CSSLP
Certified Secure Software Lifecycle Professional
Secure SDLC, threat modelling, secure architecture across product teams.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
public, citable inputs to the recognition score› Built for these roles
› Exam format
125 multiple-choice questions over 3 hours, English. Pearson VUE proctored. AMF is shared with any other ISC2 cert you hold.
Standard ISC2 retake policy: 30/60/90 day waits.
› Recertification
90 CPEs over three years (avg 30/yr) included under the ISC2 $135/yr Annual Maintenance Fee shared across all your ISC2 credentials.
› NICE Framework work roles
The NIST NICE work-role IDs this cert maps to. NICCS lookup.
› Core domains covered
The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.
SBOM, vendor risk assessment, software supply chain attacks, dependency management.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
› Prerequisites
Four years of professional experience in the SDLC (two with degree). CISSP or equivalent concept fluency recommended.
- Secure software architecture
- Threat modeling methodologies
- Supply-chain and deployment security
› Progression
requiredrecommendedWhere this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No vendor-gated prereqs.
No certs require this one.
No follow-on certs reference this one yet.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
- Official (ISC)² CSSLP CBK Reference, 3rd Ed. — Wiley/ISC2
- CSSLP All-in-One Exam Guide (3rd Ed.) — McGraw Hill
- Boson ExSim-Max for CSSLP
› Version & lifecycle
› Salary signal
Application security engineer / secure-SDLC lead, US, 5+ years.
ISC2 Workforce Study + Glassdoor 'Application Security Engineer' aggregations · 2024 · US base only · p25–p75 range
› How it compares
Both target secure development — CSSLP is broader process-and-lifecycle, GWEB is web-app-specific.
↔ Compare side-by-sideOSWE is offensive web-app exploitation (proves it can be broken); CSSLP is defensive design (proves it can be built right).
↔ Compare side-by-side› Careers that commonly pursue this cert
Embed security into the software development lifecycle. Shift left to catch vulnerabilities before they reach production.
Embedded in a product team — owns threat modelling, secure design, libraries, dependency risk, and increasingly the AI-specific hardening of LLM features the product ships.
› Common exam traps to study
Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.
See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.