https://community.isc2.org/t5/CSSLP-Study-Group/certificate-pinning-is-it-a-good-thing/m-p/61146#M154 <P>First of all, I can virtually guarantee that there would not be a question "Is cert pinning a good thing?".&nbsp; &nbsp;That is way to much like a trivia question for an&nbsp;(ISC)² exam.&nbsp;&nbsp;<SPAN>(ISC)² exams are much more about "problem solving" and "applied knowledge".&nbsp; &nbsp;</SPAN></P><P>&nbsp;</P><P>Second, exams are refreshed every 3 years, so what matters with the CSSLP (in theory) is not the state of the art in 2013, but rather what it was on Sep 15, 2020 (and soon, Sep 15, 2023).&nbsp; But, even that rule of thumb fails because when a question stops performing well (e.g. high-scoring exam takers tend to pick the same "wrong" answer), the question is removed from the pool and put on the "fix me" pile.</P><P>&nbsp;</P><P>Third, the "Official Guide" is but one of about 25 <A href="https://www.isc2.org/Certifications/References" target="_blank">references</A> used to build the CSSLP exam. And, the exam is written by certificate holders, not&nbsp;(ISC)² nor textbook authors.&nbsp; So, I would not put much weight in one (old) reference that does not match current practice, regardless of its author.</P> Tue, 25 Jul 2023 02:59:58 GMT denbesten 2023-07-25T02:59:58Z https://community.isc2.org/t5/CSSLP-Study-Group/certificate-pinning-is-it-a-good-thing/m-p/60837#M148 <P>This is a topic that comes up more than a few times in exam preparation, either as a control or a possible mitigation.</P><P>&nbsp;</P><P>I ask because a lot of the CBK is 10 years old and strategies like certificate pinning were common back then.&nbsp; But some of these strategies have been re-examined and found to have flaws.&nbsp; Certificate pinning is one of them.&nbsp; Digicert recommends&nbsp;<A href="https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning" target="_blank" rel="noopener">to stop certificate pinning</A>&nbsp; because at times keys have been exposed and outages can occur when certificates expire.&nbsp; Even OWASP tries to steer you towards public key pinning rather than certificate pinning.</P><P>&nbsp;</P><P>For the purposes of the CSSLP is certificate pinning considered a deprecated control or should I just think back to 10 years ago when a question pops up <span class="lia-unicode-emoji" title=":winking_face:">😉</span>&nbsp;<STRONG> I think the answer to this is yes because I see it in the official curriculum.</STRONG> But in 2023, no one is recommending this practice anymore.&nbsp; Perhaps the CBK needs to be updated.</P> Fri, 14 Jul 2023 17:13:54 GMT https://community.isc2.org/t5/CSSLP-Study-Group/certificate-pinning-is-it-a-good-thing/m-p/60837#M148 terpsfanatic 2023-07-14T17:13:54Z https://community.isc2.org/t5/CSSLP-Study-Group/certificate-pinning-is-it-a-good-thing/m-p/61146#M154 <P>First of all, I can virtually guarantee that there would not be a question "Is cert pinning a good thing?".&nbsp; &nbsp;That is way to much like a trivia question for an&nbsp;(ISC)² exam.&nbsp;&nbsp;<SPAN>(ISC)² exams are much more about "problem solving" and "applied knowledge".&nbsp; &nbsp;</SPAN></P><P>&nbsp;</P><P>Second, exams are refreshed every 3 years, so what matters with the CSSLP (in theory) is not the state of the art in 2013, but rather what it was on Sep 15, 2020 (and soon, Sep 15, 2023).&nbsp; But, even that rule of thumb fails because when a question stops performing well (e.g. high-scoring exam takers tend to pick the same "wrong" answer), the question is removed from the pool and put on the "fix me" pile.</P><P>&nbsp;</P><P>Third, the "Official Guide" is but one of about 25 <A href="https://www.isc2.org/Certifications/References" target="_blank">references</A> used to build the CSSLP exam. And, the exam is written by certificate holders, not&nbsp;(ISC)² nor textbook authors.&nbsp; So, I would not put much weight in one (old) reference that does not match current practice, regardless of its author.</P> Tue, 25 Jul 2023 02:59:58 GMT https://community.isc2.org/t5/CSSLP-Study-Group/certificate-pinning-is-it-a-good-thing/m-p/61146#M154 denbesten 2023-07-25T02:59:58Z