Archive for March, 2010

Eating Crow – Google Goes For Broke in China

March 23rd, 2010, by jmolini

Let me start by saying that I was wrong.  Yep.  That’s the best way to begin this post.  This morning I read on Wired.com that Google had officially stopped censoring search results inside the People’s Republic of China.  They ignored the naysayers and have stopped doing searches inside mainland China, instead asking users to go to their Hong Kong site for searches.  Of course, it’s not likely that people inside mainland China will be able to get unfiltered search results from Hong Kong, but that’s beside the issue.

Most importantly, Google is risking their China business to meet their stated goal of unfiltered search.  The g-men stood on principle and took action in favor of Internet freedom.  Bravo.

Just as the issue itself had strong cultural overtones (see my earlier post), anyone reading the post from outside the USA may wonder about the title.  We have a euphemism inside the US for anyone who has to retract a statement or admit that they were wrong.  It is called “having to eat crow.”  A crow is a particularly obnoxious bird that tastes like a rat.  It’s hard to catch and very hard to stomach.  So it’s an appropriate comparison for having to admit that you’re wrong.  In this case, I’m contrite and happy to see that my original skepticism has been upended.

Right or wrong, the leadership team at Google made a particularly tough decision.  It’s nice to see that they stood on principle in the face of opposition.  And to CEO Eric Schmidt and everyone in the company, please accept my heartfelt apology for doubting your ability to execute on the plan.

Jim Molini, CISSP, CSSLP

Categories: Information Security, Life

Preparing for the CSSLP

March 15th, 2010, by jmolini

One of our readers recently asked me an interesting question.  He asked for recommendations about preparing for the CSSLP exam.  It was a good question and I figured I’d add a blog post, based on my answer.  So here it is for everyone:

There are several good ways to study for the CSSLP.  These days everyone is also interested in saving money, so I’ll outline an approach that requires minimal investment on your part.

The preparation process should involve reading, learning, and practice.  Reading is a good place to start and there is no shortage of information about software security.  We’ve been doing software security for many years, so the principles are available online.

For Sale

If you can purchase books, I’d recommend these:

The Security Development Lifecycle – by Michael Howard and Steve Lipner

Software Security: Building Security In – by Gary McGraw

For Free

For free resources, you may want to read:

The State of the Art Report (SOAR) on Software Security Assurance is here.

There is general information available at the “Build Security In” website here.

Microsoft has a great set of security resources on the developer site, either at MSDN or available through the central security page here.

To be fair, I looked for free how-to material at IBM and RSA on the same topic, because I respect their security programs, but did not see the same kinds of documents.  Most of the stuff I could find was intended to market a product or service offering.  If you think I missed something, please let me know and I’ll update the post.

OWASP talks about the top web threats here, and that might help you understand more about vulnerabilities.  Their development guide is also helpful.

I’ve compiled a few important papers on software security here on the site.  You may find that they will provide some additional perspective on major issues we’ve faced over the years.

All of these resources should help you get started.  I would also recommend looking through the domains and then selecting areas where you want to do some review.  If you work in the area of software, it would also be a good idea to review your own practices and look at how yours compare to those in the references.  This will help you to learn the reasoning behind the recommendations and should help you pass the exam.

Additionally, if you’re preparing and feel like you’re stuck, there is another commercial book, called the CSSLP Prep Guide by Alex Fry and Ronald Krutz.  I’m ambivalent about this one.  On one side, it contains many data points that might help you cram for the exam.  If this is your style, the book might help.  On the other side, I’m not sure that it’s very helpful beyond cramming for the exam.  I didn’t see good explanations of strategy or for why you might apply one approach over another.  I didn’t see any informed guidance or luminary insight that a practitioner might find valuable.  It seemed to be a compilation rather than a text.  From that perspective, I’m not sure that it’s more valuable than Wikipedia.  To be transparent about this, I received a complimentary copy from the publisher, but as you can tell, I’m not a big fan of their approach.  Please make your own decisions.

Practice

Finally, practice, practice, practice.  You can practice at work by reviewing the SDLC inside your organization.  You can practice on your own by participating in security forums or working on open source projects.  You can practice with associates at some of the security professional societies.

If you are not able to find a local community, participate in one of the online communities.  You will find developer communities for every major development language and large projects may start threads on software security too.  Working through Google or Bing would provide the best and most up to date information.

All of these things should help you get ready for the exam with a minimal financial investment.  For any of you who might be preparing for the CSSLP exam, good luck and stay in touch.  I’d like to know how it turns out.

Regards,
Jim Molini, CISSP, CSSLP

Categories: Software Security