Experiences and lessons from holding an ISC2 CSSLP certification
(ISC)² is one of the biggest organizations in education and certifications tailored for cybersecurity professionals. Their Certified Secure Software Lifecycle Professional, aka CSSLP, is their certification for Application Security. According to (ISC)²:
It shows employers and peers you have the advanced technical skills and knowledge necessary for authentication, authorization and auditing throughout the SDLC using best practices, policies and procedures established by the cybersecurity experts at (ISC)².
So, is this description accurate enough? Can the CSSLP help advance your career? Is it meaningful to retain the certification? This is what the current post is all about. If you are looking for tips and tricks on how to pass the exam, there are tons of other posts to help you out. Instead, I want to discuss the usefulness of the CSSLP for my career and everyday work as someone working with AppSec in Sweden.
Why get CSSLP certified?
The reasons vary depending on your current status and your objectives. In my case, being a junior Application Security specialist, I was motivated by a senior member of my team to try going for the CSSLP. My colleague had suggested that the CSSLP can be a good way to “set the foundations” for AppSec and that the preparation could help me kickstart my AppSec career. On top of that, it would show my peers that I hold a respected certification.
Without giving it a second thought I jumped to it despite it not being an official requirement from my employer, but rather a simple suggestion. Looking back at that decision, I can’t say that I regret it.
Getting the certification
During the 7 months I spent studying for the certification, I read two books, solved preparation exams and, of course, passed the certification exam. I used the following two books to study:
- CSSLP Certified Secure Software Lifecycle Professional All-in-One Exam Guide
- Official (ISC)2 Guide to the CSSLP CBK ((ISC)2 Press)
Both books helped me a lot, but I feel that the official guide is a must as it closely follows the structure and nature of the exam. Preparation tests are an absolute must in order to pass the exam. I already had several years of experience in software development and I knew all about the foundations of security.
Being certified, 1-3 years
First of all, being certified boosted my confidence, which was much needed since I was in the initial stages of my career. I don’t feel the same way now, 6 years later, but back then it was definitely something I felt proud of.
Secondly, the CSSLP has helped me a lot with building cybersecurity and AppSec vocabulary, understanding and using the terminology and, therefore, improving my communication skills. I was better able to communicate correctly using AppSec terminology, which was also better received by senior management. I would often find the wrong usage of terms by fellow coworkers frustrating.
Additionally, the CSSLP provided me with sufficient context for AppSec activities, such as fuzz testing, software composition analysis and code reviews. There are of course hundreds of resources to learn the same things outside the scope of the CSSLP, but having all that knowledge in one compact course/book was helpful. Worth noting is also the fact that being CSSLP certified means you understand the basics of risk analysis; knowledge I found myself utilizing time after time to communicate with management, or when being part of a risk analysis workshop.
Moreover, the CSSLP helps you understand the basics of an application security program and how software development is structured: what methods are available for AppSec people to interact with developer teams, how these methods work, at which development phases they apply, and so on.
Maintain the certification
In order to continue being certified you need to earn a certain number of CPEs (Continuing Professional Education credits) within the 3-year certification cycle and also pay the annual fee.
In general, I haven’t found it hard to earn CPEs since there is a range of activities that qualify for CPEs that you will be doing anyhow; for example, attending conferences, reading an AppSec book, and so on.
What I do find very confusing, though, is how these CPEs are grouped into group A and group B CPEs. Long story short, I believe that (ISC)² tries to motivate people to get credits through professional development (group B) as well, in combination with education. But trust me, it gets irritating to see that your submission for CPEs is rejected with a note saying “this type of request does not qualify for group B credits” because of some dropdown you picked wrong. I mean... really... come on, (ISC)².
Motivating myself to pay the annual fee gets harder every year, especially after the realization that my CV outgrows the certificate title. Of course it feels nice to be able to put titles next to your name, but at this point no one will be surprised that I hold the CSSLP.
The verdict
Do I regret it? Definitely not.
Will I keep renewing my certification? I believe so, yes.
The CSSLP has helped me a lot during the initial stages of my career and I would recommend it to those in the early stages of their AppSec career. This doesn’t mean that senior AppSec people should avoid it, but they should expect to learn less in the process of preparing for the exam.
Where I find real value in being (ISC)² certified is being part of a community of security people. I am not satisfied with how well this aspect of the certification is working and I really encourage (ISC)² to promote community activities even more.
If you are in AppSec and you have the time and energy to commit to studying for a few months, then I believe there is something positive to get from the CSSLP. As with any certification, it does not prove you are an expert, nor does it prove the opposite. But it does provide evidence that you strived to improve as a professional by pursuing a well-respected certification and that you continue expanding your AppSec knowledge through education and work experience.