Domain 8: Software Development Security

Building Code That Holds

Domain 8 accounts for 11% of the CISSP exam. Software runs everything. Every business process, every security control, every data transaction flows through code someone wrote. Insecure software creates vulnerabilities that no amount of network security or access control can fix.

Most organizations bolt security onto finished software. They scan for vulnerabilities, patch what they find, deploy web application firewalls. That approach catches known problems. It misses design flaws requiring architectural changes. Secure software development builds security in from the start.

[Figure: Secure SDLC, security integrated at every phase]
Requirements: security requirements, threat model
Design: secure architecture, design review
Develop: secure coding, code review
Test: SAST/DAST, penetration testing
Deploy: hardening, configuration management

Relative cost to fix a security flaw by phase: requirements 1x, design 5x, code 10x, test 20x, production 100x.

Secure Development Methodologies

Microsoft’s Security Development Lifecycle (SDL) integrates security requirements, threat modeling, secure coding standards, and security testing throughout development. The OWASP SAMM helps organizations assess and improve secure development practices.

DevSecOps integrates security into DevOps practices. Automated security testing runs with every commit. Infrastructure as code enables security review of deployment configurations. Container security scanning checks images before deployment.

Common Software Vulnerabilities

The OWASP Top Ten identifies critical web application security risks. Understanding these matters because they appear repeatedly across applications.

  • Injection occurs when untrusted input gets interpreted as commands. SQL injection inserts malicious SQL into queries. The fix: parameterized queries, input validation, never concatenating user input into commands.
  • Broken authentication allows attackers to compromise passwords, keys, or sessions. Weak passwords, credential stuffing, improper session timeout all fall here. Fix with MFA, secure session management, proper credential storage.
  • Cross-site scripting (XSS) injects malicious scripts into pages viewed by others. Stored XSS persists in databases. Reflected XSS bounces off server responses. Fix with output encoding and content security policies.
  • Insecure deserialization allows manipulation of serialized objects, potentially achieving remote code execution. Avoid deserializing untrusted data entirely when possible.

[Figure: SQL injection, how it works]
Normal request: username john → SELECT * FROM users WHERE name='john'
Malicious request: username ' OR '1'='1 → SELECT * FROM users WHERE name='' OR '1'='1'
Result: returns ALL users; the attacker bypasses authentication because the condition '1'='1' is always true.
Prevention, parameterized query: PreparedStatement with SELECT * FROM users WHERE name = ? treats the input as data, not code, so the injection attempt fails safely.
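The contrast in the figure, as an added example that is not part of the original article: a deliberately vulnerable lookup that concatenates the username into the SQL text next to the parameterized version, run against a constructed in-memory SQLite table (the table, names and payload are all made up for this demonstration).

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, not from the original article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("john", "user"), ("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately insecure: the input is spliced into the query string,
    so quote characters in it are interpreted as SQL syntax."""
    query = "SELECT name FROM users WHERE name='" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Hardened form: the placeholder is bound by the driver, so the whole
    input is compared as a single string value, never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # the figure's example input
    print("normal:       ", lookup_vulnerable(conn, "john"))
    print("vulnerable:   ", lookup_vulnerable(conn, payload))      # every row comes back
    print("parameterized:", lookup_parameterized(conn, payload))   # no row matches
```

The same input produces three rows from the concatenated query and none from the parameterized one; nothing about the payload changed, only whether the database saw it as data or as code.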

Secure Coding Practices

Input validation checks all data entering the system. Whitelist validation is safer than blacklist—define what’s allowed rather than blocking what’s dangerous. Validate server-side; client-side validation provides no security.

Output encoding prevents injection by ensuring data renders as data, not code. Context matters: the encoding for an HTML body differs from the encoding for a JavaScript string, which differs again from SQL escaping, so use the encoder for the context the data actually lands in.

Error handling affects security. Verbose errors help attackers. Log detailed errors server-side; show generic messages to users. Never expose stack traces in production.
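The three practices above in one place, as an added example that is not from the original article: an allowlist check for a username, a free-text display name encoded separately for an HTML context and for a JavaScript string context, and a request handler that logs the full exception server-side while returning only a generic message. The field names, length limits and the `render_profile` function are assumptions made for the example.

```python
import html
import json
import logging
import re

log = logging.getLogger("app")

# Allowlist: state exactly what a username may look like instead of
# enumerating characters to block.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Return the username if it fully matches the allowlist, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username does not match the allowed pattern")
    return value


def validate_display_name(value):
    """Free text cannot be strictly allowlisted; bound its length and
    rely on context-specific output encoding for safety."""
    if not isinstance(value, str) or not (1 <= len(value) <= 64):
        raise ValueError("display name length out of range")
    return value


def encode_for_html(value):
    """HTML text/attribute context: <, >, &, and quotes become entities."""
    return html.escape(value, quote=True)


def encode_for_js(value):
    """JavaScript string-literal context: json.dumps quotes the value and
    escapes backslashes, quotes and control characters; '</' is escaped
    as well so the value can never close an enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_profile(raw_username, raw_display_name):
    """Validate, then encode each value for the context it is emitted into.
    Any failure is logged in detail on the server and reported generically."""
    try:
        user = validate_username(raw_username)
        name = validate_display_name(raw_display_name)
        return {
            "html": "<p>" + encode_for_html(user) + ": " + encode_for_html(name) + "</p>",
            "js": "var displayName = " + encode_for_js(name) + ";",
            "error": None,
        }
    except Exception:
        # Full detail, including the stack trace, goes to the server log only.
        log.exception("profile render failed for username %r", raw_username)
        return {"html": None, "js": None, "error": "Unable to process request."}


if __name__ == "__main__":
    print(render_profile("john_42", 'Bob "<b>O\'Neil</b>"'))
    print(render_profile("john; DROP TABLE users", "x"))
```

The HTML encoder and the JavaScript encoder produce different output for the same display name; using either one in the other context leaves an injection path open, which is the point of "context matters".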

Security Testing in Development

SAST (Static Application Security Testing) analyzes source code without executing it. It finds vulnerabilities early but generates false positives that require review. DAST (Dynamic Application Security Testing) tests the running application and finds runtime issues that SAST misses.

Software Composition Analysis (SCA) identifies vulnerabilities in third-party libraries. Modern applications depend heavily on open-source components. A vulnerable library affects every application using it.

[Figure: API security]
An API gateway in front of the REST endpoints (GET /users, POST /users, PUT /users/id, DELETE /users/id) handles authentication and rate limiting. Requirements: OAuth 2.0, input validation, TLS, audit logging.

Software Supply Chain

Software Bill of Materials (SBOM) documents all components in an application. When vulnerabilities are disclosed, SBOM enables rapid identification of affected systems. The CISA SBOM guidance promotes standardized formats.
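How SCA (Software Composition Analysis, above) and an SBOM fit together, as an added example that is not from the original article or any real tool: a minimal CycloneDX-style SBOM is parsed and each component is matched against an advisory list whose affected range is [introduced, fixed). The SBOM contents, component names, advisory IDs and version ranges are all constructed placeholders.

```python
import json

# Constructed minimal CycloneDX-style SBOM; real documents carry many more fields
# (purl, hashes, licenses, dependency graph).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "1.9.0"},
    {"type": "library", "name": "example-crypto-lib",  "version": "0.8.4"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-http-client",
     "introduced": "1.0.0", "fixed": "1.8.2"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-crypto-lib",
     "introduced": "0.9.0", "fixed": "0.9.3"},
]


def parse_version(text):
    """Dotted numeric versions only (e.g. 2.3.1); compared as integer tuples."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Return (name, version) pairs from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_advisories(sbom_text, advisories):
    """Cross-reference every SBOM component against the advisory list."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["component"] == name and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Only the JSON parser falls inside an affected range; the HTTP client is already past its fix and the crypto library predates the introduction of the flaw. A production SCA tool matches on package URLs rather than bare names and uses an ecosystem-aware version comparator (pre-release tags, epochs), which this integer-tuple comparison deliberately does not attempt.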

Vendor security assessment evaluates third-party practices before acquisition. SOC 2 reports, pen test results, certifications provide assurance. Contract language should require security practices and breach notification.

Connecting to Other Domains

Domain 3 provides the secure design principles that Domain 8 implements in code. Domain 6 testing verifies that development security practices work. The access controls of Domain 5 are implemented within applications.

The practice questions include vulnerability identification, secure coding decisions, and methodology selection.

Software vulnerabilities cause most security incidents. Networks can be secured. Users can be trained. But vulnerable code creates holes attackers will find. Domain 8 teaches how to build software that resists attack by design.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
