Domain 8 of 8 · Chapter 2 of 5

Dev Environment Security

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The development ecosystem as an attack surface
  • Language, runtime, and third-party libraries as inherited risk
  • Application Security Testing: SAST vs. DAST vs. IAST vs. SCA
  • Securing the SCM repository and the CI/CD pipeline
  • Exam-pattern recognition

Application Security Testing methods: what each one sees and misses

MethodRuns the app?Needs source access?Finds bestBlind toEarliest in SDLC
SAST (static)No: analyzes source/bytecode/binaryYesSource-level coding flaws (injection, insecure APIs); pinpoints the exact lineRuntime, configuration, and environment flaws; tends to false positivesCoding (very early)
DAST (dynamic)Yes: attacks from outsideNo (black-box)Runtime/deployment flaws; confirms a finding is actually exploitableCannot point to the offending line; only tests reachable surfacesTesting (running app required)
IAST (interactive)Yes: instruments from insideYes (agent in the runtime)Correlates code location with runtime confirmation: fewer false positivesNeeds coverage from exercising the app; agent adds runtime overheadTesting (with instrumentation)
SCANo: inspects the dependency manifestNo (reads components/manifests)Known-vulnerable third-party components (CVEs) and license risk; feeds the SBOMFlaws in the team's own first-party codeCoding and continuously after

Decision tree

Flaw in a third-partycomponent / library?YesNo (own code)SCAknown-vuln components; SBOMSource code available?No (black-box)YesDASTruns app; confirms exploitabilityNeed runtime confirmation +the responsible code line?NoYesSASTearliest; exact line; staticIASTagent; location + confirmationAlways: run SCA continuously alongside the source scannersthe methods are complementary, not substitutes

Cheat sheet

  • Every tool in the development ecosystem is an attack surface, not just the source code
  • The SSDF (NIST SP 800-218) hardens the environment and artifacts, not just the code
  • Choosing a memory-safe, type-safe language is itself a security control
  • Third-party libraries are inherited risk because a flaw ships inside an already-trusted package
  • Software Composition Analysis inventories dependencies and flags known-vulnerable components
  • An SBOM is a component-transparency layer that speeds response but does not prevent vulnerabilities
  • SAST reads code without running it: earliest, pinpoints the line, but blind to runtime
  • DAST attacks the running app from outside with no source: confirms exploitability but not the line
  • IAST instruments the running app to combine code-level location with runtime confirmation
  • Match the AST method to the flaw class. They are complementary, not interchangeable
  • The SCM repository is the integrity boundary: govern it with least privilege, branch protection, and peer review
  • The CI/CD pipeline is both the enforcement gate and a high-value target
  • Build credentials and signing keys belong in a secrets vault, never hard-coded in pipeline files or source
  • Sign build artifacts so downstream stages and consumers can verify provenance and detect tampering
  • The IDE and developer tool sets are part of the supply chain. Manage and patch them
  • At CISSP altitude, name the control or method and the decision, not the operator keystrokes

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-218: Secure Software Development Framework (SSDF) v1.1 Whitepaper
  2. CISA: The Case for Memory Safe Roadmaps
  3. NIST Cyber Supply Chain Risk Management (C-SCRM)
  4. NTIA: The Minimum Elements For a Software Bill of Materials (SBOM) Whitepaper
  5. NIST SP 800-204C: Implementation of DevSecOps for a Microservices-based Application Whitepaper
  6. NIST Glossary: SAST (static application security testing)
  7. NIST Glossary: DAST (dynamic application security testing)