Get to Know the CSSLP

• Why Become a CSSLP Why Become a CSSLP

  Here are just a few reasons to earn your CSSLP certification:

  • Instant credibility. The CSSLP proves you’re a subject matter expert in application security. It shows you have desirable skills for employers around the world, giving you more opportunities.
  • Increased compensation. While pay practices vary by employer, many CSSLPs find that this software security certification can lead to pay gains and “skill premiums.”
  • Relevant, new knowledge. Earning the CSSLP is a great way to expand your security knowledge, in addition to affirming your expertise. It offers continuing education, so you can keep your skills current and relevant.
  • Versatile skills. The CSSLP isn’t product specific, so you can easily apply your skills to different technologies and methodologies.
  • A broader perspective. As a CSSLP, you have a holistic understanding of best practices, policies and procedures throughout the software development life cycle. And you have the skills to advise others on how to build secure software. This expertise can set you up for new jobs and opportunities.
  • Better protect your organization. You make software safer. You make the world safer. Simple as that. As a CSSLP, you have the power to protect your organization — and all the people counting on it to keep their sensitive data safe.
    
    

  What the Industry Is Saying About the CSSLP

  • Ranked #4 on the Certification Salary Survey 75 list with an annual salary of USD$143,150 in 2016 — Certification Magazine
  • Named one of the 8 Most In-Demand IT Security Certifications — CIO
  • Ranked #1 out of 20 Technology Certification That Are Paying Off in higher compensation — Foote Partners, ZDNet.com

  ANSI-Accredited
  The CSSLP certification is accredited by the American National Standards Institute (ANSI). This means it complies with the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 17024 Standards. Why is accreditation important when choosing a certification program? Visit the Institute for Credentialing Excellence website for details.

   
• Should You Pursue the CSSLP? Should You Pursue the CSSLP?

  When it comes to software security certifications, we know you have choices. The CSSLP is the right choice for you if you:

  • Are involved in any phase of the software development lifecycle (SDLC), and you’re responsible for application security practices.
  • Want to show initiative. You’re always looking for new ways to challenge yourself and create safer applications from desktop to cloud.
  • Want to stay on top of your craft. You need to stay current, so you can conquer new application vulnerabilities.
  • Would like to be seen as the subject matter expert on security vulnerabilities — such as with application stacks, single sign-on initiatives or webhook integrations.
  • Want to ensure that security is not an after-thought in software development.
  • Need to better engage your key stakeholders throughout application development.
  • Want to do your best to protect your organization and keep sensitive data safe.

  The CSSLP is ideal for those working in roles such as:

  • Software Architect
  • Software Engineer
  • Software Developer
  • Application Security Specialist
  • Software Program Manager
  • Quality Assurance Tester
  • Penetration Tester
  • Software Procurement Analyst
  • Project Manager
  • Security Manager
  • IT Director/Manager
• Mastering the Domains on the Exam Mastering the Domains on the Exam

  The CSSLP exam tests your skills in eight domains. Think of the domains as specific knowledge areas you need to know based on your experience and education.
  

  The domains draw from a range of software security topics within the (ISC)² Common Body of Knowledge (CBK). The CBK contains the largest and most complete collection of best practices, policies and procedures to ensure a security initiative across all the SDLC, regardless of methodology. 

  Here’s a closer look at the CSSLP domains and how they’re weighted on the exam:

  Domains	Weight
  1. Secure Software Concepts	13%
  2. Secure Software Requirements	14%
  3. Secure Software Design	16%
  4. Secure Software Implementation/Programming	16%
  5. Secure Software Testing	14%
  6. Software Lifecycle Management	10%
  7. Software Deployment, Operations and Maintenance	9%
  8. Supply Chain and Software Acquisition	8%
  Total	100%

  Secure Software Concepts

  • Core concepts
  • Security design principles

  Secure Software Requirements

  • Identify security requirements
  • Interpret data classification requirements
  • Identify privacy requirements
  • Develop misuse and abuse cases
  • Include security in software requirement specifications
  • Develop security requirement traceability matrix

  Secure Software Design

  • Perform threat modeling
  • Define the security architecture
  • Perform secure interface design
  • Perform architectural risk assessment
  • Model (non-functional) security properties and constraints
  • Model and classify data
  • Evaluate and select reusable secure design
  • Perform design security review
  • Design secure assembly architecture for component-based systems
  • Use security enhancing architecture and design tools
  • Use secure design principles and patterns

  Secure Software Implementation/Programming

  • Follow secure coding practices
  • Analyze code for security vulnerabilities
  • Implement security controls
  • Fix security vulnerabilities
  • Look for malicious code
  • Securely reuse third party code or libraries
  • Securely integrate components
  • Apply security during the build process
  • Debug security errors

  Secure Software Testing

  • Develop security test cases
  • Develop security testing strategy and plan
  • Identify undocumented functionality
  • Interpret security implications of test results
  • Classify and track security errors
  • Secure test data
  • Develop or obtain security test data
  • Perform verification and validation testing (e.g., IV&V)

  Software Lifecycle Management

  • Secure configuration and version control
  • Establish security milestones
  • Choose a secure software methodology
  • Identify security standards and frameworks
  • Create security documentation
  • Develop security metrics
  • Decommission software
  • Report security status
  • Support governance, risk and compliance (GRC)

  Software Deployment, Operations and Maintenance

  • Perform implementation risk analysis
  • Release software securely
  • Securely store and manage security data
  • Ensure secure installation
  • Perform post-deployment security testing
  • Obtain security approval to operate
  • Perform security monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics)
  • Support incident response
  • Support patch and vulnerability management
  • Support continuity of operations

  Supply Chain and Software Acquisition

  • Analyze security of third party software
  • Verify pedigree and provenance
  • Provide security support to the acquisition process

  Get your free exam outline.
• Getting CSSLP Training That’s Right for You Getting CSSLP Training That’s Right for You

  Prepare for your CSSLP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CSSLP CBK!
  
  Simply choose the best training format for your schedule, needs and learning style.

  • In-Person Training Seminars
  • Online Training Seminars

  

  Classroom-Based Training

  • Ideal for hands-on learners. We offer the most thorough review of the CSSLP CBK, industry concepts and best practices.
  • Five-day training events delivered in a classroom setting. Eight hours a day.
  • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
  • Led by authorized instructors.

  Get details on Classroom-Based Training.

  ---

  

  Private On-Site Training

  • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
  • Tailored to your team’s schedule, budget and certification requirements.
  • Conveniently taught in your office space or a local venue.
  • Led by authorized instructors

  Get details on Private On-Site Training.

  

  Instructor-Led Training

  • Participate from the convenience of your computer. This saves you travel time and expense.
  • Weekday, weekend and evening options to fit your needs.
  • Comprehensive review of the CBK, so you’re ready for this cybersecurity certification.
  • Delivered in a variety of schedules with weekday, weekend, and evening options to suit your needs.
  • Access to recordings of all course sessions for 60 days.
  • Led by authorized instructors.


  Get details on Instructor-Led Seminars. >

  ---

  CSSLP Training Course Overview

  Our training helps you fully prepare for this software security certification. You will:

  • Review and refresh your information security knowledge (including information security concepts and industry best practices).
  • Identify areas you need to study for the CSSLP exam.

  You can expect an in-depth review of the eight domains of the CSSLP CBK — including discussion of industry best practices and timely software security concepts.
  
  (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.
  
  Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

  Self-Study Tools

  In addition to training, we offer resources to help you with self-study. Our resources include the: 

  • CAP CBK Guide Official (ISC)² Guide to the CSSLP CBK Textbook
    
  • CAP Exam Outline Exam Outline
  • CAP Flashcards Interactive Flashcards
• Taking Your CSSLP Exam Taking Your CSSLP Exam

  Length of exam	Up to 4 Hours
  Number of questions	175 Questions
  Question format	Multiple Choice
  Passing grade	A passing score is 700 out of 1000 points
  Exam Languages	English
  Testing Center	Pearson Vue Testing Center

   

  Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

• Maintaining or Regaining CSSLP Certification Maintaining or Regaining CSSLP Certification

  Maintaining or Regaining Your CSSLP Certification

  Once you’ve earned this software security certification, you become a member of (ISC)². You enter one of the largest communities of information security professionals in the world. You gain access to unparalleled global resources and networking.

  Quite simply, you have endless opportunities to grow and refine your craft.

  But certification is a privilege that must be earned and maintained.

  To remain in good standing with your CSSLP, you need to:

  • Abide by the (ISC)² Code of Ethics.
  • Earn and post Continuing Professional Education (CPE) credits.
  • Pay your Annual Maintenance Fee (AMF).

  Here’s a closer look at each.

  Abiding by the (ISC)² Code of Ethics
  You agree to fully support and follow the (ISC)² Code of Ethics.

  Earning and Posting CPE Credits
  Software security is constantly changing. (You know this well!) You need to earn CPE hours to stay well-rounded and keep up your expertise.
  
  For the CSSLP, you need to earn and post a minimum of 30 CPE credits per year. You need to do so before your certification annual anniversary date.

  CPEs may sound like a big task. However, (ISC)² makes it easy for you to earn your CPE credits on a regular basis.

  We offer access to:

  • Live educational events around the world.
  • Online seminars that can be taken in the comfort of your home or office. They’re available exclusively to (ISC)² members.
  • And many more learning opportunities.

  Paying Annual Maintenance Fees (AMFs)
  Once you earn this software security certification, you must pay USD$100 each year of your three-year certification cycle. Your payment is due before your certification or recertification annual anniversary date.

  Your payments help ensure that (ISC)² has the financial resources to:

  • Be a functional, dynamic entity for leading information security professionals (like you) far into the future.
  • Develop more CPE opportunities.
  • Continue to meet the certification needs and requirements of information security professionals.
  • Maintain member records.

  How to Regain Membership if Your CSSLP Ceases
  If you wish to regain membership, you’ll need to:

  • Pay any outstanding AMF payments. (This needs to take place before you sit for the exam.)
  • Retake and pass the exam to become certified again.
  • Contact Member Services to reactivate your certification after you pass the exam.

  Do you have questions about maintaining your CSSLP certification? Ask Member Services.