CSSLP The Art and Science of Secure Software Development Ebook - PDF

Uploaded by

Smash TV
The Art & Science of

Secure Software Development


ISC2 | The Art & Science of Secure Software Development 1
Software Security requires a creative and disciplined approach. It involves having the vision to create a secure strategy and tactics, and to execute them securely. Experience, learning from success and failure, combined with first-class theory enables you to excel in this exciting discipline.

In this ebook, contributors offer the opportunity to learn from their varied experiences and show how the CSSLP helped them succeed in their endeavours.



To excel, you need to employ creative and secure practices as well as create the right strategy, tactics, and execution.

Mistakes at any stage need to be identified and resolved.

We spoke to professionals to discover what they had learned from mistakes and how CSSLP can
help avoid predictable and costly errors.



Strategy
To achieve your ambitions, you first need
to decide what you are aiming at and
what it is you want to achieve. The same
is true of a good security practice.



First-thought Process
“In the last 2 decades or so, security and privacy has improved significantly. At the beginning of my career, I witnessed many software products that were developed with security being more of an afterthought.

However, it didn’t take long for software houses to realize the importance of product lifecycle security. The organizations which believed purely in infrastructure security soon understood that there were many vulnerabilities which could have been saved early on in the lifecycle if security was factored in then.

The CSSLP credential ensures that developers, architects, and managers think through the entire journey of a secure software lifecycle. This enforces security as a first-thought process.

The CSSLP certainly helps in bringing a more disciplined approach to the secure development lifecycle. It is a comprehensive certification that addresses the entire spectrum of software lifecycle security.”

Santosh Kumar
Chief Security Architect, Webex Contact Centre



Security by Design Foundations
“One significant software failure I worked with was the problem of hard coded, backdoor passwords. While working for a building controls company, the previously closed networks (within a single building or several buildings) were merged into larger and larger networks, and ultimately became accessible to the internet.

Although the use of backdoor passwords is never a good idea, they absolutely cripple control systems that can be accessed via the internet.

The knowledge I acquired while pursuing the CSSLP informed me of many of the vulnerabilities that can occur and how they can be mitigated. More importantly, it laid a foundation for approaching security by design at the earliest stages of development and throughout the product lifecycle.

The biggest benefit to obtaining the CSSLP was that it broadened my perspective when it came to product design. It added security as an important factor to consider in any design, in addition to all of the other requirements. This adds confidence as we bring new products to market.”

Tim Riesch
Senior Design Engineer



Rigorous Quality Assurance Testing
“Many years ago, a new version of a security software was developed by third party developers and managed by my project team. The new software was to be integrated with a Commercial Off The Shelf software.

Unfortunately, a software defect resulted in an unauthorized disclosure of information to an unauthenticated user. Old bugs that were fixed in the earlier versions resurfaced in the new version. Through the investigation, it was revealed that the developers did not properly test the software prior to releasing it to us for deployment!

Through the CSSLP, we learnt the importance of enforcing a rigorous software quality assurance testing regime, especially integration testing (with COTS software) and regression testing.

The CSSLP gives me a good fundamental outline of what is required for a holistic, secure software development lifecycle, covering people, processes and technology in each phase of the development lifecycle. In fact, in today’s paradigm shift to cloud, the principles and concepts covered in the CSSLP study materials continue to be relevant as well when applying them in the context of DevSecOps.”

Yew Hoong Wong
Senior Consultant



Holistic End-to-End Testing
“When I started my first job as a programmer, I was developing an enterprise workflow application, with just on the job training, learning as I go, both in the programming itself and coding practices. Secure coding was not front and center of the job. The first version of the application was so buggy that whenever the user keyed in non-numeric input into numeric fields, it would not work, and in worst-case scenarios, it would hang the system.

The CSSLP’s Exam Outline provides a holistic end-to-end view of the secure software development lifecycle. It helps me in connecting the dots, in all the integral parts of the end-to-end product and service offerings to customers. Having a seamless customer experience completes the product offering, which will delight customers and build trust.

The CSSLP qualification provides members with industry recognition as an expert in the secure software development lifecycle. It has given me the confidence to carry out my job by understanding the concepts, technology, and solutions presented by the solutions architects, and the security architects.”

Kevin Wu
Senior Product Manager



Fostering a Cultural Change Towards Security
“One of the most interesting stories I can share is one of my oldest. A manager introduced application security training to the organization, but the training was not well received. It was later discovered that passwords were not being correctly encrypted in a database. Once the problem was corrected, they began to view application security more seriously.

That event helped to foster a cultural change in their organization; they decided to appoint a CISO and move to a proactive approach to security.

The CSSLP Exam Outline covers a lot of topics, from basic to advanced. It collects the information in a series of clear categories and is structured in a way that simply makes sense. One of the most useful pieces of knowledge I gathered from CSSLP, is a strong understanding of the various security principles. After years, I still use it every day.

The CSSLP credential has represented an opportunity to complete my knowledge with very important concepts I missed, and a way to learn more vendor-independent language.”

Simone Curzi
Principal Cyber Consultant



Building Trust Between Teams
“In my past experiences, I witnessed many software security vulnerabilities that had potentially catastrophic impacts. Most of them were due to not only insecure coding practices but also lack of security consideration in the first place. Most of the time, security was not stated in the software requirement, and did not appear in the later stages of design and testing. In one example, an HR system reporting module allowed any user to print any other employees’ information. This was a big violation of privacy.

The CSSLP domains cover every phase of the software development life cycle, from defining the requirements, designing the software, through implementation and testing, ending up to deployment and ongoing maintenance. More importantly, CSSLP doesn’t simply tell me what to do for building secure software. It lets me understand how to build software securely.

Before gaining my CSSLP, my work focused more on infrastructure, which was important but far from complete in terms of security. The knowledge obtained through CSSLP helped me understand the software development process and communicate the need of security to developers. This facilitated cooperation and enabled building the trust between security team and development team.”

Alan Chan
Deputy General Manager, Information Security

Providing Effective Advisory Services
“As a professional security consultant, I have been involved in the full range of software development spectrums, from “secure by design” to “absence of security concepts”.

Many companies rely on security at the infrastructure level. Without security in mind from the early stages of software development, the tremendous amount of time and workload that will be expended at the later stage will result in an inefficient cost investment.

These situations would not happen if the early stages of the development life cycle included adequate security measures.

The comprehensive information from the domains of the CSSLP course precisely corresponds to the pain points that anyone related to the process of secure software development needs to know, from the beginning to the ending of the software lifecycle. With this knowledge, I provide more effective advice to my clients.

With the CSSLP credential, I am appreciated, and it pleases me to apply the CSSLP skills to my valued customers. The security mindset of the CSSLP plays a major role in recognition, acknowledgment, and implementation in the cybersecurity industry.”

Nop Phoomthaisong
Principal Consultant, Cybersecurity



Creating Professionalism
“During a system review, I noticed that the system development team had direct access to production data, including customers’ personal and banking information, without any information security controls. This loophole affected the total integrity of the system. This unauthorized disclosure of sensitive information could have resulted in identity theft, and it violates all known privacy regulations.

The various domains of the CSSLP Exam Outline enable IT organizations to have a clear vision in all aspects of secure IT application systems. This is very important because a clear vision will help organizations to set up associated policies and guidelines in application development.

The biggest benefit to me in gaining the CSSLP certification is the ability to create professionalism in secure software systems development. The certification provides me with domain knowledge to evaluate and recommend secure software systems development processes to my clients.

Secure Software Engineering is a discipline, and the CSSLP helps to maintain that discipline.”

Dr. Patrick Eulogius Yau
Internal Auditor



Security On Day One
“The most significant software failures I have witnessed are in embedded devices, IoT and ICS devices that had a long lifecycle (+10 years), and were designed without any cybersecurity controls. From communication protocols to proprietary applications designed to perform critical tasks, I have seen many insecure designs and implementations.

When those products were designed, the world was not as interconnected, but, when designing something that has a lifespan measured in decades, a modular approach that enables future upgrades without having to change the entire application should be a primary consideration.

The knowledge obtained through CSSLP helps everyone in the creation chain to see the bigger picture when it comes to various cybersecurity features in modern software, while giving these stakeholders the necessary tools to integrate cybersecurity into software products from day-one.

I treat any certification, or training opportunity, as a way to improve my fundamentals in a specific domain. Experience alone is not sufficient especially when we are dealing with emerging technologies. The CSSLP credential, through its continuous professional education requirements, has helped me remain relevant in the field of software security.”

Sergiu Sechel
Cybersecurity Consulting Manager



Cost Avoidance
“One of the most significant software failures I remember happened when there was a decision to migrate critical hardware components that were designed to operate on a legacy technology without involving the security team. Security was dismissed as not being an important factor. This migration opened up many new vulnerabilities for the system, including data spoofing and alteration. The confidentiality, integrity and availability of the data was subject to being compromised. That particular system has since been redesigned, however, the redesign of the subsystem resulted in additional costs and overruns.

Having the CSSLP certification will train you to look for these types of issues to avoid costly, critical security issues. With the knowledge of CSSLP, you can communicate and advise the various stakeholders on the threats and the necessary security.

One of the biggest benefits in gaining my CSSLP is the complete understanding of the software security lifecycle. In the context of cybersecurity, understanding the lifecycle is everything. The CSSLP has enabled me to communicate risk and security issues in all phases of the lifecycle to multiple teams, departments, and stakeholders.”

Tom Jackson
Principal Systems Architect - Cybersecurity



Tactics
How you are going to get to your destination,
what tools are at your disposal? Which direction
are you going to take for the task ahead?

In software security, professionals must gather
the necessary skills and resources, and consider
the implications of particular courses of action.



Security Increases Quality
“A widely held thought process is that security is the final checklist to review as an addendum to other forms of acceptance testing. Unfortunately, this approach has led to overwhelming amounts of technical debts that are costly to resolve – that is the best-case scenario.

The most impactful thing I gained in preparing for the CSSLP is the concept of the Software Supply Chain. It is not enough to run a static and a dynamic code scan and say, “our code is secure.” We must vet and thoroughly test the entire software development lifecycle – including our entire supply chain; anyone and anything that is a dependency in our process.

The biggest benefit to earning the CSSLP was gaining a deep understanding of the relationship between software security and quality. Also, I gained insight in helping an organization set up cybersecurity checkpoints throughout the SDLC to ensure that security is as integrated as functionality and does not impede progress but rather enhances it.”

Brian J. Barber
Information Systems Security Manager



Situational Awareness
“I was advising an important government office, and as part of a cybersecurity initiative, we launched a vulnerability scan on a very important website. The scan was very intrusive, and it caused the website to show bogus data and other errors. We had to immediately restore a previous backup because of political reasons.

The CSSLP certification (which at that time I was just considering) gives me very deep knowledge in software security management. That would have allowed me to be more aware and manage the situation better, and now I can advise my clients on better practices on secure development and deployment.

The biggest benefit derived from achieving the CSSLP credential is the elevated reputation. The CSSLP credential is a huge advantage, not only because of the status it gives to me as a software security expert, but due to the fact that I must keep it up-to-date through continuous learning.”

Cristián Rojas
Cybersecurity Consultant, Professor and Speaker



Maintaining a Secure Codebase for High-End Projects
“In a company I worked for previously, we did pen testing on various applications before release to customers. One such test was on a mobile application that handled medical information for insurance customers. The developers writing the code were inexperienced, and they had no formal training in secure development methodologies, making the application exceedingly vulnerable to even the most basic pen testing attacks on mobile applications. The end result for these errors was a 6-month delay, while the code was rewritten.

I use the knowledge I gained from the CSSLP certification in both my own projects, as well as in my consulting for the customers in my company.

For software developers working on high-end projects, or stretching over a long time, the CSSLP will help them, both in writing more secure code, but also with maintaining a secure codebase as the project moves along.

Having the CSSLP credential gives me a lot more weight when I am advising customers on their development projects. The CSSLP will become something that potential employers can use as a differentiator. It will make you much more eligible for the more interesting software development projects!”

Tom Madsen
Security Architect



Security as an Ever Thought, Not an After Thought
“In one of my early teams, we were building software, and I thought it was important for the team to know what the software was doing. So I trained them on various exploits and how they worked. At some point, I demonstrated SQL injections; what they are, how they work, and how NOT DIFFICULT it is to run them. Upon seeing this, one of the lead database developers turned white and left the room. He later informed me that he was concerned, and the software needed to be fixed RIGHT NOW.

The problem in particular with security is that developers who are not exposed to it early don’t know to consider it from the beginning. Security needs to be an ever-thought, not an after-thought. To my knowledge, nobody ever took advantage of the obvious issue in the software.

I’ve been a CSSLP for a long time, and being able to connect with others who are securing software and services where I am just learning about them has been a huge benefit to me. Additionally, companies continue to view certifications as a benefit.”

Dr. Margaret (Meg) Layton
Security & Compliance Lead, Managed Detection & Response



Security Point of Contact
“I was involved in testing a third-party mobile application and we uncovered a number of issues, including the ability to take over other users’ accounts. The source of this was excessive data exposure from the underlying API. This is a common issue and should ideally be found much earlier in the API’s development, but instead was found just before it was released.

The CSSLP helps to improve knowledge around key areas such as common vulnerabilities, utilizing major industry resources to focus on recurring patterns. This helps to highlight the ways vulnerabilities can be introduced and even looks at aspects like threat modelling that can tease out potential vulnerabilities before the code is written.

Initially, the CSSLP credential moved me from being one of the developers on the team to being a security point-of-contact. The CSSLP Exam Outline gave me knowledge that helped me to learn other areas of security, which led me to work in offensive security. I now work as part of a red team, testing security for my employer. This includes testing software, so my development background and knowledge from the CSSLP are still really useful.”

Gavin Johnson-Lynn
Offensive Security Specialist



Competitive Advantage
“I once worked for a company that suffered a cyberattack to their accounting system. This resulted in the system being down for two days, which impacted their global business operations. After an investigation, it was shown that the internet-facing system (with a web interface) allowed unauthorized access to read some of the financial data. The main contributing factors were that the system was over 10 years old, so there was no security considered at the outset of the development. In addition, the security patches were not updated.

Some ways that the CSSLP would have helped to prevent this attack would include reviewing the application by threat modelling, applying threat modelling in the design phase of the software development process, reinforcing hardening in software deployment phase, and reinforcing security testing.

A person with the CSSLP credential not only can demonstrate professional knowledge applicable to any company, but also can show a competitive advantage in the job market.”

Kenji Chang
Senior Manager, Information Security & Governance



A Structured Approach
“Most of our customers are performing security audits to every software that they use, one of the biggest ones performed such test and provided feedback that his security team discovered, in our Admin console we provide an option to save credentials (AKA remember me), this was done to provide better user experience to the admin, but security-wise it is considered to be a bad practice, this was done due to lack of knowledge about the security aspects of such change.

Based on the knowledge obtained in the CSSLP we have added some checklists into the development life cycle, for example, in the requirement phase of every new feature that we ask, does this new feature affect the product security, simple question, but once raised it to make us think on the security effect, and we have found out that in most cases just thinking on the topic can provide the needed value.

CSSLP certification provides a structured approach for dealing with security in all stages in the development. It provides both formal recognition and opens new types of opportunities for me. CSSLP certification provided me with the opportunity to learn the security “language”, and this allows me to communicate with partners and customers effectively.”

Erez Pasternak
VP Innovation & Shield Architect



Execution
Now you have to make it happen. Bring together
all your experience and knowledge and create.
Deliver against your ambition, making sure that
everything becomes all you had intended.



Multiple Methods to Solve Problems
“In a previous job, I witnessed the lack of proper constraint testing for a web application (customer facing) that resulted in a large scale denial of service attack, brought on by an exploit that utilized a successful cross-site scripting attack. This is of course avoidable today, given the knowledge I’ve gained through the CSSLP course and certification.

By applying knowledge gained through the course of study for the CSSLP, I’ve been able to understand and properly apply multiple methods, including constraint testing, proper security architecture development, and most importantly understanding the need for properly protecting databases utilized by applications.

The largest benefit as a result of attaining the CSSLP has been the understanding of how to implement an end-to-end framework, in conjunction with application development and security departments working together, that encompasses secure software implementation, testing, and secure software lifecycle management”.

Jim Rutt
CIO & CISO



Guidelines for Everyday Decisions
“Years ago, I had an opportunity to participate in a practical exercise to test an operational web application for a customer. The company who owned the application wanted to ensure that the application met all the quality assurance requirements. Our testing revealed that most of the basic web application security risks were present. It was such a mess to overcome.

The most valuable knowledge gained in the learning process of CSSLP has been finding out about secure design principles. The CSSLP Exam Outline offers very good guidelines that help to make decisions during the everyday software development process.

Earning the CSSLP credential was valuable to me, as it has helped me in my everyday job, improving my software design and development skills, and helping to understand the importance of software systems in the context of a business. It is also delightful to see that more and more companies and recruiters seem to value the certification.”

Reimo Reisberg
Software Developer



Keeping the Numbers Correct
“When developing a daily credit card billing run, our team neglected to implement unit testing, leaving it as an afterthought. This led to a rounding error that resulted in dozens of erroneous charges to clients in production. This had very severe consequences as a security issue when viewed from the Confidentiality, Integrity, and Availability perspective. The integrity of the customer’s purchase was violated, and incorrect data was exposed.

The CSSLP with its emphasis on the SDLC lifecycle security components clearly defines the role of multiple testing and quality assurance approaches, providing a “testing first” mentality and approach to software development. Any one or all of these methods would have served to at least catch the rounding error and many more potential blunders.

I have seen three or four times more recruiter traffic in response to my LinkedIn profile. The CSSLP attracts attention and at the very least has created many opportunities for conversation and consulting.”

Alan Young
Identity & Privilege Access Management Architect



Strengthened Skills
“In a project that consisted of implementing various business processes on a software suite, we had a security failure that led to the configuration and permissions being modified. This granted unauthorized access to unauthorized administrative functionalities. The solution was to rebuild all the information from scratch to ensure correct operation.

Within the knowledge that corresponds to CSSLP, the different security practices are understood within each phase of the development cycle. These practices invite us to approach security from the initial definition of the software to be implemented.

The knowledge related to the CSSLP certification strengthens my skills within the tasks I perform. Now, I have the security capabilities, and a holistic vision throughout the development life cycle. This is an important role in the industry, and it allows me to obtain quality results and guarantee software to clients and users with a controlled and low-security risks.”

Carlos Fajardo
Cybersecurity Leader



Formalized & Refined Software Security Skills
“I have witnessed significant software failures around the lack of comprehensive data validation in systems which utilize “dead” languages in back-end mainframe processing. Inadequate data validation provides a gateway for several high risk vulnerability exploits to occur which leads to a data breach.

The knowledge obtained through the CSSLP Exam Outline facilitates the security evangelism necessary to implement a security-aware culture throughout the software development process. Specifically, it solicits active inquiry into the identification and rationalization of strong software security requirements.

The CSSLP certification formalized and refined the software security skills I gained in practicum. However, the biggest benefit of the CSSLP is the framework it codifies which can be used to educate students and practitioners on the breadth and depth of software security fundamentals.

The competencies gained from this education is monumental in developing the next generation of software security practitioners, which will serve to continuously strengthen the overall security posture of software.”

Jenelle Davis
Faculty Member



Risk Mitigation Competencies
“I recall one instance of a front-end development project, whereby a wrong software library was installed leading to the possibility of unintended data leakage.

The CSSLP Exam Outline addresses ways to prevent trivial design faults that can lead to breach events. Particularly, the sections of Secure Software Design, Secure Software Implementation and Secure Software Testing are unmatched in their informational and educational value.

The CSSLP training is unique in both system, and application software design. The knowledge areas of implementation, testing, and production also enable me to prevent and mitigate huge cybersecurity risks.”

Dr. Daniel Ng
Director



Confidence to be a Better Software Developer
“I witnessed, but was not involved in, several instances where applications have been hacked and private information was accessed. The cause for most of these breaches was lack of appropriate testing and proactive controls.

Knowing and understanding the appropriate places to look and how applications can be attacked has been priceless to keeping out of the spotlight. I don’t consider myself omniscient, but I always look for ways to defend in depth.

Attaining the knowledge of securing applications and keeping up with the latest practices helps to reduce the likelihood of exposed vulnerabilities.

Looking for defenses in depth at the different application layers and evaluating threats during the design helps to better secure the applications.

I started as a software developer in my career and only a little later did I realize the necessity to better understand security within applications. I realized that as hacking sophistication grew, those controls were no longer adequate. At that point, I realized that I needed to learn about securing applications. I took to the CSSLP exam to gain the confidence that I needed to be a better software developer.”

Scott Brookhart
Problem Manager



How CSSLP Certification Helps
Earning the CSSLP from ISC2 is a proven way to build your career and demonstrate your expertise and ability to incorporate
security practices – authentication, authorization and auditing – into each phase of the Software Development Lifecycle (SDLC).

Begin your journey toward CSSLP – Become an ISC2 Candidate. Join ISC2, the world’s leading cybersecurity professional
organization, more than 600,000 members, associates and candidates strong. You’ll access a full range of benefits, including
20% off online training and up to 50% off textbooks. Sign up now - Your first year is free – no cost to you.*

Next Step: Get the Ultimate Guide


Take your next step toward certification with The Ultimate Guide to the CSSLP.
It covers everything you need to know about CSSLP certification. Find out how CSSLP
and ISC2 can help you discover your certification path, create your plan and acquire
knowledge and skills for a successful career.

About ISC2
ISC2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world.
Best known for the acclaimed Certified Information Systems Security Professional (CISSP) certification, ISC2 offers
a portfolio of credentials that are part of a holistic, pragmatic approach to security.

Our membership, more than 600,000 strong, is made up of certified cyber, information, software and infrastructure
security professionals who are making a difference and helping to advance the industry. Our vision is supported by
our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber
Safety and Education™.

For more information on ISC2, visit our website, follow us on X, or connect with us on Facebook, LinkedIn and YouTube.
