CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
Imagine the implications of releasing software or an application riddled with vulnerabilities, with security thought of only after the fact. The 8th and final domain of the CISSP certification covers software development security, an essential consideration in an organization’s overall security approach for cybersecurity. This article will provide an overview of the domain and explain what’s new in the latest 2021 update.
Below are the subdomains and objectives covered by domain 8 of the CISSP certification exam. This domain accounts for 11% of the average weight of material covered in the exam.
Earn your CISSP, guaranteed!
Understand and integrate security in the Software Development Life Cycle (SDLC)
- Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps)
- Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
- Operation and maintenance
- Change management
- Integrated Product Team (IPT)
Identify and apply security controls in software development ecosystems
- Programming languages
- Libraries
- Tool sets
- Integrated Development Environment (IDE)
- Runtime
- Continuous Integration and Continuous Delivery (CI/CD)
- Security Orchestration, Automation, and Response (SOAR)
- Software Configuration Management (SCM)
- Code repositories
- Application security testing (e.g., Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST)
Assess the effectiveness of software security
- Auditing and logging of changes
- Risk analysis and mitigation
Assess security impact of acquired software
- Commercial-off-the-shelf (COTS)
- Open source
- Third-party
- Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)
Define and apply secure coding guidelines and standards
- Security weaknesses and vulnerabilities at the source-code level
- Security of Application Programming Interfaces (APIs)
- Secure coding practices
- Software-defined security
Below is additional information regarding software development security that will assist you as you get ready for the CISSP certification exam. Further information, such as a full listing of the domains and CISSP linear examination weights, can be found in the CISSP exam outline.
Development methodologies
Software lifecycle development does not have a final goal/destination planned (typically speaking). Instead, it is a continuous effort that uses steps at different phases of a development project. Over the years, different development methodologies have arisen, and they each have their different uses. The methodologies you will be expected to explain on the exam are Build and fix, Waterfall, V-shaped, Prototyping, Incremental, Spiral, Rapid application development, and Agile.
Capability Maturity Model Integration
Capability Maturity Model Integration, or CMMI, is a process level improvement program. In this program, organizations establish process areas and are assigned maturity levels. Below are the maturity levels you will need to know for the exam:
- Initial — at this level, the development process is inconsistent, unpredictable, inefficient and ad hoc.
- Repeatable — a formal structure providing quality assurance, change control and testing
- Defined — provides processes and procedures which are designed and followed throughout the project
- Managed — provides processes and procedures to collect development cycle data to assist in making improvements
- Optimizing — A model of continuous development cycle improvement
Application security testing
The security testing of applications in the software development cycle is key to minimizing security risks and vulnerabilities. You will be responsible for understanding two types of application security testing on the exam – Static application security testing (SAST) and Dynamic application security testing (DAST).
SAST uses automation to scan static code as an alternative to manual code review. It can find vulnerabilities in code at an incredibly fast rate. Due to limitations such as not finding vulnerabilities outside of the code, organizations may opt to combine SAST with multiple tools or other methods.
DAST is used to find vulnerabilities in code that is already running. This means that the application has to be already developed making DAST only available much later in the development process.
Assess security impact of acquired software
New for the 2021 CISSP exam update are four examples of acquired software security considerations. Commercial-off-the-shelf is software that you download and install. Since you don’t have access to the code base and libraries, you will have to rely on vendor patches and dynamic testing to test its security.
Open source has everything available to the public, which makes the security testing similar to in-house with the limitation that you can’t fix things at the pace you can with in-house development.
Third-party software is not owned, installed, or managed by you, but it can have its own vulnerabilities. To address security concerns, organizations could require the use of computing devices such as VDIs to limit exposure to security risks.
Managed services (e.g., software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS) is managed software that you also don’t own, install, or maintain, but you may be able to configure. Vendors often publish security audit information so the public can keep an eye on any security issues that may arise and may allow for their clients to engage in penetration testing and security reviews.
Earn your CISSP, guaranteed!
Software-defined security
New for the 2021 CISSP exam update, software-defined security is being increasingly used by organizations. Software-defined security means that the software (and automation) is controlled by the software itself. It can manage security considerations such as the firewall rules that dictate which ports web servers use for provisioning.
Conclusion
The 8th and final domain of the CISSP certification covers software development security. This area is essential to consider in your organization’s overall security approach because of the wide range of impacts it can have.
For more on the CISSP certification, view our CISSP hub.
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- Due care vs. due diligence and the CISSP
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
