CSSLP: Supply Chain and Software Acquisition

This course is included in our On-demand training solution.

Software lifecycle activities regularly extend beyond the internal environment. Outsourced software development, acquisition, and procurement activities require specific attention to ensure security is integrated into the final software product or service. In this course, you'll learn about supplier risk assessment considerations, including intellectual property, code reuse, and legal compliance complexities. This course also introduces supplier sourcing considerations such as contractual integrity controls, vendor technical integrity controls, and service-level agreements (SLAs). Finally, this course introduces software delivery and maintenance best practices such as publishing and dissemination controls, product deployment and sustainment controls, and supplier transitioning requirements. This course is one of a series in the Skillsoft learning path that covers the objectives for the Certified Secure Software Lifecycle Professional (CSSLP) exam.

Target Audience

Individuals interested in secure software lifecycle design concepts and methodologies; candidates for the Certified Secure Software Lifecycle Professional (CSSLP) exam

Expected Duration

90 min.

Course Objectives

Course Introduction

Risk Assessment for Code Reuse
  • recognize characteristics of risk assessment for code reuse

Code Reuse Plan Best Practices
  • identify best practices for creating a practical reuse plan

Intellectual Property
  • identify best practices for preventing intellectual property theft

Legal Compliance
  • recognize characteristics of legal compliance

Supplier Prequalification
  • identify best practices for supplier prequalification activities

Supplier Sourcing Challenges
  • distinguish between different security trade-offs in supplier sourcing

Contractual Integrity Controls
  • identify best practices for contractual integrity controls

Vendor Technical Integrity Controls
  • identify best practices for vendor technical integrity controls

Managed Services Controls
  • identify best secure control practices for managed services from a supplier

Service-level Agreements
  • distinguish between the two rules service-level agreements (SLAs) should provide

Technical Controls
  • identify technical controls for software development and testing

Code Testing and Verification
  • identify code testing and verification options for software development and testing

Security Testing Controls
  • list the eight steps to create a formal set of security testing controls

Software Requirements Verification and Validation
  • identify software requirements verification and validation

Chain of Custody
  • identify chain of custody best practices

Publishing and Dissemination Controls
  • distinguish between licenses, encryption, and authentication as publishing and dissemination controls

System-of-Systems Integration
  • identify characteristics of system-of-systems integration

Software Authenticity and Integrity
  • identify software authenticity and integrity best practices during software delivery, operations, and maintenance

Product Deployment and Sustainment Controls
  • recognize best practices when integrating product deployment and sustainment controls

Monitoring and Incident Management
  • identify monitoring and incident management best practices

Vulnerability Management, Tracking, and Resolution
  • identify best practices for vulnerability management, tracking, and resolution activities

Code Escrow and Data Exports
  • identify the purpose of code escrow during supplier transitioning

Contracts
  • identify contracts best practices during supplier transitioning

Exercise: Assessing Supplier Risk