I finally took the CSSLP certification exam this Saturday Nov 7. I think I did quite well though there were a ton of ambiguous questions on the exam and I was very unhappy and disappointed due to that. Not ambiguous as in makes-you-ponder-carefully-between-options-ambiguous but ambiguous as in language-and-grammar-usage-ambiguous.
Here are a few quick thoughts about what I liked and disliked about the exam:
- Focus on fundamentals – The exam focuses much more on fundamentals and less on exact knowledge of the various standards. This is on the whole good because a good professional should have solid fundamentals. Standards one can always refer to and interpret as and when the occasion arises. Also there are so many standards in the security space that it is virtually impossible and impractical to remember more than the basic details of each one.
- Exam duration just about right – At 4 hours and 175 questions the length seems just about right. For those of you familiar with the CISSP exam, you will have recognised that this is a snipe at the 250-question, 6-hour marathon exam that is the CISSP.
- Hands-on experience more valuable for exam purposes than the CISSP exam – For a professional who has been in the secure software support role (in any capacity) for 4-5 years (which is actually one of the prerequisites to the certification) this will be a fairly easy exam. Again this is quite unlike the CISSP, where there are 10 overarching domains and even experienced professionals have to devote a decent amount of time to reading up on the domains in which they have little hands-on experience.
- Severe language and grammar ambiguity – All good multiple-choice exams have ambiguity in the exact choices; this is what differentiates candidates who have just studied for the exam from the candidates who actually know their stuff. This is the kind of ambiguity that makes you think before answering. However, this ambiguity should be in the content, not in the interpretation of the questions. I think the quality of the CSSLP questions was very poor from a language and grammar perspective. Security is a deep field where an extra word or a missing word can change the meaning of a statement altogether. I spent a lot of time guessing whether the framer of the question meant a certain thing or another thing altogether. I could not use the question comment forms either, due to lack of time. However, I do plan to contact ISC2 through more formal channels to give them this feedback, as well as to volunteer my time in improving the questions.
- No official guide yet – The CSSLP certification was announced in September 2008. However, the ISC2 Official Guide to the CSSLP is expected to be available only in May 2010. 1.5+ years is a long time to put out an official guide. ISC2 should pull up its socks and should ideally put out an official guide within 3-6 months of a new certification being announced.
Right now there is just 1 book available for the CSSLP exam – The CSSLP Prep Guide by Ronald L. Krutz and Alexander J. Fry. The book’s strength is coverage. Its weaknesses are lack of depth, lack of consistency amongst the various chapters, a tendency to regurgitate content from existing documents without explaining it, non-existent chapter-end summaries and very, very poor practice questions, both in the book and on the CD. In spite of these shortcomings, on the whole I am glad I used this book and I highly recommend it if you plan to take the CSSLP soon. If the official guide were available I would have preferred it, but till May 2010 this book seems to be your best bet for a single consolidated resource.
I have a number of tips, observations and resources on the preparation for the exam itself, but that will be the topic for another post soon. Ciao!