cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
norbertmurzsa
Newcomer I

Suggestions and Comments - Official ISC2 CSSLP Self-Paced Material

Hi all,

I've been preparing for the CSSLP exam for a while and would like to share some suggestions and comments about the material. I probably will not be able to summarize all of my suggestions in a single post, but am hoping that some of these will be addressed in the future to make the self-study material even more easily understood, comprehended and adopted.Unfortunately, I did not find a proper label for making suggestions/recommendations for content improvements. Hopefully, this also will be available sooner or later (or I may just use an incorrect place to do this - thank you for your understanding and patience).

 

From now on any of my suggestions will use the following structure:

 

Purpose: Why this suggestion is made.

Current state: What the CSSLP material includes to help the area described under 'Purpose'

Suggestion: Further improvements that can help the content even more accurate and optimized.

 

But first of all, I would like to thank ISC2 for creating the self-paced material and making available for the community.

 

= = =

 

Purpose: To receive more accurante feedback about the exam preparation material.

Current state: The pages of the Domain Catalog at https://isc2.obrizum.io/org/csslp include a "Did you understand the content?" question at the bottom of all pages where the candidate can rate her/his understanding about the presented materal of the page in percentage (e.g.: 80%).

Suggestion: While the percentage can provide some feedback to the content developers, it does not help about the exact areas where improvements may be recommended. I recommend adding a "Help us with your feedback" section on every page. This makes sure that the candidate has a fresh mind and idea about s/he found inappropriate or hard to understand, and a timely suggestion can be made to improve the content.

3 Replies
norbertmurzsa
Newcomer I

During the survey questions in Domain 5 I found the following question:

 

Why is the built-in approach for session management preferred over custom implementations?

  1. Custom implementations are easier to maintain
  2. Custom implementations are always more secure
  3. Built-in approaches are technology-specific
  4. Built-in approaches may not be free of vulnerabilities

According to the test the GREEN highlighted answer is the right one.

This is definitely incorrect. This statement may be true even for the built-in approaches, but this is not the reason why the built-in solution is the preferred option.

 

The correct answer here would probaly have been

- "Built-in implementations are always considered more secure" or

- "Built-in implementations have been thoroughly tested by various independend parties."

norbertmurzsa
Newcomer I

During the survey questions in Domain 7 I found the following question:

 

What additional information should vulnerability notifications provide?

  1. Descriptions of historical vulnerabilities
  2. Information about conflicting goals of stakeholders
  3. Details about the software development team
  4. Anticipated timelines for software development

While this may seem true with some further context, it lacks the full picture for this answer as:

"The notfications should also identify any planned longer-term remediation to be provided later by the software development (or maintenance) team, with anticipated timelines for delivery/implementation."

 

Without the first underlined item, using the second underlined item is just misleading.

norbertmurzsa
Newcomer I

During the survey questions in Domain 7 I found the following question:

 

Which of the following statements accurately describes the security measures taken in the iOS and Android platforms?

  1. iOS and Android platforms do not implement any security measures for app protection
  2. Both iOS and Android use sandboxing mechanisms
  3. Both iOS and Android platforms rely on code signing to verify the integrity and authenticity of apps
  4. Android apps have a sandboxing mechanism, while iOS apps do not have any restrictions on accessing user data

I selected #2 and #3 but I got an error message that my selections were incorrect.

However:

 

Taken from the examp preparation material:
"The only executable code that iOS will allow apps to run must be signed with an Apple-issued certificate."
"Like iOS, Android sandboxes its apps."
Taken from Google:
"...Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app update is from the same source. Devices only accept updates when its signature matches the installed app's signature."

 

So then, both platform uses sandboxing and code signing.