The Certified Information Systems Security Professional (CISSP) certification, granted by the International Information System Security Certification Consortium Inc., or (ISC)2, is one of the most prestigious vendor-neutral information systems security leadership certifications. The CISSP certification is a credential that signifies its holder possesses professional experience and demonstrates a high level of knowledge across information systems security domains.
(ISC)2 periodically updates the information systems security Common Body of Knowledge (CBK) to reflect the state of today’s organizations and environments. The latest version of the CISSP exam was released on May 1, 2021. This updated exam addresses the latest cybersecurity challenges.
Some of the noticeable changes from the previous exam are in the software security domain. New CISSP exam takers must demonstrate a deeper knowledge of developing secure software than those who took previous editions of the exam. Software security has taken on a higher profile.
Let’s look at how the 2021 CISSP exam changes add focus on developing secure software.
Why the CISSP certification is important
The CISSP certification is not the only cybersecurity certification, but it is one of the most respected certifications in the industry. Although criticized as an overly broad certification, its focus is on demonstrating a working knowledge in eight defined domains that cover most cybersecurity concerns. The CISSP exam focuses more on cybersecurity leadership and a grasp of pertinent concepts and topics, as opposed to the deep knowledge of a specialized practitioner. The certification tends to be more sought after by those either in or pursuing management and leadership positions.
There are currently over 147,000 CISSPs worldwide, and the certification enjoys international recognition as a high-quality and difficult-to-attain certification. The CISSP was the first information security credential to meet the ISO/IEC 17024 standard requirements, which define criteria for certification-granting organizations. The CISSP is also approved by the Department of Defense to satisfy multiple DoDD 8570 Level III certification requirements. And in May 2020, the UK National Recognition Information Centre (UK NARIC) granted the CISSP a Level 7 ranking, which equates the certification with a master’s degree.
The popularity of the CISSP certification, along with its longevity and demonstrated rigor, make it an attractive credential for managers and executive leadership in information systems security roles. In short, there are many information systems security leaders who are CISSPs. Whatever (ISC)2 deems important in its CBK and exams will be considered important by its credential holders.
Changes to the 2021 CISSP exam related to application security
Domain 8 of the CISSP exam is Software Development Security, and it represents 11% of the questions test takers will encounter. The previous edition of the CISSP exam weighted Domain 8 at 10%. A single percentage-point increase in weight may not seem like very much, but some of the covered content has changed quite a bit. Previous coverage of Software Development Security was a bit generic and high-level, but the 2021 CISSP exam objectives are more granular, with some interesting additions.
To give an overview of the CISSP exam objectives, here are the eight domains:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communications and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Although there are changes throughout the exam, we will focus on those related most directly to application security development (Domain 8). The main additions for the 2021 exam are sprinkled among objective categories 8.1, “Understand and integrate security in the Software Development Life Cycle (SDLC),” 8.2, “Identify and apply security controls in software development ecosystems,” and 8.4, “Assess the security impact of acquired software.”
The changes cover a range of application security topics, and we will not cover all of them here. There are four main changes that are noteworthy to organizations that develop software:
- 8.1.1, development methodologies (e.g., agile, waterfall, DevOps and DevSecOps)
- 8.1.2, maturity models (e.g., the Capability Maturity Model [CMM] and Software Assurance Maturity Model [SAMM])
- 8.2.6, continuous integration and continuous delivery (CI/CD)
- 8.2.10, application security testing (e.g., static application security testing [SAST] and dynamic application security testing [DAST])
These four changes reflect how the software development industry has changed in recent years. The CISSP exam now shines a light on DevOps and DevSecOps, CMM and SAMM, CI/CD, and SAST and DAST. These topics already matter to most software development organizations, but it is significant to see them elevated to prominence in an internationally recognized certification.
Due to the inclusion of these (and other) changes in the CISSP 2021 exam, everyone who takes this new exam must prepare to answer challenging questions on any of these topics. Proper preparation means learning about each of the topics on the exam and acquiring a working knowledge of how each one impacts risk and strategic planning.
Why the CISSP 2021 exam changes matter
Adding more application development topics on an exam is interesting, but its impact goes much further than mere interest. The CISSP certification is the most popular certification for cybersecurity leaders to pursue. In fact, the CISSP certification is often seen as a must-have for anyone who wishes to show mastery of the information systems security discipline.
In this light, it is safe to say that any future information systems security leaders who sit for the CISSP exam after May 1, 2021, will automatically have a better overview of application development security than their predecessors. While awareness does not automatically translate to understanding, having decision makers who at least have exposure to development issues is a good thing.
One of the obstacles many software development managers currently encounter is having to educate leaders on the need to invest in developing secure software. Convincing executives to invest in SAST and DAST or building DevSecOps teams has often been a hard sell. Illuminating these techniques and practices on an exam many leaders will take could be a game changer.
It is too early to make sweeping predictions, but for any leaders who take the new exam to get their CISSP credential, it can be said that they have at least been exposed to the most important topics that matter to developing secure software. That advancement alone may prove to shift the needle for software development support.