Domain 8 – Section A Review: Secure Development
This section integrates:
- SDLC Security Integration (waterfall, Agile, DevSecOps, CI/CD security gates)
- Development Ecosystem Controls (version control, build systems, SBOM, containers, IaC)
- Software Security Testing (SAST, DAST, IAST, SCA, fuzz testing, penetration testing)
- Acquired Software Governance (COTS, open source, cloud services, vendor assessment, EOL)
- Secure Coding Standards (input validation, output encoding, parameterized queries, error handling)
Domain 8 questions require you to connect development governance to security outcomes. A secure coding standard without enforcement is just a document. A testing tool without coverage is just a dashboard. A vendor assessment without follow-up is just a checkbox.
1. Security Belongs in Every Phase
When a vulnerability reaches production, trace it backward. The fix is not more testing at the end — it is earlier integration of security activities. Requirements define what security looks like. Design determines whether it is achievable. Development implements it. Testing verifies it. Each phase has a role, and skipping any phase shifts the cost downstream.
2. Secure the Ecosystem, Not Just the Application
The development pipeline — version control, build servers, registries, secrets vaults — is either a security control or an attack vector. A compromised pipeline produces compromised software regardless of how well the application code is written. Govern the tools that build software with the same rigor you govern the software itself.
3. Testing Coverage Determines Testing Value
No single testing method detects all vulnerability types. SAST, DAST, SCA, IAST, and penetration testing each cover different dimensions. Measure outcomes (escape rate, time to remediate) not activity (scans performed). A green dashboard is only meaningful if the tools were configured to look in the right places.
4. Acquired Software Is Still Your Responsibility
Whether the software is COTS, open source, SaaS, or managed service, your organization retains accountability for the data it processes. Assess before adoption, monitor during operation, and plan for end of life.
Section A Decision Pattern
When facing a Domain 8 Section A question:
- Identify what phase of the SDLC the scenario describes — where did the failure originate?
- Determine whether the issue is in the application code, the development ecosystem, or acquired software
- Match the testing method to the vulnerability type — SAST for code patterns, DAST for runtime behavior, SCA for components
- Check for governance gaps — missing standards, unenforced policies, or unmeasured outcomes
- Prefer answers that integrate security into existing processes over answers that create separate security stages
Section A – Practice Questions
Question 1
A development team using an Agile methodology has no security activities in its sprint process. The security team proposes adding a separate two-week security review between every third sprint. The product owner objects that this will slow delivery by 40%.
What is the BEST approach to resolve this conflict?
A. Override the product owner’s objection because security takes priority
B. Integrate security stories into the backlog, add automated security testing to the CI pipeline, and include security acceptance criteria in the definition of done
C. Conduct security reviews only for features that the security team classifies as high risk
D. Accept the risk of no security review to maintain delivery speed
Answer & reasoning
Correct: B
Security integrated into the Agile process does not slow delivery — it becomes part of the sprint cadence. Security stories in the backlog, automated testing in CI, and security acceptance criteria make security a natural part of development rather than a separate bottleneck phase.
Question 2
An organization’s build server uses persistent storage and shared credentials. A security assessment finds cached API tokens from previous builds and direct network access from the build server to production databases.
What is the MOST critical remediation?
A. Add more disk space to the build server to prevent storage issues
B. Implement ephemeral build environments, individual credentials, and restrict network access from the build system to production
C. Encrypt the cached tokens on the build server
D. Schedule regular cleanup of the build server storage
Answer & reasoning
Correct: B
The build server has three compounding risks: persistent state (cached credentials), shared credentials (no individual accountability), and production network access (direct escalation path). Ephemeral environments eliminate cached state, individual credentials restore accountability, and network restrictions remove the direct path to production.
Question 3
A security team runs SAST scans on every build. The scan results show zero critical findings. An external penetration test then discovers a critical authorization bypass where any authenticated user can access any other user’s records by changing the record ID in the URL.
Why did SAST miss this vulnerability?
A. The SAST tool was not properly configured
B. SAST analyzes code patterns but cannot detect business logic and authorization flaws that depend on runtime context and application state
C. The penetration tester used techniques that SAST cannot replicate
D. SAST only scans for injection vulnerabilities
Answer & reasoning
Correct: B
Broken object-level authorization (BOLA/IDOR) is a business logic flaw that depends on how the application processes requests at runtime. SAST examines code structure but cannot understand the application’s authorization model in the context of actual user sessions. This type of vulnerability requires DAST, IAST, or manual penetration testing to detect.
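The authorization bypass in this question is easier to see in code than in prose. The following is an added example (not from the original page): a constructed in-memory record store with two users, one handler that only checks for a logged-in session and one that also checks object ownership, and a runtime probe that finds the flaw the way a DAST or manual test would. The record data, user ids and function names are all made up for illustration.

```python
"""Broken object-level authorization (BOLA/IDOR): vulnerable lookup beside the fixed one.

Added example, not part of the original page. RECORDS, the user ids and the handler
functions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed data set: two users, each owning exactly one record.
RECORDS: Dict[int, Record] = {
    1: Record(record_id=1, owner_id=100, body="payroll data for user 100"),
    2: Record(record_id=2, owner_id=200, body="payroll data for user 200"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_record_vulnerable(session_user_id: Optional[int], record_id: int) -> Record:
    """Checks only that *someone* is logged in, then trusts the id taken from the URL.

    Any authenticated user can read any record by changing record_id. There is no
    dangerous code pattern here for SAST to flag; the bug is in what is *not* checked.
    """
    if session_user_id is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_fixed(session_user_id: Optional[int], record_id: int) -> Record:
    """Object-level check: the record must belong to the session user."""
    if session_user_id is None:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    # Same error for "does not exist" and "not yours", so the response does not
    # confirm which record ids exist.
    if record is None or record.owner_id != session_user_id:
        raise Forbidden("record not found")
    return record


Handler = Callable[[Optional[int], int], Record]


def probe(handler: Handler, session_user_id: Optional[int], record_id: int) -> str:
    """Return 'allowed' if the handler serves the record, 'denied' if it refuses."""
    try:
        handler(session_user_id, record_id)
        return "allowed"
    except Forbidden:
        return "denied"


def cross_user_access_leaks(handler: Handler) -> bool:
    """Runtime (DAST-style) check: log in as each user and request every other user's record."""
    users = {r.owner_id for r in RECORDS.values()}
    for rec in RECORDS.values():
        for uid in users - {rec.owner_id}:
            if probe(handler, uid, rec.record_id) == "allowed":
                return True
    return False


if __name__ == "__main__":
    # user 100 requesting user 200's record
    print("vulnerable:", probe(get_record_vulnerable, 100, 2))  # allowed
    print("fixed:     ", probe(get_record_fixed, 100, 2))       # denied
    print("leaks?", cross_user_access_leaks(get_record_vulnerable), cross_user_access_leaks(get_record_fixed))
```

The `cross_user_access_leaks` check is the kind of test that catches this class of flaw: it needs real sessions and real object ids, which is exactly the runtime context a static scan does not have.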
Question 4
A critical open-source library used by 30 applications in the organization has a newly disclosed remote code execution vulnerability. The maintainer has not released a patch. The security team needs to determine which applications are affected.
What control enables the fastest identification of affected applications?
A. Run DAST scans against all 30 applications
B. Query the organization’s Software Bill of Materials (SBOM) database to identify every application using the affected library version
C. Ask each development team to manually check their dependencies
D. Wait for the maintainer to release a patch before assessing impact
Answer & reasoning
Correct: B
An SBOM database provides an immediate, queryable inventory of all components across all applications. The query identifies affected systems in minutes. Manual checks across 30 teams take days. DAST would not specifically detect the use of a library. Waiting for a patch delays response while the vulnerability is actively exploitable.
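To show what "query the SBOM database" looks like in practice, here is an added example that is not part of the original page. It holds a constructed inventory of minimal CycloneDX-shaped SBOM documents (one per application) and answers the question in the scenario: which applications carry the affected library when no patched release exists yet, and which still need attention once a fixed version ships. The library name `example-parser`, the application names and every version number are made up.

```python
"""Querying an SBOM inventory for every application that ships an affected library.

Added example, not part of the original page. The SBOM documents are constructed,
minimal CycloneDX-shaped JSON; 'example-parser', the application names and all
version numbers are invented for illustration.
"""
import json
from typing import Dict, List, Optional, Tuple


def _bom(components: List[Dict[str, str]]) -> str:
    """Serialise a minimal CycloneDX-style document the way an inventory store would hold it."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components})


# Constructed inventory: one SBOM per application.
SBOM_DB: Dict[str, str] = {
    "payroll-web": _bom([{"type": "library", "name": "example-parser", "version": "2.3.1"},
                         {"type": "library", "name": "other-lib", "version": "0.9.0"}]),
    "hr-portal": _bom([{"type": "library", "name": "example-parser", "version": "2.4.0"}]),
    "intranet-search": _bom([{"type": "library", "name": "example-parser", "version": "2.5.2"}]),
    "billing-api": _bom([{"type": "library", "name": "other-lib", "version": "1.1.0"}]),
    "legacy-reports": _bom([{"type": "library", "name": "example-parser", "version": "2.4.0-rc1"}]),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; anything else raises ValueError and is flagged for review."""
    return tuple(int(part) for part in v.split("."))


def find_affected(sbom_db: Dict[str, str], component: str,
                  first_affected: str, fixed_in: Optional[str] = None) -> Dict[str, str]:
    """Map application -> version for every SBOM that lists `component` in the affected range.

    The range is first_affected <= version < fixed_in. fixed_in=None means no patched
    release exists yet (the scenario above), so every version from first_affected on is hit.
    Unparseable versions are reported rather than silently skipped.
    """
    low = parse_version(first_affected)
    high = parse_version(fixed_in) if fixed_in else None
    hits: Dict[str, str] = {}
    for app, doc in sbom_db.items():
        for comp in json.loads(doc).get("components", []):
            if comp.get("name") != component:
                continue
            ver = comp.get("version", "")
            try:
                pv = parse_version(ver)
            except ValueError:
                hits[app] = f"{ver} (unparseable version, review manually)"
                continue
            if pv >= low and (high is None or pv < high):
                hits[app] = ver
    return hits


if __name__ == "__main__":
    # No patch yet: everything from 2.4.0 upward is affected.
    print(find_affected(SBOM_DB, "example-parser", first_affected="2.4.0"))
    # Once the maintainer ships 2.5.0, the same query narrows to what still needs upgrading.
    print(find_affected(SBOM_DB, "example-parser", first_affected="2.4.0", fixed_in="2.5.0"))
```

The query runs in milliseconds over any number of applications; the manual alternative is a message to 30 teams. Note the unparseable pre-release version is surfaced for human review rather than dropped, since a silent miss is the failure mode that matters most here.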
Question 5
An organization migrates its HR system to a SaaS provider. Six months later, a breach at the SaaS provider exposes employee records including social security numbers. The SaaS provider argues the breach was in their infrastructure, which is their responsibility under the shared responsibility model.
Is the SaaS provider’s argument valid regarding the organization’s obligations to employees?
A. Yes — the SaaS provider is solely responsible for infrastructure security
B. No — the organization retains accountability for protecting employee data regardless of where it is hosted, and should have assessed the provider’s controls and established contractual protections
C. Partially — responsibility is equally shared in all SaaS arrangements
D. Yes — once data is in the cloud, the provider assumes all data protection responsibility
Answer & reasoning
Correct: B
Accountability for data protection does not transfer with hosting. The organization chose the provider, decided what data to store there, and is responsible to its employees for protecting their personal information. Due diligence (vendor assessment, contractual requirements, encryption controls) should have been performed before migration.
Question 6
A web application displays stack trace information when a database query fails. The stack trace reveals the database type, table names, and the ORM framework version being used.
What TWO secure coding principles are violated?
A. Input validation and session management
B. Rate limiting and encryption
C. Fail-secure error handling and information leakage prevention
D. Output encoding and parameterized queries
Answer & reasoning
Correct: C
The application fails in an insecure manner by exposing internal details to users. Proper error handling shows generic messages to users while logging technical details internally. The stack trace provides attackers with database type (targeting specific exploits), table names (crafting injection attacks), and framework version (identifying known vulnerabilities). Both fail-secure and information leakage prevention are violated.
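The following added example (not from the original page) shows the two error-handling patterns side by side: a handler that copies the exception text into the HTTP response, and a fail-secure handler that returns a generic message with a correlation id while the full detail, traceback included, goes to an internal log. The ORM call, its error text, the in-memory log sink and the list of "internal markers" are all constructed for illustration.

```python
"""Fail-secure error handling: a generic message to the client, details to the internal log.

Added example, not part of the original page. The ORM call, its error text, the log sink
and the internal-marker list are constructed for illustration.
"""
import logging
import uuid
from typing import Dict, List

# Constructed in-memory log sink so the example runs offline; a real service would
# ship these records to its logging pipeline.
LOG: List[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG.append(self.format(record))  # the default formatter appends the traceback


logger = logging.getLogger("example.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False


def failing_query(user_id: int) -> None:
    """Stand-in for an ORM call whose exception text carries internal details."""
    raise RuntimeError(
        'ExampleORM 4.2.1: relation "employee_salary" does not exist (PostgreSQL 15)'
    )


def handle_vulnerable(user_id: int) -> Dict[str, str]:
    """The pattern from the question: the raw exception goes straight into the response body."""
    try:
        failing_query(user_id)
    except Exception as exc:
        return {"status": "500", "body": f"Internal error: {exc}"}
    return {"status": "200", "body": "ok"}


def handle_fail_secure(user_id: int) -> Dict[str, str]:
    """Generic client message with a correlation id; full detail only in the internal log."""
    try:
        failing_query(user_id)
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        # logger.exception records the traceback, which is where the db type,
        # table name and ORM version belong: in the log, not in the response.
        logger.exception("request failed incident_id=%s user_id=%s", incident_id, user_id)
        return {"status": "500",
                "body": f"An internal error occurred. Reference: {incident_id}"}
    return {"status": "200", "body": "ok"}


# Strings that must never appear in a client-facing body (constructed for this example).
INTERNAL_MARKERS = ("PostgreSQL", "employee_salary", "ExampleORM", "Traceback")


def leaks_internals(response: Dict[str, str]) -> bool:
    """Negative check a unit test or DAST rule can run: does the body reveal internal details?"""
    return any(marker in response["body"] for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    print(handle_vulnerable(7)["body"])    # leaks db type, table name, ORM version
    print(handle_fail_secure(7)["body"])   # generic message plus reference id
    print(LOG[-1].splitlines()[0])         # the detail lives in the internal log
```

The correlation id is what makes the generic message operationally acceptable: support can find the full record by reference without the user ever seeing it.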
Question 7
A security manager tracks the number of SAST scans run per quarter as the primary metric for the software security program. The metric has tripled over the past year, but vulnerability escape rates to production have not changed.
What should the security manager change?
A. Increase the number of scans further until the escape rate decreases
B. Replace SAST with DAST for better detection
C. Shift from activity-based metrics (scans run) to outcome-based metrics (escape rate, mean time to remediate, vulnerability density) and investigate why increased scanning is not reducing production vulnerabilities
D. Reduce the number of scans since they are not producing results
Answer & reasoning
Correct: C
Activity metrics measure effort; outcome metrics measure effectiveness. More scans without improved results suggest the scans are poorly targeted, findings are not being acted upon, or the vulnerability types reaching production are not detected by SAST. The fix is outcome measurement combined with investigation of the disconnect between activity and results.
Question 8
A developer commits an AWS secret access key to a public repository. The commit is noticed and reverted within 15 minutes. The development manager considers the incident closed.
What critical step is the manager missing?
A. Filing a formal incident report with the security team
B. Rotating the exposed credential immediately, because git history preserves deleted commits and automated bots scan for exposed secrets within seconds
C. Changing the developer’s repository permissions
D. Updating the team’s coding standards documentation
Answer & reasoning
Correct: B
Reverting a commit does not eliminate the secret from git history, forks, clones, or cached copies. Automated credential scanning bots monitor public repositories and can exploit exposed secrets within seconds of the commit. The exposed key must be rotated immediately. Incident reporting and process improvement are also needed but are secondary to the immediate action of rotating the compromised credential.
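Rotation is the required response once a key has been pushed; the preventive control is to stop the commit from happening. As an added example that is not part of the original page, the block below implements a minimal pre-commit secret scanner: it reads a unified diff (constructed here; a hook would read `git diff --cached`), scans only added lines, matches an AWS access key id pattern and a 40-character secret next to a secret-key variable name, and reports redacted findings. The key values in the sample diff are the placeholder credentials published in AWS documentation, not live secrets; the rule names and the `commit_allowed` helper are made up for this example.

```python
"""Pre-commit secret detection over a staged diff.

Added example, not part of the original page. The diff text is constructed; the key
values are the placeholder credentials from AWS documentation, not real secrets.
"""
import re
from typing import List, Pattern, Tuple

# Constructed unified-diff fragment, as a pre-commit hook would read from `git diff --cached`.
STAGED_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.invalid"]
-OLD_SETTING = 1
"""

# Rule name -> pattern. The secret-key rule requires a nearby "aws ... secret" context
# so that arbitrary 40-character strings (hashes, tokens) do not trip it.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws.{0,20}secret.{0,20}['\"]([A-Za-z0-9/+=]{40})['\"]")),
]


def redact(value: str) -> str:
    """Keep enough of the value to recognise it in a report without reproducing it."""
    return value[:4] + "..." + value[-4:]


def scan_diff(diff_text: str) -> List[Tuple[int, str, str]]:
    """Return (diff_line_no, rule, redacted_match) for secrets found on added lines only.

    Removed lines and the '+++' file header are skipped: a deleted secret still needs
    rotation, but that is a separate (history-scanning) control.
    """
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                matched = m.group(m.lastindex or 0)
                findings.append((n, rule, redact(matched)))
    return findings


def commit_allowed(diff_text: str) -> bool:
    """Hook decision: block the commit if any secret pattern matches an added line."""
    return not scan_diff(diff_text)


if __name__ == "__main__":
    for line_no, rule, shown in scan_diff(STAGED_DIFF):
        print(f"line {line_no}: {rule}: {shown}")
    print("commit allowed:", commit_allowed(STAGED_DIFF))
```

A hook like this only prevents new leaks. For a key that has already reached a public remote, the order of operations in the answer stands: rotate first, then clean history, then improve process.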
Question 9
An organization wants to benchmark its software security program against peers in the healthcare industry. The security architect recommends using OWASP SAMM because it is well-known and freely available.
Is this the best choice for benchmarking against peers?
A. Yes — SAMM is the industry standard for software security assessment
B. No — BSIMM would be more appropriate because it provides data-driven benchmarking based on observed practices across organizations, while SAMM is prescriptive rather than comparative
C. Yes — SAMM includes industry-specific benchmarking data
D. No — ISO 27001 should be used for healthcare industry benchmarking
Answer & reasoning
Correct: B
BSIMM is a descriptive model that collects data from participating organizations and provides comparative benchmarking. SAMM is prescriptive — it tells you what to do, not how you compare to others. For peer benchmarking, BSIMM provides the comparative data the organization needs. SAMM would be the right choice for building an improvement roadmap after the benchmarking is complete.
Question 10
A COTS vendor announces end-of-support for a database management system used in production by the organization. The vendor will stop releasing security patches in 12 months. Migrating to the replacement product requires 18 months of development and testing.
What is the BEST governance approach?
A. Begin migration immediately and accept degraded functionality during the transition
B. Continue using the product after EOL with no changes since it has worked well historically
C. Start migration planning now, implement compensating controls (network isolation, enhanced monitoring, virtual patching) for the gap period, and obtain formal risk acceptance from management for operating EOL software
D. Switch to a completely different vendor to avoid the EOL situation
Answer & reasoning
Correct: C
The 6-month gap between EOL and migration completion requires governance: start migration now to minimize the gap, implement compensating controls for the period the software operates without vendor patches, and obtain formal risk acceptance so management is accountable for the decision to operate EOL software. Rushing migration risks disruption; ignoring EOL accumulates unpatched vulnerabilities.