Domain 8 CISSP Exam: Software Development Security

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 8: Software Development Security

1 / 88

What is the difference between auditing and logging?

A. Auditing is the recording of events, while logging is an official or systematic inspection of something

B. Auditing focuses on the implementation and effectiveness of software security controls, while logging is merely the recording of events

C. Auditing and logging are two words for the same concept

D. Auditing and logging are not important for software security

2 / 88

What is the ultimate goal of DevSecOps?

A. To create a perfect security solution that is delivered years from now.

B. To ensure security is an add-on to the SDLC.

C. To favor iteration over perfection and ensure security is built into the process an organization uses to develop and operate its information systems.

D. To migrate NIST documentation from SDLC security to security engineering processes.

3 / 88

Which of the following is NOT a security function that cryptography can provide when applied to APIs?

A. Confidentiality

B. Integrity

C. Availability

D. Access control

4 / 88

What is the most immediate security drawback of COTS software?

A. The cost of COTS software is high

B. Organizations using COTS software cannot directly make changes to the source code

C. COTS software does not have a robust feature set

D. COTS software is not readily available for sale to the public

5 / 88

What is one-way certificate-based authentication?

A. Both parties exchange certificates and validate them.

B. Only one party provides a certificate asserting an identity.

C. A simple authentication scheme that is part of the HTTP protocol and sends a username:password string encoded in base64.

D. Another organizations identity and access management tools are used to control access.

6 / 88

Which of the following is a tool designed to review the underlying code of a program without actually running the program itself, and identify problems like improper coding that could lead to buffer overflow conditions?

A. Code repositories

B. Debuggers

C. Compilers

D. Static code analysis tools

7 / 88

What should be considered when performing a risk assessment for software development environments?

A. Only the systems handling the most sensitive or highly regulated data

B. Only new technologies

C. System changes and code risks

D. All of the above

8 / 88

What is one of the advantages of automated testing over manual testing in a CI/CD pipeline?

A. Automated testing can be done less frequently than manual testing

B. Automated testing can test a smaller portion of the application than manual testing

C. Automated testing can be integrated into the IDE and communicate testing results directly to developers

D. Automated testing can only be used for unit testing

9 / 88

Which of the following is an important practice for measuring software security effectiveness?

A. Ignoring changes to software environments.

B. Only logging and auditing changes to production environments.

C. Conducting risk analysis and mitigation for software security.

D. Treating software development tools and source code as unimportant assets.

10 / 88

Which of the following is best described as a community-developed list of software and hardware weakness types that is integrated with security products such as scanning tools as a common way of identifying and reporting on potential weaknesses in information systems?

A. CWE

B. CVE

C. SDLC

D. DNS

11 / 88

Which SDLC phase includes activities such as change management?

A. Initiation

B. Development

C. Deployment and delivery

D. Operations and maintenance

12 / 88

Which of the following is a challenge when securing software in a complex computing environment?

A. Limited number of software providers

B. Single entity responsible for all software development

C. Code delivered dynamically via web browser

D. Use of open-source software only

13 / 88

What is the purpose of maturity models in software development and security?

A. To guarantee success in any particular endeavor

B. To determine the level of competency and effectiveness of an organizations practices

C. To reduce costs associated with management, operational, or security overhead

D. To address all possible risks a software development project might face

14 / 88

Which of the following is a common component of maturity models in the software development security domain?

A. Targets

B. Compliance standards

C. Hardware specifications

D. Networking protocols

15 / 88

What is the purpose of Continuous Integration (CI) in software development?

A. To exclusively merge the developers code to a shared location without reducing integration costs and time.

B. To reduce integration costs and time by continuously merging developers code to a shared main location.

C. To minimize the number of code reviews by integrating code less frequently.

D. To streamline deployment by deploying code automatically to a production environment with no manual intervention needed.

16 / 88

What is the importance of using validated libraries in an organization?

A. It reduces the time required to write code from scratch.

B. It ensures the compatibility and reuse of elements.

C. It increases the dependability of software.

D. It reduces the need to address compliance requirements.

17 / 88

What is a key principle of Agile development that supports the security goal of availability and also helps meet changing confidentiality and integrity needs?

A. Following rigid development models like Waterfall

B. Avoiding all-at-once releases in favor of smaller, more frequent releases

C. Focusing strictly on following processes over meeting needs

D. Avoiding involvement of the security team in the development process

18 / 88

What are some proactive risk mitigations available in the software development domain?

A. Ignoring security concerns during software development

B. Not implementing secure coding standards and guidelines

C. Implementing maturity models and DevSecOps

D. Failing to address security while developing information systems

19 / 88

What factors guide an organizations choice of development methodology?

A. Only the time available

B. Tolerance for errors or bugs in the software

C. Complexity of the project

D. All of the above

20 / 88

What are common components found in maturity models?

A. Practices, levels, metrics, and checkpoints.

B. Domains, levels, criteria, and targets.

C. Goals, practices, audits, and measurements.

D. Standards, targets, metrics, and levels.

21 / 88

What is the primary difference between a weakness and a vulnerability in software?

A. Weaknesses are exploitable and vulnerabilities are not

B. Vulnerabilities are exploitable and weaknesses may or may not be

C. Weaknesses and vulnerabilities refer to the same thing

D. Weaknesses only impact non-security aspects of a system

22 / 88

What is the advantage of using SOAR over legacy methods for incident response?

A. SOAR allows for more holistic analysis

B. SOAR enables faster automated response

C. Legacy methods are more reliable

D. Legacy methods are more cost effective

23 / 88

Which NIST Special Publication replaced the one that originally described security in the SDLC?

A. SP 800-64

B. ISO/IEC/IEEE 15288

C. SP 800-160

D. None of the above

24 / 88

What is a trusted computing base (TCB)?

A. It is a hardware component that runs the application code

B. It is a software component that enforces security policies within the system

C. It is a collection of all hardware, software, and firmware responsible for enforcing security

D. It is a device driver that mediates access to the hardware

25 / 88

What is the Attack Surface factor that provides an explanation of the factors needed to exploit a weakness in software development security based on the Common Weakness Scoring System (CWSS)?

A. Business Impact (BI)

B. Authentication Strength (AS)

C. Technical Impact (TI)

D. Likelihood of Discovery (DI)

26 / 88

What is the purpose of a REST API?

A. To create a custom communication scheme for each application.

B. To expose functions using URLs similar to web applications.

C. To exchange messages between system components.

D. To execute functions across nodes in distributed systems.

27 / 88

What is a disadvantage of the Waterfall methodology?

A. It is too flexible and cannot handle complex requirements

B. It allows for new requirements to be incorporated during the design phase

C. It enforces strict control processes that hinder project progress

D. It is inflexible and cannot handle changing requirements

28 / 88

What is the Secure by design principle?

A. A collection of best practices for delivering more secure software

B. Practices that require the inclusion of security at the outset of a system: in the design phase

C. A set of practices and principles that can be used to drive enterprise change to a culture of security

D. Shifting security “to the left” in the software development lifecycle

29 / 88

Which software development methodology is designed to be executed in a repetitive series and places a heavy focus on risk assessment, analysis, and evaluation?

A. The Cleanroom methodology

B. The Prototype model

C. The Waterfall methodology

D. The Spiral methodology

30 / 88

Which of the following is NOT a domain within the Cybersecurity Maturity Model Certification (CMMC)?

A. Risk Management

B. Access Control

C. Software Development Security

D. Situational Awareness

31 / 88

Which language may require access to privileged functions on user machines such as local file access, which is a major security concern since the code comes from an untrusted party across the internet?

A. HTML

B. CSS

C. JavaScript

D. Python

32 / 88

What is the difference between strong and weakly typed programming languages?

A. Strongly typed languages allow for dynamic type checking when an application is run, while loosely typed languages require all variable type declarations to be checked at compile time.

B. Strongly typed languages require all variable type declarations to be checked at compile time, while loosely typed languages allow for dynamic type checking when an application is run.

C. Strongly typed languages always perform dynamic type checking to ensure data matches the expected type, while loosely typed languages rely solely on static type checking at compile time.

D. Strongly typed languages and loosely typed languages have no differences.

33 / 88

Which of the following is a factor for organizations to consume information systems as managed services?

A. Reduction in power consumption

B. Availability of physical hardware

C. Direct and indirect financial incentives

D. Compliance with regulatory standards

34 / 88

What is the purpose of input sanitization?

A. To validate the syntax and semantic value of data

B. To render supplied data harmless and safeguard against injection attacks

C. To enforce correct values of data through design decisions

D. To reject data that does not match API layer expectations

35 / 88

What is a significant challenge in assessing and controlling acquired software compared to custom-built software?

A. Acquired software is typically more expensive than custom-built software.

B. Acquired software is often developed by a third-party service provider.

C. Acquired software is more likely to contain vulnerabilities than custom-built software.

D. Acquired software is less complex than custom-built software.

36 / 88

What is a key activity to be audited during the design phase of the SDLC?

A. Review of testing activities

B. Verification of oversight functions

C. Formal risk assessment and decision processes

D. Documentation reviews to verify testing activities were conducted

37 / 88

Which programming paradigm treats both data and functions as objects, known as classes, which can be linked together through defined interactions?

A. Declarative programming

B. Imperative programming

C. Procedural programming

D. Object-oriented programming

38 / 88

What is the primary benefit of implementing access controls in a code repository to protect confidentiality of source code?

A. To allow any authorized user to make changes to the code

B. To restrict access to the code only to authorized users

C. To prevent changes to the code without authorization

D. To allow developers to work on a particular software element

39 / 88

What is the main difference between compiled and interpreted languages?

A. Compiled languages are faster than interpreted languages

B. Compiled programs can run on any system type, whereas interpreted programs are specific to a particular system type

C. Interpreted languages expose their source code to end users, whereas compiled languages do not

D. Interpreted languages are translated into machine-readable format before being run, while compiled languages are translated into machine-readable format when they are run.

40 / 88

What is the purpose of branching in code repositories?

A. To restrict access to the main code

B. To allow multiple users to make changes simultaneously

C. To isolate code changes from the main code to allow for nondestructive testing

D. To merge code changes into the main code

41 / 88

What is the goal of Integrated Product Teams (IPTs) in software development security?

A. To remove security and compliance requirements from the system design process

B. To combine both product and process design to ensure a product has a holistic set of requirements used to design both systems and business processes

C. To ensure developers are the only stakeholders involved in the system development process

D. To delay or impede traditional software development processes

42 / 88

What is the importance of integrating security activities throughout each phase of the software development lifecycle (SDLC)?

A. It is not necessary to integrate security activities throughout each phase of the SDLC as long as security requirements are identified before development begins

B. It is only necessary to integrate security activities during the development phase of the SDLC

C. Integrating security activities throughout each phase of the SDLC is crucial to effectively implement software security

D. Integrating security activities throughout each phase of the SDLC is not relevant to software security

43 / 88

What is a key resource provided by OWASP to assist with API security?

A. A cheat sheet for SQL injection prevention

B. A list of the top 10 web application vulnerabilities

C. A cheat sheet for REST APIs

D. A guide for securing server hardware

44 / 88

Which of the following is a key concern when evaluating Open Source Software (OSS)?

A. Lack of any commercial support

B. Validation of source code integrity is not essential

C. Belief that relying on outside testing and evaluation is sufficient

D. Complexity and technical skills required for OSS use

45 / 88

At what level of the Capability Maturity Model Integration (CMMI) do organizations focus on process improvement?

A. Initial

B. Managed

C. Quantitatively managed

D. Optimizing

46 / 88

What is one of the benefits of using standard web protocols in REST APIs?

A. They do not require any developer effort.

B. They provide strong encryption for confidentiality.

C. They utilize TLS for encrypting data in transit.

D. They require certificate-based authentication.

47 / 88

What is a disadvantage of dynamic application security testing (DAST)?

A. DAST tools can only understand one programming language

B. DAST tools cannot test running applications

C. DAST tools can cause performance issues in production environments

D. DAST tools are difficult for non-developers to access

48 / 88

Which of the following is a common component of maturity models?

A. Product development

B. Networks and infrastructure

C. Domains

D. Customer service

49 / 88

Which phase of the Software Development Lifecycle (SDLC) involves testing to ensure the system is fit for purpose and meets requirements?

A. Initiation

B. Development

C. Deployment and delivery

D. Operations and maintenance

50 / 88

Which application security testing approach combines elements of SAST, DAST, and penetration testing, often using complex algorithms and machine learning to analyze source code and correlate vulnerabilities discovered during dynamic testing?

A. Static Application Security Testing (SAST)

B. Dynamic Application Security Testing (DAST)

C. Interactive Application Security Testing (IAST)

D. Runtime Application Self-Protection (RASP)

51 / 88

What is the purpose of change management in software development security?

A. To prevent all changes to a system

B. To allow changes to adapt to changing requirements or circumstances while addressing security concerns

C. To ensure that security is not a concern when making changes

D. To entirely remove the security departments supervision over change management processes

52 / 88

What is the benefit of integrating testing activities closer to development activities in Agile methodologies?

A. Testing activities can be skipped entirely.

B. Testing activities can be conducted against larger targets.

C. Fixes are generally easier, and delivered functionality has fewer bugs and vulnerabilities.

D. Testing activities can take longer, but the outcome is generally better.

53 / 88

What is a key role of QA in a DevOps team?

A. To manage change management reviews

B. To develop software

C. To provide feedback to developers when a test fails

D. To monitor privileged access

54 / 88

What should be considered when selecting an API security testing tool?

A. Only the sensitivity level of data handled by the API

B. Only the technologies in use for the API, such as SOAP or REST

C. Only the features exposed by the API

D. All of the above

55 / 88

Which of the following vulnerabilities is related to handling of usersupplied XML and may cause the application to execute unwanted remote code or load malicious data from an external storage location?

A. Injection

B. Sensitive Data Exposure

C. XML External Entities (XXE)

D. Insecure Deserialization

56 / 88

Which advantage does Software-Defined Security not offer?

A. Enhanced availability

B. Increased security tool flexibility

C. Micro-targeting

D. Reduced complexity in traditional security tools

57 / 88

What is the importance of standardized secure coding practices in software and system development processes?

A. They help increase revenue of the organization.

B. They make it easier for developers to complete coding projects quickly.

C. They minimize flaws and bugs, and detect and fix vulnerabilities easily.

D. They are not important in software development.

58 / 88

In which phase of the Software Development Lifecycle is the business need and case for a system expressed, requirements documented, and resources allocated?

A. Development

B. Deployment and delivery

C. Operations and maintenance

D. Initiation

59 / 88

What is the benefit of an integrated development environment (IDE) for developers?

A. To increase the number of tools needed to manage development tasks

B. To ensure inconsistency by combining various tools

C. To reduce the overhead of managing multiple tools and increase productivity

D. To limit the types of programming languages that can be used

60 / 88

What is the purpose of maturity models in software development security?

A. To provide a way of measuring an organizations current state of ability and define a desired goal state for software development

B. To measure the number of employees in an organization who have skills and abilities relating to software development security

C. To provide a way of measuring an organizations progress in marketing its software development security services

D. To provide a way of measuring an organizations financial progress in software development security

61 / 88

What is the benefit of using SOAR in incident response?

A. SOAR removes the need for human intervention in incident response

B. SOAR frees up human time and attention by handling repetitive tasks, which allows them to focus on novel threats

C. SOAR increases the chances of false positives leading to unwanted action

D. SOAR slows down response times compared to an automated system with visibility into and automation abilities across the infrastructure.

62 / 88

Which type of application security testing tool evaluates non-running application elements like compiled binaries and is easily incorporated in an IDE and developer workflow, with automated testing performed when developers check code in and immediate feedback to developers in a format that is easy for them to understand?

A. Dynamic application security testing (DAST)

B. Interactive application security testing (IAST)

C. Runtime application self-protection (RASP)

D. Static application security testing (SAST)

63 / 88

What is an important consideration that must be taken when designing APIs?

A. APIs do not require the same level of access management as user accounts

B. APIs are never designed for system-to-system communication

C. APIs are not typically used to attack a systems confidentiality, integrity, or availability

D. APIs must be designed with the same level of rigor applied to user access management to ensure the functionality exposed cannot be exploited to attack the systems confidentiality, integrity, or availability

64 / 88

What are characteristics that are similar across maturity models?

A. Domains, levels, criteria, and targets

B. Domains, levels, requirements, and targets

C. Practices, levels, criteria, and requirements

D. Domains, targets, levels, and requirements

65 / 88

Which frameworks provide assurance related to cloud services and applications?

A. HIPAA and FERPA

B. GDPR and CCPA

C. SOC, CSA STAR, and the ISO 27000 family

D. NIST SP 800-53 and CIS Controls

66 / 88

What is code escrow?

A. A contractual arrangement between a software development organization and a trusted third party to deposit a copy of the source code

B. A security control that prevents third-party software from being installed on an organizations systems

C. A mitigation strategy that enforces service-level agreements (SLAs) for third-party software development

D. A process for ensuring that third-party developers are proficient at software development

67 / 88

Which stage of software development introduces risks such as new attack vectors or regulatory compliance burdens?

A. Planning

B. Requirements

C. Design

D. Operations and maintenance

68 / 88

Which SDLC phase involves activities such as archiving or transitioning data to a replacement system?

A. Deployment and delivery

B. Operations and maintenance

C. Disposal

D. Development

69 / 88

What is the range of CVSS scores?

A. 0 to 5

B. 0 to 10

C. 1 to 10

D. 5 to 10

70 / 88

Which of the following is a type of security tool that can provide near-continuous feedback to improve the security of software during development?

A. Firewall

B. Antivirus software

C. Application security testing tool

D. Encryption software

71 / 88

What is an essential requirement for data ingestion and automation of responses in SOAR platforms?

A. The use of LDAP protocols

B. The use of SQL databases

C. The use of APIs

D. The use of SSH encryption

72 / 88

In which cloud service model(s) is the consumer responsible for applying software patches to any software they deploy?

A. Infrastructure as a Service (IaaS)

B. Platform as a Service (PaaS)

C. Software as a Service (SaaS)

D. Both A and B

73 / 88

Which of the following is a common configuration item (CI) in software configuration management (SCM)?

A. End-user documentation

B. Product packaging

C. Source code

D. Marketing materials

74 / 88

What was the initial purpose of the Capability Maturity Model?

A. To measure and improve the burgeoning field of software development in the 1980s

B. To evaluate the capabilities of government contractors to deliver projects on time and on budget

C. To formalize a set of best practices common across successful projects

D. To measure the processing power and decreasing costs of computer systems

75 / 88

What is the Software Assurance Maturity Model (SAMM)?

A. A descriptive framework for implementing a software security program

B. A prescriptive framework for implementing a software security program

C. A security framework for implementing a software development program

D. A testing framework for implementing a software security program

76 / 88

What security measures should be in place to protect a software repositorys communication and network access?

A. Access control procedures like request approvals and routine reviews

B. Tools like data loss prevention (DLP) and intrusion detection

C. Implementing protocols like HTTPS and Transport Layer Security (TLS), or secure access solutions like a VPN or proxy service

D. Cloud-hosted software repositories offer high availability and resilient configurations

77 / 88

Which of the following contains a technology-neutral OWASP Secure Coding Practices Quick Reference Guide?

A. The Carnegie Mellon University Software Engineering Institute (CMU SEI)

B. The Top 10 Secure Coding Practices

C. The Cheat Sheet Series

D. The Coding Standards

78 / 88

Which of the following tasks is the responsibility of a security practitioner during operation and maintenance?

A. Identifying system upgrades or updates

B. Performing regression testing

C. Remediating vulnerabilities in third-party software

D. Provisioning access to test environments

79 / 88

When selecting security controls for software development, what should be integrated into existing SDLC processes for the systems they are designed to protect?

A. Risk transfer strategies

B. Direct costs like software purchases

C. Indirect costs like staff productivity

D. Residual risk acceptance

80 / 88

Which type of application security testing tool is not tightly integrated with an IDE and provides easy access to non-developers but can cause performance issues in a production environment?

A. Static application security testing (SAST)

B. Dynamic application security testing (DAST)

C. Interactive application security testing (IAST)

D. Runtime application self-protection (RASP)

81 / 88

What are the main purposes of logs in software development security?

A. Logs are only created to satisfy internal oversight goals rather than external compliance requirements.

B. Logs are generated to prevent risks from occurring and to ensure compliance with legal and regulatory requirements.

C. Logs are primarily used for operational troubleshooting and performance management purposes.

D. Logs are useful for audit and monitoring purposes and to demonstrate compliance with documented governance.

82 / 88

Which standard replaced NIST SP 800-64 to align security considerations with the SLC processes identified in ISO 15288?

A. NIST SP 800-160

B. ISO/IEC/IEEE 15288

C. National Institute of Standards and Technology Special Publication

D. Systems and software engineering

83 / 88

Which of the following is true about guidelines and standards in software development security?

A. Guidelines are generally mandatory while standards are recommendations

B. Guidelines and standards are usually not necessary for software developers

C. Software developers can choose to ignore guidelines and standards if they prefer their own practices

D. Guidelines provide recommendations while standards are generally mandatory

84 / 88

What is syntax in programming languages?

A. A set of instructions used to build programs that are executed by a computer

B. A particular way of writing instructions in programming languages

C. Methods to manipulate data in programming languages

D. Specific sets of instructions to achieve a data processing goal

85 / 88

What is the purpose of Common Vulnerabilities and Exposures (CVE) ID?

A. To indicate when a vulnerability was discovered or reported

B. To provide a description of the vulnerability including workarounds or fixes

C. To tie common cybersecurity vulnerabilities back to Common Weakness Enumeration (CWE)

D. To provide a consistent way to identify and describe common cybersecurity vulnerabilities

86 / 88

Which of the following application security testing tools executes alongside the application as it is run?

A. Static application security testing (SAST)

B. Dynamic application security testing (DAST)

C. Interactive application security testing (IAST)

D. Runtime application self-protection (RASP)

87 / 88

What are some common components found in maturity models?

A. Domains, Levels, Criteria, and Targets

B. Domains, Metrics, Targets, and Metrics Gathering Practices

C. Phases, Levels, Criteria, and Metrics Gathering Practices

D. Domains, Maturity Levels, Measures, and Targets

88 / 88

Which of the following is true about the Building Security-In Maturity Model (BSIMM)?

A. BSIMM is not useful for organizations to measure and improve the software security

B. An internal function dedicated to software security known as the software security group (SSG) is responsible for implementing and maturing the organizations chosen software security initiatives (SSIs)

C. The BSIMM sets out 50 activities across four domains of practice: Governance, Intelligence, Software Security Development Lifecycle (SSDL), and Deployment

D. SSIs that are observed less-frequently are considered to be widely adopted practices

Your score is

🔒 Hands-On Cybersecurity Course + INTERNSHIP 🔒

Visit to Cyber Course

CISSP Domain 8: Mastering Software Development Security

Are you ready to tackle CISSP Domain 8?
This domain emphasizes the importance of secure software development practices in information security.

Key topics covered in Domain 8:

Mastering Domain 8 for CISSP Success

This knowledge is crucial not only for passing the CISSP exam but also for your career in cybersecurity. You’ll learn how to integrate security throughout the development process, avoid common vulnerabilities, and implement effective security measures.

Utilize Free CISSP Practice Tests

Utilize our free CISSP practice tests to assess your knowledge. These tests, complete with detailed explanations, will help you prepare thoroughly for the exam.

Beyond the Exam: Developing Essential Skills

Mastering Domain 8 goes beyond passing the exam. It’s an opportunity to develop skills in creating secure and reliable software, positioning you as a true information security professional. For official information, visit the ISC² CISSP page.

We wish you success on your CISSP journey.
Use this guide and the practice tests to approach Domain 8 with confidence!

Back to All CISSP Domains / Home

CISSP Domain 8: Mastering Software Development Security

Key topics covered in Domain 8:

Mastering Domain 8 for CISSP Success

Utilize Free CISSP Practice Tests

Beyond the Exam: Developing Essential Skills

Explore our other free practice tests:

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

CISSP Domain 8: Mastering Software Development Security

Key topics covered in Domain 8:

Mastering Domain 8 for CISSP Success

Utilize Free CISSP Practice Tests

Beyond the Exam: Developing Essential Skills

Explore our other free practice tests:

Fill up to receive the FREE CISSP deck!

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.