(ISC)2′s Newest Cash Cow: The CSSLP Certification

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security professionals. To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one’s technical skillset. Unfortunately, it’s inevitable that employers will treat it as such.

You can read all the details on their website (except for the part about the certification not being a measure of practical skills). From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge. As with the CISSP, they are going for broad knowledge, not depth. Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP. Why June? Because the test isn’t even written yet — I’ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.

Ah, but what if you can’t wait that long and want to get certified right away? You’re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam! That’s right, they call it the CSSLP Experience Assessment, and here are the requirements:

    • Upload a resume showing three years of experience related to software security, or four years if you don’t have a college degree
    • Write short essays (500 words maximum) discussing four CBKs of your choice
    • Get a CISSP to vouch for you
    • Pay $650

 

Let’s examine these requirements one at a time.

Three years of experience. (ISC)2 doesn’t provide any requirements on depth of experience, other than citing the broadly-defined CBKs. Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.

Short essays on four of the CBKs. I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, optionally citing your personal experience in that area if you have any. This messaging is not quite aligned with the website guidance, which states that the essays should be “Accomplishment Records” which are self-reported descriptions of experience. Either way, with a maximum essay length of 500 words, it’s pretty obvious that substance is not (ISC)2′s first priority. Here’s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.

Get a CISSP to vouch for you. Actually this can be any (ISC)2 certified person, not just CISSPs. Contrary to what you’d expect, though, the person isn’t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.

Pay $650. You knew it was coming. After all, there is money to be made. How is it that qualifying for the CSSLP through professional experience should cost $650? If you’re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the Scantron machine is probably paid off by now). But $650 for the submitted-online Experience Assessment? If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half. Will it really take that long to read a maximum of 2,000 words and pass judgment? Of course not. (ISC)2 wants to get as many people as possible to qualify based on “experience”, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.

As Lee Kushner stated during his OWASP AppSec presentation (7 Habits of Highly Effective Career Managers), “the more people who own a cert, the less relevant it becomes.” Irrelevant — that’s exactly what the CISSP has become, and it’s exactly where the CSSLP is headed. Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.

In closing, let me acknowledge that this blog entry probably comes across as judgmental. I accept that. I’m not ranting against the idea of certifications, though admittedly I’m not a fan of them either. I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?

Veracode Security Solutions

 

Security Threat Guides

Zach | September 29, 2008 11:24 am

I waited with great anticipation to see what you’d have to say about this, Chris — and you didn’t disappoint. Though a *gasp* CISSP myself (it was _required_ for a previous position), I still shake my head when I think about how many up-and-coming security professionals, and even some of my peers, drool over the proverbial alphabet-soup-entry-card that is the CISSP.

I, for one, am quite happy that some employers (including my current one) and fellow security weenies have been able to see beyond the TDMA behind folks names.

Tom Brennan | September 30, 2008 11:55 am

I guess they should look at the OWASP materials and extract some questions ;)

Tom Ryan | October 1, 2008 7:28 am

This grandfather clause will give the dumbest of the dumb the opportunity to get this certification. This could be a good talk for Black Hat. “Hacking the CLSSP” Chris can write the paper, I will create the fake resume, Tom Brennan can expense the $650 and we will submit my 5 year old nephew Antonio for the certification.

Dr. Pramod Damle | October 4, 2008 4:30 am

It’s good to have some certification that gives you a qualification in this much-needed area of application security and I am happy that (ISC)2 has taken an initative like SANS and OWASP. Over a period of time, CSSLP should gain the status of a world-class certification, like CISSP did in the past.

hellnbak | October 11, 2008 12:01 pm

@Dr. Pramod

Considering your business card alphabet soup:

CISA, CISM, SSCP, CISSP, PhD (Info Security)

Of course you are for this certification.

Letters after a name prove nothing but you were able to remember enough broad knowlege of a subject to pass an exam. It is really that simple.

coder | October 20, 2008 11:35 pm

Interestingly, CSSLP also stands for: Community Septic System Loan Program.

Chip Munk | December 26, 2008 7:05 pm

At a very core level I agree with what you say here. However, most C suite executives do not typically have a good understanding of the base issues. They understand what risk is, but leave the assessment up to the individual who is actually performing the analysis. I have explained Cross Site Scripting to several glassy eyed executives in the past and the only thing that has gotten through has been risk levels. While pitching a project to them (whether inside your own company or to a client) having a qualified individual with a certification that attests the core of the problem you are trying to address, helps give your proposal more weight. That is all that this or any other certification does.
In my mind, it is similar to me going to a qualified CPA every year to do my taxes. I am certain that there are several people who can get me more returns on my taxes than my CPA, the CPA qualification gives me peace of mind so that I don’t have to worry about the IRS coming to knock on my door.

PhilA | March 11, 2009 12:26 am

Lee is right, but it’s the ticket to ride on the train today.

Either get a ticket and hop on or be irrelevant from the start.

This is the same rhetoric about obtaining a college degree. Today, you need at least a Bachelor’s degree and tomorrow you’ll need a Master’s for many employers to even consider you.

Although it could be argued that you get an Online degree and it doesn’t count for much or your degree is questionable. That I agree with. Should I say University of Phoenix?

Prometheus | March 14, 2009 9:25 am

Interesting comment Chris,
for novices what you say is correct…
being in software development business for 15 years and acting as a Director of a Software Development Center I need to add some comments though:

1. I very much welcomed this (ISC)2 Certificate. I myself as a manager applied and hope to receive it soon. The chance of matching my experience with the CSSLP certification requirements appealed me. I suggest executives dealing with software development refresh themselves with these 7 CBKs of SSL and consider how it relates to their experiences.

2. I am on the side of those who believe in the need of CERTIFIED securite software LIFECYCLE (this already clearly states that is not assuring any proficiency in any vendor based development tool – for this anyone interested I humbly sıggest attend the existing vendor’s development tools certificate programs and keep low profile) aware developers/managers…

3. I would definetily favor the developers who posess this certificate.

4. On the application: yes I believe (ISC)2 gives credit to the experience on how you implement security in software lifecycle (and you need to be able to define your experience in a very short assays – I myself can easily understand from such a short essay if the writer has an experience or just throwing some nice thoughts he read from books,). I wish (ISC)2 continues with this requirement in their certificate application evaluations.

5. Topic is hot. I believe this certificate will gain the necessary respect soon.

6. Just forgetting about the 650 dollars. I willingly sacrificed this amount for a this certificate. For those who can not, don’t try to waste your money…it is definitely not for you. Choose another track, training or certification.

7. For the guys who go after certificates only (no experience…), it would be waste of money. Do not apply. Since even if you have your certificate from an CSSLP exam, but with no experience, you are not at the age. First get some development experience and then review your requirement for such sertificate.

All
Be happy, be healthy, enjoy life.

Chris Eng | March 17, 2009 3:07 pm

@PhilA:

“Either get a ticket and hop on or be irrelevant from the start.

This is the same rhetoric about obtaining a college degree. Today, you need at least a Bachelor’s degree and tomorrow you’ll need a Master’s for many employers to even consider you.”

Certification is the ticket to get started in security? Not true, and certainly not across the board. You’re fooling yourself if you think the day is going to come where security practitioners will need a Master’s degree to get hired. Not going to happen. Besides, lots of places will hire a smart security person without a bachelor’s degree, so your initial premise is wrong.

I do believe that college education has great value, just very little direct applicability (in most cases) to security work.

@Prometheus:

Thanks for your comments. I’d hire a developer with a language-specific GSSP cert before I’d hire one with a CSSLP. But that’s just me, and also, I don’t actually hire developers. :)

Imad Abu Zaid | March 18, 2009 5:23 am

I agree in most of the things you mentioned chris..but i also belive that the certificate will catch its seekers very soon -i was hoping from isc2 to make this certificate in two levels or 2 parts /naming
the first one is junior professional which does not require an exam like the presnt senareo and the professional or expert level must pass the test to get certified,
I am not sure about the metrics of evaluatioing the candidates essays,and what will be the reasons to drop some one application and inform him/her that he failed..at least in the exam senareo you would know if you done well or bad..but the essays issue i dont know i feel its floating.
Imad
PMP,CISSP,ITIL ITSM,CCCM

Brian Jensen | March 24, 2009 3:59 pm

Chris:

In many respects I do tend to side with you in the sense of creating certifications for the sake of certifications or cash flow. When you have individuals who desire to become certified for the sake of recognition and professional growth, they will easily become exploited by an industry that controls the value or perception of such certifications by using education and training as the primary hook. I concur, (ISC)2 did take a rather unorthodoxed approach here, but on the same token, look at ISACA’s recent CGEIT certification offering. Everyone wants to become an industry de facto standard but no one wants to align these into a global value because the fragmented industry has a greater profit margin than a cohesive one.

Having a CISA, CISM and CISSP are pretty much what I would consider the standard triad for security professionals. Going into more specialized areas such as the ITIL, GIAC, etc. are just additional layers of cake. Granted, the CSSLP may not have been executed as well as it could have been, but I do see a great value in the future for those who have the subject matter expertise to develop securely and incorporate security into software applications and products. Personally, I think this all ties down to execution and holding themselves and others to a certain standard — weakening that standard just to get momentum isn’t always desirable, but it is the way the certification industry works.

Cheers,
-Brian Jensen, CISSP, CISA, CISM

New Application Security Certification Launched | securosis.com | April 1, 2009 7:02 am

[...] We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in [...]

tim | April 1, 2009 11:58 am

@Chris

“Certification is the ticket to get started in security? Not true, and certainly not across the board. You’re fooling yourself if you think the day is going to come where security practitioners will need a Master’s degree to get hired.”

While certification is not necessary to get started in security it IS necessary to get a job doing it. Furthermore I’ve worked for companies who would of never considered me for employment due to my lack of a bachelors and masters degree. I got in the door as a contractor and they waived the degree requirement when they offered me a permanent job once they saw the value. While this is not true in all cases – it is the norm.

Personally when I’m in a position where I am hiring or interviewing individuals I don’t even look at certs. Matter of fact if someone lists a half dozen certs on their resume I tend to put that resume at the bottom of the pile.

Chris Eng | April 1, 2009 12:13 pm

@tim:

“While certification is not necessary to get started in security it IS necessary to get a job doing it.”

I call BS. Many of the best security consultants and researchers I’ve worked with had no industry certifications. A handful did, but quite honestly, they were the minority.

I’m with you on the hiring thing. I’m looking for experience, not a bunch of letters. That being said, here’s a new cert that really shows some promise: http://www.asscert.com/ :>

Brad Andrews | April 7, 2009 11:42 am

Putting a resume on the bottom just because of certs is just as stupid as idolizing them.

Will the fact I have a bunch of SANS certs mean I am incompetent? I transitioned from software development to information security 3 years ago and I have been “piling up” certs since then. It is one of my “hobbies” at the present, though that “hobby” has also helped me supplement my development experience with a lot of security information in a fairly short time (relatively).

Am I worse for it? No. I would even argue that in certain roles I am stronger than someone who has been doing security the entire time since I have a lot of other quite varied experience that provides a much broader perspective.

I do want to get the CISSP to be done with it, though it will be of no help to my current job. I did apply for the CSSLP since I see little downside (other than the cost). I would love to see secure development processes more widespread.

Brad

CPKB | April 12, 2009 7:10 am

A thought on the (albeit temporary) essay assessment; although the essays are short, I feel an essay based assessment (and yes, I know its only for the initial seed of CSSLPs) is a substantially better test than a multiple choice exam.

With a multiple choice exam, you just have to be able to related and remember words without really understanding the context so well.. Whereas, with an essay you have to describe concepts in the appropriate context.

In terms of general security principles cert versus a technology specific cert, if you have the choice of someone who understands the generic principles and can apply them to any technology, i feel that this is much better than someone who only knows how to do the ‘right’ thing with a specific technology without necessarily understanding why and therefore cannot infer the principles and apply them in different situations to different technologies.

In general, I believe certification can be a good thing, the process for studying for a certification often means that you will learn more which is never bad. Having a certificate that attests to some level of knowledge is also not a bad thing. However, people have to take into account that testing procedures in general are flawed and relying solely on an individuals list of certifications is a badrisky thing to do.

dimo | April 14, 2009 3:45 am

hehehe, yes an ASS certification would blend in nicely next to the credentials of some of the people I’ve seen in the field, in fact, some are so qualified I think we should send them a complimentary plaque :)

well, you’ve sure redirected my mindset regarding CSSLP. I wasn’t too sure I wanted to do the CISSP after what I had read about it but I had already studied for it and was required to do so by my employer (although plans fell through and I ended up taking it on my own time later just to fume off).

The one that actually did look interesting to me was the GIAC:http://www.giac.org/, though I can’t claim to know much about it. Does anybody here have first hand knowledge about it? They seem to have a bunch of requirements; papers, labs and such-things that I guess help somewhat confirm that you actually understand what you’re talking about and are not just parroting well.

Cheers,

CertBert | July 9, 2009 12:38 pm

@Prometheus

If you, as an executive favor people who get this certificate, then I hope your company is not a vendor of products that we use. I bet I could get my mother to achieve this certificate, which requires merely some BS’ing in an essay, or memorizing a bunch of stuff so you can spew it on a multiple guess exam. My mom is smart, but not about computers or security . But she would definitely pass this exam after studying. And believe me, you would not want her developing applications for you. If you disfavor smart security people who don’t get this cert because they are smart enough to see that it’s meaningless, then you’re missing some talent, which I would be happy to acquire and use in my own company.

This is, pure and simple, a money-making scheme. Bernie Madoff would be proud.

Sinclair | November 8, 2009 10:30 am

People seem to forget that without certification there is very little proof of competence. I fully agree with all those sceptic people that a certificate doesn’t proof one’s skills but as a person who had to hire security professionals I know it is also impossible to establish someone skills in two one hour discussions.
I myself are an CISSP-ISSAP and will enter the CSSLP exam, if I have the skills why not proof it by doing an exam?? If you read the prep guide and the CBK requirements, you see it is quite different from CISSP (which was indeed of a disappointing level of depth – the one mile wide, one inch deep approach.), CSSLP offers more depth – ofcourse still rather superficial for the security professional – but then this category shhouldn’t be afraid to just do the exam…

And ofcourse I contribute to ISC2 financial gain, but there is also a lot of cost involved in developing the CBK and exams. Seeing the material, preparing for the exam, I think it fills an important gap.

Chris Eng | November 17, 2009 5:26 pm

@Sinclair:

“…without certification there is very little proof of competence.”

WITH certification there is also very little proof of competence, plus you waste a lot of money.

“…if I have the skills why not proof it by doing an exam?”

Because the exam does not test skills.

Michael White | February 26, 2010 8:09 am

Interesting comments by all. I wanted to add a quick note not to justify certifications but to share my own experience as a hiring manager. I manage a information assurance team for a DOD component. Anyone ever heard of the DOD 8570 which requires all IA workers to be certified based on the level of the IA position held. I have to have all of my workers certified within six months after their start date. The following certs are necessary:
A+,Network+,SSCP,Giac certs, and CISSP

I do not think i named all of them but you get the picture. This is a contractual obligation. It drives the cost of the contract through the roof. I also find it hard to find certified resources who will work for reasonable rates in my area which outside the DC area.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

RSS feed for comments on this post