Skip to content

Chapter 9: Domain 8: Software Development Security

Abstract

This chapter introduces Domain 8 of the CISSP®, Software Development Security. The most important aspects of this domain are related to managing the development of software and applications. Approaches to software development that attempt to reduce the likelihood of defects or flaws are a key topic in this domain. In particular, the Waterfall, Spiral, and Rapid Application Development (RAD) models of software development are considered. Another significant portion of this chapter is dedicated to understanding the principles of Object-Oriented programming and design. A basic discussion of several types of software vulnerabilities and the issues surrounding disclosure of the vulnerabilities are also a topic for this domain. Finally, databases, being a key component of many applications, are considered.

Keywords

  • DevOps
  • Extreme Programming
  • Object
  • Object-Oriented Programming
  • Procedural languages
  • Spiral Model
  • Systems Development Life Cycle
  • Waterfall Model

Exam objectives in this chapter:

  • Programming Concepts
  • Application Development Methods
  • Databases
  • Object-Oriented Design and Programming
  • Assessing the Effectiveness of Software Security
  • Artificial Intelligence

Unique Terms and Definitions

  • Extreme Programming (XP)—an Agile development method that uses pairs of programmers who work off a detailed specification
  • Object—a “black box” that combines code and data, and sends and receives messages
  • Object-Oriented Programming—changes the older procedural programming methodology, and treats a program as a series of connected objects that communicate via messages
  • Procedural languages—programming languages that use subroutines, procedures, and functions
  • Spiral Model—a software development model designed to control risk
  • Systems Development Life Cycle—a development model that focuses on security in every phase
  • Waterfall Model—an application development model that uses rigid phases; when one phase ends, the next begins

Introduction

Software is everywhere: not only in our computers, but also in our houses, our cars, and our medical devices, and all software programmers make mistakes. As software has grown in complexity, the number of mistakes has grown along with it. We will learn in this chapter that programmers may make 15–50 mistakes per thousand lines of code, but following a programming maturity framework such as the Capability Maturity Model Integration (CMMI) can lower that number to 1 mistake per thousand. That sounds encouraging, but remember that the Microsoft Vista operating system has 50 million (50,000,000) lines of code. Newer OSs such as Windows 11 likely have more.

As our software has grown in complexity, the potential impact of a software crash has also grown. Many cars are now connected to the Internet and use “fly by wire” (software) to control the vehicle: in that case, the gearshift is no longer directly mechanically connected to the transmission; instead, it serves as an electronic input device, like a keyboard. What if a software crash interrupts I/O? What if someone remotely hacks into the car and takes control of it, as demonstrated by Charlie Miller and Chris Valasek?

Developing software that is robust and secure is critical: this chapter will show how to do that. We will cover programming fundamentals such as compiled versus interpreted languages, as well as procedural and object-oriented programming languages. We will discuss application development models such as the Waterfall Model, Spiral Model, Extreme Programming (XP), and others. We will also discuss newer concepts such as DevOps. We will describe common software vulnerabilities, ways to test for them, and maturity frameworks to assess the maturity of the programming process and provide ways to improve it.