Software vulnerabilities rarely exist in isolation. They are usually the direct result of how software was designed, built, tested, and released. That is why CISSP Domain 8 places strong emphasis on software development methodologies—not to turn security professionals into project managers, but to ensure we understand where security risks emerge and how they can be mitigated.
In real enterprise environments, security teams do not choose the development methodology—but they must operate effectively within it. A security control that works well in a Waterfall environment may completely fail in an Agile or DevOps pipeline.
CISSP Domain 8 expects you to understand:
- How each methodology works
- Where security fits (or is often missed)
- The strengths and weaknesses of each model from a risk perspective
Agile Software Development
Agile is not a single methodology—it is an umbrella term that includes Scrum, XP, Kanban, and other iterative approaches. What defines Agile is its non-linear, incremental nature, where development and testing occur continuously.
Key Agile Characteristics
- Short development cycles (sprints)
- Continuous testing and integration
- Rapid feedback loops
- Frequent releases
- Flexibility over rigid documentation
From a security standpoint, Agile fundamentally changes how risk is managed. Security cannot wait for a “final testing phase” because there isn’t one.
Real-World Security Insight
In Agile environments, security teams that insist on heavyweight approvals often get bypassed. Successful organisations embed security directly into sprint planning, backlog grooming, and definition-of-done criteria. This is where DevSecOps naturally evolves.
Waterfall Model
The Waterfall model is the oldest and most traditional SDLC methodology. It follows a rigid, sequential approach where each phase must be completed before moving to the next.
Waterfall Phases
- Requirements
- Design
- Implementation
- Verification
- Maintenance
Waterfall is easy to manage and document, which is why it still appears in regulated industries such as government, healthcare, and defence.
Security Strengths and Weaknesses
- Strength: Security requirements can be clearly defined upfront
- Weakness: Security flaws discovered late are extremely expensive to fix
From experience, Waterfall often gives management a false sense of security because “everything was signed off,” even when threat models were outdated before coding began.
V-Model (Verification and Validation Model)
The V-Model is an extension of Waterfall that explicitly maps testing activities to each development phase. For every development stage, there is a corresponding validation phase.
Why Security Teams Like the V-Model
- Testing is not optional
- Security verification is planned, not reactive
- Strong alignment with compliance and audit requirements
Why It Struggles in Modern Environments
The V-Model is inflexible. Once requirements are locked, adapting to new threats—such as zero-day vulnerabilities—becomes extremely difficult.
CISSP candidates should recognise the V-Model as thorough but slow, making it suitable for high-assurance systems but poorly suited to fast-moving threat landscapes.
Spiral Software Development Model
The Spiral model is designed for risk-driven development, making it one of the most security-aware methodologies in Domain 8.
Each loop of the spiral includes:
- Planning
- Risk analysis
- Engineering
- Evaluation
Security Perspective
Unlike most models, Spiral explicitly identifies and mitigates risks at every iteration. This makes it particularly valuable for:
- Large enterprise systems
- Safety-critical software
- Systems handling sensitive data
In practice, Spiral is often combined with Agile techniques to manage both risk and speed.
DevOps (and DevSecOps)
DevOps combines development and operations into a single continuous delivery pipeline. It focuses on automation, collaboration, and rapid deployment.
Why DevOps Changes Security Forever
Traditional security gates simply do not work in DevOps. When deployments happen multiple times per day, security must be:
- Automated
- Embedded
- Continuous
Security in DevOps
- Infrastructure as Code (IaC) scanning
- Automated security testing
- Continuous vulnerability monitoring
- Secure CI/CD pipelines
In mature organisations, DevOps naturally evolves into DevSecOps, where security becomes a shared responsibility—not a bottleneck.
Scrum Methodology
Scrum is one of the most widely used Agile frameworks. It organises work into time-boxed sprints, supported by regular ceremonies such as daily stand-ups and sprint reviews.
Why Scrum Matters in CISSP
Scrum highlights the importance of:
- Continuous stakeholder feedback
- Incremental delivery
- Rapid response to change
From a security perspective, Scrum environments require ongoing risk assessment, not annual security reviews.
Lean Software Development
Lean development originates from Toyota’s manufacturing principles and focuses on maximising value while eliminating waste.
Lean Principles Relevant to Security
- Eliminate unnecessary controls
- Focus on high-impact risks
- Build quality in from the start
- Empower teams
Security professionals often find Lean challenging because it discourages heavy documentation. However, when done correctly, Lean can significantly reduce attack surface by removing unused features and complexity.
Prototype Model
The Prototype methodology involves building an early working model of the system to gather feedback before full development.
Security Considerations
Prototypes are often built quickly—and insecurely. A common real-world mistake is allowing prototype code to enter production unchanged, introducing serious vulnerabilities.
CISSP expects you to recognise that prototypes must be:
- Clearly labelled
- Properly secured
- Re-engineered before production use
Rapid Application Development (RAD)
RAD prioritises speed and user feedback over formal planning.
RAD Security Risks
- Reduced documentation
- Inconsistent security controls
- Increased reliance on third-party components
RAD can be effective for internal tools, but CISSP candidates should recognise that security debt accumulates quickly if governance is weak.
Feature-Driven Development (FDD)
FDD is an iterative, model-driven methodology designed for large teams.
FDD Phases
- Develop overall model
- Build feature list
- Plan by feature
- Design by feature
- Build by feature
FDD provides strong progress visibility, which is valuable for security tracking and risk reporting.
Extreme Programming (XP)
Extreme Programming emphasises:
- Frequent releases
- Continuous testing
- Pair programming
- Constant customer feedback
Security Advantages
- Issues are identified early
- Code quality improves through collaboration
- Security flaws surface faster
XP aligns well with secure coding practices, but only if developers are trained in security fundamentals.
Choosing the “Right” Methodology from a Security View
There is no universally “secure” methodology. Security success depends on:
- Organisational maturity
- Threat landscape
- Regulatory requirements
- Team skill levels
CISSP Domain 8 tests your ability to evaluate trade-offs, not memorise definitions.
Final Thoughts: Why This Matters for CISSP and Beyond
In real-world breaches, post-incident reviews often reveal that:
- Security was added too late
- Risks were misunderstood
- Methodology constraints were ignored
Understanding software development methodologies allows security professionals to influence decisions early, where security is cheapest and most effective.
CISSP Domain 8 is not about software theory—it’s about preventing the next breach before the first line of code is written.
From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.