
Getting certified in CSSLP

According to (ISC)², the CSSLP is ideal for software development and security professionals responsible for applying best practices to each phase of the SDLC. I have been working in software development for years, and as a security professional for the last few years, but I never got the CSSLP certification. Now it was time to start, since I had the opportunity to follow a training in CSSLP (Certified Secure Software Lifecycle Professional).

Certified Secure Software Lifecycle Professional (CSSLP)

At a security consultancy company I was able to follow a CSSLP training of 10 days spread over 10 weeks. I really liked this. It covers the various people, process and technology elements of developing software securely throughout the lifecycle of a software development project. The CSSLP includes all of the ideas and principles needed to build secure software, from requirements analysis to implementation, release and operations. The CSSLP certification is vendor-agnostic and language-agnostic. The objective of the certification is to provide a credential that speaks to the individual's ability to contribute to the delivery of secure software through the use of best practices.

The exam outline

The exam consists of 125 multiple-choice questions and you have 3 hours to finish it. The exam will be taken in English by most people. To pass the exam you need to score 700 points out of 1000. If I interpret it correctly, the questions are divided over the 8 domains, so you have to get a total of 700 points out of 1000. This gives me the impression that this is different from CISSP. At CISSP you have to get all domains 70% correct. This may be due to the computer adaptive test (CAT) variant.

[Table: CSSLP domains and their percentage of the examination]

Similar to CISSP, there are 8 domains to learn for CSSLP. The weighting of the domains gives an impression of which ones you will get many questions on and where you may have to spend more time studying. On the other hand, a strategy could also be to learn only the material you don't master well, which might save some time. I'm still not sure what the best study strategy is. The 8 domains speak for themselves when you see them.

CSSLP training and study material

When I signed up for the course, I already understood that the sessions would be online only (virtual) and in English. This was because there were few teachers available for CSSLP during that time slot. The training could be followed online for five days. For myself, I decided to pay close attention during the course, because I often find online training more difficult than in-class training.

We started the training with an introduction to why security is important when developing software. Our teacher took the time to lay the foundations well so that we had the basic knowledge to go through the domains.

The domains were discussed sequentially, and at the end of each domain we answered a number of practice questions. I found that I had good knowledge of CISSP and that this came in handy in addition to my work experience in software development. While doing assignments and practice questions, I got the impression that my knowledge was sufficient to take the exam. But in order to pass the exam, I decided to schedule some time anyway to work through the questions from the books, look up the gaps in my knowledge that answering them revealed, and then learn those topics.

Books

After three days of training, I received my first book for CSSLP, the book that we used to follow the training online.

Book 1: Official (ISC)2 Guide to the CSSLP CBK ((ISC)2 Press) 2nd Edition

Book 2: CSSLP Certification All-in-One Exam Guide, Second Edition 2nd Edition

Book 3: Essential CSSLP Exam Guide: Updated for the 2nd Edition

In contrast to the CISSP CBK book, I found Book 1 (CSSLP CBK) more clearly written. So, unlike the CISSP CBK book, I have opened this book more often to look things up and read. It is fair to mention that book 1 and book 2 are already somewhat outdated. In some cases this is clearly visible in techniques that are (hopefully) no longer used, such as Adobe Flash. I used book 3 the least myself; although its subjects are clearly explained, I chose to use the other two books more. This was my preference because there were no practice questions in this last book.

Flashcards

When studying for my CISSP exam I used the Official (ISC)² CISSP Flash Cards. With this in mind, I also added the Official (ISC)² CSSLP Flash Cards to my study material for CSSLP. Members can order the flashcards free of charge from (ISC)² on their website. I used the flashcards when I was waiting somewhere or when I was on my way somewhere by public transport. The advantage of flashcards is that they are quick to use and can be used practically anywhere. Of course, this alone is not enough to pass the exam, but every little bit helps.

Practice exams

A number of practice exams can be found on the internet. Many of these questions have nothing to do with the actual exam. In my opinion, these questions on the internet do not resemble the questions of the exam. This is because the questions cover topics that aren't even offered in CSSLP's course materials. My advice is therefore to only use the questions that come from the CSSLP books. To be able to practise the questions, I entered them myself in Hot Potatoes and exported them to an HTM file. This way I could practise the questions on the computer.

The exam

On Monday morning, November 22, 2021, I had scheduled the exam at 09:30 at Pearson Vue. I had scheduled the exam so early so that I could start the exam as fit as possible. I arrived a little before 09:00 by public transport. After a short identity check, it was time to start the exam.

When the exam starts you have five minutes to agree to the terms and conditions. If you do not do this, you will not be able to continue and obtain the certificate. After agreeing to the conditions, it was really time to start the exam. On the screen I saw that 125 questions had to be answered. The clock was counting down from 180 minutes. Enough time to answer the questions.

After 60 minutes I had answered just over 50 questions. Enough time left to answer the rest of the questions. I kept going from one question to the next. Sometimes I knew the answer right away, and other times I had to read the question three times before I could answer it. Time ticked by and I felt I was not there yet. By now I was at around question 90 and I was thinking about counting down to the last question. Although the time was ticking, I had plenty of time to finish my questions. Every now and then I would get a question that I really didn't know the answer to, and then I would try to interpret the question by parsing it word for word. The questions passed by as time went on, and suddenly I had answered the last question and had already clicked on. A notification on my screen said that I had finished the exam and could walk to the reception.

At the reception I was greeted kindly, and the receptionist asked if I had passed the exam. I had to answer that I didn't know, and that's when I heard the printer. She took the paper out of the printer and said: this is a good Monday for you, congratulations, you passed.

This post is licensed under CC BY 4.0 by the author.