CISSP Domain 8 Refresh: Software Development Security

In our cars, our watches, and even our refrigerators, software seems to be finding its way into everything. Along with its promise of increased productivity and data, however, come the risks that programming and other software development errors can introduce to our world. In 2017, The Atlantic magazine wrote of “The Coming Software Apocalypse,” while TechRepublic estimates that most modern software has one bug per 1000 lines of code. In this CISSP Domain 8 Refresh, we explore what this means for security professionals while also revisiting some of the certification’s key concepts and terminology.

This section of Domain 8 dives deep into the world of software development. While it covers many key programming concepts, security professionals need to understand their role in providing a secure foundation for the design and delivery of software that meets customer needs. This includes terminology such as machine code, which the CPU runs directly; source code, the human-readable form in which programs are written; and the compilers, interpreters, and bytecode that translate, interpret, and execute that written code.

The section continues with an overview of the different kinds of software, categorized by how it is distributed. Open versus closed source software is explored, as well as freeware, shareware (which often requires payment after a trial period), and crippleware (where functions are disabled until payment is provided). The software development section ends with a review of software licensing, a key linkage back to Domain 1: Security and Risk Management, given the role security professionals play in maintaining compliance with terms of use.

Standing in stark contrast to the older, structured approach to programming, Object-Oriented Design treats software as a collection of objects that communicate with each other and with their environment. The concepts go further to include objects, methods, messages between objects, and a range of other qualities like (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Patrick Mallory. Read the original post at: