Geek-Guy.com

Domain 8: Software Development Security

Exam Weight: 10%

Domain 8 focuses on integrating security into the Software Development Life Cycle (SDLC). As a security researcher and analyst, this domain likely resonates with your work in threat actor analysis and data security. The key takeaway for the exam is that security should be a “baked-in” requirement from the start, not a “bolt-on” feature at the end.


1. The Software Development Life Cycle (SDLC)

Security must be integrated into every phase. The exam focuses on the “Shift Left” philosophy—identifying bugs when they are cheapest to fix.

  1. Requirements Analysis: Define security requirements (e.g., compliance, privacy).
  2. Design: Perform Threat Modeling and secure architecture review.
  3. Development (Coding): Use secure coding standards and perform Static Analysis (SAST).
  4. Testing: Perform Dynamic Analysis (DAST), Unit Testing, and Fuzzing.
  5. Deployment: Secure configuration and final security sign-off.
  6. Maintenance/Operations: Patching and vulnerability management.
  7. Disposal: Securely decommissioning software and data.

2. Software Development Methodologies

  • Waterfall: Linear and rigid. Security is often an afterthought in the final stages (High risk).
  • Agile: Iterative and fast. Security must be integrated into every “sprint.”
  • DevOps / DevSecOps: Focuses on automation and rapid deployment. DevSecOps integrates security into the CI/CD pipeline (Continuous Integration/Continuous Deployment).
  • Spiral: A risk-driven model that repeats phases until the project is complete.

3. Database Security and Concepts

Since you track Data Security (DSPM), these concepts are vital:

  • ACID Properties:
    • Atomicity: All parts of a transaction succeed, or none do.
    • Consistency: All transactions leave the database in a valid state.
    • Isolation: Transactions do not affect each other.
    • Durability: Once committed, a transaction survives system failures.
  • Security Issues:
    • Aggregation: Combining non-sensitive data to reveal sensitive info.
    • Inference: Using human logic to deduce sensitive info from authorized results.
  • SQL Injection: Inserting SQL syntax into input fields so that the database executes it as part of a query.
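As an added illustration of the SQL injection point above (example code written for this page, not from the original), the vulnerable string-concatenation pattern sits beside its parameterized fix, using Python's sqlite3 module and a constructed in-memory users table:

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL syntax itself."""
    query = ("SELECT username, role FROM users WHERE username = '"
             + username + "' ORDER BY username")
    return list(conn.execute(query))


def lookup_role_parameterized(conn, username):
    """Placeholder binding: the driver passes the value separately from the
    statement, so it is only ever compared as data and cannot change the
    query's structure."""
    query = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return list(conn.execute(query, (username,)))


def vulnerable_breaks_on(conn, username):
    """True if the concatenated query does not even parse for this input."""
    try:
        lookup_role_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # the classic textbook injection string
    print(lookup_role_vulnerable(conn, "alice"))       # [('alice', 'admin')]
    print(lookup_role_vulnerable(conn, tautology))     # all 3 rows: WHERE became always-true
    print(lookup_role_parameterized(conn, tautology))  # []: no user is literally named that
    print(vulnerable_breaks_on(conn, "o'brien"))       # True: a plain apostrophe is a syntax error
    print(lookup_role_parameterized(conn, "o'brien"))  # [("o'brien", 'user')]
```

The apostrophe case shows that parameterization is a correctness fix as well as a security one: legitimate input containing quote characters works only in the bound version.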

4. Software Vulnerabilities & Attacks

  • Buffer Overflow: Writing data past the end of a pre-allocated buffer.
  • Cross-Site Scripting (XSS): Injecting malicious scripts into trusted websites (targets the user).
  • Cross-Site Request Forgery (CSRF): Forcing a logged-in user to perform unwanted actions (targets the application).
  • Time of Check/Time of Use (TOC/TOU): A “Race Condition” where an attacker changes a file after the system has verified it but before it has used it.

5. Maturity Models & Acquisition

How do we measure how “good” a company is at software security?

  • SAMM (Software Assurance Maturity Model): An open-source framework by OWASP.
  • BSIMM (Building Security In Maturity Model): A descriptive model based on what companies are actually doing.
  • Capability Maturity Model Integration (CMMI):
    • Level 1: Initial (Chaotic).
    • Level 2: Repeatable.
    • Level 3: Defined (Documented).
    • Level 4: Managed (Quantitatively measured).
    • Level 5: Optimizing (Continuous improvement).