CISSP Domain 8 Refresh: Software Development Security

August 7, 2018 by Patrick Mallory

In our cars, our watches, and even our refrigerators, software seems to be finding its way into everything. Along with its promise of increased productivity and data, however, are the risks that programming and other software development errors can introduce to our world. In 2017, The Atlantic magazine wrote of “The Coming Software Apocalypse” while TechRepublic,
estimates most modern software has one bug per 1000 lines of code. In this CISSP Domain 8 Refresh, we explore what this means for security professionals while also revisiting some of the certifications’ key concepts and terminology.

Software Development Overview

This section of Domain 8 dives deep into the world of software development. While it covers many key programming concepts, security professionals need to understand their role in providing a secure foundation for the design and delivery of software that meets customer needs. This includes terminology such as machine code run directly by the CPU, source code written for computer programs to run, and the compilers, interpreters, and bytecode that interpret, translate, and execute written code.

The section continues into an overview of the different kinds of software relative to how it is distributed. Open versus closed source software as well as freeware, shareware (which often requires payment after a trial period), and crippleware (where functions are disabled until payment is provided) are explored. The software development section ends with a review of software licensing, a key linkage back to Domain 1: Security and Risk Management, given the role security professionals play in maintaining compliance to terms of use.

Object-Oriented Design

Standing in stark contrast to the older, structured way of programming, Object-Oriented Design treats software as a collection of objects that communicate with each other and their environment. The concepts go further to include objects, methods, messages between objects, and a range of other qualities like inheritance, delegation, polymorphism, and polyinstantiation (or two instances of an object named the same, but with different data). Object-Oriented Design can also be used as a form of analysis and design including of security systems and rules. For example, segmenting a network can be broken into its component objects, the messages they share, and the functions they serve, resulting in the delivery of services to end users securely.

Application Development Methods

Domain 8 also covers the wide range of application development methodologies and the various ways teams work together to create, manage, test, and deliver software. The sequential, traditional Waterfall model is juxtaposed to the Agile development model, which allows for quick, flexible, and iterative software design. Further, Agile development can include Scrum teams of multidisciplinary professionals or Extreme Programming with pairs of programmers working closely with customers.

The Spiral model to software development is used to control risk by repeating steps of a project as the overall scope and goals expand with each “round” while Prototyping and Rapid Application Development (RAD) use quickly-developed mock-ups to demonstrate functionality and guide further development. Finally, regardless of the methodology used, security professionals need to be involved in each of the phases of the Software Development Life Cycle (SDLC), from development to secure disposal as well as the evaluation of code storage options, the security of Application Programming Interfaces (APIs), and software change management as refinements are introduced.

Database Concepts

No discussion of software development and security can be complete without understanding how the data that runs through it is structured and accessed so its integrity can be better maintained. While certainly not a full course on database design, Domain 8 reviews the types of databases (Relational, Hierarchical, and Object-Oriented), key database terminology, and how they can be queried, how read/write access is given, and many other functions. Yet, the focus for security professionals is on how unauthorized modifications to data can be mitigated through rules and controls as well as through database replication and shadowing data in the event of an error or failure.

Assessing Software Security

As was mentioned in the introduction, programming may always be inherently full of mistakes. Just how much so and what organizations want to do to mitigate them is a role of CISSP professionals. The first step comes in categorizing the types of software vulnerabilities, which also links back to Domain 3: Security Engineering. Ranging from buffer overflows to race conditions, security professionals need to be able to test and control for these vulnerabilities and help to institute changes in software requirements and design to mitigate against them.

If software is to be bought off the shelf, however, or will be custom-developed by a third party, security professionals can still play a key role. For example, with commercial off-the-shelf (COTS) software, testing the stated capabilities and controls claimed by the vendor as well as identifying its impact on existing systems needs to occur in a structured fashion. LIkewise, with custom software, security requirements can be baked into the contract, acceptance criteria, and on-going expectations for post-implementation support.


While Domain 8 is a wide-ranging and often meandering chapter for CISSP professionals, it mirrors the fluidity of the computing environment in which we are operating in today and will be for decades to come. Software design, our expectations for what it can do for us, and its integration into our lives as well as how data is stored and shared are introducing new security challenges that must be understood and faced head-on. Especially with the rise of the Internet of Things (IoT) and Artificial Intelligence (AI), it pays to sharpen the axe with CISSP Domain refreshes continually.

Posted: August 7, 2018


We've encountered a new and totally unexpected error.

Get instant boot camp pricing

Thank you!

A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.

Articles Author
Patrick Mallory
View Profile

Patrick’s background includes Strategy and Cyber Risk Services consulting experience with Deloitte Consulting with both States and large Federal transportation and security agencies. He also served 3 years as a Deputy CIO for the City of Raleigh, where he assisted with the implementation of security policies, tools, and employee education initiatives as well as PCI, CJIS, and HIPAA compliance. He currently supports the IT infrastructure for the U.S. State Department.

Patrick also holds CISSP, CISM, and Security+ certifications as well as a PMP. He holds an MS in Information Technology – Cybersecurity and MS Public Policy from Carnegie Mellon University, where he assisted with graduate level teaching in the information security program.