Hi,
I plan on taking the CSSLP certification exam. On reading the guide I came across the required experience section. All domains start with the word "Secure". I have 4 years experience in software design and development. Though the "secure" part is implied, my current (and past) job description doesn't call it out. Provided I pass the exam, what could be the possible roadblocks when seeking endorsement. Is having experience in software design, development and testing enough?
Thanks!
If your past development projects had security components (which I would be surprised NOT having), and you were involved, you might want to summarize the specific security related methodologies you have used, including design, plan, and execution, that might give you some idea on your security related experiences, and may even provide some credentials related to CSSLP.
Just a thought...
Some rambling thoughts...
I’d say at a high level try answering some of these top of head non-exhaustive questions:
Did you do it securely? Where you following the OWASP TOP ten?Did you enforce requirements traceability?was threat modeling practiced? Can you list the safeguards and mitigations used? What development methodologies did you use, and how was security put into those? Did you build security software? Was it recent experience? Did you review code, and/use use static or dynamic scanning tools to discovery vulnerabilities? Dis the software you built have authentication, authorisation and accounting functions? What development methodologies did you use? Was quality enforced? Do you have a clear process for flaw remediation? Did you make decisions on how to securely implement a function? Did you refactor code? We’re you using source code control, and did this help to prevent regressions? How did you end of life code/products, was it secure? If you reused software modules, were they of known Pedigree and provenance? Did you use FIPS validated Cryptographic modules? When designing were you also thinking about abuse of the software as well as standard use? Was least priveledge employed? How as data classified, and could you say why? How did your applications create, store, use, share archive and destroy data? Did you design and map data flows? Where you considering the laws and regulations the software would run in?
Nowhere near exhaustive wall of text but chances if it’s yes, or you can talk It and have good examples, and it was consistent then it probably qualifies. It’s experience rather than job description.
if you go through the exam outline it breaks it all out nicely for you.
https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CSSLP-Exam-Outline-v1013.ashx
A review seminar either remotely or in person is a good idea.
If someone is a member in good standing and knows your work, then I’d say your path is easier/smoother, if you need a stranger or ISC2 to do the endorsement then it might take longer. I’d say roadblocks are more about code of ethics, accurate statement of what your role entails and experience, it might take longer but that’s ok.
Bottom line justify it to yourself with the same rigour you’d think about the safety of your software, and you of start to argue with yourself about the trade off you made from different angles, then I’d say that it qualifies(probably).