ISC2 CSSLP

CSSLP certification: An overview

Application vulnerabilities are ranked today among the top cybersecurity threats to organizations. Companies often lack skilled professionals who have expertise in app development security. And without action, a business will continue to be exposed and face serious consequences, such as disruptions in continuous operation.

Companies are looking for talented workers who can implement software assurances, incorporate application access control and ensure the implementations of more secure coding. IT practitioners who are Certified Secure Software Lifecycle Professionals (CSSLP) might be the right answer to the needs of companies. With the current dependence on web applications and the rapid shift to virtual and mobile environments, an adequate number of CSSLPs who are dedicated to ensuring security through the software development lifecycle (SDLC) are a much-needed solution to pinpoint threats targeting web-based apps.

The International Information Systems Security Certification Consortium, (ISC)² for short, sponsors the CSSLP certification and is working towards making it the de facto industry standard for secure software development. The CSSLP validates knowledge of secure coding best practices, making it less likely for developers to leave behind exploitable vulnerabilities.

Why CSSLP certification?

The (ISC)² CSSLP certification is geared toward individuals who will have a role in the development of software systems using secure programming practices or that will be asked to protect an organization’s software from web security threats or cyberattacks, such as code injection or cross-site scripting. The domains on which professionals are tested can serve as a basic guide to master all angles of the knowledge required to fulfill this type of position. The certification can also help businesses screen applicants for relevant positions; the possession of this credential can ensure any company the applicant has the skills, expertise and significant knowledge to enhance software security throughout the development lifecycle.

There is still a shortage of qualified practitioners with application security skill sets, and the gap has grown in recent years. This poses a great opportunity for security-minded IT professionals to enter this sector and find ample opportunities for a lucrative career.

Who should obtain a CSSLP?

Software architects
Software engineers
Software assurance testers
Application security specialists
Security managers
Application designers
Software developers

Any of the above professionals may benefit from this certification as well as anyone else who is involved in SDLC activities.

The unique feature of this credential is that its common body of knowledge (CBK) overlaps with those of other certifications and programs, covering similar job function areas as developers/coders but also including skills and abilities that can be critical in all other phases of the SDLC.

Getting CSSLP certified

To qualify and be on your way to get certified, you must meet the CSSLP experience requirements: “A minimum of four years of cumulative paid full-time software development lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)² CSSLP CBK, or three years of cumulative paid full-time SDLC professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year degree or regional equivalent in computer science, information technology (IT) or related fields.”

As part of the standard registration, candidates will be asked to pay the required (ISC)² exam fee ($599, 555 euros or 479 pounds). Then, applicants will need to register and schedule for the CSSLP examination, a computer-based test at locations within Pearson VUE’s testing network worldwide.

Candidates must successfully pass the required CSSLP exam that evaluates testers across eight different domains, which are covered in the CSSLP exam outline. The 125-question, multiple-choice exam is administered over three hours. In general, testers will receive their unofficial examination results before they leave the Pearson test center. For those who passed, the scores are not provided; for those who failed, a breakdown of the domains in proficiency levels will be provided.

Now on to exploring the domains, weights and subdomains of the CSSLP certification exam, which has been “refreshed to reflect the most pertinent issues that secure software professionals currently face, along with the best practices for mitigating those issues. Some topics have been updated while others have been realigned.”

CSSLP exam domains

Domain 1: Secure software concepts 10%

Core concepts
Security design principles

Domain 2: Secure software requirements 14%

Define software security requirements
Identify and analyze compliance requirements
Identify and analyze data classification requirements
Identify and analyze privacy requirements
Develop misuse and abuse cases
Develop security requirement traceability matrix (STRM)
Ensure security requirements flow down to suppliers/providers

Domain 3: Secure software architecture and design 14%

Perform threat modeling
Define the security architecture
Perform secure interface design
Perform architectural risk assessment
Model (non-functional) security properties and constraints
Model and classify data
Evaluate and select a reusable secure design
Perform security architecture and design review
Define secure operational architecture
Use secure architecture and design principles, patterns and tools

Domain 4: Secure software implementation 14%

Adhere to relevant secure coding practices
Analyze code for security risks
Implement security controls
Address security risks
Securely reuse third-party code or libraries
Securely integrate components
Apply security during the build process

Domain 5: Secure software testing 14%

Develop security test cases
Develop security testing strategy and plan
Verify and validate documentation
Identify undocumented functionality
Analyze security implications of test results
Classify and track security errors
Secure test data
Perform verification and validation testing

Domain 6: Secure software lifecycle management 11%

Secure configuration and version control
Define strategy and roadmap
Manage security within a software development methodology
Identify security standards and frameworks
Define and develop security documentation
Develop security metrics
Decommission software
Report security status
Incorporate integrated risk management (IRM)
Promote security culture in software development
Implement continuous improvement

Domain 7: Secure software deployment, operations, maintenance 12%

Perform operational risk analysis
Release software securely
Securely store and manage security data
Ensure secure installation
Perform post-deployment security testing
Obtain security approval to operate
Perform information security continuous monitoring (ISCM)
Support incident response
Perform patch management
Perform vulnerability management
Runtime protection
Support continuity of operations
Integrate service level objectives (SLO) and service level agreements (SLA)

Domain 8: Secure software supply chain 11%

Implement software supply chain risk management
Analyze security of third-party software
Verify pedigree and provenance
Ensure supplier security requirements in the acquisition process
Support contractual requirements

Having seen the eight domains, one may identify areas of study that may need additional attention before taking the exam. A passing grade is 700 out of 1,000.

What is the best way to train for the CSSLP exam?

(ISC)² offers CSSLP training material for self-study including the (ISC)² CSSLP Flashcards and the “Official (ISC)² Guide to the CSSLP, 2nd edition,” which covers the required understanding of the eight domains. These are valuable resources for those studying and preparing for the examination.

Other books can also be an indispensable reference: the “CSSLP Prep Guide” emphasizes the application of secure software methodologies during the software development cycle and covers all aspects of the CSSLP certification exam, with hundreds of sample test questions and answers available on the accompanying CD. You will also find exam tips, practice questions and in-depth explanations by obtaining the “CSSLP All-in-One Exam Guide.”

Official training partners, authorized by (ISC)², can also deliver the most relevant, up-to-date course content. This is also a good option in preparing students for the CSSLP exam through extensive hands-on courses and labs.

How can I earn CPEs to maintain my CSSLP certification?

Certified members are required to earn and submit CPE credits (with 90 CPE credits due in a three-year certification cycle) and pay $125 annually on the anniversary of their certification.

These CPE credits can be earned through various learning activities within these categories:

CPE activities offered by (ISC)²: attending a certification course, webinar or chapter meeting
CPE categories: education (group A or B), contributions to the profession (group A), professional development (group B) and unique work experience (group A)

Note: group A credits relate directly to activities in the areas covered by the specific domains of the CSSLP. Group B credits are gained through professional skills, education, knowledge or competency outside of the domains associated with the CSSLP certification.

CSSLP certification salary and job outlook

First of all, earning a CSSLP certification can help set a professional apart from other job candidates. A CSSLP who is well rounded in all aspects of software creation and has engineer/developer-type skills as a coder or programmer can truly apply to any field that involves application security development.

CSSLPs can also expect good pay and opportunities for the foreseeable future. According to PayScale, the salary for a CSSLP is about $108,366 per year. A senior security software engineer that has a role in designing and building secure IT systems can exceed $120,000. Salaries, however, vary according to job title, location and experience.

Pursuing a CSSLP certification

Software can hide several vulnerabilities and can pose additional security risks for end users. Apart from app updates or patches that resolve exploits, companies should employ the talent of a CSSLP who can identify weaknesses before a cybercriminal attempts to make the most of a security hole in a legitimate application. This is a professional who can deliver secure application development by incorporating best practices, and ensuring security is embedded in every stage of the software development lifecycle.

Sources:

CSSLP, (ISC)²
CSSLP Exam Outline, (ISC)²
CSSLP Domain Refresh FAQ, (ISC)²
CSSLP Domain Refresh guide, (ISC)²
The Ultimate Guide to the CSSLP, (ISC)²
Official (ISC)2® Guide to the CSSLP® CBK®, Second Edition, (ISC)²

Posted: April 7, 2021

Daniel Brecht

View Profile

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.