UnixTime

Research Note

EXAM-038 - Secure Development and Architecture

- Treating secure SDLC as only code scanning. - Treating acquired applications as outside application security requirements. - Treating architecture principles as generic slogan...

On this page

Memory cue

Last-day cue

A.8.25 = secure development rules. A.8.26 = approved application security requirements. A.8.27 = secure architecture and engineering principles.

What the exam is likely testing

Control Exam cue
A.8.25 Secure development standards are mandatory, checked, and applied to suppliers
A.8.26 Application security requirements are identified, specified, approved, and tested
A.8.27 Secure engineering principles are documented, maintained, and applied in design

Common wrong answers

  • Treating secure SDLC as only code scanning.
  • Treating acquired applications as outside application security requirements.
  • Treating architecture principles as generic slogans.
  • Letting contractors use unmanaged security standards.
  • Assuming go-live approval replaces early security requirements.