JDMurray wrote:

AppSec is probably the most difficult domain in the CISSP CBK for non-software developers to grasp. It's difficult to relate the virtual/theoretical concepts of software engineering to equivalents in the real world (e.g., how an automobile operates, how a house is built, the workflow of project management). As to how many AppSec items you will see on your CISSP exam, no one outside of the (ISC)2 exam department really knows. Many exam items may contain information from two or three CBK domains, so counting the actual number of items per domain on any exam is not an easy thing to do. Just to be safe, assume that there are 25 exam items for each of the ten CISSP CBK domains. This makes 225 exam items that count towards the exam score, plus an additional 25 items that are experimental and are not counted. Unfortunately, this assumption doesn't get you out of studying the Application Security domain.