For me it was just a coincidence but (1) CISSP (2) CSSLP and (3) CISM is indeed the best order to take the 3 exams, preferably within quick succession of each other. The gap between each exam should not be more than 2 months and can be as low as 1 month. CISSP has the broadest scope amongst all 3 certifications. It covers the 10 main domains of information security and is fairly technical in nature though not very in-depth on each topic. It also has the most study material available in terms of books, official guides and question banks.

CSSLP is the new kid on the block and has very little material available. However if you have just studied for the CISSP and have the requisite experience in supporting the software development process from a security perspective it is a breeze to clear the CSSLP. Very little extra study is required and most of the exam questions focus on applying security fundamentals to the domain of software development.

I expected the CISM to be tougher than the CISSP. I do not know how I formed this impression but I was wrong. CISM study topics are almost a proper subset of the CISSP study topics and for somebody who has studied recently for the CISSP the CISM should be fairly easy to clear. One reason why CISM may be considered equivalent to or better than CISSP by employers might be because of the experience requirement which mandates at least 3 years of information security management experience and overall 5 years of information security experience. CISSP requires just 4 years of information security experience for graduates. CISM has a few books and official guides and question banks available but they are much rarer than CISSP resources because the number of CISM candidates is very low. I could not find a single hard-copy book in any book store in Bangalore. In the end my company’s Books24x7 subscription and a friend’s CISM material from 2007 was what I used to brush up for the CISM exam.

In short if you plan to take these 3 exams take all of them in quick succession with CISSP being the first. If you are well-prepared for the CISSP you are automatically well-prepared for the CSSLP and CISM and you should exploit this to reduce repeat study for CSSLP and CISM.

Here are a few quick thoughts about what I liked and disliked about the exam:

LIKES

1. Focus on fundamentals – The exam focuses much more on fundamentals and less on exact knowledge of the various standards. This is on the whole good because a good professional should have solid fundamentals. Standards one can always refer to and interpret as and when the occasion arises. Also there are so many standards in the security space that it is virtually impossible and impractical to remember more than the basic details of each one.
2. Exam duration just about right – At 4 hours and 175 questions the length seems just about right. For those of you familiar with the CISSP exam you would have recognised that this is a snipe at the 250-question, 6-hour, marathon exam that is the CISSP
3. Hands-on experience more valuable for exam purposes than the CISSP exam – For a professional who has been in the secure software support role (in any capacity) for 4-5 years (which is actually one of the pre-requisites to the certification) this will be a fairly easy exam. Again this is quite unlike the CISSP where there are 10 overarching domains and even experienced professionals have to devote a decent amount of time in reading up about the domains that they have little hands-on experience in.

DISLIKES

1. Severe language and grammar ambiguity – All good multiple-choice exams have ambiguity in the exact choices, this is what differentiates candidates who have just studied for the exam from the candidates who actually know their stuff. This is the kind of ambiguity that makes you think before answering. However this ambiguity should be in the content, not in the interpretation of the questions. I think  the quality of the CSSLP questions was very poor from a language and grammar perspective. Security is a deep field where an extra word or a missing word can change the meaning of the statement altogether. I spent a lot of time guessing whether the framer of the question meant a certain thing or another thing altogether. I could not use the question comment forms too due to lack of time. However I do plan to contact ISC2 through more formal channels and give them this feedback as well as volunteering my time in improving the questions.
2. No official guide yet – The CSSLP certification was announced in September 2008. However the ISC2 Official Guide to the CSSLP is expected to be available only in May 2010. 1.5+ is a long time to put out an official guide. ISC2 should pull up its socks and should ideally put out an official guide within 3-6 months of a new certification being announced.

Right now there is just 1 book available for the CSSLP exam – The CSSLP Prep Guide by Ronald L. Krutz and Alexander J. Fry The book’s strength is coverage. It’s weaknesses are lack of depth, lack of consistency amongst various chapters, a tendency to regurgitate content from existing documents without explaining them, non-existent chapter-end summaries and very very poor practice questions both in the book and on the CD. In spite of these shortcoming on the whole I am glad I used this book and I highly recommend it if you plan to take the CSSLP soon. If the official guide were available I would have preferred it but till may 2010 this books seems to be your best bet for a single consolidated resource.

I have a number of tips, observations and resources on the preparation for the exam itself but that will be the topic for another post soon. Ciao!

When it comes to the masses security is 80% usability and just 20% technology.

Picture the following 2 scenarios involving an imaginary but very plausible conversation with my very real and reasonably tech-savvy Dad (2 email accounts, has an Orkut profile, uses Linux once in a while, online banking, composes videos of family photos with narration etc… is he cool or what!)

Scenario 1 (Google Chrome)

[ Varun ]

1. Dad open up Google Chrome.
2. Click on the page icon at the end of the address bar.
3. Select “New Incognito Window” from the menu options.

Whenever you do serious stuff such as online banking use this mode, OK?

[ Dad ] - Sure son! That’s easy. You are the bestest son ever!

Scenario 2 (Mozilla Firefox)

[ Varun ]

1. Dad open up the Windows Run dialog.
2. Type firefox -ProfileManager.
3. Click on “Create profile”.
4. Enter “Incognito” as the profile name.
5. Hit Finish.
6. Select “Incognito” from the list of profiles.
7. Click on”Start Firefox”.
8. Go to  Edit >> Preferences >> Privacy.
9. Select “Always clear my private data when I close Firefox”.
10. Unselect “Ask me before clearing private data” and you are done.

[ Dad ] - My dear Varun, let me tell you about something called Google Chrome and something called the Incognito mode… Step 1 – Open Google Chrome….

Browsing is an everyday affair for a large chunk of the computer user population. Privacy mode should be an equally “everyday” affair and should not involve them having to change settings, create new profiles, shortcuts etc.

Another reason why I prefer Google Chrome over Mozilla Firefox is the safer process model. Even if one were to use the Firefox Incognito mode the individual tabs are not protected from each other and bad stuff like CSRF (cross-site request forgery) and XSS (Cross-site scripting) can still happen. In Chrome, by design, individual applications/websites are cordoned off from each other. I am sure it is not fool-proof but it is way better than all current browsers.

Lastly the Google Chrome Incognito mode is a read-only mode. It does not write anything to disk. No cache, no cookies, nothing. It’s default behaviour is secure and there is nothing you can do to change it. The Incognito mode will remain what it is on every Google Chrome browser, whether it is my home PC or work PC.

The Firefox Incognito mode outlined in Shantanu’s post still writes to the hard disk. The cleaning up is post-event and not by design. Also if you do exactly what is mentioned in that post you are still NOT cleaning up persistent cookies, offline website data (created by extensions) and saved passwords. You have to check a few more boxes to clean these up. If a hardcore geek like Shantanu (the dude writes well, hacks stuff and has a bunch of interesting-looking downloads on his blog!) can oversee these options imagine what it imagines for people who want their browser to just work.

Am I drooling over Chrome’s Incognito feature? – Not exactly but I _am_ impressed. When designing software especially end-user software think secure by design, think secure out of the box, think usability and think of my Dad-equivalent whoever it might be in your case.

P.S. – Dad if you are reading this do you agree with me?

EDITS – 2008-09-12 Chrome not resilient to XSS, just CSRF (Thanks Shantanu!)