CISSP: Domain 8 - Software Development Security - Module 1

This course is the first of three modules covering Domain 8 of the CISSP, Software Development Security.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Understand and apply security in the Software Development Life Cycle (SDLC)
  • Enforce security controls in the development environment

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but is not essential. All topics are thoroughly explained and presented so that the material can be absorbed by everyone, regardless of prior experience in the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to the Cloud Academy presentation of the CISSP Examination Preparation Review Seminar. Today we're going to get into the final domain, Domain Eight, Software Development Security. Although information security has traditionally emphasized system-level access controls, the security professional needs to ensure that the enterprise security architecture also covers applications, because many information security incidents now involve software vulnerabilities in one form or another.

Application vulnerabilities also provide an entry point for attacks on systems, sometimes at a very deep level. Web application vulnerabilities have frequently been used in this manner. Malware is much more than a mere nuisance now. It is a major security risk faced by every enterprise that connects to external networks and allows external data to be brought into its internal systems in some form. Development of in-house systems, commercial off-the-shelf software, and controls over the selection, maintenance and configuration of applications must be given greater attention than has been the case in the past.

Unfortunately, at the same time, too few security professionals have a significant programming or systems development background. In addition, training in programming and development tends to emphasize speed and productivity over quality, let alone security. From the perspective of many developers, security is an impediment, a roadblock. This perception is changing, but in the current development environment the security professional needs to take care not to be seen as a problem to be avoided.

When examined, most major incidents, breaches and outages will be found to involve software vulnerabilities. Software continues to grow larger and more complex with each release. In addition, software is becoming much more standardized, both in terms of the programs and code used and in terms of the protocols and interfaces involved. Although this provides benefits in training and productivity, it also means that a single flaw may affect computing and business environments quite broadly. Legacy code and design decisions taken decades ago are often still present in current systems, and they interact with new technologies and operations in ways that may open up additional vulnerabilities of which the security professional may or may not be aware. The security professional therefore needs to understand the important security concepts that apply during the software development, operation and maintenance processes. Software includes both operating system software and application software, as we well know.

The computing environment consists of multiple layers of this kind of technology. The foundation, of course, is the hardware of the computer system and the functions built into that hardware. In some cases, a layer of microcode or firmware is implemented to provide, or ease the use of, certain common operations. The operating system provides management of all the computer's hardware resources, as well as a number of software and data resources required for proper operation. In addition, the operating system manages a variety of utilities and functions that are necessary for overall system security and audit. The applications sit on top of the operating system and its associated utilities. The user interacts with data and network resources through these applications. In some cases there are additional layers, very often at the interface, either with the user or between systems. In addition, these systems may now be built on a distributed basis, with portions of the programming running on a variety of different machines.

When examining application security, one must consider that the applications users rely on to do their jobs interact with the operating system. Be aware, however, that the fundamental concepts of application development also apply to operating system development, even though most organizations purchase their operating systems. Thus, although most enterprises do not develop operating system code, they do design, develop, operate and maintain proprietary applications relevant to their business needs. Analysis and mitigation of software vulnerabilities uses similar concepts in both cases, although the significance of a vulnerability in the operating system is rather greater. Information security professionals must therefore thoughtfully apply these concepts to the specifics of their own company or situation.

Software must be considered both an asset to be assessed early in the risk management process and a tool with vulnerabilities that may require additional mitigation or specific controls and safeguards in the system. The security professional must therefore be conversant in the principles of software development and life cycles, so that he or she can apply the appropriate controls in contextually effective ways to ensure effective security and to improve overall product quality and performance. The security professional must be able to grasp the impact imperfect software can have on the enterprise if it is exploited by a threat or misused by an untrained employee, and must be able to translate such impacts into action plans directed at prevention and remediation. The security professional must, therefore, see himself or herself as a team member working alongside developers, QA personnel and operations staff to improve risk management, rapid response, integration and smoother operations, in order to create a more productive and more secure infrastructure.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center from 1998 to 2002. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 in a professional role as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has continued to work as a professional educator and has trained and certified nearly 8,500 CISSP candidates since 1998, and nearly 2,500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.