CISSP Domain 8.4: Evaluating Acquired Software Security

May 07, 2026

EPISODE SUMMARY

  • Podcast: CISSP Cyber Training Podcast | Host: Shon Gerber, vCISO, CISSP | Episode: CCT 345 (Replay) | Duration: 22:51

  • Opening News Segment: Shon covers the Chinese state-sponsored breach of the U.S. Treasury Department via BeyondTrust's PAM/Remote Support platform, using it as a real-world lens for cross-domain attacks. Adversaries (attributed to Silk Typhoon/APT27) exploited a compromised API key and zero-day vulnerabilities to move laterally across endpoints, cloud platforms, and third-party connections — logging in rather than breaking in. He references a CrowdStrike-sponsored article on defending against these threats.

  • CISSP Domain/Topic: Domain 8 — Software Development Security | Sub-domain 8.4: Assess the Security Impact of Acquired Software

  • Key Topics Table:

Topic | Key Takeaway
Open Source Evaluation | Assess community activity and maintenance signals; orphaned projects = hidden risk
COTS Software Risk | No source code access makes deep vulnerability assessment nearly impossible
Managed Services / SaaS | Prioritize encryption at rest/in transit and clear SLAs defining incident response
Shared Responsibility Model | Cloud security clarity requires knowing who owns what — esp. account management
Threat Modeling | Maps dependency risk and attack vectors across the software supply chain
Dependency Scanning | Detects vulnerable libraries and frameworks embedded in acquired software
Sandbox Testing | Validates software behavior in a controlled environment before production
Periodic Reassessment | Evolving threats require ongoing software security reviews, not just point-in-time
Pen Testing vs. Static Analysis | Pen testing simulates real-world attacks; static analysis inspects code for flaws
SLA Review | Defines performance metrics and incident response expectations for managed services
Open Source Licensing | Ensures legal/IP compliance; critical for developers and organizations alike
Third-Party SDLC Risk | Lack of control over vendor development lifecycle is the primary integration risk

 

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!