According to Gartner, an information technology (IT) research and consultancy company, “over 70% of breaches of security vulnerabilities exist at the application level.” This is because security is often not the first thought in the mind of software developers and vulnerabilities and exploitable holes might be present for a while before patches are finally issued. Application vulnerabilities are ranked today among the top cybersecurity threats to organizations in order of severity. So, without action, business will continue to be exposed to serious consequences, such as disruptions in its continuous operation.
An expert, like a Certified Secure Software Lifecycle Professional (CSSLP), can be called in to assume many roles: to implement software assurances; to incorporate application access controls; if not to execute programming that will improve the coding of scripts on-the-fly, or else to ensure the implementations of more secure applications. With the current dependence on Web applications and the rapid shift to virtual and mobile environments, an adequate number of CSSLPs who are dedicated to ensuring security through the software development lifecycle (SDLC) are a much-needed solution to pinpoint threats targeting web-based apps.
How can an IT professional prepare for this important role? The (ISC)² CSSLP might be the right answer as it is a base credential that tests a candidates’ competency against a measurable pattern of knowledge, skills, abilities (KSA) necessary to fulfill the software security needs of any company.
The International Information Systems Security Certification Consortium, Inc., (ISC)²® for short, sponsors the CSSLP certification and is working towards making the CSSLP the de facto industry standard for secure software development. “The CSSLP examination is designed to take a ‘People, Processes, Technology’ holistic view of software security that enables one to prevent many of the insecure problems that plague ubiquitous computing.” A CSSLP credential holder can incorporate security into all phases of the software lifecycle making it less likely to leave behind exploitable vulnerabilities.
Why CSSLP Certification?
The (ISC)² CSSLP certification is geared towards individuals who will have a role in the development of software systems using secure programming practices or that will be asked to protect an organization’s software from web security threats or cyber-attacks, such as code injection or cross-site scripting. The domains on which professionals are tested can serve as a basic guide to master all angles of the knowledge required to fulfill this type of position. The certification can also help businesses to screen applicants for relevant positions; the possession of this credential can ensure them the applicant has the skills, expertise, and significant knowledge to enhance software security throughout the development lifecycle.
There is still a shortage of qualified practitioners with application security skillsets, and the gap between demand and offer has grown in recent years. This poses a great opportunity for security-minded IT professionals to enter this sector and find ample opportunities for a lucrative career.
Who should obtain a CSSLP? The likeliest targets are:
- Software Architects
- Software Engineers
- Software Assurance Testers
- Application Security Specialists
- Security Managers
- Application Designers
- Software Developers
Any of the above professionals may benefit from this certification as well as anyone else who is involved in the Software Life Cycle activities.
The unique feature of this credential is that its CBKs overlap with those of other certifications and programs, covering similar job function areas as developers/coders but also including skills and abilities that can be critical in all other phases of the SDLC.
Getting CSSLP Certified
“You typically can’t become a security-specific developer until you’ve completed three years of work as a developer and two years as an auditor/tester,” indicates CyberDegrees.org. And to qualify for the CSSLP, you must have “a minimum of four years of cumulative paid full-time Software Development Lifecycle (SDLC) professional work experience in one or more of the eight domains of the (ISC)²® CSSLP CBK, or three years of cumulative paid full-time SDLC professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year degree leading to a Baccalaureate, or regional equivalent in Computer Science, Information Technology (IT) or related fields.”
As part of the standard registration, candidates will be asked to pay the required (ISC)² exam fee (USD 599, EUR 555, GBP 479. Note, however, that with early registration, the examination costs $549). Then, applicants will need to schedule for the CSSLP examination, a computer-based test at locations within Pearson VUE’s testing network worldwide. A qualified candidate will be asked to meet the following requirements before the test day: Complete the Application Endorsement Form; Present a Detailed Resume of Experience and an Experience Assessment Application; and Agree to the (ISC)2 Code of Ethics; all is to be done on-line only.
In fact, an applicant needs to have acquired the necessary years of professional experience required and provide proof that needs to be endorsed by a member of (ISC)² in good standing. If one does not have the required experience, then they may still sit for the exam and become an Associate of (ISC)² until all other requirements are met.
The CSSLP certification evaluates potential candidates across eight different domains; the exam has 175 question, all multiple-choice, given over a 4-hour period. They are administered at
Pearson Professional Centers. The questions are developed from the skills and info contained within the CSSLP CBK with the following weights:
Secure Software Concepts – 13%
One will need to understand security implications and methodologies within centralized and decentralized environments across the enterprise s computer systems in software development.
Secure Software Requirements – 14%
One will need to understand the security controls required during the requirements gathering phase of the Secure Software Development Lifecycle.
Secure Software Design – 16%
One will need to understand the application design basics and be readily able to define specific security criteria elements of an attack surface through conducting various Penetration Testing exercises, as. This will reveal any vulnerabilities and identify the countermeasures that are needed to those mitigate risks.
Secure Software Implementation/Programming – 16%
One will need to know the coding standards that help developers avoid introducing flaws that can lead to security vulnerabilities, understand common software vulnerabilities and countermeasures, as well as be able to apply security testing tools.
Secure Software Testing – 14%
One will need to know the standards for software quality assurance as well as understand the concepts of functional and QA testing for security functionality and resiliency to attack.
Secure Lifecycle Management – 10%
One will need to know how to secure software throughout its entire lifecycle, from project initiation to product replacement or retirement, how to build it and keep it secure.
Software Development, Operations, and Maintenance – 9%
One will need to know how to handle security issues around steady state operations and management of software.
Supply Chain and Software Acquisition – 8%
On will need to know how to perform tasks required in managing the various risk levels for software development projects that are outsourced to a third party. Also, the exam candidate will need to know how to implement a process for interacting with various third parties on key topics issues such as the following:
- Vulnerability management;
- Service level agreement monitoring,
- Maintaining a chain of custody document(s) throughout the period of the software development project.
A passing grade is 700 out of 1000. The tested CBKs and questions are periodically reviewed to ensure the exam meets current professional requirements and industry standards and does mirror the knowledge and skills required by professionals in the field to meet ever-changing challenges. In fact, the exam did
change in 2017 with the updating of some domains:
|Previous CSSLP Domain Name||New CSSLP Domain Name|
|Domain 4. Secure Software Implementation/Coding||Domain 4. Secure Software Implementation/Programming|
|Domain 6. Software Acceptance||Domain 6. Secure Lifecycle Management|
|Domain 7. Software Deployment, Operations, Maintenance, and Disposal||Domain 7. Software Deployment, Operations, Maintenance|
What is the Best Way to Train for the CSSLP Exam?
These days, there is a growing wealth of information available for anyone interested in becoming a CSSLP, in the forms of textbooks, course material, professional training through accredited vendors or by the attendance of seminars or conferences.
Obviously, (ISC)² offers its own CSSLP Training Course Overview as well as plenty of material for self-study and opportunities to test knowledge with the Official (ISC)² CSSLP® Flash Cards. The Official (ISC)2® Guide to the CSSLP®, the 2nd edition also covers the required understanding of the eight CSSLP domains to assist candidates to study for the certification and beyond.
This is a valuable resource for those studying for the CSSLP examination; however, other books can also be an indispensable reference: the CSSLP Prep Guide emphasizes the application of secure software methodologies during the software development cycle and reviews all facets of what is involved on the CSSLP certification exam. Also included with this package are a plentiful supply of sample test questions and answers. You will also find exam tips, practice questions, and in-depth explanations by obtaining the CSSLP All-in-One Exam Guide. This resource is also designed to be an on-the-job reference.
Ethical Hacking Training – Resources (InfoSec)
A great Training Course is the CSSLP Training Boot Camp. “InfoSec Institute’s CSSLP Award Winning Boot Camp focuses on preparing students for the CSSLP exam through extensive mentoring and drill sessions, review of the entire body of knowledge, and practical question and answer scenarios, all through a high-energy seminar approach.” InfoSec Institute also offers some relevant skill sets that can help students and professionals best prepare to pass the exam:
- Skillset – CSSLP-Secure Lifecycle Management (For other skillsets, click here)
- Certification – CSSLP
How Can I Earn CPEs to Maintain My CSSLP Cert?
The cert holder must recertify every three years. This is done by accomplishing ongoing requirements to maintain the CSSLP credentials. To maintain one’s credential, an Annual Maintenance Fee (AMF) of US$35 applies, and at least 90 CPE credits in a three-year certification cycle must be earned. If the CPE requirements are not met, CSSLPs must retake the exam and will also be asked to pay the AMF of US$100.
There are many ways to earn the required CPEs. One possibility to maintain the CSSLP certification is by taking a Security Compass’s CSSLP online training course to earn 10 CPE credits after completion. Also, those who acquire any SSP certification from (ISC)2 & Security Compass earn 30 CPE credits to count towards the CSSLP certification as per (ISC)2’s CPE guidelines.
There are also a number of live seminars and conferences available to professionals:
- Gartner Security & Risk Management Summit 2018 (June 4 – 7 / National Harbor, MD) Those in attendance had the opportunity to earn 16.50 group “A” credits toward CSSLP recertification requirements.
- OWASP Annual AppSec EU Security Conference 2018 (July 2 – 6 / London) or AppSec USA (October 8-12 / Hosted at Fairmont San Jose, CA) which includes training sessions on various security application topics.
A CSSLP certification holder might want to explore further conference options for 2018 and beyond providing a range of continuing professional education (CPE) credits and training that might—or not—be associated with the domains of their credential.
Is the CSSLP Certification Worth the Effort? Salary and Job Outlook
First, earning a CSSLP certification can help set a professional apart from other job candidates. A CSSLP who is well rounded in all aspects of software creation and has engineer/developer-type skills – as a coder or a programmer – can truly apply to any field and any cybersecurity job openings that involve application security development.
CSSLPs can also expect good pay and opportunities for the foreseeable future. According to PayScale, the salary for a Certified Secure Software Lifecycle Professional (CSSLP) can start at about $90,000 per year as a Security Software Developer that has training and education across a number of disciplines, including applications and systems development security, and can exceed $140,000 as a Security Software Engineer that has a role in designing and building secure IT systems. Salaries, however, vary according to job title, location, and experience.
Software can hide a number of vulnerabilities and can pose additional security risks for end users; apart from app updates or patches, which resolve exploits it is best for companies to employ the talent of professionals like CSSLP credential holders that can identify weaknesses before a cybercriminal attempts to make the most of a security hole in a legitimate application. (ISC)² Certified Secure Software Lifecycle Professionals (CSSLP) with strong expertise in and commitment to app security can deliver secure application development by incorporating best practices, and ensuring security are embedded in every stage of the software development lifecycle.
Become a Security Software Developer. Retrieved from
Frank, C. E. & Werner, L. A. (2010, October). The benefit of the CSSLP certification for educators and professionals. The Journal of Computing Sciences in Colleges. Volume 26, Number 1. Retrieved from
Infosecurity Magazine. (2010, November 11). Majority of government personnel do not receive enough software security training. Retrieved from
(ISC)², Inc. (n.d.). Certified Secure Software Lifecycle Professional. Retrieved from
Korolov, M. (2017, April 5). What it takes to become an application security engineer. Retrieved from
McNulty, L. (2008, November). CSSLP. Information Security and Privacy Advisory Board December 2008 Meeting. Retrieved from
Mello, J. P. (2017). Application Security Report 2017. Retrieved from
Miessler, D. (2012, April 28). The Difference Between a Programmer, a Hacker, and a Developer. Retrieved from
Moramarco, S. (2018, January 5). Average CSSLP Salary in 2018. Retrieved from
Rubens, P. (2017, December 21). 2018 IT Security Employment Outlook: Which Security Skills and Certs are Hottest? Retrieved from
Security Compass. (2017, March 27). How to Obtain CPE Credits for Maintaining Application Security Certifications. Retrieved from https://blog.securitycompass.com/how-to-obtain-cpe-credits-for-maintaining-application-security-certifications-14705a49ba5c