London, UK – 4th April 2013 – To address the growing number of threats arising from widening security gaps in the software supply chain, (ISC)²® (“ISC-squared”), the world’s largest not-for-profit information and software security professional body and administrators of the CISSP®, has added a new domain to its Certified Secure Software Lifecycle Professional (CSSLP) credential exam. The new domain, titled “Supply Chain and Software Acquisition”, captures the activities within each phase of the software lifecycle that must occur to mitigate supply chain risk.
The CSSLP is the only certification in the industry designed to ensure that security is considered throughout the entire software development lifecycle. From concept and planning through operations and maintenance to the ultimate disposal, it establishes industry standards and best practices for building security into each phase. The domains, or key areas covered by the exam, include:
Secure Software Concepts
Secure Software Requirements
Secure Software Design
Secure Software Implementation/Coding
Secure Software Testing
Software Acceptance
Software Deployment, Operations, Maintenance, and Disposal
Supply Chain & Software Acquisition (New)
The new eighth domain validates that an individual performs the activities necessary when acquiring software to ensure the proper security measures are implemented. Key elements of supply chain risk that CSSLP candidates must know include:
Supplier Risk Assessment
Supplier Sourcing
Software Development and Test
Software Delivery, Operations, and Maintenance
Supplier Transitioning – Code Escrow, Data Exports, Contracts, Disclosure
The largest gap between information security risk awareness and response exists in the software development discipline. According to the recently released 2013 (ISC)² Global Information Security Workforce Study, which surveyed 12,394 information security professionals from around the world:
Respondents rated secure software development above software and hardware solutions in level of importance in effectively securing an organisation’s infrastructure.
Application vulnerabilities are the number one security concern for 69 percent of respondents, with 72 percent of C-level executives rating it as their highest concern.
Almost half of responding security organisations are NOT involved in software development.
Insecure software was a contributor in approximately one-third of the 60 percent of detected security breaches[1].
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director for (ISC)², commented, “Our data shows that the frequency of software acquisition and outsourcing is increasing dramatically. The CSSLP is an excellent vehicle for professionals and organisations to validate and maintain the most sought-after skills of the secure software workforce. By adding this new domain, we are hoping to enhance a professional’s ability to secure the supply chain and decrease breaches attributable to insecure software.”
For more information about the CSSLP, the new domain or to register for the exam, please visit www.isc2.org/csslp.
[1] 2013 (ISC)² Global Information Security Workforce Study, https://www.isc2cares.org/IndustryResearch/GISWS/