Archives For CSSLP


June 26, 2016 — Leave a comment

Life prepares you many surprises. You can plan your life as accurately as humanly possible, but you will eventually need to reconsider your plans.
It is not necessarily a bad thing, though. And in my case, I trust it has been for the better.
After I switched to Proactive Support from the Consulting organization within Microsoft, to focus 100% of my time to Security, I planned to improve all my initiatives, blog included. I discovered soon that I needed to dedicate all myself to cope with my deficiencies around Infrastructural Security and to meet the already challenging goals my new organization has defined for me, plus the goals I defined for myself, that is mostly doing whatever I can to expand the importance of Application Security within Microsoft.
This has meant much additional work for me, but also very important successes, like achieving the CSSLP certification (finally!) and recognitions like having been made WW Lead of the Security Development Lifecycle Community within Microsoft, side by side with my good friend Kiyoshi Watanabe, who is an Application Security expert from Japan.
New duties mean more things to do and less time for other things, as I discovered last year. This is the reason why I have written nothing since I switched: I had no juice left to think to anything but the most essential things.
Now it is different: my goals for the new year are set to be more projected toward the community of Application Security practicians inside and outside Microsoft, because I feel it to be critical for the world I live in and my own future.
Stay tuned for new content and (possibly) a very big surprise, soon. 🙂

Security is really a thing of Passion: it is so huge a topic and evolving so fast, that you have to fully commit yourself to it if you want to do it properly. So, it is very important to build a solid foundation on which to grow and expand your knowledge.

Security is also a Community thing: you have to be fully connected if you want to be up to date and to create the trust around you needed to do your job. And one of the most important things if you want to be part of a Community, is to know its “Lingo”.

This is precisely what (ISC)2 is and what it does. First and foremost, it is a Community of Security Professionals, which collects common knowledge around the main Security Topics. It defines some of the most recognized Security Certifications, like CISSP and SSCP, and collaborates with many Security Organizations to provide continuous training to its members.

One of those certifications is particularly relevant for Software Development: this is CSSLP. I have studied it and I am in the process of obtaining this certification, therefore I have grown some strong feelings on that and the various tools provided to achieve it.

CSSLP is currently in its second incarnation, and it is composed of 8 Domains (as described in the (ISC)2 site):

The first incarnation lacked the last Domain.

All in all, this represents a fully holistic approach for Software Development, based on proven concepts and tools (many from Microsoft’s own SDL!) and provides a very good overview of the main topics to be considered by Architects and Software Developers. There are also some key concepts that I have seen here for the first time so clearly exposed, like the reason why you have to keep your software behaves like cheese: after some time it stinks and you have to replace it! In other words, you have to plan for its retirement even before it is released! The 7th Domain discuss specifically this concept.

So, it is really key to study for CSSLP even if you are not planning to certify, because it gives you some important tools for understanding that needs to be done.

Speaking of which, the next question is: how do you study for CSSLP?

I have seen some tools, in the quest for the certification, which I am going to briefly discuss here: I will probably expand on some of them in the near future.

First of all, there  is the Official (ISC)2 Guide to the CSSLP CBK, Second Edition: this is the official book from (ISC)2 and it is a good starting point. I would say that the quality is average: I have found some inaccuracies and some parts are oversimplified.

A better reference could be the CSSLP Certification All-in-One Exam Guide. This is an unofficial book covering the original 7 Domains. I have read most of it and its content is really good, but its lack of coverage for the last Domain is a pity. I would recommend buying it as first book if you do not want to certify for CSSLP, otherwise it would be a good integration of the official book.

There are also additional tools, for greater budgets: the first one I would get, if you can afford it, would be the Security Compass CSSLP Training. This is a comprehensive course on every Domain of CSSLP, in CBT form: it is very convenient and its length feels ok, being around 10 hours. I have completed it and I can say that contains good material, well explained and fully understandable; now and then, there are some simple exercises to test your knowledge. Even if the course is definitely mature, there are some glitches, but they are regularly fixed and the support is fast in helping if there is any need. Even if full of goods, this Security Compass training cannot be considered a complete solution for trying to certify. First of all, the exercises are not nearly enough to have a feeling of the certification: it would be great if Security Compass would supplement it with some sample questions that would simulate the actual certification. Secondary, I would have liked the ability to download the course material, to consume it offline: this is not possible.

Speaking of test simulation, fortunately there are a couple of tools provided by (ISC)2 to enjoy some actual questions:

The first one is a good solution and provides up to 300 real questions – not actual questions, but something that has been used in the past or that is really similar to actual questions from the exam, but comes with a cost. The iOS App is way much cheaper but provides a very limited set of questions.

Last but not least, you could use some Training in class or online (a recent addition to the (ISC)2 offering), but this comes with greater costs and imposes some toll on your schedule.

Concluding this roundup, I can definitely say that (ISC)2 certifications are a really good opportunity for entering the Security Community from the front door, to achieve credibility and to gain some very good tools and reasons to keep yourself up to date and committed to Security.