Old CSSLP vs New CSSLP Certification

With breaches, hacks and other security incidents occurring all around the world across every sphere of our digital life, it is imperative to stitch security into every phase of the software life cycle and prevent these incidents. This is exactly what the CSSLP certification from (ISC) 2 does.
The ‘Certified Secure Software Lifecycle Professional’ (CSSLP) from (ISC)2 is ideal for software professionals and security professionals to apply security practices to each phase of the ‘Software Development Life cycle’.

In order to stay relevant with the rapid changes in technology and software, (ISC) 2 follows a rigorous and methodical approach to update its credential exams such as CSSLP. Here are the changes that were proposed and which went into effect September 15, 2020.

Exam information:

	Old CSSLP	New CSSLP
Exam Duration	4 hours	3 hours
Exam items	175	125
Passing score	700 out of 1000	700 out of1000
Experience requirements	Candidates were expected to have a minimum of four years cumulative work experience in one or more of the eight domains of the CSSLP CBK.	Candidates should have a minimum of four years cumulative work experience in one or more of the eight domains of the CSSLP CBK.

These are the domain name changes that went into effect September 15, 2020(changes are marked in red)

Old CSSLP	New CSSLP
Domain 1: Secure Software Concepts	Domain 1: Secure Software Concepts
Domain 2: Secure Software Requirements	Domain 2: Secure Software Requirements
Domain 3: Secure Software Design	Domain 3: Secure Software Architecture and Design (NAME CHANGE)
Domain 4: Secure Software Implementation / Programming	Domain 4: Secure Software Implementation (NAME CHANGE)
Domain 5: Secure Software Testing	Domain 5: Secure Software Testing
Domain 6: Secure Lifecycle Management	Domain 6: Secure Software Lifecycle Management (NAME CHANGE)
Domain 7: Software Deployment, Operations and Maintenance	Domain 7: Secure Software Deployment, Operations, Maintenance (NAME CHANGE)
Domain 8: Supply Chain and Software Acquisition	Domain 8: Secure Software Supply Chain (NAME CHANGE)

The weightage of the domains have changed as well and they are reflected below: (decrease in weightage are marked in red and increase in weightage are marked in green)

Exam information:

	Old CSSLP	New CSSLP
Domain 1: Secure Software Concepts	13%	10%
Domain 2: Secure Software Requirements	14%	14%
Domain 3: Secure Software Architecture and Design	16%	14%
Domain 4: Secure Software Implementation	16%	14%
Domain 5: Secure Software Testing	14%	14%
Domain 6: Secure Software Lifecycle Management	10%	11%
Domain 7: Secure Software Deployment, Operations, Maintenance	9%	12%
Domain 8: Secure Software Supply Chain	8%	11%

These are the detailed changes for each of the new domains of CSSLP (changes are noted in BOLD)

	Old CSSLP	New CSSLP
Domain 1:	Core Concepts Security Design Principles	Core Concepts Security Design Principles
Domain 2:	Identify Security Requirements Interpret Data Classification Requirements Identify Privacy Requirements Develop Misuse and Abuse Cases Include Security in Software Requirements Specifications Develop Security Requirement Traceability Matrix	Define Software Security Requirements Identify and Analyze Compliance Requirements Identify and Analyze Data Classification Requirements Identify and Analyze Privacy Requirements Develop Misuse and Abuse Cases Develop Security Requirement Traceability Matrix (STRM) Ensure Security Requirements Flow Down to Suppliers/Providers
Domain 3:	Perform Threat Modeling Define the Security Architecture Performing Secure Interface Design Performing Architectural Risk Assessment Modeling (Non-Functional) Security Properties and Constraints Model and Classify Data Evaluate and Select Reusable Secure Design Perform Design Security Review Design Secure Assembly Architecture for Component-Based Systems Use Secure Design Principles and Patterns Use Security Enhancing Architecture and Design Tools Use Secure Design Principles and Patterns	Perform Threat Modeling Define the Security Architecture Perform Secure Interface Design Perform Architectural Risk Assessment Model (Non-Functional) Security Properties and Constraints Model and Classify Data Evaluate and Select Reusable Secure Design Perform Security Architecture and Design Review Define Secure Operational Architecture Use Secure Architecture and Design Principles, Patterns and Tools
Domain 4:	Follow Secure Coding Practices Analyze Code for Security Vulnerabilities Implement Security Controls Fix Security Vulnerabilities Look for Malicious Code Securely Reuse Third Party Code or Libraries Securely Integrate Components Apply Security During the Build Process Debug Security Errors	Adhere to Relevant Secure Coding Practices Analyze Code for Security Risks Implement Security Controls Address Security Risks Securely Reuse Third-Party Code or Libraries Securely Integrate Components Apply Security During the Build Process
Domain 5:	Develop Security Test Cases Develop Security Testing Strategy and Plan Identify Undocumented Functionality • Interpret Security Implications of Test Results Classify and Track Security Errors Develop or Obtain Security Data Perform Verification and ValidationSecure Test Data	Develop Security Test Cases Develop Security Testing Strategy and Plan Verify and Validate Documentation Identify Undocumented Functionality Analyze Security Implications of Test Results Classify and Track Security Errors Secure Test Data Perform Verification and Validation
Domain 6:	Secure Configuration and Version Control Establish Security Milestones Choose a Secure Software Methodology Identify Security Standards and Frameworks Create Security Documentation Develop Security Metrics Decommission Software Report Security Status Support Governance, Risk and Compliance(GRC)	Secure Configuration and Version Control Define Strategy and Roadmap Manage Security Within a Software Development Methodology Identify Security Standards and Frameworks Define and Develop Security Documentation Develop Security Metrics Decommission Software Report Security Status Incorporate Integrated Risk Management (IRM) • Promote Security Culture in Software Development Implement Continuous Improvement
Domain 7:	Perform Implementation Risk Analysis Release Software Securely Securely Store and Manage Security Data Ensure Secure Installation Perform Post-Deployment Security Testing Obtain Security Approval to Operate Perform Security Monitoring Support Incident Response Support Patch and Vulnerability Management Support Continuity of Operations	Perform Operational Risk Analysis Release Software Securely Securely Store and Manage Security Data Ensure Secure Installation Perform Post-Deployment Security Testing Obtain Security Approval to Operate • Perform Information Security Continuous Monitoring (ISCM) Support Incident Response Perform Patch Management Perform Vulnerability Management Runtime Protection Support Continuity of Operations Integrate Service Level Objectives (SLO) and Service Level
Domain 8:	Analyze Security of Third Party Software Verify Pedigree and Provenance Provide Security Support to the Acquisition Process	Implement Software Supply Chain Risk Management Analyze Security of Third-Party Software Verify Pedigree and Provenance Ensure Supplier Security Requirements in the Acquisition Process Support Contractual Requirements

These are the detailed changes between the old CSSLP and the New CSSLP certification exam that came into effect, September 15, 2020. We hope that this document helps you to prepare for the new CSSLP exam and crack it right away!

For more of InfoSec Train’s courses and webinars, do visit us at InfosecTrain.

AUTHOR
Jayanthi Manikandan ()
Cyber Security Analyst

“ Jayanthi Manikandan has a Master’s degree in Information systems with a specialization in Information Assurance from Walsh college, Detroit, MI. She is passionate about Information security and has been writing about it for the past 6 years. She is currently ‘Security researcher at InfoSec train. “