It’s time we addressed the holes

in software development.
 WHAT HOLES?
No security built in, that’s the hole, the flaw and it’s huge. David Rice, esteemed
author of “Geekonomics: The Real Cost of Insecure Software”, puts the total cost
of security holes in software at around 180 billion U.S. Dollars a year.
The combined losses are so enormous, they are virtually unquantifiable. Fines
against organizations that have experienced breaches because of insecure
software alone have reached astronomical amounts. Factor in that more than
226 million records have been disclosed or breached since 2005. Then multiply
THE PROBLEM by the reputation damage to violated companies and the subsequent loss of
customer trust, and you get a sense of the enormity of the problem.
Security is not being addressed from a holistic
perspective throughout the software lifecycle. Consumer, government, education, healthcare, banking, retail, wholesale, insurance,
Some 80% of all security breaches are application the media – each has experienced some kind of data breach, with disastrous
results. No one is immune.
related. Every person involved should consider
security as an essential element. It’s almost an understatement to say that today’s applications – operating in
increasingly hostile environments, and faced with mounting regulatory and
compliance requirements – should be secure.
THE SOLUTION
Professional Certification – with CSSLPCM, we will
PROBLEM: LACK OF SECURITY.
establish an industry standard and instill best
SOLUTION: FINDING WAYS TO FILL THE HOLES.
practices.
We should be thinking about security now, not as an afterthought.
Any organization directly involved in software development needs to incorporate
security controls, and not just as an add on or a patch but rather, throughout the
entire software lifecycle – from concept and planning through operations and
maintenance, to the ultimate disposal.
No question – insecure software provides vulnerabilities that are easily exploited.
The entire development team needs to embrace security. Every member needs
to adopt a mindset which proclaims security first, security last and security in
between.
Confidentiality, integrity, availability, authentication, authorization and auditing - the
core tenets of security - must become requirements in the software lifecycle.
Without this level of commitment, you place information at risk. Incorporating
security early and maintaining it throughout all the different phases of the software
lifecycle has been proven to be 30-100 times less expensive and incalculably more
effective than wrenching security into an operational system.
Simply stated, what we’re talking about is requiring all software lifecycle
stakeholders to understand the importance of the role they play and to act
accordingly. And that means clients, business analysts, requirements analysts,
 Software Lifecycle Stakeholder Chart

Top Management

Auditors Business
Unit Heads

Client Side PM
IT Manager

Industry Group Security

Delivery Heads Software Specialists
Lifecycle
Stakeholders

Business
Application
Analysts
Owners

Quality Developers
Assurance & Coders
Managers

Technical Project Managers

Architects Team Leads
product managers, project managers, software engineers, designers, architects,
development managers, developers (coders), testers and operations personnel
operating in tandem to layer defensive measures, till they’ve created an
impenetrable barrier to those who would violate their software.

WHY ISN’T EVERYONE DOING IT?

Research indicates that one of the reasons security vulnerabilities find their way
into software applications is because lifecycle influencers simply think it’s too
expensive and time-consuming. But studies prove that the cost of dealing with The following domains make up the CSSLP CBK®.
security problems is infinitely more expensive than preventing them. We created them around the specific need for
Some blame constraints in project scope, schedule and budget when asked why building security into the SDLC.
they left security requirements out. Secure Software Concepts - security implications in
Still others, clients and business units for example, express exasperation over an software development
inability to adequately articulate the security requirements to IT teams who, in Secure Software Requirements - capturing security
turn, aren’t trained to ask for security requirements, or translate the functional requirements in the requirements gathering phase
requirements into security requirements.
Secure Software Design - translating security
However, when confronted with well-documented irrefutable evidence that building requirements into application design elements
in security saves money, those who make excuses quickly change their tune.
Secure Software Implementation / Coding - unit
testing for security functionality and resiliency to
(ISC)2® INTRODUCES SECURITY THROUGH CERTIFICATION attack, and developing secure code and exploit
Awareness is all well and good. Awareness might instantly turn every software mitigation
lifecycle influencer into a security evangelist, but it won’t fix the problem. Secure Software Testing - integrated QA testing for
Certification will provide an objective measure of knowledge, skills and abilities. security functionality and resiliency to attack
Education will provide an effective means to impart the know-how.
Software Acceptance - security implication in the
What exactly does software certification promise? Actually, the National Institute software acceptance phase
of Standards and Technology states it better than we ever could. This venerable
Software Deployment, Operations, Maintenance
body maintains that security certification “ensures controls are effectively
and Disposal - security issues around steady state
implemented through established verification techniques and procedures,
operations and management of software
giving organization officials confidence that the appropriate safeguards and
countermeasures are in place as means of protection.”
Confidence. Indeed, that’s the ultimate benefit. At (ISC)2, our quest to instill
confidence drove us to develop the Certified Secure Software Lifecycle
Professional (CSSLPCM) certification program, the most comprehensive software
security certification in the industry.
It is category-defining. It will show software lifecycle stakeholders not only how to
implement security, but how to glean security requirements, design, architect, test
and deploy secure software.
Let it be known that (ISC)2 ®, as the not-for-profit global leader in educating and
certifying information security professionals throughout their careers, is addressing
the holes in software development head on.

CSSLPCM IS HOLISTIC - CONSIDER NOTHING LESS

CSSLP FACTS
At (ISC)2, our software security certification program is poised to make an
enormous impact. In part because it’s the only certification in the industry that Certification Process:
ensures that security is considered throughout the entire software lifecycle. • Subscribe to the (ISC)2 Code of Ethics
Providing a CBK® that is destined to become the industry standard, is the • Provide proof of four years in the SDLC
foundation of (ISC)2’s reputation in security. process or 3 years plus a bachelors degree
First, CSSLP is not just a test or a course like some certifications. Based on the or regional equivalent in an IT discipline
(ISC)2 CSSLP CBK it is a comprehensive program that evolves as the security • Submit Experience Assessment essays or
landscape evolves. A program that requires Continuing Professional Education pass examination
(CPEs) allowing you to stay on top of security issues. “What’s secure today may • Complete the endorsement process
not be secure tomorrow. “ This is our program’s mantra. It’s what drives us to
keep CSSLP CBK and certification program relevant and dangerously effective.
Experience Assessment Window:
Second, our education seminars cover all seven CSSLP CBK domains included
in the exam which we’ll offer beginning in early 2009. Trust that through our • October 2008 – March 2009
program you’ll get the most comprehensive education available on providing • Standard Fee: US$650
security throughout the software lifecycle.
Ours is a holistic approach to security in the software lifecycle. CSSLP CSSLP CBK Education Program:
smoothly addresses everything the software lifecycle stakeholder
• Standard Registration Fee: US$2499
needs to know.
• Education Program Registration begins
February 1, 2009
THE HOLE WILL NOT FILL ITSELF,
SO SIGN UP FOR CSSLP TODAY.
Examination Process:
In the end, you have to ask yourself, who will build security into
• Standard registration fee: US$599
the software lifecycle? Who will assure your clients that their
• Annual maintenance fee: US$100
software will be free of holes? It’s qualified people who are
empowered with the knowledge that the CSSLP • Exam registration begins February 1, 2009
program can give them… YOU.
Call 1.866.462.4777 Recertification Requirements:
or visit www.isc2.org/csslp today. • Recertification required every three years
• Earn 90 Continuing Professional Education (CPE)
credits (minimum 15 CPEs earned each year)
• Pay annual maintenance fees
www.isc2.org/csslp