The domain, dubbed “Supply Chain and Software Acquisition,” has been added to the (ISC)²’s Certified Secure Software Lifecycle Professional (CSSLP) credential exam, which validates that an individual can perform the activities necessary when acquiring and implementing applications to ensure the proper security measures are implemented throughout the entire software development lifecycle.
The largest gap between information security risk awareness and response exists in the software development discipline, according to the 2013 (ISC)² Global Information Security Workforce Study. Respondents rated secure software development above software and hardware solutions in terms of the level of importance in effectively securing an organization’s infrastructure.
Application vulnerabilities were the No. 1 security concern for 69% of respondents, with 72% of C-level executives rating it as their highest concern. Insecure software was a contributor in approximately one-third of detected security breaches.
“Our data shows that the frequency of software acquisition and outsourcing are increasing dramatically,” said W. Hord Tipton, executive director for (ISC)². “The CSSLP is an excellent vehicle for professionals and organizations to validate and maintain the most sought-after skills of the secure software workforce. By adding this new domain, we are hoping to enhance a professionals' ability to secure the supply chain and decrease breaches attributable to insecure software.”
The new domain – the eighth within the overall software development credential – validates that an individual can perform the activities necessary when acquiring software to ensure the proper security measures are implemented. Key elements to supply-chain risk that CSSLP candidates must know include:
- Supplier Risk Assessment
- Supplier Sourcing
- Software Development and Testing
- Software Delivery, Operations and Maintenance
- Supplier Transitioning – Code Escrow, Data Exports, Contracts, Disclosure
The umbrella CSSLP credential addresses software development from concept and planning through operations and maintenance, to establish industry standards and best practices for building security into each phase.
The key areas covered by the exam include: secure software concepts; secure software requirements; secure software design; secure software implementation/coding; secure software testing; software acceptance; software deployment, operations, maintenance and disposal; and the latest domain, supply chain and software acquisition.