Domain 8 Capstone: Software Development Security

Executive Pattern Summary

Domain 8 is the final domain in the CISSP, and it connects directly to every domain that precedes it. Software is the mechanism through which organizations deliver value, process data, and execute business logic. Every security principle covered in Domains 1 through 7 is either implemented in software or undermined by it. Before working through these capstone questions, internalize how software security governance ties the entire CISSP body of knowledge together:

1. Governance starts at requirements. Domain 1 (Security and Risk Management) established that governance structures drive everything downstream. In Domain 8, this translates directly: if security requirements are missing from the SDLC, no amount of testing, tooling, or talent will compensate. Requirements are the governance entry point for software.
2. Assets include the pipeline. Domain 2 (Asset Security) taught that you cannot protect what you do not know about. The development ecosystem — repositories, build servers, container registries, secrets vaults — is a set of high-value assets that must be inventoried, classified, and protected with the same rigor as production systems.
3. Architecture extends to application design. Domain 3 (Security Architecture and Engineering) established secure design principles: defense in depth, least privilege, fail secure. These principles apply directly to software architecture. A threat model is an architecture artifact. Attack surface reduction is a design decision.
4. Identity governs access at the application layer. Domain 5 (Identity and Access Management) defined authentication, authorization, and session management. In Domain 8, these are implemented in code through secure session handling, parameterized authorization checks, and token-based authentication. A broken authorization model in code defeats even the best IAM infrastructure.
5. Testing is assessment applied to software. Domain 6 (Security Assessment and Testing) established the principle that you measure what matters. SAST, DAST, IAST, SCA, and penetration testing are the Domain 6 principles applied specifically to software. Outcome metrics (escape rate, remediation time) follow the same assessment philosophy.
6. Secure operations depend on secure deployment. Domain 7 (Security Operations) covers change management, vulnerability management, and incident response. CI/CD pipelines are the change management mechanism for software. Vulnerability management for applications requires SBOM visibility. Incident response for application breaches requires the logging and error handling built into the code itself.
7. Software risk is organizational risk. Every application vulnerability represents organizational risk. The software supply chain — COTS, open source, cloud services — is a risk management problem that extends Domain 1’s principles into the products and services the organization acquires. Vendor assessment, EOL governance, and shared responsibility models are all risk management applied to software dependencies.

Domain 8 – Capstone Questions

Question 1

A financial services company builds a new trading platform using Agile methodology. The security team was not involved until the product was ready for deployment. A pre-production penetration test reveals 47 vulnerabilities, including 12 classified as critical.

What is the root cause of this situation?

A. The penetration testing team was too aggressive in their assessment
B. Agile methodology is inherently incompatible with security
C. Security was excluded from the development process and only introduced at the end, missing opportunities to prevent vulnerabilities during requirements, design, and development
D. The development team lacked technical skills

Question 2

An organization’s CI/CD pipeline deploys to production automatically when all tests pass. A developer with commit access introduces a backdoor through a legitimate-looking code change that passes all automated tests.

What pipeline control is missing?

A. More automated test coverage
B. Mandatory peer code review with approval from a second developer before code is merged to the deployment branch
C. A dedicated security team member to review every commit
D. Longer test execution windows to detect anomalous behavior

Question 3

A DAST scan of a web application returns zero findings. The security team signs off on the deployment. Two weeks later, a customer reports that they can view other customers’ order histories by modifying order IDs in the URL.

What type of vulnerability did DAST miss, and why?

A. SQL injection — DAST was not configured with the correct payloads
B. Cross-site scripting — DAST cannot detect DOM-based XSS
C. Broken object-level authorization (IDOR) — DAST tested with a single user context and could not detect that authorization checks were missing for cross-user data access
D. Server-side request forgery — DAST does not test internal server connections

Question 4

An organization mandates that all development teams use a centralized secrets vault for credential management. During an incident investigation, the team discovers that three microservices store database credentials in environment variables that are logged to the application’s debug output.

What governance failure does this reveal?

A. The secrets vault has insufficient capacity for all microservices
B. The mandate exists as policy but lacks enforcement mechanisms — no automated checks verify that applications actually retrieve credentials from the vault rather than embedding them locally
C. Microservices architecture is incompatible with centralized secrets management
D. The debug logging feature should be removed from the application

Question 5

A healthcare organization uses a SaaS electronic health records (EHR) system. The SaaS provider suffers a breach that exposes patient records. The provider claims the breach was in their infrastructure and not the customer’s responsibility. Patients sue the healthcare organization.

What governance principle determines the organization’s liability?

A. The SaaS provider is solely liable because they managed the infrastructure
B. Liability depends on which party had the most recent SOC 2 audit
C. The healthcare organization retains accountability for patient data protection regardless of hosting location; due diligence in vendor selection, contractual protections, and regulatory compliance remain the organization’s obligations
D. Neither party is liable because the breach was caused by an external attacker

Question 6

A development team uses an open-source JSON parsing library. A critical remote code execution vulnerability is published for the library. The maintainer has been inactive for six months and has not responded to the disclosure.

What is the organization’s BEST immediate response?

A. Wait for the maintainer to release a patch
B. Fork the library, apply the fix internally, deploy the patched version, and begin evaluating alternative maintained libraries for long-term replacement
C. Remove all JSON parsing functionality from the application
D. Block all JSON input at the web application firewall

Question 7

A security architect proposes implementing RASP (Runtime Application Self-Protection) on a critical application that has several known but unfixed vulnerabilities. The development team argues that RASP makes fixing the vulnerabilities unnecessary.

What is the correct position?

A. The development team is correct — RASP provides equivalent protection to fixing the vulnerabilities
B. RASP is a compensating control that provides protection while vulnerabilities are being fixed, but it does not replace the need to remediate the underlying defects
C. RASP and vulnerability remediation are unrelated activities
D. Neither RASP nor remediation is needed if the application is behind a WAF

Question 8

An organization uses container images from a public registry for development and production workloads. A security scan reveals that 40% of the images contain known high-severity vulnerabilities in their base operating system layers.

What governance change should be implemented?

A. Block all access to public container registries and require all images to be built from organization-approved, hardened base images maintained in a private registry
B. Add vulnerability scanning to the deployment pipeline only
C. Accept the risk since public images are widely used across the industry
D. Update the vulnerable images once per year during the annual security review

Question 9

A Terraform configuration is committed to version control that creates an AWS S3 bucket with public read access and no encryption. The configuration passes CI/CD pipeline checks and is deployed to production.

What control was missing from the pipeline?

A. Manual review of all infrastructure changes by the operations team
B. Automated IaC security scanning that checks templates against security policies before deployment
C. Encryption of the Terraform state file
D. Additional unit tests for the Terraform modules

Question 10

An organization’s security metrics show that mean time to remediate vulnerabilities has increased from 15 days to 45 days over the past year, even though the number of security engineers has doubled.

What is the MOST likely explanation?

A. The additional engineers are not properly trained
B. The volume and complexity of vulnerabilities has outpaced staffing growth, or the remediation process has bottlenecks unrelated to staffing (prioritization, developer handoff, testing cycles, deployment windows)
C. The metrics calculation has changed
D. Vulnerability scanning tools are producing more false positives

Question 11

During a code review, a reviewer discovers that the application constructs SQL queries by concatenating user input directly into the query string. The developer argues that input validation on the web form prevents SQL injection.

Why is the developer’s argument insufficient?

A. Input validation is too slow for high-traffic applications
B. Client-side and server-side validation can be bypassed through encoding techniques, API manipulation, or other input paths; parameterized queries provide structural protection regardless of input content
C. SQL injection is no longer a relevant attack vector
D. Input validation only works for numeric fields

Question 12

An organization acquires a COTS ERP system. During integration, the team discovers that the ERP system requires a database service account with full administrative privileges to function.

What should the security team do?

A. Grant the administrative privileges as the vendor requires
B. Refuse to deploy the ERP system
C. Negotiate with the vendor to identify the minimum required privileges, implement compensating controls (enhanced monitoring, network segmentation) if broad privileges cannot be reduced, and document the risk
D. Create a separate database instance with no other data for the ERP system

Question 13

A DevOps team deploys 50 times per day. The compliance team requires change management documentation for every production change. The DevOps team says traditional change management is impossible at this deployment velocity.

How should this conflict be resolved?

A. Exempt DevOps deployments from change management requirements
B. Reduce deployment frequency to accommodate manual change documentation
C. Automate change management within the CI/CD pipeline: automated approval workflows, deployment logs, rollback capability, and audit trails satisfy the documentation requirements at deployment speed
D. Have the compliance team review changes in monthly batches

Question 14

An application security team implements SAST, DAST, and SCA across all applications. Six months later, a critical business logic vulnerability is discovered in the payment processing module during a manual penetration test. The automated tools did not flag it.

What does this reveal about the testing program?

A. The automated tools are misconfigured and need recalibration
B. Business logic vulnerabilities require human analysis that automated tools cannot replicate; the testing program needs manual penetration testing and code review for high-risk business functions alongside automated tooling
C. SAST, DAST, and SCA are not useful tools for application security
D. The testing program should replace automated tools with manual testing

Question 15

A vendor provides a critical integration library for the organization’s payment processing. The vendor refuses to provide an SBOM, share penetration test results, or agree to a right-to-audit clause. They offer a SOC 2 Type II report.

What is the BEST governance approach?

A. Accept the SOC 2 report as complete assurance and proceed
B. Terminate the vendor relationship immediately
C. Accept the SOC 2 report as partial assurance, conduct independent security testing of the library, implement monitoring around the integration, and formally document the residual risk of limited vendor transparency
D. Require the vendor to comply with all requests or lose the contract

Question 16

An organization’s container images are built from approved base images and scanned at build time. Three months after deployment, a critical vulnerability is discovered in the base image’s OpenSSL library. The security team does not know which running containers use the affected version.

What process gap exists?

A. The base images should have been built without OpenSSL
B. Container images should be rescanned periodically in the registry and runtime, and a container SBOM should map deployed containers to their component versions for rapid vulnerability identification
C. The vulnerability is the base image maintainer’s responsibility
D. Containers should be replaced with virtual machines for better vulnerability tracking

Question 17

A security team discovers that developers are using personal GitHub accounts to store proprietary source code because the corporate repository has restrictive branch policies that slow their workflow.

What is the root cause of this shadow development problem?

A. Developers are intentionally circumventing security controls
B. The corporate repository branch policies create friction that pushes developers toward unsanctioned alternatives; governance should balance security requirements with developer workflow usability
C. Personal GitHub accounts are acceptable for storing proprietary code
D. The organization should block access to GitHub entirely

Question 18

An organization wants to improve its software security program but does not know where to start. The CISO asks the security architect to create a three-year improvement roadmap with specific practices and maturity levels.

Which framework is MOST appropriate for this purpose?

A. BSIMM, because it provides industry benchmarking data
B. NIST CSF, because it covers all aspects of cybersecurity
C. OWASP SAMM, because it provides a prescriptive maturity model with defined practices, levels, and improvement activities specifically for software security programs
D. ISO 27001, because it provides a certifiable security management system

Question 19

A web application under development uses a framework that automatically encodes output to prevent XSS. A developer discovers that the automatic encoding breaks a feature that requires rendering user-submitted HTML content (a rich text editor). The developer disables output encoding for that feature.

What should the security team require?

A. Re-enable automatic encoding and remove the rich text feature
B. Accept the risk since only authenticated users can submit content
C. Implement HTML sanitization using an allowlist-based library that strips dangerous elements while preserving safe formatting, and add specific security testing for the rich text feature
D. Implement client-side JavaScript to filter dangerous HTML tags

Question 20

An organization completes its first BSIMM assessment and discovers that it performs significantly below peers in the “security testing” practice area. The assessment also reveals that the organization has no formal SDLC security integration, no SBOM program, and no secure coding standards.

Given limited budget, where should the organization invest FIRST?

A. Security testing tools (SAST, DAST, SCA) to close the benchmarking gap
B. SDLC security integration, because embedding security into the development process creates the foundation that makes all other practices effective
C. SBOM tooling, because supply chain risk is the highest-profile threat
D. Secure coding standards, because they directly reduce vulnerability introduction