CSSLP & ISACA Advanced Labs

Master secure software development, IT governance, and risk management through advanced hands-on practice.

These Labs Cover All Cybersecurity Certifications

CompTIA Security+, CompTIA CySA+, CompTIA PenTest+, CompTIA SecurityX, ISC2 CISSP, ISC2 SSCP, ISC2 CCSP, ISC2 CGRC,
ISC2 CSSLP, ISC2 ISSAP, ISC2 ISSEP, ISC2 ISSMP, ISACA CISA, ISACA CISM, ISACA CRISC, ISACA CGEIT

CSSLP & ISACA Certification Labs

Comprehensive labs for secure development lifecycle, IT governance frameworks, and risk management.

Lab 28: Secure Software Development Lifecycle (SDLC)
Hybrid - GUI + Terminal
CSSLP / SSCP
Scenario: Enterprise Application Security
SecureBank Inc. develops a customer-facing banking application. As Lead Security Engineer, implement comprehensive security throughout the SDLC: define security requirements, design secure architecture, configure repository controls with branch protections, run SAST/DAST scans, implement CI/CD security gates, and ensure secure deployment with runtime protections.

Learning Objectives CSSLP / SSCP Lab

  • Define security requirements and threat models for applications
  • Design secure architecture with defense-in-depth principles
  • Configure source code repository security controls
  • Run SAST and DAST security testing in CI/CD pipeline

Step-by-Step Instructions

  1. Step 1: Define Security Requirements
    🎯 Goal: Click "Security Requirements" toolbar button to open modal and define authentication, authorization, data protection, and compliance requirements.

    📝 Why This Matters: CSSLP Domain 3 (Secure Software Requirements) requires defining security early. Requirements drive architecture, implementation, and testing decisions.

    💻 Actions:
    1. Click "Security Requirements" button
    2. Authentication: Select Multi-Factor Authentication (MFA) Required
    3. Authorization: Select Role-Based Access Control (RBAC)
    4. Session: Select 15-minute idle timeout
    5. Data Protection: Select AES-256 encryption at rest, TLS 1.3 in transit
    6. Audit Logging: Select All authentication, authorization, and data access events
    7. Compliance: Check PCI DSS 4.0 and SOC 2 Type II
    8. Click "Save Requirements"

    Dashboard will show Requirements Status = Defined.
    💡 CSSLP Tip: Security requirements = CIA triad + compliance + privacy + resilience. Must be testable and traceable!
  2. Step 2: Design Secure Architecture
    🎯 Goal: Click "Architecture Design" to define security architecture patterns.

    📝 Why This Matters: CSSLP Domain 4 (Secure Software Design) covers threat modeling, defense-in-depth, secure design patterns. Architecture determines attack surface.

    💻 Actions:
    1. Click "Architecture Design"
    2. Pattern: Select Layered Architecture with DMZ
    3. Authentication: Select OAuth 2.0 + OpenID Connect
    4. Secrets Management: Select HashiCorp Vault
    5. API Security: Select API Gateway with rate limiting and WAF
    6. Database: Select Encrypted database with TDE
    7. Threat Model: Select STRIDE analysis completed
    8. Click "Save Architecture"

    Dashboard will show Architecture Status = Designed.
    ⚠️ Threat Modeling: STRIDE = Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
  3. Step 3: Configure Repository Controls (Terminal)
    🎯 Goal: Use git commands in terminal to configure branch protections, signed commits, and security policies.

    📝 Why This Matters: CSSLP Domain 8 (Secure Software Supply Chain) covers source and build integrity, and Domain 7 (Secure Software Deployment, Operations, Maintenance) covers the operational controls around it. Repository controls stop unauthorized or unreviewed code changes from reaching the build.

    Terminal Commands (type each one in the lab terminal exactly as shown, in order):

    First, enable branch protection for main branch:
    git config branch.main.protected true

    Then require signed commits for integrity:
    git config commit.gpgsign true

    Finally, enforce code review requirement:
    git config branch.main.requiredApprovals 2

    The lab terminal confirms each command with a "Configuration updated" message. Outside the lab, only commit.gpgsign is a real git setting, and all it does is sign the commits you make on this clone; real git prints nothing for the other two and simply stores the unknown keys, because branch protection and required approvals are enforced by the hosting platform (a protected-branch rule on GitHub, GitLab or similar), not by anything in a developer's local config.
    🔒 Supply Chain Security: A valid signature proves a commit was made with a particular key; it vouches for the author only when that key is bound to a verified account and the server rejects commits that are unsigned or signed with an unenrolled key. Branch protection prevents direct pushes to main. Code review catches vulnerabilities that scanners miss.
  4. Step 4: Run SAST and DAST Scans (GUI)
    🎯 Goal: Click "Run Security Scans" to execute static (SAST) and dynamic (DAST) application security testing.

    📝 Why This Matters: CSSLP Domain 6 (Secure Software Testing) requires automated security testing. SAST finds vulnerabilities in code, DAST tests running application.

    💻 Actions:
    1. Click "Run Security Scans" in toolbar
    2. SAST tool will analyze code and show findings panel
    3. Review critical/high findings (SQL Injection, XSS, etc.)
    4. DAST simulation will test API endpoints
    5. Verify scan completion in dashboard

    The lab's SonarQube-style findings panel lists vulnerabilities by severity with remediation guidance. Dashboard shows Scans Status = Complete with findings count.
    🎓 Exam Tip: SAST = white-box testing (source code analysis; finds flaws such as injection sinks before the code runs). DAST = black-box testing (probes the running application; finds what is actually exploitable in the deployed configuration). Each misses what the other finds, so both are required for comprehensive coverage!
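A way to enforce what the Step 3 terminal only simulates, as an added example (not the lab's code and not part of any git command above): a Python gate for a CI job or pre-receive hook that reads the output of `git log --format='%H%x09%G?%x09%GK%x09%an' origin/main..HEAD` (the assumed invocation; `%G?` is git's signature-status code and `%GK` the signing key id, both documented in git-log(1)) and rejects the push unless every commit carries a good signature from a key on the team's enrolment list. The sample log lines, SHAs, key ids and author names are constructed for the example.

```python
"""Commit-signature gate for a CI job or pre-receive hook (added example).

Input: the output of (assumed invocation)
    git log --format='%H%x09%G?%x09%GK%x09%an' origin/main..HEAD
%G? is git's signature status code, %GK the id of the signing key.
"""
from dataclasses import dataclass

# git's %G? codes, from git-log(1) "pretty formats"
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Enrolled signing keys (hypothetical key ids; in practice loaded from the team's key registry).
TRUSTED_KEYS = {"B5A1C2D3E4F50617"}

# Constructed sample log: five commits, tab separated, as the format above prints them.
# SHAs, key ids and author names are made up for the example.
SAMPLE_LOG = (
    "a1f3c9d0e8b7a6f5c4d3e2b1a0f9e8d7c6b5a4f3\tG\tB5A1C2D3E4F50617\tAlice Dev\n"
    "b2e4d0a1f9c8b7e6d5c4b3a2f1e0d9c8b7a6f5e4\tN\t\tBob Builder\n"
    "c3d5e1b2a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5\tG\t0000DEADBEEF0001\tMallory\n"
    "d4c6f2a3b1e0f9d8c7b6a5f4e3d2c1b0a9f8e7d6\tU\tB5A1C2D3E4F50617\tAlice Dev\n"
    "e5b7a3c4d2f1e0a9b8c7d6e5f4a3b2c1d0e9f8a7\tB\tB5A1C2D3E4F50617\tEve\n"
)


@dataclass(frozen=True)
class Verdict:
    sha: str
    author: str
    status: str
    key_id: str
    accepted: bool
    reason: str


def parse_log(log_text):
    """Split the tab-separated log into (sha, status, key_id, author) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected log line: {line!r}")
        sha, status, key_id, author = parts
        rows.append((sha, status, key_id.upper(), author))
    return rows


def evaluate_commit(sha, status, key_id, author, trusted_keys):
    """Policy: accept only a cryptographically good signature from an enrolled key.

    A 'U' (good signature, key validity unknown to gpg's web of trust) is fine
    when the key is enrolled, because the enrolment list is the trust source here.
    Everything else, including a good signature from an unknown key, is rejected.
    """
    if status in ("G", "U"):
        if key_id in trusted_keys:
            return Verdict(sha, author, status, key_id, True, "good signature from enrolled key")
        return Verdict(sha, author, status, key_id, False, f"signing key {key_id} is not enrolled")
    reason = SIGNATURE_STATUS.get(status, f"unknown signature status {status!r}")
    return Verdict(sha, author, status, key_id, False, reason)


def gate(log_text, trusted_keys=TRUSTED_KEYS):
    """Return (passed, verdicts); passed is True only if every commit is accepted."""
    verdicts = [evaluate_commit(*row, trusted_keys) for row in parse_log(log_text)]
    return all(v.accepted for v in verdicts), verdicts


if __name__ == "__main__":
    passed, verdicts = gate(SAMPLE_LOG)
    for v in verdicts:
        print(f"{'ACCEPT' if v.accepted else 'REJECT'} {v.sha[:12]} {v.author:<12} %G?={v.status} {v.reason}")
    print("push", "allowed" if passed else "rejected")
```

The allowlist is the point: a signature alone says nothing about identity. Commit c3 in the sample has a perfectly good signature from a key nobody enrolled, which is exactly what an attacker with a stolen account and a freshly generated key produces, and commit.gpgsign on the developer's machine does nothing to stop it. On hosted platforms the equivalent control is the "require signed commits" branch rule, checked against keys uploaded to verified accounts.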
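A CI security gate of the kind Step 4 asks for, as an added example (not the lab's scanner and not taken from any product): it reads a SAST report in SARIF 2.1.0 form, the interchange format most scanners can emit, classifies each finding from its rule's security-severity score (falling back to the SARIF result level when a rule has no score), skips findings that carry an accepted suppression, and fails the job if any unsuppressed CRITICAL or HIGH finding remains. The severity bands on the 0 to 10 score are the ones GitHub code scanning applies to uploaded SARIF; the sample report, tool name, rule ids and file paths are constructed.

```python
"""CI security gate over a SAST report in SARIF 2.1.0 form (added example)."""
import json

# Bands on the 0-10 "security-severity" rule property (the cut-offs GitHub code
# scanning applies to uploaded SARIF). Checked in order, first match wins.
SEVERITY_BANDS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.0))
# Fallback for rules without a numeric score: map the SARIF result level.
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"}


def _loc(uri, line):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]


# Constructed sample report: tool name, rule ids and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "py/reflective-xss", "properties": {"security-severity": "7.5"}},
            {"id": "py/clear-text-logging"},
            {"id": "py/unused-import"},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "SQL query built from user-controlled input"},
             "locations": _loc("app/accounts.py", 42)},
            {"ruleId": "py/reflective-xss", "level": "error",
             "message": {"text": "Request parameter written to response unescaped"},
             "locations": _loc("app/views.py", 88)},
            {"ruleId": "py/reflective-xss", "level": "error",
             "message": {"text": "Request parameter written to response unescaped"},
             "locations": _loc("app/api.py", 17),
             "suppressions": [{"kind": "external", "status": "accepted",
                               "justification": "JSON API response, content-type is not HTML"}]},
            {"ruleId": "py/clear-text-logging", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": _loc("app/auth.py", 203)},
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": _loc("app/__init__.py", 3)},
        ],
    }],
})


def severity_from_score(score):
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "LOW"


def rules_by_id(run):
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules if "id" in r}


def classify(result, rules):
    """Severity of one result: the rule's score if present, else the result level."""
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return severity_from_score(float(score))
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "MEDIUM")


def is_suppressed(result):
    """A suppression with status 'accepted' (or no status) removes the result
    from the gate; 'underReview' and 'rejected' suppressions do not."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def location(result):
    try:
        phys = result["locations"][0]["physicalLocation"]
        return f"{phys['artifactLocation']['uri']}:{phys.get('region', {}).get('startLine', '?')}"
    except (KeyError, IndexError):
        return "<no location>"


def security_gate(sarif_text, fail_on=("CRITICAL", "HIGH")):
    """Classify every result; fail if any unsuppressed finding is in fail_on."""
    report = json.loads(sarif_text)
    counts = {name: 0 for name, _ in SEVERITY_BANDS}
    suppressed, blocking = 0, []
    for run in report.get("runs", []):
        rules = rules_by_id(run)
        for result in run.get("results", []):
            if is_suppressed(result):
                suppressed += 1
                continue
            sev = classify(result, rules)
            counts[sev] += 1
            if sev in fail_on:
                blocking.append((sev, result.get("ruleId"), location(result),
                                 result.get("message", {}).get("text", "")))
    return {"passed": not blocking, "counts": counts,
            "suppressed": suppressed, "blocking": blocking}


if __name__ == "__main__":
    verdict = security_gate(SAMPLE_SARIF)
    for sev, rule, where, text in verdict["blocking"]:
        print(f"{sev:<8} {rule:<24} {where:<22} {text}")
    print("counts:", verdict["counts"], "suppressed:", verdict["suppressed"])
    raise SystemExit(0 if verdict["passed"] else 1)
```

Gate on unsuppressed findings only, but keep counting the suppressed ones: a rising suppression count is itself a signal that reviewers are waving findings through rather than fixing them. The same gate covers the DAST run once its report is exported as SARIF, which most current scanners can do.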
SecureBank Security Analysis Dashboard (initial state)

  Requirements:  Status Not Defined;      Controls 0
  Architecture:  Status Not Designed;     Pattern -
  Repository:    Protection Disabled;     Signed Commits No
  Scans:         Status Not Run;          Findings -

Complete the configuration steps and run the security scans to view findings.

Lab 29: IT Investment and Portfolio Management
GUI-Based
CGEIT / CISM
Scenario: Strategic IT Portfolio Optimization
TechVentures Corp has $50M IT budget with 25 competing projects. Board demands value optimization and alignment with strategic goals. As IT Portfolio Manager, evaluate projects using scoring criteria, categorize investments (Run/Grow/Transform), balance portfolio risk, track benefits realization, and report value delivery to executives.

Learning Objectives CGEIT / CISM Lab

  • Evaluate IT projects using strategic alignment scoring
  • Categorize and balance portfolio across Run/Grow/Transform
  • Assess portfolio risk and optimize risk-return profile
  • Track benefits realization and demonstrate IT value

Step-by-Step Instructions

  1. Step 1: Define Portfolio Scoring Criteria
    🎯 Goal: Establish objective criteria to evaluate and prioritize IT investments.

    📝 Why This Matters: CGEIT Domain 2 (IT Resources) emphasizes value-based investment decisions. Scoring criteria enable data-driven portfolio optimization aligned with business strategy.

    💻 Actions:
    1. Click "Scoring Criteria"
    2. Strategic Alignment Weight: 30%
    3. Financial ROI Weight: 25%
    4. Risk Level Weight: 20%
    5. Resource Availability Weight: 15%
    6. Compliance/Regulatory Weight: 10%
    7. Scoring Scale: Select 1-5 (1=Low Value, 5=High Value)
    8. Approval Threshold: 3.5/5.0 minimum score
    9. Click "Save Criteria"

    Dashboard will show Scoring Model = Active.
    💡 CGEIT Principle: Weighted scoring aligns IT investments with business priorities. Strategic alignment weighted highest!
  2. Step 2: Categorize Portfolio Investments
    🎯 Goal: Classify $50M budget across Run/Grow/Transform categories for balanced investment.

    📝 Why This Matters: CGEIT Domain 3 (Benefits Realization) requires balanced portfolio. Run maintains operations, Grow improves capabilities, Transform enables innovation.

    💻 Actions:
    1. Click "Portfolio Categories"
    2. Run the Business: $20M (40%) — Infrastructure, operations, maintenance
    3. Grow the Business: $18M (36%) — Process improvements, efficiency gains
    4. Transform the Business: $10M (20%) — Digital transformation, innovation
    5. Compliance/Mandatory: $2M (4%) — Regulatory requirements
    6. Target Mix Rationale: Balance stability (Run) with strategic growth (Grow/Transform)
    7. Click "Set Portfolio Mix"

    Dashboard shows Portfolio Balance chart.
    ⚠️ Balance Principle: Too much "Run" = no innovation. Too much "Transform" = operational risk. Balance is key!
  3. Step 3: Assess and Optimize Portfolio Risk
    🎯 Goal: Evaluate portfolio risk profile and optimize risk-return balance.

    📝 Why This Matters: CGEIT Domain 4 (Risk Optimization) requires managing IT portfolio risk. High-risk projects need higher returns to justify investment.

    💻 Actions:
    1. Click "Risk Assessment"
    2. Risk Tolerance: Select Moderate - Accept medium risk for strategic initiatives
    3. High-Risk Projects: 4 projects ($8M total) with mitigation plans required
    4. Medium-Risk Projects: 12 projects ($28M total) with standard controls
    5. Low-Risk Projects: 9 projects ($14M total) with minimal oversight
    6. Risk Concentration: Select No single project >15% of budget
    7. Contingency Reserve: 10% ($5M) for risk mitigation
    8. Click "Optimize Risk"

    Dashboard displays Risk-Return Matrix.
    🎓 Exam Tip: Risk appetite drives portfolio composition. Conservative = more Run projects. Aggressive = more Transform projects.
  4. Step 4: Track Benefits Realization
    🎯 Goal: Establish benefits tracking to demonstrate IT value delivery.

    📝 Why This Matters: CGEIT Domain 3 (Benefits Realization) is 26% of exam. Tracking proves IT investments deliver promised value to business.

    💻 Actions:
    1. Click "Benefits Tracking"
    2. Benefit Categories: Check all (Cost Reduction, Revenue Growth, Risk Mitigation, Compliance)
    3. Measurement Approach: Select Quantitative metrics with baseline and targets
    4. Tracking Frequency: Select Monthly for active projects, quarterly for post-implementation
    5. Accountability: Select Business owner responsible for benefits realization
    6. Reporting Format: Select Executive scorecard with RAG status
    7. Review Process: Quarterly portfolio review with Steering Committee
    8. Click "Enable Benefits Tracking"

    Dashboard shows Benefits Realization status with sample projects tracked.
    💡 Best Practice: Benefits must be SMART — Specific, Measurable, Achievable, Relevant, Time-bound. Vague benefits = no accountability!
IT Portfolio Management Dashboard (TechVentures Corp - $50M Annual Budget, initial state)

  Scoring Model:      Status Not Configured;     Threshold -
  Portfolio Balance:  Run/Grow/Transform -;      Total Budget $50M
  Risk Profile:       Tolerance Not Set;         Contingency -
  Benefits Status:    Tracking Disabled;         Realized -
Sample Portfolio Projects (Top 8 of 25)

  Project                     Category    Budget  Score    Risk    Status
  Cloud Migration             Transform   $5.2M   4.2/5.0  HIGH    In Progress
  ERP Upgrade                 Run         $3.8M   3.8/5.0  MEDIUM  On Track
  Data Analytics Platform     Grow        $2.5M   4.5/5.0  MEDIUM  On Track
  Cybersecurity Enhancement   Compliance  $2.0M   4.0/5.0  LOW     On Track
  Customer Portal Redesign    Grow        $1.8M   3.9/5.0  MEDIUM  At Risk
  Infrastructure Refresh      Run         $4.5M   3.2/5.0  LOW     On Track
  AI/ML Pilot Program         Transform   $1.5M   4.8/5.0  HIGH    Planning
  Network Modernization       Run         $3.2M   3.5/5.0  LOW     On Track
Lab 30: Enterprise Risk Response & Reporting
GUI-Based
CRISC / CISM
Scenario: Cyber Risk Management Program
DataCorp identified 15 critical cyber risks during assessment: ransomware threats, third-party vendor risks, cloud security gaps, insider threats, and regulatory compliance gaps. As Chief Risk Officer, develop risk response strategies (mitigate/transfer/accept/avoid), implement risk treatment plans, establish KRIs for monitoring, and create executive risk reporting for board oversight.

Learning Objectives CRISC / CISM Lab

  • Develop risk response strategies for identified threats
  • Create risk treatment plans with timelines and ownership
  • Establish Key Risk Indicators (KRIs) for monitoring
  • Design executive risk reporting dashboards

Step-by-Step Instructions

  1. Step 1: Develop Risk Response Strategies
    🎯 Goal: Define response strategy (Mitigate/Transfer/Accept/Avoid) for each critical risk.

    📝 Why This Matters: CRISC Domain 3 (Risk Response & Reporting) is 32% of exam. Risk response strategy depends on risk level, cost-benefit, and risk appetite.

    💻 Actions:
    1. Click "Risk Response Planning"
    2. Ransomware Threat: Select Mitigate - Implement EDR, backups, training
    3. Third-Party Risk: Select Transfer - Cyber insurance + contractual liability transfer (this shifts the financial impact to another party; accountability for the risk stays with DataCorp)
    4. Cloud Misconfiguration: Select Mitigate - CSPM tools + IaC scanning
    5. Insider Threat: Select Mitigate - PAM, UEBA, DLP controls
    6. Regulatory Non-Compliance: Select Mitigate - Compliance program + audits
    7. Legacy System Risk: Select Accept - Document risk acceptance with compensating controls
    8. High-Risk Vendor: Select Avoid - Terminate vendor relationship
    9. Click "Save Strategies"

    Dashboard shows Response Strategies = Defined.
    💡 CRISC Principle: Risk response must be cost-effective. The cost of a control should not exceed the reduction in expected loss it buys; if it does, accepting or transferring the risk is the better response.
  2. Step 2: Create Risk Treatment Plans
    🎯 Goal: Document detailed action plans with owners, timelines, budgets for risk mitigation.

    📝 Why This Matters: Risk treatment plans operationalize risk response. Plans must have clear ownership, milestones, success criteria.

    💻 Actions:
    1. Click "Treatment Plans"
    2. Ransomware Mitigation Plan:
    - Owner: CISO
    - Timeline: 90 days
    - Budget: $500,000
    - Actions: Deploy CrowdStrike EDR, implement 3-2-1 backup, phishing training
    - Success Criteria: 99.9% endpoint coverage, 15-minute RPO, 50% reduction in phishing clicks
    3. Cloud Security Plan:
    - Owner: Cloud Architect
    - Timeline: 60 days
    - Budget: $200,000
    - Actions: Deploy Prisma Cloud CSPM, enable AWS Security Hub, IaC scanning
    - Success Criteria: Zero critical misconfigurations, 100% resource tagging
    4. Click "Submit Plans"

    Dashboard shows Treatment Plans = Active with progress tracking.
    ⚠️ Accountability: Every risk must have a named owner who accepts responsibility for mitigation. No owner = no action!
  3. Step 3: Establish Key Risk Indicators (KRIs)
    🎯 Goal: Define leading indicators that provide early warning of increasing risk exposure.

    📝 Why This Matters: KRIs are chosen as leading indicators: they measure conditions that make an incident more likely, so they warn BEFORE it occurs, whereas KPIs typically measure past performance (lagging). CRISC emphasizes continuous risk monitoring.

    💻 Actions:
    1. Click "KRI Configuration"
    2. Cyber Attack KRI: Number of phishing attempts per week
    - Threshold: Yellow at 50/week, Red at 100/week
    3. Patch Management KRI: % critical systems unpatched >30 days
    - Threshold: Yellow at 5%, Red at 10%
    4. Vendor Risk KRI: % third parties without security assessment
    - Threshold: Yellow at 20%, Red at 30%
    5. Incident Response KRI: Mean Time to Detect (MTTD)
    - Threshold: Yellow at 8 hours, Red at 24 hours
    6. Compliance KRI: Number of open audit findings
    - Threshold: Yellow at 5, Red at 10
    7. Data Loss KRI: Number of DLP policy violations per month
    - Threshold: Yellow at 20, Red at 50
    8. Monitoring Frequency: Weekly automated reporting with monthly review
    9. Click "Enable KRIs"

    Dashboard displays KRI Status with current values and trend indicators.
    🎓 Exam Tip: KRIs = leading indicators (predict future risk). KPIs = lagging indicators (measure past performance). Know the difference!
  4. Step 4: Design Executive Risk Reporting
    🎯 Goal: Create board-level risk reporting with heat maps, trends, treatment status.

    📝 Why This Matters: CRISC Domain 3 requires communicating risk to stakeholders. Board needs concise, visual, actionable risk reporting.

    💻 Actions:
    1. Click "Executive Reporting"
    2. Report Audience: Select Board of Directors and Audit Committee
    3. Report Frequency: Select Quarterly with ad-hoc for critical risks
    4. Report Format: Select Dashboard with heat map + executive summary + trend analysis
    5. Content Sections: Check all boxes:
    - Risk Heat Map (Likelihood vs Impact)
    - Top 10 Risks with Response Status
    - KRI Scorecard with RAG Status
    - Risk Treatment Progress
    - Emerging Risks and Threats
    - Cyber Insurance Status
    6. Presentation Style: Select Visual dashboards with minimal text, business language
    7. Distribution: Select Secure portal with access controls
    8. Click "Generate Report Template"

    System generates sample report preview. Dashboard shows Reporting Framework = Configured.
    💡 Best Practice: Board cares about BUSINESS RISK, not technical details. Translate cyber risk into business impact: revenue loss, reputation, compliance!
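The KRI scorecard Step 3 describes, as an added example (not the lab platform's code): it evaluates each of the six KRIs above against its yellow/red thresholds, fits a trend line over the recent weekly values, and goes one step beyond the lab by raising an early warning where a KRI is still inside its band but on course to cross the next threshold within the reporting horizon, which is what makes a KRI a leading indicator rather than a light that only changes colour after the fact. The thresholds are the lab's; the weekly observations are constructed.

```python
"""KRI scorecard with RAG status, trend and early warning (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    unit: str
    yellow: float   # value at or above this is YELLOW
    red: float      # value at or above this is RED


# The six KRIs and thresholds from Step 3; for all of them a higher value is worse.
KRIS = [
    KRI("Phishing attempts", "per week", 50, 100),
    KRI("Critical systems unpatched >30 days", "%", 5, 10),
    KRI("Third parties without security assessment", "%", 20, 30),
    KRI("Mean time to detect", "hours", 8, 24),
    KRI("Open audit findings", "count", 5, 10),
    KRI("DLP policy violations", "per month", 20, 50),
]

# Constructed observations, oldest first, one value per reporting period.
OBSERVATIONS = {
    "Phishing attempts": [30, 34, 39, 44, 47],
    "Critical systems unpatched >30 days": [3, 4, 6, 7, 7],
    "Third parties without security assessment": [18, 18, 17, 17, 16],
    "Mean time to detect": [30, 26, 20, 18, 12],
    "Open audit findings": [12, 11, 10, 10, 9],
    "DLP policy violations": [8, 9, 9, 10, 9],
}


def rag_status(kri, value):
    if value >= kri.red:
        return "RED"
    if value >= kri.yellow:
        return "YELLOW"
    return "GREEN"


def slope(series):
    """Least-squares slope of the series against its index (units per period)."""
    n = len(series)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    sxy = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(series))
    sxx = sum((i - mean_x) ** 2 for i in range(n))
    return sxy / sxx


def evaluate(kri, series, horizon=2, flat_fraction=0.05):
    """RAG on the latest value, trend direction, and an early warning when the
    fitted trend crosses the next threshold within `horizon` periods."""
    latest = series[-1]
    s = slope(series)
    flat_band = flat_fraction * kri.yellow        # |slope| below this counts as flat
    direction = "rising" if s > flat_band else "falling" if s < -flat_band else "flat"
    status = rag_status(kri, latest)
    next_threshold = {"GREEN": kri.yellow, "YELLOW": kri.red, "RED": None}[status]
    projected = latest + s * horizon
    early_warning = (direction == "rising" and next_threshold is not None
                     and projected >= next_threshold)
    return {"kri": kri.name, "latest": latest, "unit": kri.unit, "status": status,
            "trend": direction, "slope": round(s, 2), "projected": round(projected, 1),
            "early_warning": early_warning}


def scorecard(kris=KRIS, observations=OBSERVATIONS):
    return [evaluate(k, observations[k.name]) for k in kris if k.name in observations]


if __name__ == "__main__":
    for row in scorecard():
        flag = "  early warning" if row["early_warning"] else ""
        print(f"{row['status']:<6} {row['trend']:<7} {row['latest']:>5} {row['unit']:<9} {row['kri']}{flag}")
```

With these inputs the phishing KRI is still green at 47 per week, but the fitted slope of about 4.4 per week puts it past the yellow threshold of 50 within two periods, so it is flagged before it turns yellow; a two-period horizon matches weekly automated reporting with a monthly review. For MTTD a falling trend is the good direction, which the scorecard reports as falling without a warning. Tune `flat_fraction` per KRI rather than globally if some indicators are noisier than others.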
Enterprise Risk Management Platform (DataCorp Risk Dashboard, initial state)

  Response Strategies:  Status Not Defined;        Coverage 0/15 risks
  Treatment Plans:      Status Not Created;        In Progress 0
  KRI Monitoring:       Status Disabled;           Active KRIs 0
  Reporting:            Framework Not Configured;  Last Report -
Top Critical Risks (Sample)

  Risk ID   Risk Description                        Impact    Likelihood  Inherent Risk  Response
  RISK-001  Ransomware attack on critical systems   Critical  High        CRITICAL       Not Defined
  RISK-002  Third-party vendor data breach          High      Medium      HIGH           Not Defined
  RISK-003  Cloud misconfiguration exposure         High      Medium      HIGH           Not Defined
  RISK-004  Insider threat - privileged abuse       High      Low         MEDIUM         Not Defined
  RISK-005  Regulatory non-compliance (GDPR)        High      Medium      HIGH           Not Defined
  RISK-006  Legacy system end-of-support            Medium    High        MEDIUM         Not Defined