topic Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material in CSSLP Study Group

Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Sun, 03 Nov 2024 01:41:56 GMT

Hi all,

I've been preparing for the CSSLP exam for a while and would like to share some suggestions and comments about the material. I probably will not be able to summarize all of my suggestions in a single post, but am hoping that some of these will be addressed in the future to make the self-study material even more easily understood, comprehended and adopted.Unfortunately, I did not find a proper label for making suggestions/recommendations for content improvements. Hopefully, this also will be available sooner or later (or I may just use an incorrect place to do this - thank you for your understanding and patience).

From now on any of my suggestions will use the following structure:

Purpose: Why this suggestion is made.

Current state: What the CSSLP material includes to help the area described under 'Purpose'

Suggestion: Further improvements that can help the content even more accurate and optimized.

But first of all, I would like to thank ISC2 for creating the self-paced material and making available for the community.

= = =

Purpose: To receive more accurante feedback about the exam preparation material.

Current state: The pages of the Domain Catalog at https://isc2.obrizum.io/org/csslp include a "Did you understand the content?" question at the bottom of all pages where the candidate can rate her/his understanding about the presented materal of the page in percentage (e.g.: 80%).

Suggestion: While the percentage can provide some feedback to the content developers, it does not help about the exact areas where improvements may be recommended. I recommend adding a "Help us with your feedback" section on every page. This makes sure that the candidate has a fresh mind and idea about s/he found inappropriate or hard to understand, and a timely suggestion can be made to improve the content.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Mon, 25 Nov 2024 10:37:37 GMT

During the survey questions in Domain 5 I found the following question:

Why is the built-in approach for session management preferred over custom implementations?

Custom implementations are easier to maintain
Custom implementations are always more secure
Built-in approaches are technology-specific
Built-in approaches may not be free of vulnerabilities

According to the test the GREEN highlighted answer is the right one.

This is definitely incorrect. This statement may be true even for the built-in approaches, but this is not the reason why the built-in solution is the preferred option.

The correct answer here would probaly have been

- "Built-in implementations are always considered more secure" or

- "Built-in implementations have been thoroughly tested by various independend parties."

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Mon, 25 Nov 2024 11:17:24 GMT

During the survey questions in Domain 7 I found the following question:

What additional information should vulnerability notifications provide?

Descriptions of historical vulnerabilities
Information about conflicting goals of stakeholders
Details about the software development team
Anticipated timelines for software development

While this may seem true with some further context, it lacks the full picture for this answer as:

"The notfications should also identify any planned longer-term remediation to be provided later by the software development (or maintenance) team, with anticipated timelines for delivery/implementation."

Without the first underlined item, using the second underlined item is just misleading.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Mon, 27 Jan 2025 00:54:10 GMT

During the survey questions in Domain 7 I found the following question:

Which of the following statements accurately describes the security measures taken in the iOS and Android platforms?

iOS and Android platforms do not implement any security measures for app protection
Both iOS and Android use sandboxing mechanisms
Both iOS and Android platforms rely on code signing to verify the integrity and authenticity of apps
Android apps have a sandboxing mechanism, while iOS apps do not have any restrictions on accessing user data

I selected #2 and #3 but I got an error message that my selections were incorrect.

However:

Taken from the exam preparation material:
"The only executable code that iOS will allow apps to run must be signed with an Apple-issued certificate."
"Like iOS, Android sandboxes its apps."
Taken from Google:
"...Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app update is from the same source. Devices only accept updates when its signature matches the installed app's signature."

So then, both platform uses sandboxing and code signing.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Sun, 26 Jan 2025 23:45:20 GMT

During the survey questions in Domain 8 I found the following question:

Which THREE of the following are recommended protocols for transferring files securely in the supply chain?

Secure File Transfer Protocol (SFTP)
Telnet
Secure Shell (SSH) file transfer
File Transfer Protocol (FTP)

Though, I generally don't consider FTP (Answer #4) as a secure file transfer protocol, I marked it as correct to meet the expected THREE correct answers, and because it include an additional secure extension to be used over TLS

If you want to use THREE correct answers in this question, I recommend updating it as follows:

Which THREE of the following are recommended protocols for transferring files securely in the supply chain?

Secure File Transfer Protocol (SFTP)
Telnet
Secure Copy Protocol (SCP) in SSH protocol
File Transfer Protocol Secure (FTPs)

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Mon, 27 Jan 2025 00:53:03 GMT

During the survey questions in Domain 8 I found the following question:

What is a characteristic of more sophisticated software supply chain attacks?

Targeting patch sites with malware files
Dependency on typical customers for detection
Introduction of malware after code compilation and signing
Accidental insertion of malware into source code

I think you probably wanted to say here that "introduce malicious logic into the source code prior to the code being digitally signed". When the code has compiled and digitally signed, adding a malware to the binary code can be easily detected by checking the digital signature of the product.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Tue, 04 Feb 2025 09:18:13 GMT

Hi there,

I'm just completing the "Applied Scenarios" section of the course material.

I think the content is generally good.

Some notes that may help the people who complete this online course:

The offered source codes should be in TEXT windows instead of image files. This helps the candidate to copy and paste the codes quickly and run them. Some codes's syntax seems incorrect.
It would be good if the included code examples have description (what the code does). This mostly is self explanatory, but for some example, I'm not sure about the intention of the code comparing it to the previous example (e.g.: there is nothing new between example-1 and example-2)

thanks for considering the above.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Tue, 04 Feb 2025 10:00:24 GMT

Hi there,

I'm just completing the "Applied Scenarios" section of the course material.

While I was completing "Applied Scenario: Building Custom Security Tools (Domain 7)", I found the following issues at the second code example (send an HTTP GET request):

The material does not mention to install the following additional Python modules with pip
- requests
- bs4
The source code is incorrect or uses a syntax that is obsolete. See the corrected code below (I tried to include my source code and the script's output as TEXT but your system gave the following message - "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied.") - So I stayed at the screenshots:

= = =

End its output looks like the following:

= = =

Sincerely.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Thu, 06 Feb 2025 05:35:39 GMT

Hi there,

I'm just wrapping up my preparation using the Official ISC2 CSSLP Self-Paced Material.

What I found was that the material at https://isc2.obrizum.io occasionally forgets the completed materials and re-marks them as "Incomplete".

For example the reviewed flashcards marked by a "Restart" button, while the flashcards that have not opened yet marked by a "Start" button. Even if I reviewed all of them the Obrizum.io app remarks them as unopened ones and reset the Completion level of the material from 100% back to 40-50-60-ish percentage.

I suggest to review how the app stores the time stamps of the completed materials.

Thanks

Norbert

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Sun, 09 Feb 2025 01:58:14 GMT

Purpose: To ensure clarity and fairness at the CSSLP training's multi-choice questions.

Current State: The existing Official ISC2 CSSLP Self-Paced training material consists of multiple-choice questions designed to aid in studying for the official ISC2 CSSLP exam. However, each question includes the statement: "You can select one or more answers," which is often misleading.

In contrast, the Official ISC2 Exam Question Developer Workshops use a more effective approach, requiring candidates to choose the single BEST answer that accurately addresses the question.

This inconsistency in question formatting leads candidates to mistakenly assume they must ALWAYS select more than one answer.

Suggestion: To ensure clarity and fairness, the exam material should explicitly indicate whether a question has a single correct answer or multiple correct answers, reducing confusion and aligning with ethical exam practices.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

dcontesti — Tue, 25 Feb 2025 16:18:01 GMT

@norbertmurzsa Sorry I did not see your original posts. They are very detailed.

Unfortunately, they may have also been missed by the folks who can do something to correct the issues.

@mariatirado I am not sure who this should go to but are you able to forward this chain to the correct folks internally?

Regards

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Wed, 26 Feb 2025 10:33:13 GMT

Hi guys,

I'm just finalizing my study and will book an exam very soon.

However, in the meantime I would like to redo the two lowest perfomed chapters' surveys for practising and further improvement.

The issue is that even if my license is still valid until the end of March 2025, the Official ISC2 CSSLP Online Self-Paced Training does not let me to redo the chapter end's surveys (practice questions) again.

HOME-> Domain #$NUMBER -> View -> Domain Catalog -> Survey -> Start -> End of the Content Catalog -> Click here for assessment -> ...and here it only ask about my "Overall Satisfaction" but there is no way to redo a previously (one time completed) survey!... OK. I revoke it. After giving feedback about the training byanswering 5-6 question, it actually let me to redo a survey (practice questions).

But I think people with less temper probably gives up trying this after the first of second "How satisfied are you with the training material?" Questions...if this comes instead of the survey they expect.

Please fix this.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Wed, 26 Feb 2025 10:47:15 GMT

I redo some past completed Domains' Survey (practice questions) and I found the following incorrect stem at Domain 2:

What is monitored to ensure that organization-wide operations remain within an acceptable level of risk?

Security architecture and security program
Security controls only
ISCM strategy
Changes in system development

I select one answer, then two, then three, then all the four.

Unfortunately, the "Check" button always remains inactive. It does not do anything when I click on it. So now, I stack here. (second question of the Survey).

Please fix this.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Wed, 26 Feb 2025 10:56:37 GMT

OK. I need to admit, I wasn't right.

The Check button only becomes available if at least one "Confidence rate" is set to more than 0%.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Wed, 26 Feb 2025 11:03:28 GMT

When I try to redo an earlier completed Domain's survey questions, after completing a few questions (3-4), the system drop me out to the "You Successfully Completed this Survey" page.

Luckily, the "Continue Learning" takes me back to the Survey to continue.

Just a note that the system says I completed everything even if only 74% of the Content was covered.

I think both should show 100% to announce the completion of the Domain.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Mon, 03 Mar 2025 10:33:15 GMT

During the survey questions in Domain 2 I found the following obsolete question:

What are the core business functions of SAMM

Governance, Construction, Verification, and Operation
Development, Implementation, Review, and Deployment
Strategy, Compliance, Training, and Testing
Assessment, Planning, Execution, and Monitoring

However, the current OWASP Software Assurance Maturity Model (SAMM) includes five (5) business function now that are: Governance, Design, Implementation, Verification and Operations.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Fri, 14 Mar 2025 22:44:30 GMT

I'm currently going through the full practice test again and agin until it let me.

Unfortunately, the application does not show my progress of how much percentage I completed and remains.
When giving an incorrect answer, the survey does not take me to the relevant section to show the right answer either.
It shows the current Domain though but I think it should offer more flexible user experience.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

norbertmurzsa — Sat, 22 Mar 2025 01:06:53 GMT

I have found the following survey question at Domain #2 which seems to be incorrect.

How does an adaptive software development approach differ from the Waterfall model?

Waterfall relies on short iterations, while adaptive deconstructs the project into small components
Adaptive uses unfamiliar territories, uncertain outcomes, and short time-boxed iterations
Waterfall is characterized by short time-boxed iterations, while adaptive uses long development iterations
Adaptive relies on long development iterations, while Waterfall uses short iterations

Waterfall does not do or rely on short iterations, or short time-boxed iteratons, so then we can remove A1, A3 and A4 from the list and remains A2 as CORRECT and it is true indeed.

However, the system does not accept this answer as CORRECT.

Can you please have a look at what the root cause here is? Thanks.

Re: Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

H508339 — Tue, 17 Jun 2025 20:32:02 GMT

I found the same issue.