Last week I passed the Certified Secure Software Lifecycle Professional (CSSLP) certification exam. It was quite an experience, from preparation all the way through to taking the exam at the test center.

I thought I would share my experience here to help others who are aspiring to take this exam or learn about secure software development practices.

The first question people ask is: is this exam hard? My answer to this question is yes and no. I have seen some pass rate numbers for this exam. They vary between 53% and 70%.

I tell others that if you have been following minimum secure development practices in your career, then you will not find it difficult to pass this exam. The questions in the exam are common sense questions with a few curve balls that require knowledge of some jargon and acronyms like CVE, CWE, OWASP, etc. If I were not bound by the NDA, I could provide a sample question.

If you are taking the exam without some background in security, there can be a learning curve. But the curve is not so steep that you cannot overcome it with some studying.

So how did I prepare for this exam? First things first, go to the (ISC)² website to get preliminary information about what topics are covered in the exam. Next, find out the exam details: how many questions will be asked, what the duration of the exam is, and what the passing criteria are. I will mention that information here as well. There will be 125 questions that you will be required to answer in 180 minutes. You will need to score 700 points out of 1000. This seems to be the standard format for most certification exams.

One thing that caught me by surprise at the end of the exam was that you cannot go back to review any answers. I think it was mentioned on the (ISC)² website and I did not pay attention to it. As soon as you provide the answer to question number 125, you are done. The terminal will ask you to conclude the exam. There is one piece of advice I will give to everybody: do not rush into answering questions. Take your time before moving on to the next question. A time of 180 minutes is more than sufficient to answer 125 questions. Again, YOU CANNOT GO BACK.

Now, what study materials can you use to prepare for this exam? You have three options. One, join an instructor-led training course. Unless your company is paying for it, it can be pricey. Second, you can join a self-paced training course. These are not as expensive as instructor-led courses. Still, they are not cheap. Third, use study guides and books.

How did I prepare? I bought the Official (ISC)² Guide to the CSSLP, Second Edition. I also bought the CSSLP Certified Secure Software Lifecycle Professional All-in-One Exam Guide, Third Edition. The official guide is about 800 pages and the All-in-One Exam Guide is about 400 pages. I recommend these two books; do the sample quizzes at the end of each chapter. I did one more thing. LinkedIn Learning has online courses on CSSLP. I watched videos on all 8 sections of this exam. The best part about these videos is that you can listen to them while you are driving. The LinkedIn videos served as an alternative to instructor-led training.

I did what I did during my college days. I read one chapter from both books, tried the quiz at the end of the chapter, and then watched the video for that section. I also tried something new: using generative AI to help me through some of the sections. No, I did not use ChatGPT. I used Google's Search Labs. I have a reason for using Search Labs. A chapter will reference some external specifications and regulations, so I would ask Search Labs to talk about them. Its answers would intelligently lead me to more questions and answers. I found it very helpful. You may have your own way of using AI, but this is what I did. I do not want to start any argument about which is better, ChatGPT or Google.

Another question that people ask is how long it takes to prepare for and pass this exam. This is one question that I cannot answer for you. A lot will depend on your experience and the time you have to study. If you want to know how long it took me, send me a message and I will answer in private.

One thing I can attest to is that you will learn a lot of new things while preparing for this exam. Even if you do not take the exam, all software developers should take the time to read through the material for this exam. It will be worth it.

If you have any questions about this exam or need any help, feel free to message me. I will be more than happy to help you.
