralized system; identify budgetary constraints, and consider available resources. Will new technologies need to be incorporated into the design at a later date? Your emphasis should be on the future-learning to build a flexible, modular system that can scale up and grow may be imperative. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

Explore how to use the secure lifecycle management model in this 15-video course. First, learners will hear practical descriptions of secure configurations, inversion control, how to obtain security milestones, and secure software methodology. Then receive an overview of security standards and frameworks, and explore configuration management as it relates to source code version control. Next, the course discusses how to prepare proper security documentation, provides an overview of a security matrix, and describes end-of-life policies. Learners will then watch demonstrations of how to perform data destruction and how to perform credential removal. You will learn about concepts such as security metrics and governance, risk, and compliance (GRC). The course concludes with useful discussions of what acceptance is, including software qualification testing, planning hierarchy, what the characteristics of the pre-release testing process are, and the characteristics of a post-release plan; and how and when to report security status. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

This 8-video course covers the use of secure software testing best practices, specifically exploring how to perform secure software testing by tracking security errors, developing securing test data, and verification and validation testing results. Learners will first explore undocumented features-an IT-related term developed to describe software bugs or defects-and how to resolve them, including by use of host-based intrusion prevention systems. Next, you will explore security implications of test results. In general, testing should be performed throughout the software development lifecycle by software testers, members of the quality assurance (QA) team responsible for testing and managing software testers. Artifacts-resources which support the development process-are created throughout the lifecycle process, including use cases and the test plan which identifies objectives of the software test. Learn how to perform secure software testing, to track security errors, and verify and validate the results. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

Explore security architecture considerations such as control identification and prioritization, distributed computing, cloud architectures, mobile applications, and hardware platform concerns in this 12-video course. First, learn to identify characteristics of control identification, or an organization's security controls in an enterprise setting and how to prioritize and enterprise's existing security controls. The course then examines the elements of distributed computing, a type of parallel computing in which software is divided into multiple tasks. Next, learners will explore service-oriented architecture, which is a collection of services that communicate with each other. You will learn about rich Internet web-based applications and pervasive computing, including the Internet of Things, wireless and sensor networks, embedded security architecture, cloud architectures, mobile app architectures, and hardware platforms. Finally, the course explores how an embedded system is designed to perform a specific operation as part of a larger hardware-based machine or system. This course can be used in preparation for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

This course explores the design principles that help to ensure key security practices are incorporated into the software development lifecycle, and it prepares you for the (ISC)2 CSSLP (Certified Secure Software Lifecycle Professional) exam. The design principles you will learn include least privilege, to provide the lowest level of rights and permissions for a user to perform current tasks and separation of duties. This course covers the principles of defense in depth, to include multiple overlapping defenses such as layered controls, input validation, and security zones that work together collectively as a series of defenses. You will learn the concepts of fail-safe principles, including exception handling, and denied by default. Next, learn to design a complete mediation so that authorization is verified every time access is requested. Also covered is a less common design issue is psychological acceptability, such as password complexity and screen layouts, to ensure the design is psychologically acceptable to users. Finally, this course examines the separation of duties principles, including multiparty control, secret sharing and splitting.

This course explores the security requirements needed in all stages of the software development lifecycle. Learners first examine the functional requirements, and learn that these requirements start as business requirements that are translated into functional requirements. You will then learn the characteristics or properties of nonfunctional requirements, which include security, maintainability, costs, accuracy, reliability, and performance. This 7-video course then covers how security requirements are aligned with functional and nonfunctional requirements. Next, learn that policies are defined by the National Institute of Standards and Technology (NIST), and are broken down to issue-specific policies, system-specific policies, and program policies. Learn how issue-specific policies address defined issues, while system-specific policies are directives geared towards achieving some technical outcome. Finally, this course examines the legal and regulatory requirements, and policy documents that define the security requirements. You will learn that there are several sources of industry-standard legal, compliance and policy standards. This course can be used in preparation for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

Explore how to identify and assess security vulnerabilities in this 20-video course, in which you will encounter essential secure coding techniques such as versioning, peer-based code reviews, code analysis, and anti-tampering techniques. First, become familiar with malicious practices and the threats outlined in the Open Web Application Security Project (OWASP) Top 10 list and the Common Weakness Enumeration (CWE) list of software weaknesses. You will soon be able to differentiate between CWE and Common Vulnerabilities and Exposure (CVE) lists. Next, learn to describe the characteristics of injection attacks, before watching demonstrations of input validation failures such as buffer overflows, canonical form, missing defense functions, and general programming failures. You will examine how to analyze reuse code for security vulnerabilities, identify malicious code, securely reuse third-party code, and securely integrate components. Finally, learners will hear discussions of defensive coding, side channels, social engineering attacks, source code and versioning. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

In this 18-video course, learners can explore how to deploy and maintain software and operations. First, you will examine pre-release and post-release activities to address factors such as pre-release testing, completion criteria, risk analysis, incident response, and disaster recovery considerations. Next, examine pre-deployment and post-deployment security testing, security approval, security monitoring, incident response. Examine concepts such as secure activation, environment hardening, and disaster recovery, in which testing is critical to test software and data recoverability, often revealing problems with system availability and data accuracy and integrity. Learn to perform failover testing to ensure that the failover mechanism works as intended, and to consider simulated disasters as a strategy for testing recoverability. You will absorb the basic principles of problem and change management-a process guiding organizations when modifying software or performing upgrades or fixes on software applications-as well as patch and vulnerability management. Next, you will learn more about working with backups, archiving, and retention. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

This 20-video course examines a variety of best practices for supply chain and software acquisitions. Begin by watching demonstrations of how to analyze security for a third-party software and how to verify secure transfers. Then learn the steps involved in securely interconnecting and sharing systems; how to implement code repository security; how to build environment security; and how to work with digitally-signed components. Next, explore such important topics as compliance auditing, vulnerability response and reporting, supplier sourcing challenges, contractual integrity controls, and vendor technical integrity controls. Learn the basics of how to verify pedigree and provenance. The course also covers topics such as managed services controls, service level agreements (SLAs), support structure, and software development lifecycle approaches, as well as how to secure information systems, security track records, and product deployment. Finally, you will review the configuration identification scheme, a crucial tool in configuration management. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.

This 14-video course explores essential testing types-including penetration testing, scanning, simulation testing, failure testing, and cryptographic validation-and many of the best practices. You will also learn more about other types, such as fuzzing, regression testing, continuous testing, attack surface validation, and unit testing. Learn about certification testing-performed as part of a certification process, when load or stress testing determines how the system operates under heavy loads and what effect load has on the system. You will be introduced to ISECOM's Open Source Security Testing Methodology Manual, a comprehensive methodology related to penetration and security testing, security analysis, and measuring operational security. It includes test cases whose outcomes provide verified facts, amounting to actionable information that can tangibly and measurably improve operational security. Become familiar with how to perform an impact assessment, learn why defects discovered during testing must be addressed, and learn the meaning of Priority and Severity levels derived from the defect report. The course prepares learners for the (ISC)2 CSSLP: Certified Secure Software Lifecycle Professional certification exam.