Phase 8: Domain 8 — Software Development Security (11%)

Timeline: May 21-23 (Week 7, second half)

Your weakest domain. You build CLI tools (netapi, dsec, domus-digitalis), but formal SDLC models and secure coding frameworks need dedicated study. It is only 11% of the exam, but you can’t afford to lose these points.

Key Concepts

SDLC Models

| Model | Key Characteristics |
|---|---|
| Waterfall | Sequential phases, no going back. Requirements → Design → Implementation → Testing → Deployment → Maintenance. |
| Agile | Iterative sprints, adaptive planning, continuous delivery. Scrum, Kanban. |
| Spiral | Risk-driven, iterative. Each cycle: plan → risk analysis → develop → evaluate. |
| DevOps | Dev + Ops integration. CI/CD pipelines (your domus-docs Cloudflare Pages). |
| DevSecOps | Security integrated into DevOps pipeline from the start. |
| RAD (Rapid Application Development) | Prototyping, user feedback, fast iteration. |
| Prototyping | Build prototype, get feedback, iterate. |

OWASP Top 10 (Memorize)

  1. Broken Access Control — Missing authorization checks

  2. Cryptographic Failures — Weak crypto, exposed secrets

  3. Injection — SQL injection, command injection, LDAP injection

  4. Insecure Design — Flawed architecture, no threat modeling

  5. Security Misconfiguration — Default configs, unnecessary features enabled

  6. Vulnerable and Outdated Components — Unpatched libraries, known CVEs

  7. Identification and Authentication Failures — Weak passwords, no MFA

  8. Software and Data Integrity Failures — Unsigned updates, CI/CD poisoning

  9. Security Logging and Monitoring Failures — No audit trail, no alerting

  10. Server-Side Request Forgery (SSRF) — Server makes requests to internal resources

Secure Coding Practices

  • Input validation — whitelist over blacklist

  • Output encoding — prevent XSS

  • Parameterized queries — prevent SQL injection

  • Error handling — don’t leak stack traces

  • Least privilege in code — minimal permissions

  • Defense in depth — multiple layers of validation

Database Security

  • Polyinstantiation — same key, different data at different clearance levels

  • Inference — deriving classified info from unclassified data

  • Aggregation — combining unclassified data to derive classified conclusions

  • SQL injection prevention — parameterized queries, stored procedures, ORM

Testing Types

  • Unit testing — individual functions/methods

  • Integration testing — components working together

  • System testing — complete system validation

  • Acceptance testing — user/business validation

  • Regression testing — verify fixes don’t break existing functionality

Change and Configuration Management

  • Version control (your git workflows)

  • Change advisory board (CAB)

  • Release management, rollback procedures

  • Configuration baselines and auditing

Practice Questions

25 questions/day — spend extra time here since it’s your weakest domain.

| Check | Status |
|---|---|
| Read Study Guide Chapters 20-21 (Software Development) | [ ] |
| Watch Destination Certification MindMap — Domain 8 | [ ] |
| SDLC models memorized (Waterfall, Agile, Spiral, DevOps) | [ ] |
| OWASP Top 10 memorized (all 10 in order) | [ ] |
| Secure coding practices understood | [ ] |
| Database security concepts (inference, aggregation) | [ ] |
| Testing types differentiated | [ ] |
| 50+ practice questions completed (Domain 8 — extra due to weakness) | [ ] |