CISSP Exam Preparation | 15 min read | Domain 8: Software Development Security

Domain 8 of the CISSP exam, Software Development Security, accounts for approximately 10% of the exam questions (around 15–20 questions out of 150–175 total). This domain tests your understanding of secure software development practices, from requirements gathering to deployment and maintenance.

Whether you're a security architect, developer, or risk manager, mastering this domain is crucial for passing the CISSP exam and implementing secure coding practices in real-world scenarios.

Why Domain 8 Matters

Software vulnerabilities remain one of the leading causes of security breaches. Understanding secure development lifecycles, code review practices, and security testing methodologies isn't just about passing an exam; it's about protecting organizations from costly breaches and data compromises.

10 Essential CISSP Domain 8 Practice Questions

Let's dive into ten carefully crafted questions that cover the breadth of Domain 8. Each question includes detailed explanations and exam tips to solidify your understanding.

Question 1: Secure Development Lifecycle

Which phase of the Software Development Lifecycle (SDLC) is the MOST cost-effective time to address security requirements?

A. Implementation phase
B. Testing phase
C. Requirements gathering phase
D. Deployment phase

✓ Correct Answer: C. Requirements gathering phase

Why this matters: Security requirements should be identified during the requirements gathering phase because fixing security issues becomes exponentially more expensive as development progresses. According to industry research, fixing a defect in production can cost 100x more than addressing it during requirements.

Real-world impact: Organizations that integrate security early (shift-left approach) reduce vulnerability remediation costs by 50–60% and decrease time-to-market by avoiding costly late-stage redesigns.

Why other options are wrong:

  • Implementation: Code is already being written based on requirements
  • Testing: Architecture is locked in, only surface-level fixes possible
  • Deployment: Most expensive time to make changes

💡 Exam Tip #1

The CISSP exam loves questions about "when" to do security activities.

Remember: earlier is almost always better and more cost-effective. When you see questions about SDLC phases, default to the earliest phase that makes logical sense.

Question 2: Database Security

An application stores credit card numbers in a database. Which approach provides the STRONGEST protection while maintaining the ability to process transactions?

A. Hashing the credit card numbers
B. Encrypting the credit card numbers with strong encryption
C. Using tokenization
D. Masking the credit card numbers

✓ Correct Answer: C. Using tokenization

Why tokenization wins: Tokenization replaces sensitive data with non-sensitive tokens, removing credit card data from your environment entirely. The actual card numbers are stored securely at a PCI-compliant token vault provider. This dramatically reduces PCI DSS compliance scope.

Key distinction:

  • Hashing: One-way function, you can't retrieve original data (can't process transactions)
  • Encryption: Good, but keys must be managed and data remains in your environment
  • Tokenization: Removes sensitive data from your systems entirely
  • Masking: Display-only protection, original data still exists in storage
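The four options side by side, as an added example (not code from the original article): a toy token vault standing in for the PCI-compliant provider, plus the masking and hashing alternatives, so the difference in what each one can and cannot recover is concrete. The vault, the test card number and the token format are constructed for illustration.

```python
import hashlib
import secrets

class TokenVault:
    """Toy token vault (constructed for illustration). It is the only place the
    real card number (PAN) is stored; in practice it lives with a PCI-compliant
    provider, outside the application's own environment."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Return the existing token so repeat transactions on one card match.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # 12 random digits plus the real last four: the token keeps the
            # 16-digit shape downstream systems expect, but it has no
            # mathematical relationship to the PAN (unlike a hash).
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map back; the application never handles the PAN.
        return self._token_to_pan[token]

def mask(pan: str) -> str:
    # Display-only: the full PAN still exists unchanged in storage.
    return "*" * (len(pan) - 4) + pan[-4:]

def hash_pan(pan: str) -> str:
    # One-way: usable for matching a card seen before, useless for charging it.
    return hashlib.sha256(pan.encode()).hexdigest()

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card
```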

Question 3: Code Review

During a security code review, which type of analysis would BEST identify SQL injection vulnerabilities?

A. Dynamic application security testing (DAST)
B. Static application security testing (SAST)
C. Runtime application self-protection (RASP)
D. Software composition analysis (SCA)

✓ Correct Answer: B. Static application security testing (SAST)

Understanding the tools:

SAST (White Box): Analyzes source code without executing it. Perfect for finding coding flaws like SQL injection, buffer overflows, and XSS during development. Can identify the exact line of vulnerable code.

Why SAST is best for this scenario: SQL injection vulnerabilities are code-level flaws in how queries are constructed. SAST can identify unsafe concatenation and lack of parameterized queries by analyzing the code structure.

Other options explained:

  • DAST: Tests running applications (black box). Can find SQL injection but doesn't show exact code location
  • RASP: Runtime protection, detects/blocks attacks in production, not for code review
  • SCA: Identifies vulnerabilities in third-party libraries/dependencies
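Both halves of the scenario in one added example (not code from the original article): a query built by string concatenation beside its parameterized form, and a toy SAST rule that flags execute() calls whose SQL is assembled at runtime, which is exactly the code-level pattern the question says static analysis catches. The sample table, the scanner and the snippets it is run over are constructed; the rule is a teaching sketch, not a real tool.

```python
import ast
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name: str) -> list:
    # Unsafe: untrusted input becomes part of the SQL text itself.
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'")]

def find_user_safe(conn, name: str) -> list:
    # Parameterized: the value travels separately from the SQL text, so a
    # quote in the input is data, never syntax.
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def sast_scan(source: str) -> list:
    """Toy SAST rule (constructed, not a real tool): flag execute() calls whose
    SQL argument is built at runtime by concatenation, an f-string or
    str.format rather than being a constant; returns flagged line numbers.
    Real engines also track data flow through variables; this one does not."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        sql = node.args[0]
        if isinstance(sql, (ast.BinOp, ast.JoinedStr)) or (
                isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                and sql.func.attr == "format"):
            hits.append(node.lineno)
    return hits

# Constructed one-line snippets the rule is run over.
SNIPPETS = {
    "concat": "cur.execute(\"SELECT * FROM t WHERE n = '\" + name + \"'\")",
    "fstring": "cur.execute(f\"SELECT * FROM t WHERE n = '{name}'\")",
    "format": "cur.execute(\"SELECT * FROM t WHERE n = {}\".format(name))",
    "param": "cur.execute(\"SELECT * FROM t WHERE n = ?\", (name,))",
}

def scan_snippets() -> dict:
    return {k: bool(sast_scan(v)) for k, v in SNIPPETS.items()}
```

The classic `x' OR '1'='1` input returns every row from the concatenated query and nothing from the parameterized one, while the scanner flags the three dynamic snippets and passes the parameterized one.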

💡 Exam Tip #2

Remember the mnemonic SAST = Source, DAST = Deployed:

  • SAST = Source code analysis (white box, early in SDLC)
  • DAST = Deployed application testing (black box, later in SDLC)

Questions about "code review" or "during development" typically point to SAST.

Question 4: API Security

A company is developing a REST API that will be consumed by third-party applications. What is the MOST secure method for authentication?

A. API keys transmitted in HTTP headers
B. OAuth 2.0 with JWT tokens
C. Basic authentication over HTTPS
D. Session cookies with CSRF tokens

✓ Correct Answer: B. OAuth 2.0 with JWT tokens

Why OAuth 2.0 with JWT is superior:

OAuth 2.0 is the industry standard for API authorization, providing:

  • Delegated access: Third parties don't need user credentials
  • Granular scopes: Fine-grained permission control
  • Token expiration: JWTs include expiry times (exp claim)
  • Stateless authentication: Tokens contain all needed information
  • Revocation capability: Tokens can be revoked centrally

JWT advantages: Self-contained (includes claims), digitally signed (tamper-proof), and standard format (RFC 7519).

Why others fall short:

  • API keys: Static, no expiration, hard to rotate, no standardized format
  • Basic auth: Credentials sent with every request, no token expiration
  • Session cookies: Designed for browser-based apps, not API-to-API communication

Question 5: Secure Coding Practices

Which secure coding practice MOST effectively prevents buffer overflow vulnerabilities?

A. Input validation
B. Output encoding
C. Bounds checking
D. Error handling

✓ Correct Answer: C. Bounds checking

Understanding buffer overflows: These occur when data exceeds allocated memory space, potentially overwriting adjacent memory and allowing code execution.

Why bounds checking is the answer: It explicitly verifies that data does not exceed buffer boundaries before writing. This is the direct, purpose-built defense against buffer overflows.

Implementation examples:

  • Using safe functions: strncpy() instead of strcpy()
  • Checking array indices before access
  • Validating string lengths before operations
  • Using languages with automatic bounds checking (Java, C#, Python)

Other options context:

  • Input validation: Important but general; doesn't specifically check buffer boundaries
  • Output encoding: Prevents XSS, not buffer overflows
  • Error handling: Manages errors but doesn't prevent overflows

Question 6: Change Management

Before deploying a security patch to production, what should be done FIRST?

A. Apply the patch to production during a maintenance window
B. Test the patch in a non-production environment
C. Notify all stakeholders about the upcoming patch
D. Back up the production system

✓ Correct Answer: B. Test the patch in a non-production environment

Change management principle: Never deploy changes directly to production without testing, even for critical security patches.

Why testing comes first:

  • Patches can introduce new bugs or compatibility issues
  • May conflict with custom configurations
  • Could cause system instability or downtime
  • Might break dependent applications

Proper sequence:

  1. Test in development/staging environment
  2. Back up production system
  3. Notify stakeholders
  4. Apply to production during maintenance window
  5. Verify and monitor

Exception: Zero-day vulnerabilities under active exploitation might warrant emergency patching, but testing in a parallel production instance is still recommended if time permits.

💡 Exam Tip #3

CISSP questions often test your ability to prioritize. When you see "FIRST" or "MOST important," think about:

  • Prevention before detection: Stop problems before they occur
  • Testing before deployment: Validate changes in safe environments
  • Planning before action: Understand before implementing

The exam favors methodical, risk-averse approaches over quick fixes.

Question 7: Secure Software Acquisition

When acquiring third-party software, which action provides the GREATEST assurance of security?

A. Requiring the vendor to provide a penetration test report
B. Reviewing the vendor's security certifications (ISO 27001, SOC 2)
C. Including security requirements in the SLA
D. Conducting an independent security assessment of the software

✓ Correct Answer: D. Conducting an independent security assessment of the software

Why independent assessment wins: You control the scope and methodology, and you receive firsthand evidence of the software's security posture. An independent assessment eliminates reliance on vendor-provided information.

What an independent assessment includes:

  • Code review (if source is available)
  • Vulnerability scanning and penetration testing
  • Architecture review
  • Authentication and authorization testing
  • Data protection verification

Why other options are insufficient:

  • Vendor pen test: You don't control scope; may be outdated or limited
  • Certifications: Validate processes, not specific software security
  • SLA requirements: Contractual obligations, but no verification of actual security

Defense in depth: Best practice combines multiple approaches — independent assessment PLUS certifications PLUS strong SLAs.

Question 8: Database Integrity

Which database security control BEST ensures data integrity?

A. Database encryption
B. Database access controls
C. Database integrity constraints
D. Database audit logging

✓ Correct Answer: C. Database integrity constraints

Integrity constraints defined: Rules enforced by the database to ensure data accuracy and consistency. They prevent invalid data from being entered or modified.

Types of integrity constraints:

  • Entity integrity: Primary keys must be unique and not null
  • Referential integrity: Foreign keys must reference valid primary keys
  • Domain integrity: Column values must meet defined criteria (data type, range, format)
  • User-defined integrity: Business rules enforced at database level
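The four constraint types in a working schema, as an added example (not from the original article): a constructed customers/orders schema in SQLite where each constraint is labelled with the integrity type it enforces, and a helper that reports which family rejected a bad row. Column names, values and the "shipped orders need a ship date" business rule are constructed; note that SQLite enforces foreign keys only after PRAGMA foreign_keys is switched on.

```python
import sqlite3

# Constructed schema; each constraint is labelled with the integrity type
# from the list above that it enforces.
SCHEMA = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,                               -- entity
    email TEXT NOT NULL UNIQUE                               -- entity
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,                        -- entity
    customer_id  INTEGER NOT NULL REFERENCES customers(id),  -- referential
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0),  -- domain
    status       TEXT NOT NULL
                 CHECK (status IN ('new', 'paid', 'shipped')),  -- domain
    shipped_at   TEXT,
    -- user-defined business rule: a shipped order must carry a ship date
    CHECK (status <> 'shipped' OR shipped_at IS NOT NULL)
);
"""

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only on request
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'a@example.com')")
    return conn

def try_insert(conn, sql: str, params=()) -> str:
    """Run an INSERT; return 'ok' or the constraint family that rejected it,
    so the caller sees which integrity rule fired. Bad data never lands."""
    try:
        conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as e:
        msg = str(e)
        if "FOREIGN KEY" in msg:
            return "referential"
        if "CHECK" in msg:
            return "check"     # domain or user-defined rule
        return "entity"        # PRIMARY KEY / UNIQUE / NOT NULL

ORDER_SQL = ("INSERT INTO orders (customer_id, amount_cents, status, shipped_at)"
             " VALUES (?, ?, ?, ?)")
```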

CIA Triad mapping:

  • Confidentiality: Encryption, access controls
  • Integrity: Constraints, checksums, digital signatures
  • Availability: Redundancy, backups, failover

The question specifically asks about integrity, making constraints the most direct answer.

💡 Exam Tip #4

Know your CIA Triad mappings cold! Many questions test whether you can identify which control addresses which aspect:

  • Confidentiality: Encryption, access controls, data masking
  • Integrity: Hashing, digital signatures, constraints, version control
  • Availability: Redundancy, backups, load balancing, DDoS protection

When you see these keywords in questions, immediately think about which CIA component is being addressed.

Question 9: Web Application Security

A web application is vulnerable to Cross-Site Request Forgery (CSRF). What is the BEST countermeasure?

A. Implement parameterized queries
B. Use anti-CSRF tokens
C. Enable HTTP Strict Transport Security (HSTS)
D. Implement Content Security Policy (CSP)

✓ Correct Answer: B. Use anti-CSRF tokens

Understanding CSRF attacks: Attacker tricks authenticated users into executing unwanted actions on a web application where they're currently authenticated. The attack leverages the browser's automatic inclusion of session cookies.

How anti-CSRF tokens work:

  • Server generates unique, unpredictable token per session/request
  • Token embedded in forms and included with state-changing requests
  • Server validates token before processing request
  • Attacker cannot forge requests without valid token

Common CSRF patterns:

  • Synchronizer Token Pattern (most common)
  • Double Submit Cookie
  • SameSite Cookie Attribute (modern addition)

Why other options don't prevent CSRF:

  • Parameterized queries: Prevents SQL injection, not CSRF
  • HSTS: Forces HTTPS, doesn't prevent cross-site requests
  • CSP: Mitigates XSS, not CSRF
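The Synchronizer Token Pattern from the list above, as an added example (not from the original article or any framework): a per-session token issued once, embedded in the form, and checked in constant time on every state-changing request, with a toy handler showing why a forged cross-site POST that carries the session cookie but not the token is refused. Session ids, field names and the endpoint are constructed.

```python
import hmac
import secrets

class CsrfProtector:
    """Synchronizer Token Pattern (constructed example, not from any framework):
    one unpredictable token per session, embedded in forms as a hidden field
    and required on every state-changing request. The browser attaches the
    session cookie automatically, but a cross-site page cannot read or supply
    the token, so forged requests fail the check."""

    def __init__(self):
        self._tokens = {}  # session_id -> token, kept server-side

    def token_for(self, session_id: str) -> str:
        # Issue once per session; 32 random bytes is far beyond guessable.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def is_valid(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison so response timing does not leak the token.
        return hmac.compare_digest(expected, submitted)

    def handle_transfer(self, request: dict) -> str:
        """Toy handler for a state-changing endpoint. 'cookie' is what the
        browser sends automatically; 'form' is what the submitting page chose
        to send. Only the token proves the request came from our own page."""
        session_id = request.get("cookie", {}).get("session")
        if session_id is None:
            return "401 not authenticated"
        if request.get("method") != "POST":
            return "405 state changes must use POST"
        token = request.get("form", {}).get("csrf_token")
        if not self.is_valid(session_id, token):
            return "403 CSRF token missing or invalid"
        return "200 transfer accepted"
```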

Question 10: Software Maintenance

An organization discovers a critical vulnerability in production software. What is the MOST important factor in prioritizing the remediation?

A. The cost of implementing the fix
B. The risk to the organization
C. The complexity of the vulnerability
D. The availability of a patch from the vendor

✓ Correct Answer: B. The risk to the organization

Risk-based approach: CISSP is fundamentally about risk management. Prioritization decisions should always be based on risk to the organization, not technical factors alone.

Risk calculation considers:

  • Likelihood: Is the vulnerability being actively exploited? Is it remotely exploitable?
  • Impact: What data/systems are affected? What's the business impact?
  • Threat landscape: Are attacks targeting this vulnerability increasing?
  • Compensating controls: What mitigations are already in place?

Example scenario: A critical remote code execution vulnerability in a public-facing system handling sensitive data poses HIGH RISK, regardless of fix complexity or cost. A low-severity vulnerability in an isolated internal system poses LOWER RISK despite being easy to fix.

Business impact trumps technical factors: This question tests whether you think like a security professional (risk-focused) versus a technician (technically-focused).

💡 Exam Tip #5

When in doubt, choose the RISK-based answer. CISSP is a risk management certification. Questions that include "MOST important" or "BEST" often have risk-based answers:

  • "Risk to the organization"
  • "Business impact"
  • "Likelihood and impact"
  • "Asset value"

Technical answers (cost, complexity, availability) are usually distractors.

Key Takeaways for Domain 8 Success

🎯 Core Concepts to Master

1. Secure SDLC Models: Understand Waterfall, Agile, DevSecOps, and where security fits in each model.

2. Security Testing Types: Know the difference between SAST, DAST, IAST, RASP, and SCA — including when to use each.

3. Common Vulnerabilities: Deeply understand OWASP Top 10 vulnerabilities and their countermeasures.

4. Database Security: Master encryption, tokenization, masking, and integrity constraints.

5. Secure Coding: Know input validation, output encoding, parameterized queries, bounds checking, and error handling.

6. Change and Configuration Management: Understand proper processes for patches, updates, and configuration control.

Domain 8 Exam Strategy

Timing Management: You have approximately 90–120 seconds per question on the CISSP exam. For Domain 8 questions, quickly identify the security principle being tested (shift-left, defense in depth, least privilege, CIA triad) before evaluating answer choices.

Common Distractors: Watch for technically correct answers that aren't the BEST answer. The exam often includes answers that work but aren't optimal. Look for keywords like "MOST," "BEST," "FIRST," and "PRIMARY" to guide your selection.

Real-World Application: CISSP tests managerial and strategic thinking, not just technical knowledge. If an answer focuses purely on implementation details rather than risk, governance, or business alignment, it's likely a distractor.

Study Resources and Next Steps

To further strengthen your Domain 8 knowledge:

  • Official (ISC)² CISSP Study Guide — Chapters on Software Development Security
  • OWASP Foundation Resources — Free, comprehensive secure coding guidance
  • NIST SP 800-64 — Security Considerations in the System Development Life Cycle
  • SANS Secure Coding Resources — Language-specific secure coding practices
  • Practice Exams — Take full-length practice tests to build endurance and identify weak areas

Final Thoughts

Domain 8 represents the foundation of building security into everything we create. Whether you're preparing for the CISSP exam or enhancing your secure development practices, the principles covered here protect organizations from the most common and costly security failures.

Remember: Security is not a feature you add — it's a mindset you embed. From requirements gathering to retirement, security considerations must be woven throughout the entire software lifecycle.

Master these ten questions and the concepts behind them, and you'll be well-prepared to tackle Domain 8 on exam day. Good luck on your CISSP journey!

🚀 Ready to Practice More?

These ten questions represent a starting point. To fully prepare for Domain 8, practice 50–100 questions covering all aspects of software development security. Focus on understanding the "why" behind each answer — the exam tests your judgment as much as your knowledge.

💬 Have questions about CISSP Domain 8? Understanding these concepts is crucial for exam success. Practice explaining these concepts to others — teaching is one of the best ways to solidify your knowledge.