MDChris
Newcomer II

Not too happy with CSSLP Exam

Ok, I took the CSSLP exam. I got a 688 out of 700 today. I took the official online ISC2 course with a week's online webex training (which was different from the online work). I used the flash cards and all the resources. Out of the 175 questions there were quite a few questions not associated with the flash study cards or what appear to be from the official student guide. There were also questions about modeling (I will not name them due to not talking about what was on the test), but the models were never referenced in the official study guide. If I would have known I would have refreshed on the associated models. Not sure what is going on here, but I would expect the resources to review and understand to be successful in the exam would be in the Official Student Guide. I would hope someone from ISC2 would please comment on this concern.

102 Replies
MDChris
Newcomer II

Sorry. That’s a problem. I would hope ISC2 would want to see people be successful. If the course writers and the test writers are not in sync then ISC2 has a serious communication and structure problem.
rslade
Influencer II

> havinsomefun (Newcomer I) posted a new reply in Member Support on 04-26-2019

>   Then when it comes time for “game day” and you see the way
> the actual questions are written in a style that the wording of the questions
> make it nearly impossible to ascertain what it is that is even being asked in
> the question(s) themselves

Check out the CISSP sample/example questions that I'm posting at
https://community.isc2.org/t5/Certifications/CISSP-questions/m-p/18626
I know it's not CSSLP content, but the style of the questions should be the same,
and many of the same approaches to the different types of questions should apply.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
You should never be proud of doing what's right. You should just
do what's right. - Dean E. Smith
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
havinsomefun
Newcomer II

rslade - Thanks for replying with the CISSP example questions. 

 

Although I did pass the CISSP the first time I took it in 3 hours - I did like the questions from the CISSP exam. They were pretty straightforward and not tricky for the most part. Just had to do some thinking on the test taker's part.

 

The CSSLP exam questions were all at least "3" sentences or more deep - I did not see many if any 1 sentence question(s). That is what I meant by the layered and depth questions that in my opinion are meant to confuse the test takers because there are so many twists and turns to the questions and that's where the TIME issue comes into play.

 

If you have to reread the questions several times to get an inkling of an understanding of where they are going with the questions and what they are trying to ask – that’s where the issues for this exam start.

millerstreet
Viewer II

If anyone would post links to materials used in studying for this exam (and reviews), that would be helpful.  Esp the links...

 

I'm still skeptical of this certification in regards to value, as I've only seen ONE job posting from my company (very large tech, hardware and software, 20k+ emp's) that had this listed as even a 'nice to have' cert...

 

havinsomefun
Newcomer II

Yes, there's really not much value in the Cert unless you are just very interested in the material and find the subject matter helpful for your daily job, but that doesn't answer the question of why ISC2 worded the exam so purposefully confusing. It's a real turn off for people who may want to take this exam.

wncramsey
Newcomer II

That's the part we have been frustrated with (lack of good study questions).

The questions on 2 of the sites I used were nothing like the questions on the actual exam.

 

CSSLP is recognized as an alternative in many jobs that call out CISSP.

 

 

rslade
Influencer II

> wncramsey (Newcomer I) posted a new reply in Member Support on 06-26-2019 03:51

> Sent from my iPhone

Braggart.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
People everywhere confuse what they read in newspapers with news.
- A.J. Liebling
StarBlue
Newcomer I

@millerstreet 

One of the biggest backers of this cert is US Gov't such as DoD, NSA, etc.  If you are a senior level software developer (not a contractor), then you have to have either CISSP, CSSLP, or CompTIA's CASP+.  However, the rumblings are CASP+ might be removed.  I haven't seen a lot of drive from outside Federal Service for CSSLP, but for at least my org it is the only one they want.

As for study material, I have looked and I can't find any example questions that are even CLOSE to the real ones; haven't dove into the dark web yet. I talked to an author of a book recently released and he told me that ISC2 has a legal team that pays close attention to what is available. If a question appears that even remotely appears like one of the real ones; they threaten to sue the author/publisher/website out of existence. Then ISC2 removes that question from their bank of exam questions. Remember, ISC2 has an NDA that is pretty much ironclad. NSA probably has less restrictive legal papers than ISC2.

I took a six month break from this BS, but I am now starting back in it as I have hopes to take the exam towards the end of the year. I have been told the best info is the horrible CBK from ISC2 (make sure it is the 2013 version and not 2011); but please ignore the pathetic spelling, confusing layout, wrong DOMAIN NAMES, bogus questions with the WRONG ANSWERS, etc. Others have told me to read CSSLP Certification All In One Exam Guide (Second Edition, Conklin / Shoemaker, 2019), Essential CSSLP Exam Guide (Second Edition, Martin, 2019). I was told by an ISC2 instructor to know just the titles of the NIST SP 800 documents; ah no, know a little about each one. In your spare time, go to https://www.isc2.org/Certifications/References and the CSSLP section. A lot of those titles are out of print, but an absolute understanding of the entire SDLC is a must. There is someone on this board that has claimed they took it five times, they claimed they really didn't know why they passed as they felt totally prepared each time they went in. So it is an absolute crapshoot, one that ISC2 loves as they get a lot of money and that makes them feel elitist I guess. If you don't have to have this cert, I would do CompTIA; they are a much better company than ISC2 IMHO.

 

j_M007
Community Champion

Constructive comments.

 

If you have to reread the questions several times to get an inkling of an understanding of where they are going with the questions and what they are trying to ask – that’s where the issues for this exam start.

 

Agreed. It seems that many are complaining about the lack of clarity regarding the questions. Perhaps ISC^2 can explain how the questions are arrived at? I presume it is the same process as for the CISSP exam.

StarBlue
Newcomer I

Two things, ISC2 does not seem to even be paying attention to this forum topic; I think their last input to this was back on page 1 or 2. If they are paying attention, they are not responding or engaging in this discussion. After I failed, I communicated a lot of my frustration at the questions, scoring, lack of transparency, and a litany of other grievances. I got a bit of information out of them, but most of the rest of it came from others. They have an exam board that apparently asks those that have passed the exam to submit questions for review and placement into "The Bank". If they find an exact copy of an exam question anywhere (books, online, etc), it is immediately stricken from "The Bank". I assume a team of lawyers then also becomes involved to find the leaker(s). Remember, the NDA you sign before taking the test is pretty rigid; like any other professional certification.

 

Secondly, I have heard the CISSP is focused differently. It went from a 6 hour exam with over 200+ questions to a Computer Adaptive Test. That means after you answer so many at a medium level, it kicks up to hard, and if you continue to get them right it jumps to the next area and after all areas covered; you pass. There is no going forward and backwards on the questions. So I've heard the questions are a bit more to the point; not four sentences long. Still a very hard exam, I give props to anyone that has ever passed it. However, I don't know anyone yet to have done CSSLP and CISSP both; so it would be good to hear if anyone reading this that has done so to reply.

I asked ISC2 if the CSSLP was going to go CAT; but I got a non answer that the Exam Board is always evaluating the exam and can make changes at any time. I've seen on the boards the CISSP is like a river 1 inch wide and 1 mile deep; whereas the CSSLP is a river a mile wide and 1 inch deep. I agree, the CSSLP requires you to know a ton of SDLC topics; many of which are too broad to have real world experience in all of the domains covered. I doubt anyone making a corporate Disaster Recovery Plan would also be a coder or even a Supply Chain investigator tracing the genealogy of a piece of software purchased from a 3rd party.

Unfortunately my work told me that while they have exempted about 95% of the coders from taking this exam; my position is one that still needs it.  I dread taking the test again, but I guess it is time to cough up the $$$ and try again and again and again. 😛