Ok, I took the CSSLP exam. I got a 688 out of 700 today. I took the official online ISC2 course with a week's online WebEx training (which was different from the online work). I used the flash cards and all the resources. Out of the 175 questions there were quite a few questions not associated with the flash study cards or what appear to be from the official student guide. There were also questions about modeling (I will not name them, since I should not talk about what was on the test), but the models were never referenced in the official study guide. If I had known, I would have refreshed on the associated models. Not sure what is going on here, but I would expect the resources one needs to review and understand to be successful in the exam to be in the Official Student Guide. I would hope someone from ISC2 would please comment on this concern.
After reading all the horror stories regarding the CSSLP, I think it might be best for me to hold off until the exam has been refreshed. It would have been a nice fit to round out my other certs since it's the only one that I know of that focuses on actual secure development.
Any suggestions on what I should concentrate on next? I've been in IT security and development for a very long time, but just recently I decided to tick off all the certs. I have a CISSP, CCSP, CIPT & CISM (and that's just since late January). What about OSCP? ISSAP? Or CPP? Thanks in advance.
I wouldn't let a thread like this put me off. No disrespect meant to anyone that has posted in here, but these types of threads often turn into "echo chambers" for negative views.
I have heard of as many, if not more, people passing this exam as failing.
Yes, there is no current single source of authoritative study material, but as with all ISC2 exams the suggested reference list is aligned with the current exam so the information required to pass the exam is out there.
Just my opinion, but based on what I've encountered with the CCSP being heavy on doublespeak style questions, and with the CCSP being the newest of ISC2's certifications I think it represents the way in which ISC2 are moving. As such, I would expect any revisions of the CSSLP to introduce more of these types of questions rather than reduce them, so if you are keen to earn this certification and avoid those types of questions as much as possible I would take the CSSLP sooner rather than later. (I would just say, as I have in my other posts, I also find these types of questions annoying, but if you know the material all they do is slow you down.)
As to other certifications you should go for, only you can really answer that! What is your motivation for earning the certifications? What are your interests? What subjects do you have skills and experience in?
Just note with the CISSP concentrations such as ISSAP you need to have your CISSP endorsement application approved before you can take the exams. Of course that doesn't stop you from studying while the endorsement is pending.
Great point @AlecTrevelyan. As someone who passed the first time, I can tell you that the way questions are asked definitely makes it harder, but if you know the material you can still pass. For those of you NOT coming from a software development background as an engineer, it's going to be even tougher, but still doable. Aside from having something to put on your resume, the content covered under this test is invaluable to software development. The schools aren't teaching it, but this stuff is super-relevant to today's world.
As a side note for those complaining about the official study material, I have gone through both ISC2's CISSP and CSSLP material and found it to be difficult but sufficient. On the other hand, I have also had the substantial misfortune to have to suffer through two of ISACA's official guides (CISA and CISM) and I can tell you without reservation you should thank the security Gods the CSSLP manual was not written by those people. I still have nightmares from that.
I have been (re)reading the Art of War. Sunzi's principles seem to apply here:
26. Now the general who wins a battle makes many calculations in his temple ere the battle is fought. The general who loses a battle makes but few calculations beforehand. Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.
( I. Laying Plans )
(Before you embark on any conquest, be it business, pleasure, a trip to the store, or securing your perimeters, make sure you have all your stuff together: The Moral Law (your support, personally and professionally); Heaven (take ALL the time in the world - if you have not mastered the material, don't go in hoping for a miracle - miracles tend to happen to those who have prepared them); Earth (i.e., the complete mastery of your battlefield -- the CSSLP CBK -- [and other knowledge of securing the cloud from Layer 8 (the user) to Layer 1]); The Commander (you yourself - can you handle the stress of battle for the prize); Method and Discipline (it seems that those who are not complaining might have counted the cost in time, effort, glue and horseshoes.)
17. Thus we may know that there are five essentials for victory: (1) He will win who knows when to fight and when not to fight. (2) He will win who knows how to handle both superior and inferior forces. (3) He will win whose army is animated by the same spirit throughout all its ranks. (4) He will win who, prepared himself, waits to take the enemy unprepared. (5) He will win who has military capacity and is not interfered with by the sovereign.
18. Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
(III. Attack by Stratagem )
Many, many pearls of wisdom for prospective CSSLPs to consider:
also CSA, OWASP, and lots of other stuff
Here’s a not so farfetched example of one of the types of questions from the exam – “If the sky was dim in the morning and your shirt was pressed in the afternoon – why was your brother-in-law wearing a bow tie at the reception you just spoke at if you didn’t want to speak at all?”
Here’s another one – “If a primate ran backwards in circles for 5 miles, then ran forwards for 2 ½ miles, would he be more likely or less likely to be tired if he just ran on one hand the entire time?”
I know these are funny and over the top, but not too far over the top. Whoever takes this exam will see questions that are very similar to those above. While I was taking the exam I was actually laughing, because I was thinking: who in the heck wrote these questions, and how did they write them? Did they take the normal type of questions you may see in the CSSLP CBK book at the end of the chapters, salt them with a random verb or noun or whatever to replace every 4th word in the question, and let it fly like that?
Venting here - My issue is – if you have an official book, study guide, study material, flash cards that all point to "this is what will be tested - study that" – including practice-style questions that provide a sense of what will be on the exam.
Then when it comes time for “game day” you see the actual questions written in a style where the wording of the questions makes it nearly impossible to ascertain what it is that is even being asked in the question(s) themselves – 175 of those types of questions.
These questions are “layered” questions, and what I mean by that is they have about 5 layers of depth for each question: you first have to unravel depth 1 and understand what depth 1 is talking about or referring to – before moving on to depth 2 and so on and so forth, and if you get one of the depths wrong, or if you are thrown off by one poorly written question, all the depths going forward in your thinking can be affected.
On top of that is the “TIME” factor, which becomes an issue with this exam because you only have 4 hours to take it, which is where the headaches/brain aches come into play.
I have come to one conclusion – this is done on purpose to maximize failure rates.
Now whether that be for profit, or by design, or because no one is QAing the questions since this exam is not popular enough yet to bring any attention or focus to it, or not enough people are complaining about this - is left to be determined.
Why write about this? – Because I have the PMP and CISSP, so I have taken long/tough exams and have passed them, and while the questions on those exams may have been light versions of a couple of these types of poorly worded or tricky depth/layered questions found on the CSSLP, those whole exams were not made up of these types of questions, which is the issue I have with the CSSLP – all 175 questions are these terribly written, hard-to-figure-out-what-is-being-asked layered questions.
If I ever do pass this exam, it won’t be because I felt like “yeah I really study well!” it will be because I somehow got lucky enough to figure out what it was that those extremely tricky depth worded questions were “trying” to ask and figure out enough of those to pass this thing.
I won’t come away with – I really understood that content well! – because that’s not how this exam is written and that’s the issue everyone I have spoken with has with this exam.
It is sad to hear the concerns raised here and I empathize with the candidates. One thing that you need to realize is that the official guide to the CBK does not teach to the exam - none of them do. (ISC)2 book writers and educators are separated from the exam development process - they have to be, otherwise there would be a conflict of interest. Practice exams are no substitute for real-life working experience, and that makes a difference. Chin up and try again. Good luck!