This month I passed the (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) exam. As I have been studying with the new version revised in late 2020 and have taken the revised exam, I would like to share my experience with you.
My previous security certifications were always practically applied certifications, for example for pentesting. For me, the CSSLP was the first of its kind that does not focus only on hacking. Instead, the CSSLP focuses on a holistic view of the Secure Development Lifecycle.
What I particularly liked is the up-to-date frameworks and sources that are explained. The content has been updated significantly compared to the old study guide. For example, OWASP Dependency-Track or OWASP Threat Dragon are introduced in the official Student Guide (5th Edition).
How I did prepare for the exam
I took the official ISC2 CSSLP course. With the course you receive the mentioned Study Guide. Unfortunately, the student guide does not go into depth on these projects. But it guides someone who wants to secure software development to the right tools and frameworks. This includes Treat Modelling Tools, BSIMM, NIST, OWASP ASVS and many other projects that are properly classified and presented in the Study Guide. I found the official student guide (5th edition) to be a good basis. I also skimmed this study guide, which goes more into detail and it does have a Appendix with 140 example question. For the exam the terms from the glossary should be known.
Other resources to study for CSSLP
- CBK Study Guide
- CSSLP Flash Cards to learn the terms from the Glossary
- Pluralsight CSSLP Course or LinkedIn CSSLP Course
The exam took 3h in the 2020 revised version and contains 125 questions. I fully needed this time to read the questions carefully and re-check the marked questions. At the end of the exam you can jump again to already answered questions. But here I did not change much and relied on my first intuition.
In the exam I took you could not mark multiple answers as correct, it was always only one of 4 possible answers correct.
For me the presented contents were nothing completely new. However, I reflect that the contents covered are exactly the right ones, which I would have liked to read in this summarized form at an earlier point in my professional career. Therefore, in my opinion, the course is aimed precisely at Application Security Specialists, Security Architects and Security Champions. The certification allows me to prove my skills as an AppSec Specialist based on international standards. ISC2 publishes on its website the number of current members. As of this writing, there are 2.927 CSSLP certified. So CSSLP certification is a real niche compared to 147.591 CISSP certificate holders.
My favorite chapter was Supply Chain Security, where I learned the most. Especially after the recent SolarWinds incident, supply chain security is an important point that I didn’t pay much attention to before.
Hi Javan. Great post.. I’ve recently started my preparation for the CSSLP exam. Do you have a link or website where I could buy the “CSSLP official student guide (5th edition) “? have been searching but with no luck. Thank you!!!
Thanks for your message! I received the student guide with the course and updated the post. Wish you all the best for the exam!
Congratulations on the certification! May I know what was your study plan and the time taken ?
I had one of the official 5-day training courses. After the course, I prepared for about 3 to 4 weeks by reading the books and practicing some sample exam questions, after work. Since I prepared for it after work I can’t give much good information on it.
I just had the same official ISC2 training and i agree with you about your comments above. Especially, post assessment questions could have been harder as i am sure you have not got any easy questions like this during the exam? I am in the middle of rescheduling my exam or taking it, i am already a CISSP and had some years of experience with app sec. Are the questions were all memorization based or did you also get some scenario based ones as well? I studied just like the amount you did. Any comments to help me to decide whether or not taking it now ? Thanks.
Experience answers most oft the questions in the exam I think. If you answered the post assessment questions and you did not find a part where you had no idea about, then I think you are good to go for it. Wish you good luck!
Unfortunately I failed in the exam,
I found all questions depend on the experience and not rated to the official CBK study book.
Is there any other resources to study from