
Certified Secure Software Lifecycle Professional (CSSLP)

 

Rise to the Challenge of Making Applications Safer

PLEASE NOTE: Effective July 1, 2017, the CSSLP exam is based on a new exam outline. Please refer to the CSSLP Exam Outline for details. 

Too often there’s a “patch approach” to keeping software and applications safe — but not on your watch. You make sure security isn’t an after-thought.

Prove you’re an expert with the CSSLP: a global software security certification that recognizes those who have leading application security skills.

As a CSSLP, you have an internationally-recognized ability to incorporate security practices — authentication, authorization and auditing — into each phase of the software development lifecycle (SDLC). The CSSLP shows you can:

  • Develop an application security program in your organization.
  • Reduce production costs, source code vulnerabilities and delivery delays.
  • Enhance the credibility of your organization and your team.
  • Reduce losses due to insecure software breaches.

Make a difference in your career starting today. Get your CSSLP.

Steps to Certification


Step 1: Get the Needed Experience

To qualify for the CSSLP, you must have:

  • A minimum of four years of cumulative, paid, full-time Software Development Lifecycle (SDLC) professional experience in one or more of the eight domains of the CSSLP Common Body of Knowledge (CBK)

Earning a four-year college degree or regional equivalent will waive one year of the required experience. Only a one-year exemption is granted for education.

Don’t have the required work experience yet? You can take and pass the CSSLP exam to earn an Associate of (ISC)² designation. Then, you’ll have up to five years to earn your required work experience for the CSSLP.

Step 2: Create an Account at Pearson VUE and Schedule Your Exam

To schedule an exam, you must create an account at Pearson VUE.

Pearson VUE is the leading provider of global, computer-based testing for certification and licensure exams. You can find details on testing locations, policies, accommodations and more on their website.

Once you’ve set up your account and are ready to register, you’ll need to:

Step 3: Pass the Exam

This is the day to show your greatness! You’ll have four hours to complete the 175 exam questions.

You must pass the exam with a scaled score of 700 points or greater.

Want more details? Read our exam scoring FAQs.

Step 4: Subscribe to the (ISC)² Code of Ethics and Get Endorsed

Let’s say you pass the exam. Then what?

Before this software security certification can be awarded, you have to:

  • Subscribe to the (ISC)² Code of Ethics.
  • Have your application endorsed.

Your endorsement form must be completed and signed by an (ISC)² certified professional. He or she needs to be an active member who can confirm your professional experience.

(ISC)² can endorse you if you can’t find a certified individual.

You have nine months from the date of the exam to complete these steps. If you don’t, you have to retake the exam to get certified.

Want to learn more? Read our endorsement assistance guidelines.

Get to Know the CSSLP

  • Why Become a CSSLP

    Here are just a few reasons to earn your CSSLP certification:

    • Instant credibility. The CSSLP proves you’re a subject matter expert in application security. It shows you have desirable skills for employers around the world, giving you more opportunities.
    • Increased compensation. While pay practices vary by employer, many CSSLPs find that this software security certification can lead to pay gains and “skill premiums.”
    • Relevant, new knowledge. Earning the CSSLP is a great way to expand your security knowledge, in addition to affirming your expertise. It offers continuing education, so you can keep your skills current and relevant.
    • Versatile skills. The CSSLP isn’t product specific, so you can easily apply your skills to different technologies and methodologies.
    • A broader perspective. As a CSSLP, you have a holistic understanding of best practices, policies and procedures throughout the software development life cycle. And you have the skills to advise others on how to build secure software. This expertise can set you up for new jobs and opportunities.
    • Better protect your organization. You make software safer. You make the world safer. Simple as that. As a CSSLP, you have the power to protect your organization — and all the people counting on it to keep their sensitive data safe.

    Wondering whether this designation makes sense for you? Talk to a certification consultant.

    ANSI-Accredited
    The CSSLP certification is accredited by the American National Standards Institute (ANSI). This means it complies with the ISO/IEC 17024 standard of the International Organization for Standardization and the International Electrotechnical Commission. Why is accreditation important when choosing a certification program? Visit the Institute for Credentialing Excellence website for details.

  • Should You Pursue the CSSLP?

    When it comes to software security certifications, we know you have choices. The CSSLP is the right choice for you if you:

    • Are involved in any phase of the software development lifecycle (SDLC), and you’re responsible for application security practices.
    • Want to show initiative. You’re always looking for new ways to challenge yourself and create safer applications from desktop to cloud.
    • Want to stay on top of your craft. You need to stay current, so you can conquer new application vulnerabilities.
    • Would like to be seen as the subject matter expert on security vulnerabilities, such as those in application stacks, single sign-on initiatives or webhook integrations.
    • Want to ensure that security is not an after-thought in software development.
    • Need to better engage your key stakeholders throughout application development.
    • Want to do your best to protect your organization and keep sensitive data safe.

    The CSSLP is ideal for those working in roles such as:

    • Software Architect
    • Software Engineer
    • Software Developer
    • Application Security Specialist
    • Software Program Manager
    • Quality Assurance Tester
    • Penetration Tester
    • Software Procurement Analyst
    • Project Manager
    • Security Manager
    • IT Director/Manager

  • Mastering the Domains on the Exam

    The CSSLP exam tests your skills in eight domains. Think of the domains as specific knowledge areas you need to know based on your experience and education.

    The domains draw from a range of software security topics within the (ISC)² Common Body of Knowledge (CBK). The CBK contains the largest and most complete collection of best practices, policies and procedures for building security into every phase of the SDLC, regardless of methodology.

    Here’s a closer look at the CSSLP domains and how they’re weighted on the exam:

    Domain                                               Weight
    1. Secure Software Concepts                          13%
    2. Secure Software Requirements                      14%
    3. Secure Software Design                            16%
    4. Secure Software Implementation/Programming        16%
    5. Secure Software Testing                           14%
    6. Software Lifecycle Management                     10%
    7. Software Deployment, Operations and Maintenance    9%
    8. Supply Chain and Software Acquisition              8%
    Total                                               100%

    Secure Software Concepts

    • Core concepts
    • Security design principles

    Secure Software Requirements

    • Identify security requirements
    • Interpret data classification requirements
    • Identify privacy requirements
    • Develop misuse and abuse cases
    • Include security in software requirement specifications
    • Develop security requirement traceability matrix

    Secure Software Design

    • Perform threat modeling
    • Define the security architecture
    • Perform secure interface design
    • Perform architectural risk assessment
    • Model (non-functional) security properties and constraints
    • Model and classify data
    • Evaluate and select reusable secure design
    • Perform design security review
    • Design secure assembly architecture for component-based systems
    • Use security enhancing architecture and design tools
    • Use secure design principles and patterns

    Secure Software Implementation/Programming

    • Follow secure coding practices
    • Analyze code for security vulnerabilities
    • Implement security controls
    • Fix security vulnerabilities
    • Look for malicious code
    • Securely reuse third party code or libraries
    • Securely integrate components
    • Apply security during the build process
    • Debug security errors

    Secure Software Testing

    • Develop security test cases
    • Develop security testing strategy and plan
    • Identify undocumented functionality
    • Interpret security implications of test results
    • Classify and track security errors
    • Secure test data
    • Develop or obtain security test data
    • Perform verification and validation testing (e.g., IV&V)

    Software Lifecycle Management

    • Secure configuration and version control
    • Establish security milestones
    • Choose a secure software methodology
    • Identify security standards and frameworks
    • Create security documentation
    • Develop security metrics
    • Decommission software
    • Report security status
    • Support governance, risk and compliance (GRC)

    Software Deployment, Operations and Maintenance

    • Perform implementation risk analysis
    • Release software securely
    • Securely store and manage security data
    • Ensure secure installation
    • Perform post-deployment security testing
    • Obtain security approval to operate
    • Perform security monitoring (e.g., managing error logs, audits, meeting SLAs, CIA metrics)
    • Support incident response
    • Support patch and vulnerability management
    • Support continuity of operations

    Supply Chain and Software Acquisition

    • Analyze security of third party software
    • Verify pedigree and provenance
    • Provide security support to the acquisition process

  • Getting CSSLP Training That’s Right for You

    Prepare for your CSSLP exam through a combination of training courses and individual study. And learn from (ISC)² — the creator of the CSSLP CBK!

    Simply choose the best training format for your schedule, needs and learning style.


    Classroom-Based Training

    • Ideal for hands-on learners. We offer the most thorough review of the CSSLP CBK, industry concepts and best practices.
    • Five-day training events delivered in a classroom setting. Eight hours a day.
    • Available at (ISC)² facilities and through (ISC)² Official Training Providers worldwide.
    • Led by authorized instructors.

    Get details on Classroom-Based Training.


    Private On-Site Training

    • A cost-effective and convenient training solution if your organization has 10 or more employees taking the exam.
    • Tailored to your team’s schedule, budget and certification requirements.
    • Conveniently taught in your office space or a local venue.
    • Led by authorized instructors.

    Get details on Private On-Site Training.

    Instructor-Led Training

    • Participate from the convenience of your computer. This saves you travel time and expense.
    • Delivered in a variety of schedules, with weekday, weekend and evening options to fit your needs.
    • Comprehensive review of the CBK, so you’re ready for this cybersecurity certification.
    • Access to recordings of all course sessions for 60 days.
    • Led by authorized instructors.

    Get details on Instructor-Led Seminars.

    CSSLP Training Course Overview

    Our training helps you fully prepare for this software security certification. You will:

    • Review and refresh your information security knowledge (including information security concepts and industry best practices).
    • Identify areas you need to study for the CSSLP exam.

    You can expect an in-depth review of the eight domains of the CSSLP CBK — including discussion of industry best practices and timely software security concepts.

    (ISC)² authorized instructors lead all our training. You’re learning from industry experts who understand you. They know how to make the content highly relatable. And they go through a rigorous process to teach to our CBK.

    Plus, we use proven adult learning techniques to reinforce topics. This approach increases how much information you retain. Our techniques are highly interactive. They focus on real-world learning activities and scenarios, so you get the most out of training.

    Self-Study Tools

    In addition to training, we offer resources to help you with self-study. Our resources include the: 

  • Taking Your CSSLP Exam

    Length of exam        Up to 4 hours
    Number of questions   175 questions
    Question format       Multiple choice
    Passing grade         A passing score is 700 out of 1000 points
    Exam languages        English
    Testing center        Pearson VUE testing center


    Ready to sign up for the exam? Visit the Pearson VUE website to create an account and book your exam.

  • Maintaining or Regaining Your CSSLP Certification

    Once you’ve earned this software security certification, you become a member of (ISC)². You enter one of the largest communities of information security professionals in the world. You gain access to unparalleled global resources and networking.

    Quite simply, you have endless opportunities to grow and refine your craft.

    But certification is a privilege that must be earned and maintained.

    To remain in good standing with your CSSLP, you need to:

    • Abide by the (ISC)² Code of Ethics.
    • Earn and post Continuing Professional Education (CPE) credits.
    • Pay your Annual Maintenance Fee (AMF).

    Here’s a closer look at each.

    Abiding by the (ISC)² Code of Ethics
    You agree to fully support and follow the (ISC)² Code of Ethics.

    Earning and Posting CPE Credits
    Software security is constantly changing. (You know this well!) You need to earn CPE hours to stay well-rounded and keep up your expertise.

    For the CSSLP, you need to earn and post a minimum of 30 CPE credits per year. You need to do so before your certification annual anniversary date.

    CPEs may sound like a big task. However, (ISC)² makes it easy for you to earn your CPE credits on a regular basis.

    We offer access to:

    • Live educational events around the world.
    • Online seminars that can be taken in the comfort of your home or office. They’re available exclusively to (ISC)² members.
    • And many more learning opportunities.

    Paying Annual Maintenance Fees (AMFs)
    Once you earn this software security certification, you must pay USD$100 each year of your three-year certification cycle. Your payment is due before your certification or recertification annual anniversary date.

    Your payments help ensure that (ISC)² has the financial resources to:

    • Be a functional, dynamic entity for leading information security professionals (like you) far into the future.
    • Develop more CPE opportunities.
    • Continue to meet the certification needs and requirements of information security professionals.
    • Maintain member records.

    How to Regain Membership if Your CSSLP Ceases
    If you wish to regain membership, you’ll need to:

    • Pay any outstanding AMF payments. (This needs to take place before you sit for the exam.)
    • Retake and pass the exam to become certified again.
    • Contact Member Services to reactivate your certification after you pass the exam.

    Do you have questions about maintaining your CSSLP certification? Ask Member Services.

Get Started Today

Download your free CSSLP Exam Outline.