Jan 22, 2016: Passed CSSLP
I just took the CSSLP test today. Before taking it, I searched all over the web to find information on its difficulty level, but I had a hard time finding any. The little I found, I found on this forum. I thought I would share a few observations.
- I wouldn't bother with this certification if you already have the CISSP, unless you must get it for your job (like I did).
- Think like a manager
- Get the CSSLP All in One, study every chapter, do practice questions, and maybe grab another book
- Take the CISSP first (and Security+ before that, to help with that one)
- Make a first pass through the test questions, applying your knowledge of the material, followed by one or two more passes, paying even closer attention to grammar and question structure.
- I have 25+ years of experience as a Software Engineer. I have recently crossed over to Cyber Security Specialist, with a focus on secure coding.
- I was prepared for the question types because I took the CISSP two months ago. The questions are usually pretty vague, with key words like BEST, LEAST, FIRST, FINAL, MOST, etc. Usually, you could whittle away a couple of answers, but the two remaining always seemed to be up for debate or opinion as to which is the BEST, LEAST, etc...
- There were very few straight-forward "fact" questions. Out of 175 questions, I probably marked 150 the first pass! Out of that 150, there were probably 20 that didn't need marking, because I was just being overly cautious.
- Like the CISSP test that I took, it seems like there were three sections that were the sources of most of the questions, with only a sprinkling of questions from the others. Besides the NDA that I signed, the reason I don't mention which those were is because I imagine it is like what I encountered on the CISSP. Another guy from my company made the same observation, but his three sections, where most of his questions came from, were completely different from the three sections that mine came from. I'm sure the CSSLP is the same way.
- The same aphorism applies to the CSSLP as the CISSP: "Think like a manager."
- Like the CISSP, it was worth my time to make a second pass through the questions, analyzing the sentence structure and grammar, key words, and "perspective" of the question (manager / techie, etc).
- The only book I used was All In One CSSLP Exam Guide. I read and highlighted each chapter, pretty much in order, and did the practice questions after each chapter. I made a second pass through every chapter, doing the questions at the end again. I also took ONE practice exam with the software that came with the book, rather than both. I found the software to be terribly confusing, with such bugs as "choose all that apply", but only allowing you to select one option, then counting it wrong! The practice questions were confusing, but less so than the actual test questions. However, I found MOST of the chapters to be clear and concise, except the last three, which looked like they were written by a government bureaucrat! (Secure Software Installation and Deployment, Secure Software Operations and Maintenance, and Supply Chain and Software Acquisition.) I still think the book is worth getting, but you might want to supplement it with another one.
- One more caveat... I'm pretty good at taking multiple-choice tests.