Introduction
This domain focuses on embedding security throughout the Software Development Life Cycle (SDLC): the requirements, design, implementation, testing, deployment, and maintenance phases.
Most vulnerabilities are introduced during design and implementation. ICT professionals who apply secure design and coding practices early reduce the risk, cost, and complexity of fixing those flaws later, when they have already shipped.
- Understand secure SDLC models and practices.
- Identify and prevent common software vulnerabilities.
- Apply testing and review techniques to ensure security.
Figures
- Secure SDLC
- Security Testing Types
Case Examples
SQL Injection
Building database queries by concatenating untrusted input into SQL text lets an attacker change the structure of the query, not just its values, and so read or modify data they should not be able to reach. Input validation on its own is not a complete fix; the query must be built so that user data can never be interpreted as SQL.
- Use parameterized queries (prepared statements) so that user input is always bound as data
- Validate input against an allow-list of expected formats as a second layer of defense
Vulnerable Dependency
Using outdated third-party libraries carries known, publicly documented vulnerabilities into an application. An attacker only needs to identify the library version in use and match it against published advisories, for which working exploits often already exist.
- Scan dependencies, including transitive ones, against vulnerability databases on every build
- Pin versions in a lockfile and update promptly when a fix is published
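As an added example of what the scanning step does (this is not code from the original page or from any scanning tool), the block below parses a pinned requirements file and matches each package version against a list of advisories expressed as affected version ranges. The requirements file, the package names and the advisories are all constructed for the example and correspond to no real packages or published vulnerabilities; a real scanner would pull advisories from a vulnerability database and resolve transitive dependencies as well.

```python
import re

# Constructed lockfile for the example; the package names are fictional.
REQUIREMENTS = """\
# constructed example lockfile
examplelib==1.4.2
parsekit==0.9
webfw==3.1.0
"""

# Constructed advisory list (not real advisories). A package is affected when
# introduced <= version < fixed, the range convention used by many advisory feeds.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"package": "parsekit", "introduced": "0.0.0", "fixed": "0.9"},
    {"package": "webfw", "introduced": "3.0.0", "fixed": "3.0.5"},
    {"package": "webfw", "introduced": "3.1.0", "fixed": "3.2.0"},
]

PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)")


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple.

    Trailing zeros are dropped so that 5.4 and 5.4.0 compare equal.
    Pre-release suffixes are out of scope for this example.
    """
    parts = tuple(int(p) for p in v.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_requirements(text: str) -> dict:
    """Return {package: version} for every pinned line; reject unpinned lines.

    An unpinned requirement cannot be scanned reliably, since the version that
    will actually be installed is not known until install time.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pinned[m.group(1).lower()] = m.group(2)
    return pinned


def scan(pinned: dict, advisories: list) -> list:
    """Match each pinned version against each advisory's affected range."""
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"])
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append(
                {"package": adv["package"], "version": version, "fixed": adv["fixed"]}
            )
    return findings


if __name__ == "__main__":
    for f in scan(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{f['package']}=={f['version']} is affected; upgrade to {f['fixed']} or later")
```

In the sample data only examplelib 1.4.2 and webfw 3.1.0 fall inside an affected range: parsekit 0.9 is exactly the fixed version and so is not reported, and webfw 3.1.0 is past the fix for the first webfw advisory but inside the range of the second. Running this check on every build, and failing the build on any finding, is the practical form of the "dependency scanning" mitigation above.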
Glossary (50 Terms)
| # | Term | Definition |
|---|---|---|
| 1 | SDLC | The structured process of planning, designing, building, testing, deploying, and maintaining software systems with integrated security practices. |
| 2 | Secure Coding | Practices that ensure software is written to prevent vulnerabilities such as injection, buffer overflows, and improper input handling. |
| 3 | Threat Modeling | A process used during design to identify potential threats, vulnerabilities, and mitigations before implementation begins. |
| 4 | SAST | Static Application Security Testing analyzes source code without execution to identify vulnerabilities early in the development process. |
| 5 | DAST | Dynamic Application Security Testing evaluates running applications to identify vulnerabilities during execution. |
| 6 | IAST | Interactive Application Security Testing instruments a running application so that an agent inside it can observe code paths and data flows while tests or a scanner exercise it, combining elements of static and dynamic analysis. |
| 7 | RASP | Runtime Application Self-Protection monitors application behavior and blocks attacks during execution in real time. |
| 8 | Fuzz Testing | Testing technique that sends random or malformed input to identify unexpected behavior and vulnerabilities. |
| 9 | Code Review | Manual or automated examination of source code to identify security flaws and ensure adherence to secure coding standards. |
| 10 | Input Validation | Checking that input conforms to the expected type, length, format, and range (ideally against an allow-list) before it is used, to prevent injection and other attacks. |
| 11 | Output Encoding | Encoding data for the context in which it is emitted (HTML body, attribute, JavaScript, URL) so that it is rendered as data rather than interpreted as code, preventing cross-site scripting. |
| 12 | Authentication Logic | Code that verifies user identity and must be implemented securely to prevent bypass or exploitation. |
| 13 | Session Management | Handling user sessions securely, including session tokens, expiration, and protection against hijacking. |
| 14 | Dependency Management | Managing third-party libraries to ensure they are secure and up to date. |
| 15 | OWASP Top 10 | A widely recognized list of common web application security risks used as a guideline for secure development. |
| 16 | Buffer Overflow | A vulnerability where data is written beyond the bounds of an allocated buffer, corrupting adjacent memory and potentially allowing execution of attacker-controlled code. |
| 17 | SQL Injection | An attack that manipulates database queries through unsanitized input to access or modify data. |
| 18 | XSS | Cross-site scripting allows attackers to inject malicious scripts into web pages that are then executed in other users' browsers with those users' privileges. |
| 19 | CSRF | Cross-site request forgery tricks a victim's browser into sending requests, carrying the victim's existing session credentials, that perform actions the user did not intend. |
| 20 | Secure Design | Incorporating security principles into system architecture from the beginning of development. |
| 21 | DevSecOps | Integrating security practices into DevOps workflows to ensure continuous security throughout development. |
| 22 | CI/CD | Continuous integration and continuous delivery/deployment pipelines that automate building, testing, and deploying software. |
| 23 | Code Signing | Using digital signatures to verify the authenticity and integrity of software code. |
| 24 | Secure Build | Ensuring that build processes are protected against tampering and produce trusted outputs. |
| 25 | Secrets Management | Secure handling of credentials such as API keys and passwords within applications. |
| 26 | Static Analysis | Analyzing code without execution to identify vulnerabilities and coding issues. |
| 27 | Dynamic Analysis | Analyzing applications during execution to detect runtime vulnerabilities. |
| 28 | Software Assurance | Justified confidence that software is free from exploitable vulnerabilities, whether introduced intentionally or by accident, and that it functions as intended. |
| 29 | Security Requirements | Defined security expectations that must be met during software development. |
| 30 | Secure API | Designing APIs with proper authentication, validation, and access controls to prevent misuse. |
| 31 | Microservices Security | Protecting distributed services through secure communication and isolation. |
| 32 | Container Security | Ensuring containers are securely configured and isolated from other environments. |
| 33 | Supply Chain Security | Protecting software from vulnerabilities introduced through third-party components or processes. |
| 34 | Vulnerability Management | Identifying, prioritizing, and fixing software vulnerabilities throughout its lifecycle. |
| 35 | Patch Management | Applying updates to fix software vulnerabilities and improve security. |
| 36 | Security Testing | Evaluating applications to identify vulnerabilities and weaknesses. |
| 37 | Secure Deployment | Ensuring applications are deployed in hardened and secure environments. |
| 38 | Logging | Recording application events to support monitoring and incident investigation. |
| 39 | Monitoring | Observing application behavior to detect anomalies and threats. |
| 40 | Secure Configuration | Applying secure settings to systems and applications to reduce attack surface. |
| 41 | Hardening | Reducing vulnerabilities by disabling unnecessary features and applying secure configurations. |
| 42 | Secure Defaults | Designing systems with secure configurations enabled by default. |
| 43 | Error Handling | Managing errors securely to avoid revealing sensitive information. |
| 44 | Code Quality | Maintaining high standards in code to reduce bugs and vulnerabilities. |
| 45 | Security Review | Evaluating software for compliance with security requirements and best practices. |
| 46 | Penetration Testing | Simulating attacks against applications to identify exploitable vulnerabilities. |
| 47 | Compliance | Ensuring software meets regulatory and organizational security standards. |
| 48 | Security Architecture | Designing application structures that enforce security principles and controls. |
| 49 | Continuous Improvement | Iteratively improving software security based on testing results and emerging threats. |
| 50 | Secure Lifecycle | Integrating security practices throughout all phases of software development and maintenance. |