This month I passed the (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) exam. As I have been studying with the new version revised in late 2020 and have taken the revised exam, I would like to share my experience with you.
My previous security certifications were always practically applied certifications, for example for pentesting. For me, the CSSLP was the first of its kind that does not focus only on hacking. Instead, the CSSLP focuses on a holistic view of the Secure Development Lifecycle.
What I particularly liked is the up-to-date frameworks and sources that are explained. The content has been updated significantly compared to the old study guide. For example, OWASP Dependency-Track or OWASP Threat Dragon are introduced in the official Student Guide (5th Edition).
How I prepared for the exam
I took the official ISC2 CSSLP course. With the course you receive the mentioned Study Guide. Unfortunately, the student guide does not go into depth on these projects. But it guides someone who wants to secure software development to the right tools and frameworks. This includes Threat Modelling Tools, BSIMM, NIST, OWASP ASVS and many other projects that are properly classified and presented in the Study Guide. I found the official student guide (5th edition) to be a good basis. I also skimmed this study guide, which goes into more detail and has an Appendix with 140 example questions. For the exam, the terms from the glossary should be known.
Other resources to study for CSSLP
- CBK Study Guide
- CSSLP Flash Cards to learn the terms from the Glossary
- Pluralsight CSSLP Course or LinkedIn CSSLP Course
The exam took 3h in the 2020 revised version and contains 125 questions. I needed the full time to read the questions carefully and re-check the marked questions. At the end of the exam you can jump back to already answered questions. But here I did not change much and relied on my first intuition.
In the exam I took, you could not mark multiple answers as correct; there was always only one correct answer out of 4 possible answers.
For me the presented contents were nothing completely new. However, on reflection, the contents covered are exactly the right ones, which I would have liked to read in this summarized form at an earlier point in my professional career. Therefore, in my opinion, the course is aimed precisely at Application Security Specialists, Security Architects and Security Champions. The certification allows me to prove my skills as an AppSec Specialist based on international standards. ISC2 publishes on its website the number of current members. As of this writing, there are 2.927 CSSLP certificate holders. So the CSSLP certification is a real niche compared to 147.591 CISSP certificate holders.
My favorite chapter was Supply Chain Security, where I learned the most. Especially after the recent SolarWinds incident, supply chain security is an important point that I didn’t pay much attention to before.