CISSP Mindmap-Domain 8: Software Development Security

An Interactive CISSP Mindmap Series

CISSP Mindmap – Domain 08

A comprehensive CISSP Mindmap Series will include all 8 Domains. This collection is designed to equip prospective CISSP professionals with essential resources for exam preparation, training and reference.

Domain_08: Key Terms & Definitions

Secure Software Development Life Cycle (Secure SDLC): A process that incorporates security considerations and practices throughout the software development lifecycle, from initial design to deployment and maintenance, to ensure the software is secure by design.

Application Security (AppSec): Practices and tools used to protect applications from threats and vulnerabilities at all stages of the development process, including design, development, deployment, and maintenance.

Static Application Security Testing (SAST): A testing methodology that analyzes source code, byte code, or binary code for security vulnerabilities without executing the program.

Dynamic Application Security Testing (DAST): A testing methodology that examines an application during its runtime to identify security vulnerabilities by simulating attacks.

Software Composition Analysis (SCA): A process that identifies and evaluates the security, licensing, and quality of open-source and third-party components within an application.

Threat Modeling: A proactive approach to identify, assess, and mitigate potential security threats to a software application at an early stage in the development process.

Secure Coding Practices: Guidelines and best practices for writing software code that is resistant to vulnerabilities and exploits, including input validation, proper error handling, and adherence to the principle of least privilege.

Encryption: The process of converting data into a coded format to prevent unauthorized access, commonly used for data at rest and data in transit within applications.

Identity and Access Management (IAM): Frameworks and technologies used to ensure that only authorized individuals can access certain resources, and that they can do so only in a manner approved by the organization.

Penetration Testing: The practice of simulating cyber-attacks on a computer system, network, or web application to identify security weaknesses that could be exploited by attackers.

Code Signing: The process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.

OWASP Top Ten: A regularly updated report outlining the most critical security risks to web applications, published by the Open Web Application Security Project.

Domain_08: Key Areas

  1. Understanding and Integrating Security in the Software Development Lifecycle (SDLC)
  • Secure SDLC Processes: Adoption of security best practices throughout the stages of software development.
  • Security Considerations in Software Acquisition: Assessing and mitigating risks when acquiring software from third parties.

  2. Security Controls in Development Environments
  • Secure Coding Standards and Guidelines: Implementing coding practices that prevent vulnerabilities.
  • Code Review and Testing for Security: Techniques for identifying and fixing security issues in code.

  3. Assessment and Testing of Software Security
  • Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST): Tools and methodologies for identifying vulnerabilities in both non-running and running applications.
  • Software Composition Analysis (SCA): Identifying risks in third-party components and libraries.

  4. Secure Deployment and Maintenance
  • Deployment Environment and Security: Ensuring secure configuration and management of environments where software is deployed.
  • Patch Management and Software Updates: Processes for regularly updating software to address security vulnerabilities.

  5. Database Security in Software Development
  • Protection of Data: Techniques for securing data within applications, including encryption and tokenization.
  • Database Security Models and Practices: Applying security controls to databases and ensuring secure database access.

  6. Cloud, Mobile, and IoT Security Considerations
  • Cloud Application Security: Understanding the shared responsibility model and implementing cloud-specific security controls.
  • Mobile Application Security: Addressing security challenges unique to mobile platforms.
  • Internet of Things (IoT) Security: Considerations for securing IoT devices and the data they generate and process.

  7. Application Security Frameworks and Standards
  • OWASP Guidelines: Leveraging the Open Web Application Security Project (OWASP) resources and tools for web application security.
  • Common Security Standards and Frameworks: Familiarity with ISO/IEC standards, NIST guidelines, and other frameworks relevant to software development security.

  8. Threat Modeling and Risk Management in Software Development
  • Identifying and Assessing Software Threats: Methods for predicting and evaluating threats to software.
  • Risk Management Strategies: Implementing practices to manage and mitigate risks throughout the software development lifecycle.

Domain 08 - Software Development Security_Mindmap

Resources

  • (ISC)2 CISSP Official Study Guide (OSG) 9th Edition by Mike Chapple, James Michael Stewart, and Darril Gibson
    • Chapter 20-21, Pg941-1037
  • CISSP All-in-One Exam Guide, Ninth Edition by Fernando Maymi and Shon Harris
    • Part VIII, Pg1079-1152
  • Eleventh Hour CISSP® Study Guide, Third Edition by Eric Conrad, Seth Misenar, Joshua Feldman
    • Domain-08, Pg185-205
  • Destination Certification – A Concise Guide by Rob Witcher, John Berti, Lou Hablas, Nick Mitropoulos
    • Domain-08, Pg443-476
  • The Official (ISC)2 CISSP CBK Reference, 6th Edition by Arthur Deane and Aaron Kraus
    • Domain-08, Pg549-624

Credits & Disclaimer

We express our gratitude to the below-mentioned authors, creators, and sources which have been referred to in the creation of our Interactive CISSP Mindmap: Mike Chapple and David Seidl (OSG), Luke Ahmed (SNT), Pete Zerger (Exam Cram), Prashant Mohan (Memory Palace), Prabh (Coffee shots), Rob Witcher (destcert.com/) and M. Waleed Khaliq (CISSP Concepts Guide). This Mindmap has been meticulously created to ensure that information is shared effectively. It aims to offer a thorough grasp of essential concepts with a dedication to enhancing the learning experience. We hope that this resource helps people absorb information more thoroughly, leading to a broader understanding of each CISSP domain, and it is freely available for all.

Contribution

We have already included some reference images and short notes for most of the topics so that users can more effectively refer to the content in the mindmap. If you have any information, images, or notes that can make the mindmap more effective, please feel free to share them.

https://github.com/sajinshivdas/CISSP_Interactive_Mindmap/tree/main/CISSP_Domain_08

For issues and concerns, please feel free to raise an issue on GitHub: https://github.com/sajinshivdas/CISSP_Interactive_Mindmap/issues

Connect with me: www.linkedin.com/in/sajin-shivdas