- What Domain 8 Actually Covers
- Why Software Development Security Matters on the Exam
- Core Topics You Must Own in Domain 8
- Security Across the SDLC: What CISSP Expects You to Know
- Secure Coding Principles and Common Vulnerabilities
- Software Security Controls and Acquisition
- A Focused Study Schedule for Domain 8
- How CISSP Tests Domain 8 Knowledge
- Prerequisites and Certification Context
- Frequently Asked Questions
- Domain 8: Software Development Security carries 10% of the CISSP exam weight, equal to Domain 2: Asset Security.
- The exam covers the full SDLC from requirements through decommissioning, not just coding vulnerabilities.
- CISSP questions test managerial and risk-based thinking, not syntax or specific programming language knowledge.
- The English CAT exam runs 100-150 items in 3 hours; adaptive scoring means every question matters from the start.
What Domain 8 Actually Covers
Domain 8: Software Development Security is one of eight domains tested on the CISSP exam, and it carries 10% of the total exam weight under the April 15, 2024 exam outline that remains current for 2026. That weight ties it with Domain 2: Asset Security as the smallest domains by percentage, but "smallest" does not mean ignorable. For candidates with a development or application security background, Domain 8 is often a confidence booster. For those who came up through network operations or governance roles, it can be a genuine gap.
The domain does not ask you to write code. CISSP is a management and architecture credential, not a developer certification. What it does ask is whether you understand how insecure software gets built, how security integrates into every phase of development, how to evaluate third-party software risk, and how to govern a development organization so that security is a first-class concern rather than an afterthought bolted on before release.
Why Software Development Security Matters on the Exam
Every organization runs software, and most organizations write or configure software of some kind. Security professionals who cannot evaluate development practices, assess vendor software risk, or specify security requirements for new systems are operating with a significant blind spot. ISC2 built Domain 8 into the CISSP blueprint precisely because a well-rounded security leader must be able to engage credibly with development teams, procurement decisions, and software audit findings.
Employers who hire for CISSP-required or CISSP-preferred roles (government agencies, financial institutions, healthcare systems, defense contractors, and large technology companies) expect their security architects and managers to handle situations where software is the threat surface. When you sit for the exam at a Pearson VUE testing center and pay the $749 USD fee, you are demonstrating that competence across all eight domains, including this one.
Domain 8 also connects directly to other domains you will study. Software vulnerabilities are a risk management concern (Domain 1: Security and Risk Management at 16%, the largest domain). Secure software architecture ties to Domain 3: Security Architecture and Engineering at 13%. Application layer attacks are network threats covered in Domain 4: Communication and Network Security. Understanding those intersections helps you answer questions that blend domain knowledge, which is exactly what the computer adaptive format is designed to surface.
Core Topics You Must Own in Domain 8
Domain 8: Software Development Security - Major Topic Areas
ISC2 organizes Domain 8 around several interconnected subject areas. Candidates should be comfortable explaining and applying each of the following:
- Security in the Software Development Life Cycle (SDLC)
- Development environment security controls
- Software security effectiveness (code review, testing methodologies)
- Acquired software security impact (COTS, open source, third-party libraries)
- Secure coding guidelines and standards (OWASP, CERT Secure Coding)
- Software configuration management
- Database security and data exposure risks
- Malicious code and application attack types
Notice that the list includes acquired software. Many candidates focus almost entirely on in-house development and neglect the security implications of commercial off-the-shelf (COTS) software, open-source components, and cloud-hosted platforms. CISSP expects you to evaluate vendor security claims, assess patch management obligations, and understand software escrow arrangements, all of which are management-layer concerns.
Security Across the SDLC: What CISSP Expects You to Know
Requirements Phase
Security requirements must be defined before a single line of code is written. CISSP candidates should understand how to elicit security requirements from stakeholders, how misuse cases differ from use cases, and why privacy requirements have legal implications that surface during this phase. Data classification decisions made here echo through every subsequent phase.
Design Phase
This is where threat modeling enters the picture. Candidates must understand STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) as a threat categorization framework, and be familiar with architectural patterns like defense in depth applied to software. Separation of privilege, least privilege, and fail-secure defaults are design principles CISSP tests in both conceptual and scenario-based questions.
Implementation and Coding
While you will not debug code on the exam, you need to understand why certain coding practices create vulnerabilities. Buffer overflows, integer overflows, improper input validation, and race conditions all appear in Domain 8 material. You also need to understand what a code review process should include, the difference between static and dynamic analysis, and when to use each.
Testing Phase
CISSP draws a clear line between different types of software testing. Unit testing, integration testing, system testing, regression testing, and user acceptance testing each have a role. From a security perspective, candidates must understand penetration testing of applications, fuzzing, white-box versus black-box testing approaches, and how to interpret findings in a risk context rather than just a technical one.
Operations, Maintenance, and Decommissioning
Software does not stop being a security concern after it ships. Change management, patch application, configuration baselines, and vulnerability disclosure policies all fall within this phase. Decommissioning raises data remanence concerns that connect back to Domain 2: Asset Security. The CISSP exam routinely tests whether candidates understand that the end of a software system's life requires deliberate security action, not just turning off a server.
Secure Coding Principles and Common Vulnerabilities
The OWASP Top 10 is not an ISC2 publication, but its concepts align tightly with what CISSP tests. Candidates should understand injection attacks (SQL, LDAP, command injection), broken authentication, sensitive data exposure, XML external entities (XXE), security misconfigurations, cross-site scripting (XSS), insecure deserialization, and using components with known vulnerabilities. Those are the 2017 edition's category names; the 2021 edition regrouped several of them (sensitive data exposure became Cryptographic Failures, XXE was folded into Security Misconfiguration, insecure deserialization into Software and Data Integrity Failures, and known-vulnerable components became Vulnerable and Outdated Components), but the underlying weaknesses did not change. What matters for CISSP is not the OWASP ranking but the reason each vulnerability exists and which control category addresses it.
| Vulnerability Type | Root Cause | Primary Control Category |
|---|---|---|
| SQL Injection | Untrusted input spliced into dynamically built query text | Parameterized queries (prepared statements); input validation as defense in depth |
| Buffer Overflow | Writes past the end of a fixed-size buffer because input length is never checked against the buffer's capacity | Secure coding standards; memory-safe languages; compiler and platform protections (stack canaries, NX/DEP, ASLR); code review |
| Cross-Site Scripting (XSS) | Untrusted data rendered into HTML or script without context-appropriate encoding | Output encoding; Content Security Policy |
| Insecure Direct Object Reference | Object identifiers exposed to the client with no per-request authorization check | Authorization check on every access; indirect reference maps |
| Race Condition (TOCTOU) | Check and use are separate operations, so the resource can change between them | Atomic check-and-use (operate on an opened handle rather than a re-resolved name); locking or mutual exclusion (mutex) |
| Malicious Code / Backdoors | Insider threat; supply chain compromise | Code review; integrity verification (signed artifacts, checksums); software bill of materials |
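Three rows of the table, shown as a vulnerable function beside its hardened form. This is an added example, not code from the page or from ISC2 material; it uses only the Python standard library, and the `users` table and its two rows are constructed sample data.

```python
"""Three rows of the vulnerability table as working code: each vulnerable
function sits beside its hardened form.  Added example using only the
standard library; the users table and its contents are constructed data."""
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: two users, each with a field only they may read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")],
    )
    return conn


# SQL injection: dynamic query construction vs. a parameterized query
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Root cause: untrusted text is spliced into the statement, so the
    # payload  ' OR '1'='1  rewrites the WHERE clause and matches every row.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Control: the bound parameter travels as data and is never parsed as
    # SQL, so the same payload simply matches no user.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# Cross-site scripting: raw interpolation vs. output encoding
def render_vulnerable(comment: str) -> str:
    # Root cause: untrusted text placed into HTML without encoding.
    return f"<p>{comment}</p>"


def render_hardened(comment: str) -> str:
    # Control: encode for the HTML text context; <, >, &, ' and " become
    # entities, so the browser shows them as characters instead of markup.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Insecure direct object reference: raw row ids vs. an indirect reference map
def get_ssn_vulnerable(conn: sqlite3.Connection, requested_id: int):
    # Root cause: whoever can guess an id reads that user's record.
    row = conn.execute("SELECT ssn FROM users WHERE id = ?", (requested_id,)).fetchone()
    return row[0] if row else None


class IndirectReferences:
    """Per-session map from opaque tokens to real ids.  Tokens are issued
    only for objects the session owner is authorized to reach."""

    def __init__(self) -> None:
        self._map: dict[str, int] = {}

    def issue(self, real_id: int) -> str:
        token = secrets.token_urlsafe(8)
        self._map[token] = real_id
        return token

    def resolve(self, token: str):
        return self._map.get(token)


def get_ssn_hardened(conn: sqlite3.Connection, session_user_id: int,
                     refs: IndirectReferences, token: str):
    # Control: resolve the indirect reference, then still enforce the
    # ownership check on the real id (defense in depth).
    real_id = refs.resolve(token)
    if real_id is None or real_id != session_user_id:
        return None
    row = conn.execute("SELECT ssn FROM users WHERE id = ?", (real_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("injection, vulnerable:", lookup_vulnerable(db, payload))
    print("injection, hardened:  ", lookup_hardened(db, payload))
    print("xss, hardened:", render_hardened("<script>alert(1)</script>"))
    refs = IndirectReferences()
    alice_token = refs.issue(1)
    print("idor, own record:   ", get_ssn_hardened(db, 1, refs, alice_token))
    print("idor, guessed token:", get_ssn_hardened(db, 1, refs, "guess"))
```

The point for the exam is the pairing, not the syntax: each hardened function applies the control category from the table at the layer where the root cause lives (query construction, output rendering, authorization), which is why fixing input validation alone would not close the XSS or IDOR rows.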
Database security deserves its own attention within this domain. Candidates should understand inference attacks, aggregation, polyinstantiation, and how database views and stored procedures can limit data exposure. These topics appear in scenario questions about data warehouse environments and multi-level security systems.
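Inference and polyinstantiation are easier to see than to describe. The following is an added example, not from the page or any ISC2 text: a two-level flights table (Unclassified = 0, Secret = 1) in SQLite, with SQLite standing in for a multilevel-secure DBMS. Without polyinstantiation, a low-clearance user who inserts flight 101 hits a key conflict, and that error alone tells them a Secret row exists. With a composite key, both rows coexist and the per-clearance query returns the cover row to the low user and the real row to the high user. All rows are constructed.

```python
"""Inference through a primary-key conflict, and polyinstantiation as the
fix, in a two-level (Unclassified=0, Secret=1) flights table.  Added example
with constructed rows; SQLite stands in for a multilevel-secure DBMS."""
import sqlite3

UNCLASSIFIED, SECRET = 0, 1


def build_mls_db(polyinstantiate: bool) -> sqlite3.Connection:
    """polyinstantiate=False keys the table on flight_no alone, so only one
    row per flight can exist at any level.  polyinstantiate=True keys it on
    (flight_no, level), so each level can hold its own version of the row."""
    key = "PRIMARY KEY (flight_no, level)" if polyinstantiate else "PRIMARY KEY (flight_no)"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flights ("
        "flight_no INTEGER NOT NULL, destination TEXT NOT NULL, "
        f"level INTEGER NOT NULL CHECK (level IN (0, 1)), {key})"
    )
    # Constructed data: flight 101 is a Secret row, flight 102 is Unclassified.
    conn.execute("INSERT INTO flights VALUES (101, 'classified-site', ?)", (SECRET,))
    conn.execute("INSERT INTO flights VALUES (102, 'Denver', ?)", (UNCLASSIFIED,))
    return conn


def visible_rows(conn: sqlite3.Connection, clearance: int) -> list:
    """The view a user at the given clearance gets: for each flight, the one
    row at the highest level that user is cleared to read.  In a real MLS
    DBMS this would be a view or stored procedure, not an ad hoc query."""
    return conn.execute(
        "SELECT f.flight_no, f.destination, f.level FROM flights f "
        "WHERE f.level <= ? AND f.level = ("
        "  SELECT MAX(level) FROM flights WHERE flight_no = f.flight_no AND level <= ?) "
        "ORDER BY f.flight_no",
        (clearance, clearance),
    ).fetchall()


def low_user_insert(conn: sqlite3.Connection, flight_no: int, destination: str) -> str:
    """What an Unclassified user observes when inserting a flight record."""
    try:
        conn.execute("INSERT INTO flights VALUES (?, ?, ?)",
                     (flight_no, destination, UNCLASSIFIED))
        return "ok"
    except sqlite3.IntegrityError:
        # The key conflict tells the low user that a row for this flight
        # already exists at a level they cannot read: an inference channel.
        return "conflict"


if __name__ == "__main__":
    plain = build_mls_db(polyinstantiate=False)
    print("no polyinstantiation, low user insert:", low_user_insert(plain, 101, "Omaha"))

    mls = build_mls_db(polyinstantiate=True)
    print("polyinstantiated, low user insert:   ", low_user_insert(mls, 101, "Omaha"))
    print("low user sees: ", visible_rows(mls, UNCLASSIFIED))
    print("high user sees:", visible_rows(mls, SECRET))
```

Note that the low user's cover row is a real, persistent row; polyinstantiation trades referential simplicity for the absence of the inference channel, which is the kind of design trade-off a scenario question will ask you to justify.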
Software Security Controls and Acquisition
A significant portion of Domain 8 deals with software you did not build. When an organization buys an enterprise resource planning system, integrates an open-source library, or subscribes to a SaaS platform, the security team must assess risk without access to source code. CISSP tests your understanding of:
- Software escrow: Arrangements ensuring access to source code if a vendor fails, relevant to business continuity planning
- Software Bill of Materials (SBOM): Inventory of components, dependencies, and their versions to identify known vulnerabilities
- Third-party audits and certifications: SOC 2 reports, penetration test summaries, and vendor vulnerability disclosure programs as due diligence inputs
- Configuration management: Baseline configurations, change control boards, and version control as operational security controls
- DevSecOps integration: How security gates, automated scanning, and security champions programs embed security into continuous integration pipelines
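An SBOM is only useful if something consumes it. The following is an added example, not code from the page or from any SBOM tool: it reads a document in the CycloneDX JSON shape (`bomFormat`, `specVersion`, `components`), matches each component against an advisory list, and treats a component with no version as a finding in its own right, since an unpinned entry cannot be assessed. The SBOM, the component names and the advisory ids are all constructed placeholders; `parse_version` assumes plain dotted numeric versions.

```python
"""Match a CycloneDX-style SBOM against an advisory list and flag components
whose version cannot be assessed.  Added example; the SBOM, component names
and advisory ids are constructed placeholders, not real packages or CVEs."""
import json

# Constructed SBOM in the CycloneDX JSON shape.  The last entry has no
# version, which real SBOMs produced from loose build systems often lack.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib",  "version": "2.3.1"},
    {"type": "library", "name": "netparse",    "version": "1.0.9"},
    {"type": "library", "name": "legacy-util"}
  ]
}"""

# Constructed advisories: a component is affected when its version is below
# affected_below.  The ids are placeholders, not real CVE identifiers.
ADVISORIES = [
    {"name": "examplelib", "affected_below": "2.4.0", "id": "EXAMPLE-ADV-1"},
    {"name": "netparse",   "affected_below": "1.0.9", "id": "EXAMPLE-ADV-2"},
]


def parse_version(version: str) -> tuple:
    """Assumes dotted numeric versions such as 2.3.1.  Comparing tuples of
    integers orders 2.10.0 after 2.9.0, which string comparison gets wrong."""
    return tuple(int(part) for part in version.split("."))


def check_sbom(sbom_text: str, advisories: list) -> list:
    """Return (name, version, advisory id) triples for every finding.
    Components without a version are reported as UNPINNED rather than
    silently passed: an entry you cannot assess is not a clean entry."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    by_name: dict = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            findings.append((comp["name"], None, "UNPINNED"))
            continue
        for adv in by_name.get(comp["name"], []):
            if parse_version(version) < parse_version(adv["affected_below"]):
                findings.append((comp["name"], version, adv["id"]))
    return findings


def gate_passes(findings: list) -> bool:
    """CI security gate: the build fails on any affected or unpinned component."""
    return not findings


if __name__ == "__main__":
    results = check_sbom(SBOM_JSON, ADVISORIES)
    for name, version, advisory in results:
        print(f"{name} {version or '(no version)'}: {advisory}")
    print("gate passes:", gate_passes(results))
```

Two exam-relevant points are visible in the output: `netparse` at exactly the fixed version is not flagged (the boundary matters, so read advisory ranges carefully), and the gate fails on the unversioned component even though no advisory names it, which is the governance position a security manager should take toward incomplete vendor inventories.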
Key Takeaway
When a CISSP question describes a scenario where an organization is purchasing software from a vendor, think about what a security manager would demand before signing the contract: vulnerability disclosure terms, patch SLAs, source code escrow, and audit rights. The technically correct answer is almost always the one that preserves security governance over the long term.
A Focused Study Schedule for Domain 8
Domain 8 at 10% of exam weight is a mid-priority domain that most candidates can cover in two to three focused weeks, depending on their development background. The schedule below assumes you are studying Domain 8 in the context of the full eight-domain exam and have already covered heavier domains like Security and Risk Management (16%) and Security Architecture and Engineering (13%).
SDLC Phases and Methodologies
- Map security activities to each SDLC phase (requirements through decommissioning)
- Compare waterfall, agile, spiral, and RAD models and their security implications
- Study threat modeling frameworks: STRIDE, PASTA, attack trees
- Practice on CISSP adaptive practice questions targeting SDLC scenario items
Secure Coding, Testing, and Vulnerability Types
- Study common vulnerability categories and their root causes (use the table above)
- Understand static analysis vs. dynamic analysis vs. interactive analysis (SAST, DAST, IAST)
- Review database security concepts: inference, aggregation, polyinstantiation
- Cover malicious code types: viruses, worms, trojans, logic bombs, rootkits
Acquired Software, Configuration Management, and Integration Review
- Study COTS and open-source risk assessment approaches
- Review software escrow, SBOM, and vendor audit concepts
- Connect Domain 8 topics to Domain 1 risk management and Domain 3 architecture concepts
- Take a full-length timed CISSP practice exam and analyze Domain 8 weak areas
Use spaced repetition specifically for the vulnerability taxonomy table and the SDLC phase-to-control mappings. These are the two areas where Domain 8 questions most commonly trip up candidates who understand the concepts but cannot quickly recall which control category applies to a given scenario under time pressure. The English CAT exam gives you 3 hours for 100-150 items, and Domain 8 questions will be scattered throughout, not grouped.
How CISSP Tests Domain 8 Knowledge
The CISSP computer adaptive test does not present questions in domain order, and it blends multiple-choice items with advanced innovative item formats including drag-and-drop, hotspot, and matching questions. Domain 8 appears frequently in scenario-based questions where a developer or development manager situation is described and you must identify the best security response.
A common Domain 8 question structure presents a flawed development process (perhaps a team that performs security testing only at the end of the SDLC) and asks what the security manager should recommend. The distractors often include technically correct options that are applied at the wrong phase or that address symptoms rather than root causes. CISSP rewards the answer that fixes the process at the earliest opportunity, reflecting the principle that defects are cheaper to remediate during design than during testing or after deployment.
Another frequent pattern tests your ability to distinguish between security controls that belong to the development team versus the operations team versus the security governance function. DevSecOps questions, for example, might ask who is responsible for approving a security exception in a CI/CD pipeline, and the right answer reflects organizational accountability, not technical capability.
Prerequisites and Certification Context
Before you can sit for the CISSP, you must meet ISC2's experience requirements: five years of cumulative paid work experience in at least two of the eight CISSP domains. A one-year waiver is available for candidates with a qualifying four-year degree or approved credential. If you do not yet meet the experience threshold, you can take the exam and become an Associate of ISC2, then fulfill the experience requirement within six years.
For candidates whose background is primarily in software development or application security, Domain 8 experience may already satisfy one of your two required domains. However, you will still need to demonstrate experience in at least one additional domain. Reviewing the full experience and endorsement process in detail through resources like CISSP Experience Requirements: How to Qualify and Apply is an important step before you register through Pearson VUE and pay the $749 USD exam fee.
Once certified, CISSP holders must earn 120 Continuing Professional Education (CPE) credits over the three-year certification cycle and pay annual maintenance fees to ISC2. Professionals with a software development security specialty often find that attending secure coding conferences, participating in application security working groups, and contributing to OWASP chapter events all qualify for CPE credit while keeping their Domain 8 knowledge current.
For a complete picture of all eight domains, the full exam structure, and how Domain 8 fits into your overall preparation strategy, the CISSP Domain 8: Software Development Security Study Guide 2026 provides a comprehensive reference you can return to throughout your study cycle.
Frequently Asked Questions
Do I need to know how to write code to pass Domain 8?
No. The CISSP is a managerial and architectural credential. Domain 8 tests your ability to govern software security, evaluate development practices, and identify risk, not to write or debug code. Candidates with no development background can fully master Domain 8 through focused study of SDLC security principles and vulnerability concepts at a conceptual level.
How many Domain 8 questions are on the exam?
The English CAT exam includes 100-150 total items, and Domain 8 accounts for 10% of the exam weight. The adaptive format means the exact number of Domain 8 questions will vary by candidate; ISC2 does not publish a fixed per-domain item count. Budget your study time accordingly and do not assume you can skip this domain because it is weighted at 10%.
How should I use the OWASP Top 10 to study for Domain 8?
The OWASP Top 10 documentation available at owasp.org is free and authoritative. For CISSP purposes, focus on understanding why each vulnerability category exists and what control category addresses it, not on specific exploitation techniques. Map each OWASP category to the SDLC phase where it could have been prevented and to a control type that mitigates it.
Does software development experience count toward the CISSP experience requirement?
Yes, if that experience involves security responsibilities within the Domain 8 scope, such as security code reviews, application security testing, SDLC process design, or software risk assessments. Pure development work without a security dimension may not qualify. ISC2 evaluates the security relevance of your experience, and your endorser must attest to the accuracy of your claims.
How does Domain 8 overlap with the other CISSP domains?
Domain 8 overlaps significantly with Domain 1 (risk management applied to software risk), Domain 3 (secure architecture principles applied to software design), Domain 6: Security Assessment and Testing (software testing methods), and Domain 7: Security Operations (change management and configuration control for software in production). Cross-domain questions are common in the CAT format, so studying Domain 8 in isolation is less effective than understanding these connections.