Domain 8 CISSP · 11% of exam weight

Software Development Security

Domain 8 covers security throughout the software development lifecycle — from requirements through deployment and maintenance. As an engineering manager, this domain maps directly to your daily work.

5 Lessons Secure SDLC · Secure Coding · DevSecOps · Threat Modeling · Supply Chain & API

Why Domain 8 Matters for an EM

Unlike theoretical domains, Domain 8 is where security meets the code you ship every day. CISSP expects you to understand how to build security into software — not bolt it on later. Every lesson in this domain has a direct analog in Platform C's Go microservices, Platform A's Java 8 stack, and your GitHub Actions pipelines.

11%

Exam Weight

Lessons

25+

Practice Questions

High-Yield CISSP Topics in Domain 8 Shift-left security (1-10-100 rule) · STRIDE threat model · OWASP Top 10 & API Top 10 · DevSecOps pipeline gates · SBOM & supply chain · SQL injection prevention · TOCTOU race condition · Polyinstantiation & database security

Lessons

Secure Software Development Lifecycle

Security activities at each SDLC phase, shift-left principles, the 1-10-100 cost rule, development methodologies (Waterfall/Agile/DevOps/Spiral), and software acquisition security.

SDLC Phases Shift-Left 1-10-100 Rule Methodologies

→

Secure Coding Practices & OWASP Mapping

Injection prevention in Go/Java, parameterized queries, input validation (allowlist vs blocklist), common Go vulnerabilities (TOCTOU, SSRF, path traversal), memory safety, error handling, and secrets management.

SQL Injection Input Validation TOCTOU crypto/rand

→

DevSecOps & CI/CD Security

Integrating security into GitHub Actions pipelines (gosec, govulncheck, Trivy, cosign), security gate philosophy (block vs warn), secret scanning in Git history, IaC security, container image best practices.

GitHub Actions SAST Gates Trivy TruffleHog

→

Threat Modeling: STRIDE & PASTA

Full STRIDE breakdown (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, EoP), PASTA 7-stage methodology, attack trees, STRIDE vs PASTA comparison, applied to Platform C eKYC Vendor eKYC integration.

STRIDE PASTA Attack Trees DFD

→

Supply Chain Security, API & Database Security

SBOM, SLSA framework, SolarWinds/Log4Shell/XZ supply chain attacks, OWASP API Top 10 (BOLA, BFLA), aggregation/inference attacks, polyinstantiation, PostgreSQL Row-Level Security for multi-tenant Platform C.

SBOM BOLA API Top 10 Polyinstantiation

→

Domain 8 Quick Reference

Topic	Key Concept	Lesson
Shift-Left Security	Fix in requirements ($1) vs production ($10,000+) — 1-10-100 rule	Lesson 01
SQL Injection Prevention	Parameterized queries mandatory; never concatenate user input	Lesson 02
Input Validation	Allowlist > blocklist; server-side is mandatory, client-side is UX only	Lesson 02
DevSecOps Gates	Security gates must BLOCK (exit code 1) — advisory warnings are not controls	Lesson 03
STRIDE	Spoofing / Tampering / Repudiation / Info Disclosure / DoS / Elevation of Privilege	Lesson 04
BOLA vs BFLA	BOLA = access another user's DATA (object); BFLA = access a privileged FUNCTION	Lesson 05
SBOM	Software Bill of Materials — enables rapid CVE impact assessment	Lesson 05
Polyinstantiation	Same primary key at multiple classification levels — prevents inference attacks	Lesson 05

Ready to Start? Begin with Lesson 01 on Secure SDLC — the foundation that every other lesson builds on. Expected time: ~20 minutes per lesson with quizzes.

← Master Index Start: Lesson 01 — Secure SDLC →