Domain 8: Software Development Security (10%)
8.1 Understand and integrate security in the Software Development Life Cycle (SDLC)
- Development methodologies (e.g., Agile, Waterfall, DevOps, DevSecOps, Scaled Agile Framework)
- Maturity models (e.g., Capability Maturity Model (CMM), Software Assurance Maturity Model (SAMM))
- Operation and maintenance
- Change management
- Integrated Product Team
8.2 Identify and apply security controls in software development ecosystems
- Programming languages
- Libraries
- Tool sets
- Integrated Development Environment (IDE)
- Runtime
- Continuous Integration and Continuous Delivery (CI/CD)
- Software Configuration Management
- Code repositories
- Application security testing (e.g., static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), interactive application security testing (IAST))
8.3 Assess the effectiveness of software security
- Auditing and logging of changes
- Risk analysis and mitigation
8.4 Assess security impact of acquired software
- Commercial off-the-shelf (COTS)
- Open source
- Third-party
- Managed services (e.g., enterprise applications)
- Cloud services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
8.5 Define and apply secure coding guidelines and standards
- Security weaknesses and vulnerabilities at the source-code level
- Security of application programming interfaces (API)
- Secure coding practices
- Software-defined security