I took the CSSLP exam and ...

ISC2 promotes CSSLP as an application security cluefulness signal. Certification requires taking an exam, professional experience, and peer endorsement. This experience guide might help others through the exam process. Candidates have 240 minutes to answer 175 questions. Domain topics seem germane for AppSec. Simple enough.

First, pick study materials. Amazon reviews (smile.amazon.com) led me to Conklin & Shoemaker's CSSLP Certification All-in-One Exam Guide, 1st Edition. As a baseline, I completed several chapter-end quizzes scoring 60-80% - not enough margin for a $599 exam. Proceeding through all chapters, I fortified retention and final review by building a brief study guide highlighting goals and steps for key artifacts. That one-pass exercise gave a 90%+ chapter quiz average, which seemed safe. The book's 177-item bank on CD introduced new questions and selection types such as "Choose all that apply." Several passes through gave 100% confidence in the material and showed a few clear errors in questions and scoring. The book really needs an errata and discussion site where such observations can be shared. Overall, information quality is good enough. Yet, as a 2013 reference, the book doesn't necessarily reflect the exam's 2017 content. So, I looked for an additional source as insurance.

Despite experience consulting with educational testing firms (not Pearson), I turned to online test banks, taking the 10-15 sample questions each provides. Most displayed error-ridden PDFs, but Skillset promised adaptive questioning to optimize study time. I signed up with my 10% off coupon (reddit). A 250-item simulated exam evaluates your knowledge. Limited time allowed me one pass through to carefully study wrong and right responses, where I encountered new material and item types. The investment was wise (confirmation bias?), but be aware that some items are user contributed. Judge proper CSSLP responses for yourself. I place the site as a secondary reference.

Fair warning. Schedule your exam 3 months out OR opportunistically grab an opening 2-3 days out when/if one becomes available. I opted for a random 8:00 AM opening. The basic routine: show up, empty your pockets, give up biometrics (Suits? No way), and click away. After 125 items, I took a break, ate a breakfast bar, drank water, stretched, and returned refreshed to complete the items and check every one of the 28 questions I marked for reconsideration. I changed three. And because I'm into data, I did a histogram to see if I marked more questions as I got tired...nope - no visual pattern of exhaustion.

Is the CSSLP material valuable? I'd say yes if you are not already familiar with the breadth of our AppSec domain. Consulting definitely already forced me across the breadth. Someone said that CSSLP is AppSec from a manager's perspective and that's correct. Personally, I learned more new information from PMP and Professional Engineer (PE) and that made studying CSSLP much harder - new info and working problems are easier to engage. Surprises? Well...the exam body of knowledge is aging. GDPR, for example, isn't a thing though we know better. You still need to know the old schemes. Did I pass? Yes, thanks. Best of luck!

#informationsecurity #cybersecurity #security #applicationsecurity #csslp #certification #isc2 #infosec

Meera Rao

Vice President of Information Security | Cybersecurity Leader | Innovator | Founder | Advisor | Lifelong Student

6 years

Congrats Rob!

John Hines

Sr. Lab Manager at RTI International-Retired

6 years

Great perspective and I like your style!
