MDChris
Newcomer II

Not too happy with CSSLP Exam

Ok, I took the CSSLP exam.  I got a 688 out of 700 today.  I took the official online ISC2 course with a week's online WebEx training (which was different from the online work).  I used the flash cards and all the resources.  Out of the 175 questions there were quite a few questions not associated with the flash study cards or what appear to be from the official student guide.  There were also questions about modeling (I will not name them due to not talking about what was on the test), but the models were never referenced in the official study guide.  If I would have known I would have refreshed on the associated models.  Not sure what is going on here, but I would expect the resources to review and understand to be successful in the exam would be in the Official Student Guide.  I would hope someone from ISC2 would please comment on this concern.

102 Replies
j_M007
Community Champion

Good points Cragin.

I considered the CSSLP exam, but I would not sit for it until I have more experience and book learning under my belt.

What I am doing now is trying to comprehend the CSA CCSK materials, which seem pretty extensive. As well, since CSA and (ISC)2 are cooperating on cloud computing security education (from what I have read), I figure this will give me muscles to tackle CSSLP if need be.

The fundamental notions of security models are covered in the CISSP (I cannot speak for CSSLP study materials; but to paraphrase what others have said: "Your Mileage May Vary"). I would think (again everyone please chime in and disabuse me of the notion!) that a fundamental security training -- like CISSP -- would be required for the CSSLP.

None of the exams is a cake walk; and that's a good thing. I wouldn't want doctors, engineers, architects, etc. on whom I depend for life and safety to have gotten a rubber stamp from an organization and then work on my issues.

On the contrary, I would hope these exams are tough as nails and that they call on experience and maturity.

To end on a hopeful note:

Another thing I am doing is making the NIST 500 and 800 series cloud documents my bed time reading.

What readers of this forum might do is to check out the similar observations from CISSP exam takers.

All best success and respect to all.

wncramsey
Newcomer II

You mention take plenty of practice tests, but that's an issue too.

 

One resource has a ton of questions in which almost every question is choose all that apply. So after studying the material and taking these with the mindset of multiple responses, I take the test and not a single question was able to choose multiple answers.

Another resource also has a lot of questions, but they are nothing like the first resource in content.  Which resource is correct?

 

You are taking a practice test and you run across a topic that you don't remember, so you go back to the official text book (pdf version) and run a search for the topic, NOTHING! You run the same search on the All in One book (also pdf version) and still NOTHING!   So do you delve more into the topic or do you think that because it's not mentioned at all....

 

 

 

 

Andy69
Newcomer III

The real exam is made so that there are no questions around the Internet and books that you'll face at the exam just because the target is to test the experience in the 8 fields and your skill in resolving problems counting on what you studied. That's why the exam is difficult. You have to get in the soul of what you read in the CBK. Keep doing the tests you find on the net, because this is the way to test your understanding of what you get from the CBK. The rest is in your practical sense, common sense and experience in software development lifecycle.

j_M007
Community Champion


@wncramsey wrote:

You mention take plenty of practice tests, but that's an issue too.

 

REPLY: Not really. You are practicing how to take the test itself; you have, hopefully, acquired the knowledge and experience (disclaimer -- not the personal "YOU," rather the general "you"!)

Practice tests are like "sparring", nothing like stepping into the ring and getting one in the face and the gut. ;-(

For more on that watch the Pugilist of Papineau confront Senator Patrick "Brass Knuckles" Brazeau and do the Marquess of Queensberry in Ottawa.

https://www.thestar.com/news/canada/2012/04/01/underdog_justin_trudeau_beats_patrick_brazeau_in_thri...

 

Actual match: https://www.youtube.com/watch?v=fYlWiZMhaLE

 

 

 

Another resource also has a lot of questions, but they are nothing like the first resource in content.  Which resource is correct?

Likely neither. Content is changing constantly. It's not really testing your knowledge -- but it REALLY helps to bring that to the game, too.

 

You are taking a practice test and you run across a topic that you don't remember, so you go back to the official text book (pdf version) and run a search for the topic, NOTHING! You run the same search on the All in One book (also pdf version) and still NOTHING!   So do you delve more into the topic or do you think that because it's not mentioned at all....

You make flash cards, join a study group, sweat and sweat. Then, more than likely, you won't get that question on the exam anyway.


Here are a few things, I have encountered in MANY years. 

  1. The more you know, the more you know, how little you know.
  2. Knowledge and wisdom are far vaster than the span of humanity. Space, time, knowledge and wisdom, like Art, are ceaseless. Humanity, rather, has a lease of life.
  3. Do your best, study as much as you can, realize that the only one to praise or to blame after the fact is the guy looking at you in the mirror.
  4. You learn more from defeat than you learn from success. Defeat allows you to empathize; success after success (and getting pre-masticated riches handed to you on a platter) causes you to gloat, bloat, bleat, belittle and bully. Sic semper tyrannis!

    https://www.thestar.com/news/canada/2012/04/01/underdog_justin_trudeau_beats_patrick_brazeau_in_thri... ... 

    Actual match: https://www.youtube.com/watch?v=fYlWiZMhaLE 

  5. Then again, what can we know?

Best regards, and keep truckin'

SalPortaro
Newcomer II

I totally agree with Andy69.

 

How many people have you worked with that have an alphabet of certifications after their names but do not have the slightest idea of what they are doing? (Microsoft exams are notorious for this) I want the exam to test knowledge, not memorization.

 

I found the CSSLP to be excruciatingly hard. I left the booth knowing I failed. But I passed.

 

There were questions that were nowhere in the CBK. So be it. I still believe that experience and common sense were more important than test exams.

As far as issues with test exams, unless you got them from ISC2, it is not on them.

j_M007
Community Champion

Then I agree with you, too. 😉 As the father of the Model T has been quoted as saying,

"Whether you think you can or whether you think you can't, you're right."

 

Not at all about book learning (although that helps); more about sweating out the questions and finding the least egregious,

 

BTW, congrats on passing this!

hungngo
Newcomer I

Hi MDChris,

 

I'm sorry that your attempt on the CSSLP exam wasn't a success. I also took the exam and fortunately passed it on the first, yesterday. However, I have to admit that it was more difficult than the CISSP that I took 7 years ago. I was already an experienced security professional when I took the CISSP exam, and in the last 7 years, I have gained even much experience and knowledge. Yet, I still think that the CSSLP exam is a tough one. I relied mostly on my experience in software development and security engineering and technical knowledge (software engineering and security theories) to pass the exam. I started to study for the exam just three weeks before the exam date. I spent 24 hours to view the videos on PluralSight and glanced through the All in One book.

 

With that said, I have to say that both the PluralSight videos and the All in One book go over the threat modeling and other security models. Evidently, the exam outline clearly states that. You can obtain and review the outline here: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CSSLP-Exam-Outline-v1013.ashx

 

(Note that I'm just a regular (ISC)2 member with no further affiliation to the organization in any other way.)

 

I hope the above information helps and all the best to you if you plan to go for another try.

DHollomon
Reader I

I too sat for the CSSLP this past Oct and bombed. I also contacted the isc2 team but didn’t get a response. Reading the general keep at it response I’m kind of glad I didn’t. I also have software security, testing, and development under my belt (12+ years).

I studied for this test the all-in-ones, videos, practice tests, etc... I didn’t go into this thinking I know everything, I worked hard. I knew I failed when I finished the exam. I came back to my study material and like most the questions/topics weren’t covered.

It’s disheartening to me as I read each person’s experience. I see a lot of “experience requirements and common sense” type responses. IMO we have the experience and studied it should be enough to pass this exam. Or at least come close.

How many resources does one need? If I’m using the study guide and using the additional reference materials-it’s only natural that one would think they have a good chance of passing the exam.

(sighs...)

ETA: Tried to get all the typos plus you/we is used in the general sense.

hungngo
Newcomer I

@DHollomon

To be honest, when I finished the exam, I wasn't 100% confident that I passed until I saw the score. I marked 20+ questions for review and after going back to review them, I still couldn't narrow down to the final answers on all of them. It's a tough exam. When/if I ever get a chance, I'd love to volunteer at the (ISC)2 to see how the exam questions are selected and all the reasons behind it.

The way I see it, I wanted to have the cert as a way to show others what I know. Having CSSLP listed on my resume will likely boost my chance of getting job interviews as a software security engineer but we all know that the cert is definitely not the golden standard by any means. I know many talented software security engineers who don't want to get the cert (or any certs for that matter). At the end of the day, all that matters is what you can get done on the job.