I just received my official notification from ISC² that I am officially a Certified Secure Software Lifecycle Professional (CSSLP). For those of you familiar with the CISSP, the CSSLP is related but it is specifically focused software development or procurement.
In order to demonstrate my knowledge, I was tested on security and risk-related activities covering the entire software lifecycle, from initial planning to securely decommissioning software and data being phased out.
While preparing for the test, I managed to learn a few new things. One of the most important is the realization that the customer is intrinsically accepting all of the risk related to the project. As a software professional, it is our job to assist the customer with this by determining their risk and required security level in the beginning of the project, managing the security requirements at the proper level throughout the project, and helping the customer to validate these requirements have been met when we go to production.
Secure software only remains secure if it is deployed to a secure environment. Before, during, and after deployment, the environment’s security must be maintained to the appropriate standards.
Of course I learned a lot more than that, but those three ideas stuck in my memory as important.