

What's New in Domain 8?


8.2 Identify and Apply Security Controls in Software Development Ecosystems

Programming Concepts:

  • Programming languages
  • Libraries
  • Tool sets
  • Integrated Development Environment (IDE)
  • Runtime
  • Code repositories
  • Continuous Integration and Continuous Delivery (CI/CD)

Note: Security Orchestration, Automation, and Response (SOAR) is covered in Domain 3.

Software Configuration Management (SCM):

  • DevOps and DevSecOps
  • Configuration management

Code Repositories:

  • Stores source code and related artifacts (like libraries).
  • Secure Handling:
    • Don’t commit sensitive info.
    • Protect access.
    • Sign your work.
    • Update development tools, e.g., Visual Studio Code, Notepad++.

Git is the most widely used modern version control system.


Code Libraries:

  • Using vetted libraries enhances application security & reduces risk.
  • Different languages have different characteristic vulnerabilities.
  • Lower-level languages such as C need safe memory and string-handling libraries to avoid buffer overflows.
  • Other libraries handle encryption, data transfer, and secret management.

Runtime:

  • Describes the period when software is in operation.
  • Dynamic Application Security Testing (DAST) checks security during runtime.
  • For purchased software, runtime assessment is mandatory (source code isn’t available).
  • If you have the source code, conduct both source code and runtime scans.

For containers: Scan images during build & runtime, especially for open-source images.


CI/CD:

  • Ensure identity & access management (include MFA).
  • Securely store secrets & avoid hard-coded ones in code.
  • Role-based access control & least privilege access.
  • Automate vulnerability scanning in the CI/CD pipeline.
  • Use release versioning for better recovery & issue tracking.
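As an added example (not part of these notes), a small Python check covering the "don’t commit sensitive info" point under Code Repositories and the "avoid hard-coded secrets" point under CI/CD: it scans source text for likely hard-coded credentials, the kind of check run as a pre-commit hook or a pipeline step. The patterns and the sample input are constructed for illustration, not a complete ruleset.

```python
import re

# Illustrative patterns for common hard-coded secrets (constructed, not exhaustive).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password/secret/api_key/token assigned a quoted literal of 8+ characters
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def find_secrets(text):
    """Return (line_number, rule_name) for every line matching a pattern.

    Lines that read the value from the environment are skipped: injecting
    secrets at runtime instead of committing them is the recommended pattern.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "os.environ" in line or "getenv(" in line:
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample input: fragments of the kind found in a repository.
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "sk_live_0123456789abcdef"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
debug = True
"""

if __name__ == "__main__":
    # Exit non-zero when anything is flagged so a hook or CI job fails the commit.
    hits = find_secrets(SAMPLE)
    for lineno, rule in hits:
        print(f"line {lineno}: possible hard-coded secret ({rule})")
    raise SystemExit(1 if hits else 0)
```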

Configuration Management:

  • Tracks system setups for hardware & software.
  • Baselining (snapshot at a given time) is crucial.
  • Use system & component-level versioning.

Configuration management bridges the gap between hardware and software.

Examples:

  1. Code Scanning – Checks for vulnerabilities in code.
  2. Static Application Security Testing (SAST) – No execution; inside-out testing. Requires source code.
  3. Dynamic Application Security Testing (DAST) – Requires execution; outside-in testing. Doesn’t need source code.

Exam Outline Topics:

  • 8.1 Understand and integrate security in the SDLC.
  • 8.2 Identify and apply security controls in development environments.
  • 8.3 Assess the effectiveness of software security.
  • 8.4 Assess security impact of acquired software.
  • 8.5 Define and apply secure coding guidelines and standards.