Year-End Learning Carnival: Get Free Courses and Up to 50% off on Career Booster Combos!
D H M S

Old CSSLP vs New CSSLP Certification

With breaches, hacks and other security incidents occurring all around the world across every sphere of our digital life, it is imperative to stitch security into every phase of the software life cycle and prevent these incidents. This is exactly what the CSSLP certification from (ISC) 2 does.
The ‘Certified Secure Software Lifecycle Professional’ (CSSLP) from (ISC)2 is ideal for software professionals and security professionals to apply security practices to each phase of the ‘Software Development Life cycle’.

In order to stay relevant with the rapid changes in technology and software, (ISC) 2 follows a rigorous and methodical approach to update its credential exams such as CSSLP. Here are the changes that were proposed and which went into effect September 15, 2020.

Exam information:

Old CSSLP New CSSLP
Exam Duration 4 hours 3 hours
Exam items 175 125
Passing score 700 out of 1000 700 out of1000
Experience requirements Candidates were expected to have a minimum of four years cumulative work experience in one or more of the eight domains of the CSSLP CBK. Candidates should have a minimum of four years cumulative work experience in one or more of the eight domains of the CSSLP CBK.

These are the domain name changes that went into effect September 15, 2020(changes are marked in red)

Old CSSLP New CSSLP
Domain 1: Secure Software Concepts Domain 1: Secure Software Concepts
Domain 2: Secure Software Requirements Domain 2: Secure Software Requirements
Domain 3: Secure Software Design Domain 3: Secure Software Architecture and Design (NAME CHANGE)
Domain 4: Secure Software Implementation / Programming Domain 4: Secure Software Implementation (NAME CHANGE)
Domain 5: Secure Software Testing Domain 5: Secure Software Testing
Domain 6: Secure Lifecycle Management Domain 6: Secure Software Lifecycle Management (NAME CHANGE)
Domain 7: Software Deployment, Operations and Maintenance Domain 7: Secure Software Deployment, Operations, Maintenance (NAME CHANGE)
Domain 8: Supply Chain and Software Acquisition Domain 8: Secure Software Supply Chain (NAME CHANGE)

The weightage of the domains have changed as well and they are reflected below: (decrease in weightage are marked in red and increase in weightage are marked in green)

Exam information:

Old CSSLP New CSSLP
Domain 1: Secure Software Concepts 13% 10%
Domain 2: Secure Software Requirements 14% 14%
Domain 3: Secure Software Architecture and Design 16% 14%
Domain 4: Secure Software Implementation 16% 14%
Domain 5: Secure Software Testing 14% 14%
Domain 6: Secure Software Lifecycle Management 10% 11%
Domain 7: Secure Software Deployment, Operations, Maintenance 9% 12%
Domain 8: Secure Software Supply Chain 8% 11%

These are the detailed changes for each of the new domains of CSSLP (changes are noted in BOLD)

Old CSSLP New CSSLP
Domain 1:
  • Core Concepts
  • Security Design Principles
  • Core Concepts
  • Security Design Principles
Domain 2:
  • Identify Security Requirements
  • Interpret Data Classification Requirements
  • Identify Privacy Requirements
  • Develop Misuse and Abuse Cases
  • Include Security in Software Requirements Specifications
  • Develop Security Requirement Traceability Matrix
  • Define Software Security Requirements
  • Identify and Analyze Compliance Requirements
  • Identify and Analyze Data Classification Requirements
  • Identify and Analyze Privacy Requirements
  • Develop Misuse and Abuse Cases
  • Develop Security Requirement Traceability Matrix (STRM)
  • Ensure Security Requirements Flow Down to Suppliers/Providers
Domain 3:
  • Perform Threat Modeling
  • Define the Security Architecture
  • Performing Secure Interface Design
  • Performing Architectural Risk Assessment
  • Modeling (Non-Functional) Security Properties and Constraints
  • Model and Classify Data
  • Evaluate and Select Reusable Secure Design
  • Perform Design Security Review
  •  Design Secure Assembly Architecture for Component-Based Systems
  • Use Secure Design Principles and Patterns Use Security Enhancing Architecture and Design Tools
  • Use Secure Design Principles and Patterns
  • Perform Threat Modeling
  • Define the Security Architecture
  • Perform Secure Interface Design
  • Perform Architectural Risk Assessment
  • Model (Non-Functional) Security Properties and Constraints
  • Model and Classify Data
  • Evaluate and Select Reusable Secure Design
  • Perform Security Architecture and Design Review
  • Define Secure Operational Architecture
  • Use Secure Architecture and Design Principles, Patterns and Tools
Domain 4:
  • Follow Secure Coding Practices
  • Analyze Code for Security Vulnerabilities
  • Implement Security Controls
  • Fix Security Vulnerabilities
  • Look for Malicious Code
  • Securely Reuse Third Party Code or Libraries
  • Securely Integrate Components
  • Apply Security During the Build Process
  • Debug Security Errors
  • Adhere to Relevant Secure Coding Practices
  • Analyze Code for Security Risks
  • Implement Security Controls
  • Address Security Risks
  • Securely Reuse Third-Party Code or Libraries
  • Securely Integrate Components
  • Apply Security During the Build Process
Domain 5:
  • Develop Security Test Cases
  • Develop Security Testing Strategy and Plan
  • Identify Undocumented Functionality • Interpret Security Implications of Test Results
  • Classify and Track Security Errors
  • Develop or Obtain Security Data
  • Perform Verification and ValidationSecure Test Data
  • Develop Security Test Cases
  • Develop Security Testing Strategy and Plan
  • Verify and Validate Documentation
  • Identify Undocumented Functionality
  • Analyze Security Implications of Test Results
  • Classify and Track Security Errors
  • Secure Test Data
  • Perform Verification and Validation
Domain 6:
  • Secure Configuration and Version Control
  • Establish Security Milestones
  • Choose a Secure Software Methodology
  • Identify Security Standards and Frameworks
  • Create Security Documentation
  • Develop Security Metrics
  • Decommission Software
  • Report Security Status
  • Support Governance, Risk and Compliance(GRC)
  • Secure Configuration and Version Control
  • Define Strategy and Roadmap
  • Manage Security Within a Software Development Methodology
  • Identify Security Standards and Frameworks
  • Define and Develop Security Documentation
  • Develop Security Metrics
  • Decommission Software
  • Report Security Status
  • Incorporate Integrated Risk Management (IRM) • Promote Security Culture in Software Development
  • Implement Continuous Improvement
Domain 7:
  • Perform Implementation Risk Analysis
  • Release Software Securely
  • Securely Store and Manage Security Data
  • Ensure Secure Installation
  • Perform Post-Deployment Security Testing
  • Obtain Security Approval to Operate
  • Perform Security Monitoring
  • Support Incident Response
  • Support Patch and Vulnerability Management
  • Support Continuity of Operations
  • Perform Operational Risk Analysis
  • Release Software Securely
  • Securely Store and Manage Security Data
  • Ensure Secure Installation
  • Perform Post-Deployment Security Testing
  • Obtain Security Approval to Operate • Perform Information Security Continuous Monitoring (ISCM)
  • Support Incident Response
  • Perform Patch Management
  • Perform Vulnerability Management
  • Runtime Protection
  • Support Continuity of Operations
  • Integrate Service Level Objectives (SLO) and Service Level
Domain 8:
  • Analyze Security of Third Party Software
  • Verify Pedigree and Provenance
  • Provide Security Support to the Acquisition Process
  • Implement Software Supply Chain Risk Management
  • Analyze Security of Third-Party Software
  • Verify Pedigree and Provenance
  • Ensure Supplier Security Requirements in the Acquisition Process
  • Support Contractual Requirements

These are the detailed changes between the old CSSLP and the New CSSLP certification exam that came into effect, September 15, 2020. We hope that this document helps you to prepare for the new CSSLP exam and crack it right away!

For more of InfoSec Train’s courses and webinars, do visit us at InfosecTrain.

 

AUTHOR
Jayanthi Manikandan ( )
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information systems with a specialization in Information Assurance from Walsh college, Detroit, MI. She is passionate about Information security and has been writing about it for the past 6 years. She is currently ‘Security researcher at InfoSec train.
Your Guide to ISO IEC 42001
TOP
whatsapp