Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
norbertmurzsa
Newcomer I
‎11-01-2024 09:31 PM
‎11-01-2024 09:31 PM

Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

Hi all,

I've been preparing for the CSSLP exam for a while and would like to share some suggestions and comments about the material. I probably will not be able to summarize all of my suggestions in a single post, but am hoping that some of these will be addressed in the future to make the self-study material even more easily understood, comprehended and adopted.Unfortunately, I did not find a proper label for making suggestions/recommendations for content improvements. Hopefully, this also will be available sooner or later (or I may just use an incorrect place to do this - thank you for your understanding and patience).

 

From now on any of my suggestions will use the following structure:

 

Purpose: Why this suggestion is made.

Current state: What the CSSLP material includes to help the area described under 'Purpose'

Suggestion: Further improvements that can help the content even more accurate and optimized.

 

But first of all, I would like to thank ISC2 for creating the self-paced material and making available for the community.

 

= = =

 

Purpose: To receive more accurante feedback about the exam preparation material.

Current state: The pages of the Domain Catalog at https://isc2.obrizum.io/org/csslp include a "Did you understand the content?" question at the bottom of all pages where the candidate can rate her/his understanding about the presented materal of the page in percentage (e.g.: 80%).

Suggestion: While the percentage can provide some feedback to the content developers, it does not help about the exact areas where improvements may be recommended. I recommend adding a "Help us with your feedback" section on every page. This makes sure that the candidate has a fresh mind and idea about s/he found inappropriate or hard to understand, and a timely suggestion can be made to improve the content.

Reply
5 Replies
norbertmurzsa
Newcomer I
‎11-25-2024 05:37 AM
‎11-25-2024 05:37 AM

During the survey questions in Domain 5 I found the following question:

 

Why is the built-in approach for session management preferred over custom implementations?

  1. Custom implementations are easier to maintain
  2. Custom implementations are always more secure
  3. Built-in approaches are technology-specific
  4. Built-in approaches may not be free of vulnerabilities

According to the test the GREEN highlighted answer is the right one.

This is definitely incorrect. This statement may be true even for the built-in approaches, but this is not the reason why the built-in solution is the preferred option.

 

The correct answer here would probaly have been

- "Built-in implementations are always considered more secure" or

- "Built-in implementations have been thoroughly tested by various independend parties."

Reply
0 Kudos
norbertmurzsa
Newcomer I
‎11-25-2024 06:17 AM
‎11-25-2024 06:17 AM

During the survey questions in Domain 7 I found the following question:

 

What additional information should vulnerability notifications provide?

  1. Descriptions of historical vulnerabilities
  2. Information about conflicting goals of stakeholders
  3. Details about the software development team
  4. Anticipated timelines for software development

While this may seem true with some further context, it lacks the full picture for this answer as:

"The notfications should also identify any planned longer-term remediation to be provided later by the software development (or maintenance) team, with anticipated timelines for delivery/implementation."

 

Without the first underlined item, using the second underlined item is just misleading.

Reply
0 Kudos
norbertmurzsa
Newcomer I
‎11-25-2024 06:27 AM
‎11-25-2024 06:27 AM

During the survey questions in Domain 7 I found the following question:

 

Which of the following statements accurately describes the security measures taken in the iOS and Android platforms?

  1. iOS and Android platforms do not implement any security measures for app protection
  2. Both iOS and Android use sandboxing mechanisms
  3. Both iOS and Android platforms rely on code signing to verify the integrity and authenticity of apps
  4. Android apps have a sandboxing mechanism, while iOS apps do not have any restrictions on accessing user data

I selected #2 and #3 but I got an error message that my selections were incorrect.

However:

 

Taken from the exam preparation material:
"The only executable code that iOS will allow apps to run must be signed with an Apple-issued certificate."
"Like iOS, Android sandboxes its apps."
Taken from Google:
"...Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app update is from the same source. Devices only accept updates when its signature matches the installed app's signature."

 

So then, both platform uses sandboxing and code signing.

Reply
0 Kudos
norbertmurzsa
Newcomer I
Sunday
Sunday

During the survey questions in Domain 8 I found the following question:

 

Which THREE of the following are recommended protocols for transferring files securely in the supply chain?

  1. Secure File Transfer Protocol (SFTP)
  2. Telnet
  3. Secure Shell (SSH) file transfer
  4. File Transfer Protocol (FTP)

Though, I generally don't consider FTP (Answer #4) as a secure file transfer protocol, I marked it as correct to meet the expected THREE correct answers, and because it include an additional secure extension to be used over TLS

 

If you want to use THREE correct answers in this question, I recommend updating it as follows:

 

Which THREE of the following are recommended protocols for transferring files securely in the supply chain?

  1. Secure File Transfer Protocol (SFTP)
  2. Telnet
  3. Secure Copy Protocol (SCP) in SSH protocol
  4. File Transfer Protocol Secure (FTPs)

 

Reply
0 Kudos
norbertmurzsa
Newcomer I
Sunday
Sunday

During the survey questions in Domain 8 I found the following question:

 

What is a characteristic of more sophisticated software supply chain attacks?

  1. Targeting patch sites with malware files
  2. Dependency on typical customers for detection
  3. Introduction of malware after code compilation and signing
  4. Accidental insertion of malware into source code

I think you probably wanted to say here that "introduce malicious logic into the source code prior to the code being digitally signed". When the code has compiled and digitally signed, adding a malware to the binary code can be easily detected by checking the digital signature of the product.

Reply
0 Kudos