When I started the CSSLP certification path, I realized that the seriousness with which the evaluation was conceived it was considerably greater than what I expected. The attempt, in my opinion quite successful, by those who produce the certification test is to create a set of very practical questions (not non-theoretical, you need to be demonstrated to know how to use those concepts in the field), very varied and well protected, not subject to leak of any kind (needless to search the web or the deep web, the brain dumps are not found).
In short, the exam is serious.
The content is completely respectable, the CSSLP has a very practical character, much more than the CISSP. Educational material is useful not only for the purpose of passing the exam itself, but is a good reference in working life not only for those who develop software, but also for managers, project managers, software engineers and anyone involved in production in this area .
To pass the exam a course helps, but that's not all. Certainly the experience in one or more of the domains indicated by the CBK is fundamental, otherwise one should rely a little too much on the imagination to respond to questions of practical application. The advice is: get yourself questions, questions, lots of questions. Courses provide useful simulation exams, but unlike other certifications, they are not exhaustive.
I would try to get more simulation exams possible, also because in all those I tried there are no questions that are found in the exam. The bunker with the questions is evidently well protected. So the second tip is: study well and in depth, the exam costs and having to repeat could be unpleasant in all respects. Personally I bought the "CSSLP Certification All-in-one Exam Guide", very useful and well done, but I found the CSSLP CBK of the ISC2 more complete. After studying on both I passed the exam. The assessment questions of these two books serve only as a verification of your understanding of what you read, but for the examination it takes much more.
On the web you can find different material that can help, the excellent ISC2 courses are very valid.
Good work and good luck to those who want to try this certification exam.
Welcome to the CSSLP club! There are not nearly enough of us, which is sad given the importance of trying to prevent the introduction of vulnerabilities today before they become CVEs tomorrow.
Yes, It's true. Initially I believed that many people with software development experience would have considered this certification to be important, but for some reason it is not. Yet the worst vulnerabilities arise just during the software development life cycle. I do not understand the reason for this underestimation...
Not being a developer myself I cannot speak with authority on the subject, but I suspect that what attracts most people to development in the first place, is the desire to make things work, security aspects come into play much later.
Until sufficient experience in development is acquired, there is no impetus of building something secure that does not work.
I don't disagree, but would say the following:
Security is a property of software or a system, and it is a subset of quality. You can have a secure piece of crap. You can also have an insecure system that does what the user expected. Neither of those are really quality products, though.
Unfortunately, this is largely related to the fact that software engineering is not a professional engineering discipline in the way that civil engineering is. If a civil engineer with a PE designs a bridge that fails due to design issues, then he will lose his PE license and can no longer ply his trade, similar to a lawyer being disbarred. People have such low expectations for software systems in general that if we don't have to reboot our computer every morning we think it's a win. Software engineers don't lose their license to write or design software if they ship a product with a bunch of CVEs in it.
This is why I'm not excited about self-driving cars, or really any auto project coming out of silicon valley. That community has not really had to learn to develop products with the burden of real-life consequences. "Fail early and fail often" doesn't translate well to life-and-death situations. Just look at all the Tesla "auto pilot" crashes. "Woops, well, at least we can issue over-the-air updates!" Or, you know.. you could have relentlessly tested your product and used seasoned control systems engineers to write the minimal amount of code necessary. Eternal beta for gmail doesn't matter. Eternal beta for my ABS system is not something I'm willing to bet my life on, and an ABS system that is accessible via the satnav, which is remotely accessible -- I will NOT be buying that.
I think (ISC)2 does say that CSSLP is ideal for QA folks. I think they need to do a better job of selling that angle though. The more straight QA folks are able to take AppSec into their own hands, the better. Bugs are bugs. Squash them all.
CSSLP (certified secure software lifecycle professional) is a certification from (ISC)2 that focuses on application security within the software development lifecycle (SDLC).