Jan 22, 2016: Passed CSSLP
I just took the CSSLP test today. Before taking it, I searched all over the web to find information on its difficulty level, but I had a hard time finding any. The little I found, I found on this forum. I thought I would share a few observations.
- I wouldn't bother with this certification if you already have the CISSP, unless you must get it for your job (like I did).
- Think like a manager
- Get the CSSLP All in One, study every chapter, do practice questions, and maybe grab another book
- Take the CISSP first (and Security+ before that, to help with that one)
- Make a first pass through the test questions, applying your knowledge of the material, followed by one or two more passes, paying even closer attention to grammar and question structure.
- I have 25+ years of experience as a Software Engineer. I recently crossed over to Cyber Security Specialist, with a focus on secure coding.
- I was prepared for the question types because I took the CISSP two months ago. The questions are usually pretty vague, with key words like BEST, LEAST, FIRST, FINAL, MOST, etc. Usually, you could whittle away a couple of answers, but the two remaining always seemed to be up for debate or opinion as to which is the BEST, LEAST, etc...
- There were very few straight-forward "fact" questions. Out of 175 questions, I probably marked 150 the first pass! Out of that 150, there were probably 20 that didn't need marking, because I was just being overly cautious.
- Like the CISSP test that I took, it seems like there were three sections that were the sources of most of the questions, with only a sprinkling of questions from the others. Besides the NDA that I signed, the reason I don't mention which those were is because I imagine it is like what I encountered on the CISSP. Another guy from my company made the same observation, but the three sections where most of his questions came from were completely different from the three sections that mine came from. I'm sure the CSSLP is the same way.
- The same aphorism applies to the CSSLP as the CISSP: "Think like a manager."
- Like the CISSP, it was worth my time to make a second pass through the questions, analyzing the sentence structure and grammar, key words, and "perspective" of the question (manager / techie, etc).
- The only book I used was the All In One CSSLP Exam Guide. I read and highlighted each chapter, pretty much in order, and did the practice questions after each chapter. I made a second pass through every chapter, doing the questions at the end again. I also took ONE practice exam with the software that came with the book, rather than both. I found the software to be terribly confusing, with such bugs as "choose all that apply", but only allowing you to select one option, then counting it wrong! The practice questions were confusing, but less so than the actual test questions. However, I found MOST of the chapters to be clear and concise, except the last three, which looked like they were written by a government bureaucrat! (Secure Software Installation and Deployment, Secure Software Operations and Maintenance, and Supply Chain and Software Acquisition). I still think the book is worth getting, but you might want to supplement it with another one.
- One more caveat... I'm pretty good at taking multiple-choice tests.
The CSSLP seems to be the only certification around for SDLC. Like you mention, it is a management exam that focuses on process. If you are looking for one that is more technical and covers secure coding practices, you can check out GIAC GSSP or possibly EC Council's ECSP.
Agree with you on the AIO, especially on the last 3 chapters. I find the CSSLP Official Guide an easy read and a good supplement to the AIO. Mano illustrates concepts by providing .NET examples. You can buy it at 50% off using an ISC2 promo code.
So what's next after CISSP and CSSLP?
Also, do we get drag & drop, hot spot and scenario-based questions like in the CISSP, apart from multiple choice? Planning to take the exam in the first week of Feb. Your inputs will be helpful.
The CSSLP exam is similar to the CISSP you took, but with fewer questions. Revealing more details will likely violate NDA conditions.
I had no drag and drop questions. There was not a lot of rote memorization. Most questions were about applying concepts. I think there were about three of the eight domains that had the vast majority of questions. I am not saying which those were, because I believe it is irrelevant. So far, what I've seen on the CISSP as well is that it will often be the same way, with a different three or four domains emphasized on different tests. I don't know if the questions are equally weighted, but I think not, because that is what I recall reading about the CISSP as well... that questions have different weights.
You need to focus on the wording of the questions, looking for key words, and if in doubt, ask yourself "how would a manager answer this question?" (especially ones with words like most, least, first, final, etc.).
I am reading through the AIO but would really like to have a structured course and the boot camps are more than I'd like to pay.