Ok, I took the CSSLP exam. I got a 688 out of 700 today. I took the official online ISC2 course with a week's online webex training (which was different from the online work). I used the flash cards and all the resources. Out of the 175 questions there were quite a few questions not associated with the flash study cards or what appear to be from the office student guide. There were also questions about modeling (I will not name them due to not talking about what was on the test), but the models were never referenced in the official study guide. If I would have known I would have refreshed on the associated models. Not sure what is going on here, but I would expect the resources to review and understand to be successful in the exam would be in the Official Student Guide. It would hope someone from ISC2 would please comment on this concern.
I stand corrected on the exam being covered by ISC2. I re-read the e-mail and my wishful thinking saw one thing, but in fact it is another. ISC2 will allow anyone who has taken their course and failed the test to re-attend I believe the class free of charge. It's not the actual test. We'd still be out the money for taking a 2nd exam.
All of my study material had the models.
I did pass the test on the first pass. It was brutal. I studied the infamous CSSLP CBK ans the All-in-One. The CBK had the models. I also read the CISSP book by Shon Harris.
I have been a developer for about 30 years. Most of it as a developer or a manager of developer. I have a fair amount of security experience from a management prospective,
I found the test to be about 25% book knowledge and 75% experience and common sense.
The security experience was the key for my passing. There were definitely were not covered in the books.
That should have read:
There definitely were questions that were not covered by the book.
The CBK was the 2nd edition.
I totally went the self-trained route.
That should have read:
Official (ISC)2 Guide to the CSSLP CBK
I passed the exam, but only by the skin of my teeth, (I had to answer all 175 questions.) I am a software engineer, but have been more on the analysis side rather than the actual coding for the last five years. I studied by just reading the official CSSLP CBK, but there was certainly information on the test which was not thoroughly covered in the study guide. I also have my CISSP, and I feel that test was exponentially easier than the CSSLP. The CSSLP test is certainly designed for someone who has actual hands-on software development experience.
It's very misleading when you state Project Managers, Quality Assurance Analysts & even Business Analysts can take the exams and pass it.
It's also implied that this exams is geared for folks with software development life cycle knowledge but in my opinion, it's really not. It's more for folks with hard-core IT background for example, coders, developers, programmer's etc.
It appears that you may have misread or misinterpreted the information on the CSSLP exam.
Here is what the CSSLP information page says:
The CSSLP is ideal for software development and security professionals responsible for applying best practices to each phase of the SDLC – from software design and implementation to testing and deployment – including those in the following positions:
Software Architect Penetration Tester
Software Engineer Software Procurement Analyst
Software Developer Project Manager
Application Security Specialist Security Manager
Software Program Manager Quality Assurance Tester
There is no claim that individuals in any of those specialties can (or should) take the exam expecting to pass without preparation. The certification is one that covers knowledge that "security professionals responsible for applying best practices to each phase of the SDLC" should have. One reason that we have so much software without decent security built in is that a huge proportion of workers with SDCL responsibility, including oversight jobs like PM and QA, simply do not.
Similar to the basic philosophy of the CISSP CBK content, the CSSLP content CBK is based on knowledge that SDLC-involved workers should have, both to do their own jobs and also to understand what others in the SDLC environment should be doing. This broader knowledge is especially important for management level workers like project managers and software quality assurance workers, to be sure the architects, programmers, and covers are including the correct aspects.
Also, with regard to the expectation that the cram course will cover every question on the exam, I repeat the statement above by William @denbesten:
"f you read through these boards, you will find that there is no single source of material that will prepare you for an (ISC)² exam. The recommendations that you will consistently get are to use many references, to take lots of practice tests and to earn (much of) the required experience prior to sitting for the exam. (ISC)² exams are all about ability to apply your knowledge and experience in real-world situations. Although important, "book knowledge" is not enough to pass (ISC)² exams."
I had handos-on software development for all my carrer...and I can tell you that the exam was difficult even for me. It is more difficult than CISSP, I agree.