Certification guide
Certified Secure Software Lifecycle Professional (CSSLP) is ISC2’s credential for the people who build software securely — developers, architects, application security engineers, and DevSecOps leads who bake security into every phase of the development lifecycle rather than bolting it on at the end. Where the CISSP asks how you would run a security program, the CSSLP asks how you would ship code that was never vulnerable in the first place: which requirement to write, which design pattern to choose, which test to run before release. It covers more domains than any other ISC2 exam — eight, tracking the lifecycle from concept through supply chain.
The current exam outline took effect September 15, 2023, and ISC2 has since embedded AI security throughout it: securing LLM integrations against prompt injection, defending training data and model weights, governing generative AI coding assistants, testing models for bias and drift, and extending the SBOM into an AI bill of materials. Unlike the SSCP and CISSP, the CSSLP remains a linear (non-adaptive) exam — a fixed set of items you can flag and revisit. Our practice questions reflect the current AI-integrated outline, not the pre-2023 one.
Secure Software Concepts
Domain 1 · 12%The vocabulary everything else is built on: confidentiality, integrity, availability, authentication, authorization, accountability, and nonrepudiation, plus the classic design principles — least privilege, segregation of duties, defense in depth, fail secure, economy of mechanism, complete mediation, open design, psychological acceptability. Expect questions that hand you a design decision and ask which principle it embodies or violates, including how these principles bend when the component is a probabilistic AI model.
Secure Software Lifecycle Management
Domain 2 · 11%Running security as a program across the SDLC: control gates and break/build criteria inside Agile and waterfall, maturity frameworks like SAMM and BSIMM, security metrics, secure decommissioning at end of life, and translating technical risk into business terms. The refresh adds MLSecOps — governing generative AI coding assistants and retraining loops without letting them bypass your gates.
Secure Software Requirements
Domain 3 · 13%Getting security in writing before a line of code exists: functional and non-functional security requirements, compliance and privacy obligations, data classification and ownership, misuse and abuse cases, and the traceability matrix that connects each requirement to its tests. AI additions scope requirements for third-party LLMs — acceptable hallucination thresholds and boundaries on autonomous actions.
Secure Software Architecture and Design
Domain 4 · 15%The heaviest domain: threat modeling with STRIDE and PASTA, attack surface evaluation, architectural risk assessment, and secure design across microservices, cloud service models, IoT, embedded, mobile, and trusted computing with TPMs. You’ll weigh trade-offs — where the trust boundary goes, which reusable technology to select, and how to draw Zero Trust boundaries around inference engines and vector databases.
Secure Software Implementation
Domain 5 · 14%Where code meets keyboard: input validation and output encoding, parameterized queries, session management, error handling, secure logging, cryptographic agility, and analyzing code for risk with SAST, manual review, and software composition analysis — plus build-time protections like code signing and compiler hardening. New material targets prompt injection defenses and vetting AI-generated code.
Secure Software Testing
Domain 6 · 14%Proving the controls work: test strategy and standards, DAST and IAST, penetration testing, fuzzing, fault injection, cryptographic validation, regression and misuse-case testing, CVSS-based finding classification, and protecting test data derived from production. The refresh adds probabilistic testing for embedded ML models — bias, drift, and adversarial evasion.
Secure Software Deployment, Operations, Maintenance
Domain 7 · 11%Shipping and running it safely: signed build artifacts, secrets and configuration management, environment hardening, continuous monitoring into a SIEM, incident response and root-cause analysis, patch and vulnerability management, runtime protections like RASP and WAF, and continuity planning — plus watching production models for algorithmic drift and adversarial manipulation.
Secure Software Supply Chain
Domain 8 · 10%The smallest domain by weight but the one regulators care most about: SBOM creation and maintenance, third-party component risk assessment, pedigree and provenance verification, build environment security, supplier security requirements in acquisition, and contractual protections like code escrow and right to audit. The AI-era extension is the AI-BOM — tracking model weights, training datasets, and ML libraries the way you track packages.
Our CSSLP practice exam delivers 90 questions per attempt, stratified to the official domain weights, on a 130-minute timer matched to the real exam’s pace — with a plain-language explanation behind every question that tells you why the best answer beats the near-misses. ISC2 scores the live exam on a 700-out-of-1000 scale; we set the pass mark at 70% as the honest raw-score equivalent, so a passing run here means genuine coverage across all eight domains — not luck in the heavy ones.
ISC2 CSSLP - Practice Exam
Practice Exam J: 90 original questions stratified to the official CSSLP exam outline (effective September 15, 2023) — Secure Software Concepts x11, Lifecycle Management x10, Requirements…
Subscribe to startTrademark notice & independence. ISC2®, CSSLP®, CISSP®, and CBK® are registered marks of ISC2, Inc. Certifym.net is operated by Certifym Exam Services, LLC and is not affiliated with, endorsed by, or sponsored by ISC2, Inc. Certification names and marks are used solely to identify the certifications for which our independent practice materials are designed. The CSSLP exam outline and its domain structure are the property of ISC2, Inc.; candidates should download the official, current exam outline directly from isc2.org.
All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISC2 examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam.
