I recently passed the CSSLP certification and thought it may be useful to people if I did a brief write-up of my path to passing the exam, so here it is!
Why look at certification?
Software security, or rather a lack of software security, has had a lot of press lately. This has led to security becoming a primary concern of the software development life cycle and makes at least some knowledge of security important for the whole team.
Gaining certification isn't just having some knowledge on the subject, but is a strong nod towards becoming specialised and any business needs that kind of specialism to really spread the knowledge and importance of security in our development life cycles. The more specialists a business has, the more they can increase each other’s knowledge and the knowledge of the teams around them, creating more security and hopefully more efficiency in the processes used to achieve it.
Certification will help you to improve on this key skill, which is good for you and good for the business. Double win.
Why did I look at certification?
Firstly and most importantly, because I really enjoy the subject: I enjoy podcasts about it, reading about it and practising it. We recently had an OWASP Shepherd tournament, which was great fun and a pleasure to be a part of.
I think the important question I asked myself here is at what point I started to enjoy it. Which came first, the enjoyment or the hard work? I had an initial interest in security, but the hard work came before the real enjoyment. A life lesson right there.
How much work did it take?
Brace yourself – I spent a year revising for the exam.
It wasn't all highly focussed revision; near the start there were times when I didn't do a lot of direct revision, and sometimes it would just be listening to podcasts (while commuting), reading articles etc.
If I had worked hard I think I could have compressed all of the revision into 4-6 months. Really it depends on how much time you're willing to put in and how much knowledge you already have on the subject.
I tried a variety of resources:
Book 1 - CSSLP Certification All-in-One Exam Guide, Second Edition. This was the basis for most of my revision; I read it cover to cover and took copious notes. It has questions at the end of each chapter and comes with sample exams (which were nowhere near as hard as the real thing). It also came with a PDF copy of the book, which I found very useful.
Book 2 - Official (ISC)2 Guide to the CSSLP CBK ((ISC)2 Press). I read this fairly late on in the year and while there was some benefit in having it, I found I preferred the format of book 1.
Anki - I used this a LOT. It's a flashcard application that lets you create your own flashcards and learn with them on desktop or mobile. All of my notes from book 1 went into this, meaning I could revise anywhere.
PluralSight – there is some excellent material here and it was good to have a resource that wasn't entirely based on reading text. There are some specific courses for CSSLP and there are also some aimed at CISSP that have content relevant to CSSLP. There's a 10 day free trial if you need it.
Cybrary – this has some free video based courses aimed at CSSLP and they had some good content, perhaps not as polished as Pluralsight, but still useful.
Quizlet - it didn't feel of much use, but it really drills the info into you.
Security Now – this is a security based podcast. It comes in at about 2 hours a week of content and wasn't focused on the exam, but is a good resource for general security knowledge.
You get 4 hours to do 175 multiple choice questions (note: this looks like it's changing to 3 hours as of 15th September 2020 and will be 125 questions). I completed it in 3 hours 20 minutes and genuinely found it challenging. A lot of the practice exam questions I did required answers that you could memorise, but the real exam involved more realistic scenarios, where the answer was the one that best fit the scenario. This meant the real exam was considerably tougher than the practice exams I had taken.
You have to sign a non-disclosure agreement before taking the exam, so I'll say no more!
After the exam
You get a provisional result straight after the exam. It felt good having put in the hard work and then passing the exam. One of the best things was simply having people congratulate me and getting recognition for my efforts!
There is a requirement to earn Continuing Professional Education (CPE) credits to maintain the certification. In the case of CSSLP, you need to earn at least 30 CPE credits per year; one credit equates to around an hour of work. That time can take the form of a wide variety of things, such as attending OWASP or (ISC)2 events, listening to security podcasts, reading security magazines or whitepapers, writing a review of a security related book, presentations, further qualifications etc. If you've got this far then you probably enjoy security, so it shouldn't be too onerous!
A useful document for this can be found at https://downloads.isc2.org/certifications/cpe-guidelines.pdf
Security in software is a skill that crosses boundaries: if you work in the creation of software then there's a benefit to knowing more about security. Whether you're a developer, tester, architect, business analyst, or anyone else involved, there's a benefit from increased security knowledge.
I'm looking forward to using, sharing and improving upon the knowledge I've gained. Care to join me?
If you've got any questions on the exam or software security then I'm happy to help!
Edit: I seem to appear in the official (ISC)2 brochure for the CSSLP, page 4. Great!
Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.