Domain8 by EraserClap

CISSP Domain 8 Explained: Software Development Security

Domain 8 is where security meets the development lifecycle. It is about 10% of the exam, and it rewards understanding why a control works.

A practical guide with free practice questions · by Domain8

The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.

Software Development Security covers building, testing, and maintaining software so that security is engineered in from the start. On the exam it leans on judgment: which fix is BEST, or what to do FIRST, when several options look reasonable. New to it? See why Domain 8 is the hardest CISSP domain and how to beat it.

Want to drill Domain 8? Domain8 has adaptive quizzes, a 700-question bank, and a diagnostic that finds your weak spots. Domain 8 is free to try, no card.

1. The secure SDLC

Security lives at every phase, not just a final review.

2. Common software flaws

Recognize root causes:

3. Core defenses

Build them in by design:

4. Security testing

Layered assurance:

5. Supply chain and AI/LLM risk

Modern Domain 8:

Free practice questions

Try these in the exam's "best answer" style, then expand for the explanation.

1. A code review finds user input concatenated directly into SQL strings. Which fix MOST fundamentally prevents injection rather than merely reducing the attack surface?
  A. Place a web application firewall in front of the app
  B. Escape special characters in each input string
  C. Use parameterized queries / prepared statements
  D. Suppress database error messages in responses
C. Parameterized queries bind input as data so it can never be parsed as SQL — a structural fix. A WAF, manual escaping, and hiding errors only reduce or obscure exposure.
2. A developer leaves a hidden access path in code for later use. What is it, and how should it be handled?
  A. A race condition that can be ignored
  B. A buffer overflow fixed by patching the OS
  C. A useful feature that should be documented
  D. A back door (maintenance hook); remove before release
D. Maintenance hooks / back doors are a top development security risk and must be removed prior to release.
3. An application renders output from a third-party LLM influenced by user prompts. How should developers treat that output?
  A. As untrusted; validate and encode it
  B. As trusted since the model produced it
  C. As pre-sanitized by the provider
  D. As safe because the connection uses HTTPS
A. LLM output can carry injected or malicious content; treat it as untrusted and validate and encode it for the output context.
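To make question 1 concrete, here is an added example (not code from Domain8 or from any real application) that runs the same constructed input through the flawed concatenated query, the hand-escaped variant of option B, and the parameterized query of option C against an in-memory SQLite table; the table rows, the `users` schema and the hostile input string are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows; not data from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The flaw from question 1: user input is spliced into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Option B: escape quotes by hand. Stops this input, but every call
    site and every context (numbers, identifiers, LIKE patterns) needs
    its own rule, so the root cause (input parsed as SQL) remains."""
    sql = "SELECT name, email FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Option C: the driver binds `name` as a value; it is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed hostile input of the kind the code review in question 1 would flag.
TAUTOLOGY = "x' OR '1'='1"


def row_counts(name: str) -> tuple:
    """Rows returned by each variant (concatenated, escaped, parameterized)."""
    conn = make_db()
    return (len(lookup_concatenated(conn, name)),
            len(lookup_escaped(conn, name)),
            len(lookup_parameterized(conn, name)))


if __name__ == "__main__":
    # Expected: (2, 0, 0) for the tautology, (1, 1, 1) for a real user name.
    print(row_counts(TAUTOLOGY), row_counts("alice"))
```

The concatenated query returns every row because the input is parsed as SQL; the parameterized query returns nothing because the same string is compared literally against the name column, which is what the explanation means by "bind input as data".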

Like these? Get a full adaptive quiz engine and a diagnostic that scores you by difficulty and question style. All of Domain 8 is free to try.

Frequently asked questions

Do I need to be a programmer to pass Domain 8?

No. You need secure-development concepts and risk-based judgment, not coding skill. Focus on root-cause fixes and evaluating third-party and AI risk.

How big is Domain 8 on the exam?

Roughly 10% — smaller than Domain 1, but often where non-developers feel least comfortable.
