CSSLP
Certified Secure Software Lifecycle Professional
Secure SDLC, threat modelling, secure architecture across product teams.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
Public, citable inputs to the recognition score.
› Built for these roles
› Exam format
125 multiple-choice questions over 3 hours, English. Pearson VUE proctored. AMF is shared with any other ISC2 cert you hold.
Standard ISC2 retake policy: 30/60/90 day waits.
› Recertification
90 CPEs over three years (avg 30/yr) included under the ISC2 $135/yr Annual Maintenance Fee shared across all your ISC2 credentials.
› NICE Framework work roles
The NIST NICE work-role IDs this cert maps to. NICCS lookup.
› Core domains covered
The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
Reference architectures, control frameworks (NIST SP 800-53, CIS Controls), secure-by-design patterns, threat modeling, trust-boundary design, technology standards.
SBOM, vendor risk assessment, software supply chain attacks, dependency management.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
› Prerequisites
Four years of professional experience in the SDLC (two with degree). CISSP or equivalent concept fluency recommended.
- Secure software architecture
- Threat modeling methodologies
- Supply-chain and deployment security
› Progression
Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No vendor-gated prereqs.
No certs require this one.
No follow-on certs reference this one yet.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
- Official (ISC)² CSSLP CBK Reference, 3rd Ed. — Wiley/ISC2
- CSSLP All-in-One Exam Guide (3rd Ed.) — McGraw Hill
- Boson ExSim-Max for CSSLP
› Version & lifecycle
› Salary signal
Application security engineer / secure-SDLC lead, US, 5+ years.
ISC2 Workforce Study + Glassdoor 'Application Security Engineer' aggregations · 2024 · US base only · p25–p75 range
› How it compares
Both target secure development — CSSLP is broader process-and-lifecycle, GWEB is web-app-specific.
OSWE is offensive web-app exploitation (proves it can be broken); CSSLP is defensive design (proves it can be built right).
› Careers that commonly pursue this cert
Embed security into the software development lifecycle. Shift left to catch vulnerabilities before they reach production.
Embedded in a product team — owns threat modelling, secure design, libraries, dependency risk, and increasingly the AI-specific hardening of LLM features the product ships.