Ok, I took the CSSLP exam. I got a 688 out of 700 today. I took the official online ISC2 course with a week's online WebEx training (which was different from the online work). I used the flash cards and all the resources. Out of the 175 questions there were quite a few questions not associated with the flash study cards or what appear to be from the official student guide. There were also questions about modeling (I will not name them, so as not to talk about what was on the test), but the models were never referenced in the official study guide. If I had known, I would have refreshed on the associated models. Not sure what is going on here, but I would expect the resources one needs to review and understand to be successful in the exam to be in the Official Student Guide. I would hope someone from ISC2 would please comment on this concern.
Good points, Cragin.
I considered the CSSLP exam, but I would not sit for it until I have more experience and book learning under my belt.
What I am doing now is trying to comprehend the CSA CCSK materials, which seem pretty extensive. As well, since CSA and (ISC)2 are cooperating on cloud computing security education (from what I have read), I figure this will give me muscles to tackle CSSLP if need be.
The fundamental notions of security models are covered in the CISSP (I cannot speak for CSSLP study materials; but to paraphrase what others have said: "Your Mileage May Vary"). I would think (again, everyone please chime in and disabuse me of the notion!) that a fundamental security training -- like CISSP -- would be required for the CSSLP.
None of the exams is a cake walk; and that's a good thing. I wouldn't want doctors, engineers, architects, etc. on whom I depend for life and safety to have gotten a rubber stamp from an organization and then work on my issues.
On the contrary, I would hope these exams are tough as nails and that they call on experience and maturity.
To end on a hopeful note:
Another thing I am doing is making the NIST 500 and 800 series cloud documents my bed time reading.
What readers of this forum might do is to check out the similar observations from CISSP exam takers.
All best success and respect to all.
You mention take plenty of practice tests, but that's an issue too.
One resource has a ton of questions in which almost every question is choose all that apply. So after studying the material and taking these with the mindset of multiple responses, I took the test and not a single question allowed choosing multiple answers.
Another resource also has a lot of questions, but they are nothing like the first resource in content. Which resource is correct?
You are taking a practice test and you run across a topic that you don't remember, so you go back to the official text book (pdf version) and run a search for the topic, NOTHING! You run the same search on the All in One book (also pdf version) and still NOTHING! So do you delve more into the topic or do you think that because it's not mentioned at all....
The real exam is made so that none of the questions you'll face at the exam are found around the Internet and in books, because the target is to test your experience in the 8 fields and your skill in resolving problems based on what you studied. That's why the exam is difficult. You have to get into the soul of what you read in the CBK. Keep doing the tests you find on the net, because this is the way to test your understanding of what you get from the CBK. The rest is in your practical sense, common sense and experience in the software development lifecycle.
@wncramsey wrote: You mention take plenty of practice tests, but that's an issue too.
REPLY: Not really. You are practicing how to take the test itself; you have, hopefully, acquired the knowledge and experience (disclaimer -- not the personal "YOU," rather the general "you"!)
Practice tests are like "sparring", nothing like stepping into the ring and getting one in the face and the gut. ;-(
For more on that watch the Pugilist of Papineau confront Senator Patrick "Brass Knuckles" Brazeau and do the Marquess of Queensbury in Ottawa.
Actual match: https://www.youtube.com/watch?v=fYlWiZMhaLE
Another resource, also has a lot of questions, but they are nothing like the first resource in content. Which resource is correct?
Likely neither. Content is changing constantly. It's not really testing your knowledge -- but it REALLY helps to bring that to the game, too.
You are taking a practice test and you run across a topic that you don't remember, so you go back to the official text book (pdf version) and run a search for the topic, NOTHING! You run the same search on the All in One book (also pdf version) and still NOTHING! So do you delve more into the topic or do you think that because it's not mentioned at all....
You make flash cards, join a study group, sweat and sweat. Then, more than likely, you won't get that question on the exam anyway.
Here are a few things I have encountered in MANY years.
https://www.thestar.com/news/canada/2012/04/01/underdog_justin_trudeau_beats_patrick_brazeau_in_thri... ...
Best regards, and keep truckin'
I totally agree with Andy69.
How many people have you worked with that have an alphabet of certifications after their names but do not have the slightest idea of what they are doing? (Microsoft exams are notorious for this) I want the exam to test knowledge, not memorization.
I found the CSSLP to be excruciatingly hard. I left the booth knowing I failed. But I passed.
There were questions that were nowhere in the CBK. So be it. I still believe that experience and common sense were more important than test exams.
As far as issues with test exams, unless you got them from ISC2, it is not on them.
Then I agree with you, too. 😉 As the father of the Model T has been quoted as saying, "Whether you think you can or whether you think you can't, you're right."
Not at all about book learning (although that helps); more about sweating out the questions and finding the least egregious,
BTW, congrats on passing this!
Hi MDChris,
I'm sorry that your attempt on the CSSLP exam wasn't a success. I also took the exam and fortunately passed it on the first try, yesterday. However, I have to admit that it was more difficult than the CISSP that I took 7 years ago. I was already an experienced security professional when I took the CISSP exam, and in the last 7 years I have gained even more experience and knowledge. Yet I still think that the CSSLP exam is a tough one. I relied mostly on my experience in software development and security engineering and technical knowledge (software engineering and security theories) to pass the exam. I started to study for the exam just three weeks before the exam date. I spent 24 hours viewing the videos on PluralSight and glanced through the All in One book.
With that said, I have to say that both the PluralSight videos and the All in One book go over the threat modeling and other security models. Evidently, the exam outline clearly states that. You can obtain and review the outline here: https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CSSLP-Exam-Outline-v1013.ashx
(Note that I'm just a regular (ISC)2 member with no further affiliation to the organization in any other way.)
I hope the above information helps and all the best to you if you plan to go for another try.
To be honest, when I finished the exam, I wasn't 100% confident that I passed until I saw the score. I marked 20+ questions for review and after going back to review them, I still couldn't narrow down to the final answers on all of them. It's a tough exam. When/if I ever get a chance, I'd love to volunteer at the (ISC)2 to see how the exam questions are selected and all the reasons behind it.
The way I see it, I wanted to have the cert as a way to show others what I know. Having CSSLP listed on my resume will likely boost my chance of getting job interviews as a software security engineer, but we all know that the cert is definitely not the gold standard by any means. I know many talented software security engineers who don't want to get the cert (or any certs for that matter). At the end of the day, all that matters is what you can get done on the job.