CSSLP, anyone?

tedjames
Been away for a while, but now I'm back, baby! I'm considering pursuing the CSSLP certification. Looks like there hasn't been much discussion on this topic.

My functional title is Application Security Engineer, and I've spent the last five years working on a software development team testing web applications (white box), teaching developers about security and getting them to write more secure code (uphill battle), implementing SecDevOps principles, SDLC, etc. I'm wondering if, at this point, I really need to pursue this certification. I plan to stay at this job until I retire in 2026. I'll likely continue my career somewhere else at that point unless my current employer makes it worth my while to stay. I'm not looking at job listings and employer requirements regarding this certification. I don't care if CSSLP is not in a lot of job descriptions. I tend to think more about how the knowledge I would gain might benefit my work. I don't really care about having more letters behind my name, either. I'm really just hoping to add to my knowledge so I can be a more rounded appsec person.

All that said, if you have prepared for and taken this exam, do you feel that what you learned has benefited you more than, say, a couple of cheap Udemy, etc., courses might give you? Was it worth your $600 and all the time you spent studying? Thanks!

Comments

  • JDMurray
    tedjames said:
    I tend to think more about how the knowledge I would gain might benefit my work. I don't really care about having more letters behind my name, either. I'm really just hoping to add to my knowledge so I can be a more rounded appsec person.
    I've had this same thought with regard to pivoting my own career towards AppSec. I never found an opportunity to do so in my work experience. Now with AI being added to all the source code checking tools, I'm wondering if the market for AppSec humans will be narrowing over the next few years.
  • tedjames
    Thanks for the reply. We're starting to use AI-powered DAST and SAST tools. While they are producing results, there are still many false positives that have to be tuned out. Additionally, as with any scanner, a human still has to interpret the results. I try to give the developers only what they need regarding discovered vulnerabilities. I follow that up with manual testing. I don't see AI being able to replicate that kind of work anytime soon (well, not this year, anyway).