Security

The Shadow of CSSLP

or "How I Passed CSSLP". My detailed feedback about preparation for CSSLP, study materials, training process, and passing CSSLP examination.

Alexandr Fadeev

9 min read
The Shadow of CSSLP

CSSLP is a challenging secure software lifecycle certification.

Certified Secure Software Lifecycle Professional (CSSLP) was issued by (ISC)Β² to Alexander Fadeev.
The vendor-neutral CSSLP credential validates that software professionals have the expertise to incorporate security practices – authentication, authorization and auditing – into each phase of the software development lifecycle, from software design and implementation to testing and deployment. CSSL…
Credly

I started my preparation right after becoming CISSP while I was still warmed up. I tried to not lose momentum: it's the moment when you have memorized a lot, you are motivated, you're ready for tricky questions. And basically, the strategy paid off, in 2.5 months I've got a new accomplishment.

Seems like I'm the ONLY CSSLP in Ukraine as for May 2021. 😎 🌍

However, look at this picture. πŸ‘‡ Does it mean that CSSLP is probably "smaller" and easier than CISSP? Spoiler alert! NO.

CISSP is the boss of security certifications. But CSSLP is a small sneaky bastard which is gonna hurt you much.

The exam appeared to be very tough. At least it was not easier than CISSP, even maybe harder.

The thing is that the smaller size of the knowledge base does NOT mean that the questions on the exam will be easier. Moreover, in my perception, the questions were even vaguer and trickier (not always for a good reason).

πŸ“ CSSLP does not overlap very closely with CISSP in the knowledge base, I saw maybe ~1-2% of similar questions on the exam. Consider CSSLP as a completely separate exam which is β€œan inch wide and a mile deep”.

Lessons Learned

It's not easy to find information about the format and content of the real examination. It is especially noteworthy compared to the richest amount of study materials and practice tests for the CISSP certification. Despite the fact there is a decent set of books and courses to study the theory, the lack of training materials can be the reason you might find CSSLP exam to be more difficult than the CISSP exam.

Be mentally prepared for the fact that there will be questions you're not ready to answer with 100% of confidence.

Don't worry, it's okay if you get slightly shocked on the exam. Just focus, you are still able to pass.

My experience helped me a lot. All in all, only experience can save your ass in the final battle. And that's why I appreciate my CSSLP achievement even more!

CSSLP Exam Overview

I took the exam in February 2021, and it was of the following format:

  • 125 questions.
  • 3 hours.
  • Multiple-choice (1 option to choose at a time).
  • You can't go back to the previous question.
  • It is not an adaptive examination (not a CAP), and you have to answer all 125 questions.

The CSSLP exam has been shrunk to 125 questions. Funny thing is that I thought it became adaptive. This assumption made me nervous when the exam didn't stop on the 1o1st question. I lost my focus, and it could make me fail. Thankfully, I passed. Again, stay focused.

  • CSSLP is an "English exam", like CISSP.β€Œβ€Œ
    There are questions to find the BEST answer, and particularly, it means that many questions are formulated in some vague way (that sucks).
    It will hurt those of you who are not native English speakers (like me) because sometimes there are questions where the answer is encoded into some synonym, and you probably see this word for the first time in your life, and your first step is to figure out what does the word mean in the context.
  • You are a manager.
    Answering questions, imagine that you are a manager, not a strictly technical person. It means, for instance, that you have to prefer a risk assessment answer versus an option which implies immediate execution.
  • There are many questions (but not too many) about the knowledge of concepts and terms.β€Œβ€Œ
    That's why I would suggest you NOT miss the theoretical part in your studying.

Training Process

Every certification needs its own dedication and mental preparation. Your current knowledge and skills are needed. But it is not enough.

You MUST improve:

  1. Knowledge.
  2. Mindset.
  1. You need to get ready for the format of the examination.
    Train your mindset. You will not find too much of insights related to the CSSLP, but you can find tips and tricks related to the other major (ISC)2 certification CISSP. Better yet, I would recommend preparing for the CISSP certification first, however, it's totally up to you. (It was my way though).
    • You need a mindset to quickly scan and understand questions.
    • You need to educate your inner voice to talk about every option. It helps a lot. Don't guess by particular words, rather try to utter every option inside of your mind, and explain why the option is correct, and why is not.
  2. Read the books.
    1. I started by reading "CSSLP All-in-One Exam Guide", but don't spend too much time on the final Chapters 18-20, they are completely messy, unstructured, and they won't get you the knowledge to pass the exam.
    2. Also, in my humble opinion, the "Official (ISC2) Guide to the CSSLP CBK" (2013) is much better: it is better structured, and it contains all the technical items you need to pass the exam. Just it's a bit too much bloated.
    3. You can find an "Essential CSSLP Exam Guide" audiobook which could be a convenient source for your preparation. There is a unique structure by functional roles in the company, not by the domains. The contents is pretty unique and decent.
      ⚠️ WARNING: I didn't use this book as the main source of knowledge in my preparation, I just went through a couple of freely available chapters. Therefore, I cannot assure you that you pass the exam just reading only this book.
  3. Take practice tests.
    I answered all questions after each chapter in "CISSP All-in-One". They do not reproduce the format of the real questions but you don't have much choice. You need to practice.
    Then I used CSSLP TotalTester which contains 350 multiple-choice questions. You get the license key from the "CSSLP All-In-One" book. I have been practicing until I could get 78-80% pass rate.

For reference, my pass rate by CSSLP All-in-One chapters:

Chapter Pass Rate
Chapter 1 100%
Chapter 2 100%
Chapter 3 93%
Chapter 4 73%
Chapter 5 86%
Chapter 6 66%
Chapter 7 80%
Chapter 8 73%
Chapter 9 80% (no prep.)
Chapter 10 66%
Chapter 11 80% (no prep.)
Chapter 12 66% (no prep.)
Chapter 13 73% (no prep.)
Chapter 14 80% (no prep.)
Chapter 15 80%
Chapter 16 80%
Chapter 17 86%
Chapter 18 73%
Chapter 19 66% (no prep.)
Chapter 20 skipped

⚠️ However, be careful with CSSLP TotalTester as well (see below). Besides of inconsistencies, it does not reflect what you're going to see on the real exam. Questions from the Official CBK book are much closer to what you'll get.

Validation Test Set

Keep one set of questions till the end of your studying as a validation set. I used questions in the "Official (ISC)2 Guide to the CSSLP CBK", which means that I never touched them until the very end of my preparation. By the way, Β I think the CBK book is the best source of the ultimate knowledge at the moment, even though the book hasn't been updated since 2013. The principles of secure software lifecycle are pretty universal and they have not been changed drastically for the last decade.

Video Courses

Let me put some links on the video course here because video is the best way to bootstrap the knowledge about the domain.

⚠️ I didn't study by these video courses, they have appeared just around the time of my examination. Therefore, I can't guarantee their quality. Nonetheless, I used video courses at the beginning of my CISSP preparation, therefore I know that video can be quite helpful.

Problem with CSSLP Training Materials

I'm still trying to correlate my feelings about passing the certification with the effectiveness of my training process.

CSSLP does not have the same level of consistency between a common body of knowledge and training materials compared to CISSP. There are inconsistencies between different books and practice tests, between the official guide, non-official books, and online practice tests.

My pretty subjective evaluation of the quality of publicly available training material for CISSP and CSSLP (in 2020-2021).

I've noticed a discrepancy in the concepts between CISSP and CSSLP, and my favorite one is the different definition of a data owner and a data custodian.

  1. In CISSP a data owner defines the criteria of data classification and classifies the data, while implementation goes to a data custodian.
  2. In CSSLP a data owner defines criteria (only), whereas both actions of data classification and applying the controls refer to a data custodian.

And you know what? I got exactly that question on the exam. I'm still not sure whether my answer was correct.

Another problem is that there are not many practice tests in the wild. I calculated at most ~800 from all sources. In contrast, there are thousands and thousands of practice tests for CISSP. Consider, that it is believed that you need to answer at least 3000-5000 tests in order to get prepared for CISSP.

If CSSLP is your first exam, all that remains is to rely on your experience and your luck.

Train hard, fight easy. But what if there is no trainer, there is no fight concept, there is only your willingness, pictures in the book, and some experience "from da streetz"?

Beware Scam

  1. You can find many weak and bad CSSLP practice tests on the Internet. For instance, you know if your quiz is a scam if you find questions about DIACAP there.
  2. E.g. this course on Udemy is not a real practice test for CSSLP.
  3. Skillset's practice exam is pretty weak, the questions are loosely combined by CSSLP domain titles, and I think the test cases have been taken from other certification buckets. I don't recommend spending time and money on that.

Still, You Can Do It

Mentally, just be ready for "high entropy". Rely on your experience. Trust your knowledge. Be slow. You're a manager. Try to imagine the real situations. If you completely lost, don't panic! Stay focused!

And that's basically it. I hope my feedback can help you prepare better. You can do it! Β 

Bonus: Be Careful With "CSSLP TotalTester"

I spent plenty of time with CSSLP TotalTester online system, and I found a lot of discrepancies there. Here is my chart of the issues:

  1. There are multichoice tests in the sense that you have to select from 2 to 4 options simultaneously. I didn't see this approach on the exam. The good thing is that it trains your mind pretty well.
  2. I found a question where RC4 marked as the best option to encrypt streaming video versus AES. RC4 cannot be an ultimate answer having AES in the list.
  3. There is a question about risk governance (I cannot post the full question here), where the answer is supposed to be in the governance realm as well. Suddenly, risk management has been accepted as the correct answer. It's completely confusing because governance and management are different beasts.
  4. One practice test assumed that source code analysis can be carried out on the system level. It is HOW? Tell me, how do you carry out source code analysis on the level of the system? A system is composed of subsystems, components, applications, interconnections, everything has been compiled (and there is source code on the components level) and integrated using different kinds of interfaces. Yes, I can reconstruct and evaluate the architecture by looking at the source code of separate components, but the "source code of the overall system" doesn't exist as a concept. Come on.
  5. A question about risk management was answered with a "risk analysis" option, while the "risk management" option was declined with the reasoning that the question is about... risk management. πŸ€• Don't try to understand it.
  6. Sometimes there is a learning explanation, where the wording is meaningful, but the invalid option is marked as correct.
  7. Vague wording, lack of detailed explanation (e.g. "it's just wrong" explanation of the accepted answer).