New (ISC)2 Certification (CSSLP)

JDMurray Admin Posts: 13,039
I just received notice of a new (ISC)2 certification for secure software development practices and expertise. I assume an "assessment" is the exam beta. I think I know what I'll be doing immediately after the CISSP.
Dear Valued Member,

I am pleased to inform you that (ISC)2 launched a brand new certification program designed to validate secure software development
practices and expertise and address the increasing number of application vulnerabilities. The need for education and certification
in this area has become an overwhelming global concern in the industry and as a certifying body and proponent of continuing
professional education we were presented the opportunity to provide a solution to address the issue.

The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting
from insufficient development processes by establishing best practices and validating an individual's competency in addressing
security issues throughout the software lifecycle (SLC). It takes a holistic approach to software security. Code-language neutral,
it will be applicable to anyone involved in the SLC, including analysts, developers, software engineers, software architects,
project managers, software quality assurance testers and programmers. CSSLP is the only certification in the industry that ensures
that security is considered throughout the entire software lifecycle.

Subject areas covered by the CSSLP include the software lifecycle, vulnerabilities, risk, information security fundamentals and
compliance. Candidates must demonstrate four years of professional experience in the SLC process or three years experience and a
bachelor's degree (or regional equivalent) in an IT discipline.

The seven domains of the CSSLP CBK are:

Secure Software Concepts
Secure Software Requirements
Secure Software Design
Secure Software Implementation/Coding
Software Acceptance
Software Deployment, Operations, Maintenance and Disposal

Currently, (ISC)2 is seeking qualified professionals who meet experience and other requirements to participate in the assessment.
For more information and to register for the Open CSSLP Experience Assessment, visit www.isc2.org/csslp. You could become one of the
first CSSLP holders and be asked to contribute to the exam development process and assist in other program development tasks.

Applications for the CSSLP Open Experience Assessment will be accepted from September 25, 2008 (EST) through March 31, 2009, with
the first education seminars slated for Q2 2009 and first exam administration June 2009.

A wide range of respected organizations have expressed their support for the CSSLP, including: Microsoft, Symantec, DSCI (NASSCOM),
SANS, SRS International, Software Assurance Forum for Excellence in Code (SAFECode), Cisco, Xerox, SAIC, ISSA, and Frost & Sullivan.


Executive Director (ISC)2


    dynamik Banned Posts: 12,312
    Wow, that seems to be right up your alley. Good luck with that.
    JDMurray Admin Posts: 13,039
    I've already sent away for the CSSLP information and I'll post more details as I get them. There is an "Associate" version of this cert and the "assessment" exam is $650US. The first exams won't be administered until June 2009, so there's time to study-up. The marketing brochure is available online.
    shednik Member Posts: 2,005
    I think they came out with that cert just for you JD! :D
    JDMurray Admin Posts: 13,039
    I should point out that there are already several secure software development certifications from organizations like SANS, IEEE, and ISSECO. So if anyone is interested in software security certs there's no reason to wait for the CSSLP to be released.
    JDMurray Admin Posts: 13,039
    I've been looking into the CSSLP a little further and it appears that from September 30, 2008 to March 31, 2009 a CSSLP Experience Assessment is available for qualified people to obtain the CSSLP certification without actually taking the exam. The required steps of the assessment are:
      1. Complete the application form
      2. Agree to the (ISC)2 Code of Ethics
      3. Submit your resume showing four years of security-related software development experience (three years if you have a college degree)
      4. Write and submit four 500-word English-only essays explaining your experience in four of the seven domains of the CSSLP CBK
      5. Obtain an endorsement from a member of the (ISC)2 (CISSP, SSCP, etc.)
      6. Pay $650
      7. Pass the vetting and background check
    If you don't pass the assessment you will still be able to take the CSSLP exam (at no additional cost) when it becomes available in June 2009.

    Although this sounds like a great opportunity for people with software engineering experience to grab a cert from a respected vendor without actually taking the exam, there are already negative views being blogged about this "opportunity" devaluing the cert before it is released. Because passing a difficult exam is part of the worth of a certification, I tend to agree.
    dynamik Banned Posts: 12,312
    JDMurray wrote:
    I tend to agree.

    I'm with you; that seems like a pretty weak way to earn a certification.
    the_Grinch Member Posts: 4,165
    They tend to do this "get the cert through experience" to get it widely accepted. As long as there is a screening process I don't feel it devalues a cert. Especially when it's the ISC2, very well respected and screened. I have a professor who helped develop the CISSP exam. He put it to me this way: his father was a safety inspector in California for over twenty years and one day he gets this letter in the mail. The letter explained that this company was developing a cert and that they wanted to give it to him based on the experience he already had. My professor said no, figuring what was the point? Well, in the end this cert happened to become the standard for safety inspectors and was pretty much a requirement a few years later. So when my professor was offered the CISSP and a chance to develop it he jumped at the chance.
    JDMurray Admin Posts: 13,039
    Yes, but the CSSLP assessment isn't a recruitment for people to help develop the CSSLP cert. It's not even a call for CSSLP exam beta testers. Instead, it looks like a way to quickly pump up the number of CSSLP cert holders and get a lot of cash into the (ISC)2 coffers. It really depends on how rigorous the assessment vetting is. I would really like to know what the rejection rate ends up being.
    dynamik Banned Posts: 12,312
    Also, I don't care how much you know, but you will always learn something new while studying for an exam. Just because someone has years of experience doesn't mean they've mastered all the material that the exam encompasses. Processes like this could allow people with some large gaps of knowledge slip through the cracks, and that will devalue the certification overall. It's like JD said though, it depends on the quality of the process.
    robertguess Member Posts: 18
    Ok deleted sorry about that JD. I have a new question. Congrats on your pass for the SSCP and thank you for the blog. I will read that soon:) You are currently studying your CISSP?

    I recently spoke to someone in the field he holds multiple certifications and experience. He said the CISSP was the hardest exam he has faced. How are you going about your CISSP? He did suggest a book I will look up.
    JDMurray Admin Posts: 13,039
    robertguess, I think you need to delete your post and make it a new post in the Off-Topic forum. You'll get a better response that way.