by Mano Paul, CISSP, CSSLP, MCSD, MCAD, CompTIA Network+, ECSA
As highlighted in the recently released 2013 Global Information Security Workforce Study (GISWS) – the largest vendor-neutral study of its kind conducted by (ISC)2 and analyst firm Frost & Sullivan – the largest gap between information security risk awareness and response exists in the secure software development discipline. In fact, respondents ranked application vulnerabilities as their top concern, making application security and secure software development the highest ranking security concern for the information security profession today.
As the first software security certification, the groundbreaking Certified Secure Software Lifecycle Professional (CSSLP®) was created to validate secure software development practices and expertise in response to the increasing number of application vulnerabilities. Taking a holistic approach to software security, the CSSLP aims to validate an individual’s competency in addressing security issues throughout the entire software development lifecycle (SDLC).
So who is it for? In today's cyber world, it may be easier to answer the opposite question: who is it NOT for? Professionals not involved in software (or applications). In other words, it is aimed at all stakeholders involved in software development. Although focused foundationally on software architects, programmers (engineers) and software development managers, the CSSLP caters to all individuals involved in the SDLC, including software testers, business analysts, project managers, operational personnel, security team members, auditors, and software vendors. It goes beyond traditional security views with an aim to educate and assess an individual’s competency in software assurance.
The CSSLP is a base-level certification that addresses software security from a holistic view, and is technology-, code/syntax-, and vendor-agnostic. By holistic I mean:
- It covers the people, process, and technology aspects of software assurance.
- It covers the network, host, and application aspects of software assurance.
- It goes beyond just writing secure code and covers the security aspects from the requirements phase to the retirement phase through design, development, testing, and deployment.
Interested in pursuing the CSSLP? There are two important components that are necessary for success – the first is experience and the second is education. Like any other elite professional certification, the CSSLP assessment gauges an individual's knowledge and competency in software assurance concepts, not merely at a definitional level but also at a functional level. Additionally, just as one would not take a test without first preparing, it would be foolhardy to assume that you can take the CSSLP examination without proper preparation. You can learn more about the requirements and next steps to earn the CSSLP here.
When you see dark clouds, there will likely be a storm. And with hackers targeting the application layer, the future for organizations that pay little to no attention to software (or application) security is bleak. The CSSLP is ultimately intended to educate a company's workforce so they can weather the inevitable storms in the application space. And while earning the CSSLP certification is a vital and key step in your professional cyber security career, one cannot stop the continuing education process afterwards. It’s time we closed the widening gap between risk awareness and risk response in the software development discipline, and getting your CSSLP can certainly help your organization in this endeavor, besides helping you professionally in your career.
The bottom line as outlined by the Global Workforce Study: deepening engagements in software development cannot occur in isolation or be the exclusive responsibility of the information security workforce. Other relevant functional groups—software developers, application owners, and the quality assurance and testing teams—must internalize secure software development best practices and engage, as standard operating procedure, with information security professionals.