CSSLP certification: An overview

Daniel Brecht
April 7, 2021 by
Daniel Brecht

Application vulnerabilities are ranked today among the top cybersecurity threats to organizations. Companies often lack skilled professionals who have expertise in app development security. And without action, a business will continue to be exposed and face serious consequences, such as disruptions in continuous operation.

Companies are looking for talented workers who can implement software assurances, incorporate application access control and ensure the implementations of more secure coding. IT practitioners who are Certified Secure Software Lifecycle Professionals (CSSLP) might be the right answer to the needs of companies. With the current dependence on web applications and the rapid shift to virtual and mobile environments, an adequate number of CSSLPs who are dedicated to ensuring security through the software development lifecycle (SDLC) are a much-needed solution to pinpoint threats targeting web-based apps.

The International Information Systems Security Certification Consortium, ISC2 for short, sponsors the CSSLP certification and is working towards making it the de facto industry standard for secure software development. The CSSLP validates knowledge of secure coding best practices, making it less likely for developers to leave behind exploitable vulnerabilities.

Why CSSLP certification?

The ISC2 CSSLP certification is geared toward individuals who will have a role in the development of software systems using secure programming practices or that will be asked to protect an organization’s software from web security threats or cyberattacks, such as code injection or cross-site scripting. The domains on which professionals are tested can serve as a basic guide to master all angles of the knowledge required to fulfill this type of position. The certification can also help businesses screen applicants for relevant positions; the possession of this credential can ensure any company the applicant has the skills, expertise and significant knowledge to enhance software security throughout the development lifecycle.

There is still a shortage of qualified practitioners with application security skill sets, and the gap has grown in recent years. This poses a great opportunity for security-minded IT professionals to enter this sector and find ample opportunities for a lucrative career.

Who should obtain a CSSLP? 

  • Software architects
  •  Software engineers
  •  Software assurance testers
  •  Application security specialists
  •  Security managers
  •  Application designers
  •  Software developers

Any of the above professionals may benefit from this certification as well as anyone else who is involved in SDLC activities.

The unique feature of this credential is that its common body of knowledge (CBK) overlaps with those of other certifications and programs, covering similar job function areas as developers/coders but also including skills and abilities that can be critical in all other phases of the SDLC.

Getting CSSLP certified

To qualify and be on your way to get certified, you must meet the CSSLP experience requirements: “A minimum of four years of cumulative paid full-time software development lifecycle (SDLC) professional work experience in one or more of the eight domains of the ISC2 CSSLP CBK, or three years of cumulative paid full-time SDLC professional work experience in one or more of the eight domains of the CSSLP CBK with a four-year degree or regional equivalent in computer science, information technology (IT) or related fields.”

As part of the standard registration, candidates will be asked to pay the required ISC2 exam fee ($599, 555 euros or 479 pounds). Then, applicants will need to register and schedule for the CSSLP examination, a computer-based test at locations within Pearson VUE’s testing network worldwide.

Candidates must successfully pass the required CSSLP exam that evaluates testers across eight different domains, which are covered in the CSSLP exam outline. The 125-question, multiple-choice exam is administered over three hours. In general, testers will receive their unofficial examination results before they leave the Pearson test center. For those who passed, the scores are not provided; for those who failed, a breakdown of the domains in proficiency levels will be provided.

Now on to exploring the domains, weights and subdomains of the CSSLP certification exam, which has been “refreshed to reflect the most pertinent issues that secure software professionals currently face, along with the best practices for mitigating those issues. Some topics have been updated while others have been realigned.” 

 CSSLP exam domains

Domain 1: Secure software concepts 10%

  • Core concepts
  • Security design principles

Domain 2: Secure software requirements 14%

  • Define software security requirements
  •  Identify and analyze compliance requirements
  • Identify and analyze data classification requirements
  • Identify and analyze privacy requirements
  • Develop misuse and abuse cases
  • Develop security requirement traceability matrix (STRM)
  • Ensure security requirements flow down to suppliers/providers

Domain 3: Secure software architecture and design 14%

  • Perform threat modeling
  • Define the security architecture
  • Perform secure interface design
  • Perform architectural risk assessment
  • Model (non-functional) security properties and constraints
  • Model and classify data
  • Evaluate and select a reusable secure design
  • Perform security architecture and design review
  • Define secure operational architecture
  • Use secure architecture and design principles, patterns and tools

Domain 4: Secure software implementation 14%

  • Adhere to relevant secure coding practices
  • Analyze code for security risks
  • Implement security controls
  • Address security risks
  • Securely reuse third-party code or libraries
  • Securely integrate components
  • Apply security during the build process

Domain 5: Secure software testing 14%

  • Develop security test cases
  • Develop security testing strategy and plan
  • Verify and validate documentation
  • Identify undocumented functionality
  • Analyze security implications of test results
  • Classify and track security errors
  • Secure test data
  • Perform verification and validation testing

Domain 6: Secure software lifecycle management 11%

  • Secure configuration and version control
  • Define strategy and roadmap
  • Manage security within a software development methodology
  • Identify security standards and frameworks
  • Define and develop security documentation
  • Develop security metrics
  • Decommission software
  • Report security status
  • Incorporate integrated risk management (IRM)
  • Promote security culture in software development
  • Implement continuous improvement

Domain 7: Secure software deployment, operations, maintenance 12%

  • Perform operational risk analysis
  • Release software securely
  • Securely store and manage security data
  • Ensure secure installation
  • Perform post-deployment security testing
  • Obtain security approval to operate
  • Perform information security continuous monitoring (ISCM)
  • Support incident response
  • Perform patch management
  • Perform vulnerability management
  • Runtime protection
  • Support continuity of operations
  • Integrate service level objectives (SLO) and service level agreements (SLA)

Domain 8: Secure software supply chain 11%

  • Implement software supply chain risk management
  • Analyze security of third-party software
  • Verify pedigree and provenance
  • Ensure supplier security requirements in the acquisition process
  • Support contractual requirements

Having seen the eight domains, one may identify areas of study that may need additional attention before taking the exam. A passing grade is 700 out of 1,000.

What is the best way to train for the CSSLP exam?

ISC2 offers CSSLP training material for self-study including the ISC2 CSSLP Flashcards and the “Official ISC2  Guide to the CSSLP, 2nd edition,” which covers the required understanding of the eight domains. These are valuable resources for those studying and preparing for the examination.

Other books can also be an indispensable reference: the “CSSLP Prep Guide” emphasizes the application of secure software methodologies during the software development cycle and covers all aspects of the CSSLP certification exam, with hundreds of sample test questions and answers available on the accompanying CD. You will also find exam tips, practice questions and in-depth explanations by obtaining the “CSSLP All-in-One Exam Guide.”

Official training partners, authorized by ISC2, can also deliver the most relevant, up-to-date course content. This is also a good option in preparing students for the CSSLP exam through extensive hands-on courses and labs.

How can I earn CPEs to maintain my CSSLP certification?

Certified members are required to earn and submit CPE credits (with 90 CPE credits due in a three-year certification cycle) and pay $125 annually on the anniversary of their certification.

These CPE credits can be earned through various learning activities within these categories:

  • CPE activities offered by ISC2: attending a certification course, webinar or chapter meeting
  •  CPE categories: education (group A or B), contributions to the profession (group A), professional development (group B) and unique work experience (group A)

Note: group A credits relate directly to activities in the areas covered by the specific domains of the CSSLP. Group B credits are gained through professional skills, education, knowledge or competency outside of the domains associated with the CSSLP certification.

CSSLP certification salary and job outlook

First of all, earning a CSSLP certification can help set a professional apart from other job candidates. A CSSLP who is well rounded in all aspects of software creation and has engineer/developer-type skills as a coder or programmer can truly apply to any field that involves application security development.

CSSLPs can also expect good pay and opportunities for the foreseeable future. According to PayScale, the salary for a CSSLP is about $108,366 per year. A senior security software engineer that has a role in designing and building secure IT systems can exceed $120,000. Salaries, however, vary according to job title, location and experience.

Pursuing a CSSLP certification

Software can hide several vulnerabilities and can pose additional security risks for end users. Apart from app updates or patches that resolve exploits, companies should employ the talent of a CSSLP who can identify weaknesses before a cybercriminal attempts to make the most of a security hole in a legitimate application. This is a professional who can deliver secure application development by incorporating best practices, and ensuring security is embedded in every stage of the software development lifecycle.


Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.