FlashGenius
SecurityX CAS-005 · Domain 1 of 4

Security Engineering
& Cryptography

The largest domain (31%): covers secure DevOps, modern and post-quantum cryptography, AI/ML security controls, and legacy system hardening.

Exam weight: 31% · Concept areas: 5 · Flashcards: 15 · Quiz questions: 10

What Domain 1 Covers

At 31%, Security Engineering & Cryptography is the largest and most technically demanding domain. This is where CAS-005 diverges most from the older CASP+: new topics include post-quantum cryptography, AI/ML security, and compliance-as-code within engineering pipelines.

Objective A

Apply Secure Software Development

Integrate SAST, DAST, SCA, and SBoM into CI/CD pipelines and enforce security gates.

Objective B

Implement Advanced Cryptography

Configure TLS, PKI, HSMs, and post-quantum algorithms, and build crypto-agile systems.

Objective C

Secure Specialized Environments

Harden SCADA/ICS, embedded, and IoT systems that can't follow standard patch cycles.

Key terms: SAST / DAST / SCA, SBoM, post-quantum cryptography, CRYSTALS-Kyber, HSM, crypto agility, SCADA / ICS, AI/ML security.

New in CAS-005: Post-quantum cryptography, AI/ML security controls, and compliance-as-code are entirely new topics not in CASP+ CAS-004. Budget extra study time here if you have a CAS-004 background.

Lab-heavy domain: PBQs in this domain test hands-on skills, such as configuring CI/CD security gates, TLS cipher suites, and PKI. Set up a home lab (Jenkins or GitLab CI + Snyk/SonarQube) alongside these study materials.

Key Concept Areas

Five areas cover the full Domain 1 objective set.

1. Secure DevOps & CI/CD Pipeline Security
Testing Tools: Know the Difference
  • SAST (Static Application Security Testing): analyzes source code or binaries without executing them. Runs early in the pipeline (pre-build), so it finds flaws such as injection sinks before an artifact exists, but it cannot see runtime configuration.
  • DAST (Dynamic Application Security Testing): tests a running application from the outside by sending attack traffic. Runs against a deployed or staging environment and needs no access to source.
  • SCA (Software Composition Analysis): scans third-party libraries and dependencies (including transitive ones) against known-vulnerability databases.
  • IAST (Interactive Application Security Testing): hybrid approach that instruments the running app from within, correlating the code paths actually executed with the requests that reached them.
Supply Chain Transparency
  • SBoM (Software Bill of Materials): a complete inventory of every component (including transitive dependencies) in a software artifact, usually in CycloneDX or SPDX format. Critical for supply chain security audits and for answering "are we affected?" when a new CVE is published.
  • IaC Security: scanning Infrastructure-as-Code (Terraform, CloudFormation) for misconfigurations before deployment.
  • Container security: image scanning (Trivy, Snyk), Dockerfile linting, runtime protection.
Security Gates
  • Fail builds automatically when vulnerabilities above a severity threshold are found.
  • Enforce code signing and artifact integrity checks throughout the pipeline.
Study tip: Know which tool runs at which stage. SAST = pre-build, SCA = on dependency resolution, DAST = post-deploy to staging, SBoM = artifact creation.
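The security-gate and SBoM bullets above describe a decision a pipeline stage has to make: read the SBoM, match components against SCA findings, honor time-boxed risk acceptances, and fail the build on anything left over. The following is an added example for this study page, not code from FlashGenius or from any real CI system. The SBoM, the findings, the waiver list and the artifact bytes are all constructed inline, and the finding identifiers (EXAMPLE-1, EXAMPLE-2) are placeholders rather than real CVEs.

```python
"""
CI/CD security gate: fail the build when the SBOM lists a component with a
known vulnerability at or above the configured severity, unless an unexpired
risk acceptance covers it, and check the artifact digest before promotion.

Added example for this study page; not code from FlashGenius or from any
real CI system. The SBOM, findings, waivers and artifact bytes are all
constructed inline, and the finding identifiers are placeholders.
"""
import hashlib
import hmac
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed, minimal CycloneDX-style SBOM. The purl is the key an SCA
# scanner matches findings against.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:pypi/example-http@2.4.1"},
    {"type": "library", "name": "example-yaml", "version": "5.1",
     "purl": "pkg:pypi/example-yaml@5.1"},
    {"type": "library", "name": "example-log", "version": "1.0.0",
     "purl": "pkg:pypi/example-log@1.0.0"}
  ]
}"""

# Constructed SCA output: findings keyed by purl, placeholder identifiers.
FINDINGS = {
    "pkg:pypi/example-yaml@5.1": [{"id": "EXAMPLE-1", "severity": "critical"}],
    "pkg:pypi/example-log@1.0.0": [{"id": "EXAMPLE-2", "severity": "high"}],
}

# Time-boxed risk acceptances (ISO dates). An expired waiver stops suppressing.
WAIVERS = {"EXAMPLE-2": "2030-01-01"}


def evaluate_gate(sbom_json, findings, waivers, threshold="high", today=None):
    """Return {'pass': bool, 'blocking': [...], 'waived': [...]}.

    today is an ISO date string (defaults to the current date) so the
    decision is reproducible in tests and audit logs.
    """
    today_date = date.fromisoformat(today) if today else date.today()
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    blocking, waived = [], []
    for comp in sbom.get("components", []):
        for finding in findings.get(comp.get("purl"), []):
            if SEVERITY_RANK[finding["severity"]] < SEVERITY_RANK[threshold]:
                continue  # below the gate threshold: report elsewhere, do not block
            record = (comp["name"], comp["version"], finding["id"], finding["severity"])
            expiry = waivers.get(finding["id"])
            if expiry is not None and date.fromisoformat(expiry) >= today_date:
                waived.append(record)
            else:
                blocking.append(record)
    return {"pass": not blocking, "blocking": blocking, "waived": waived}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact_digest(artifact: bytes, expected_hex: str) -> bool:
    """Artifact integrity check with a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(artifact), expected_hex)


if __name__ == "__main__":
    decision = evaluate_gate(SBOM_JSON, FINDINGS, WAIVERS, today="2025-01-01")
    print(json.dumps(decision, indent=2))
    artifact = b"constructed build output"
    print("artifact digest ok:", verify_artifact_digest(artifact, sha256_hex(artifact)))
    raise SystemExit(0 if decision["pass"] else 1)  # non-zero exit fails the stage
```

Two design points worth noting: the waiver carries an expiry, so a risk acceptance cannot silently become permanent, and the gate exits non-zero rather than merely logging, which is what actually stops the pipeline. In a real pipeline the SBOM would be produced at artifact-creation time and the findings would come from the SCA scanner's report file.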
2. Modern Cryptography & Key Management
  • TLS 1.3: removed the weak and non-AEAD cipher suites and the RSA/static-DH key exchange, so forward secrecy is mandatory. Know the AEAD suites it allows (AES-GCM, ChaCha20-Poly1305).
  • PKI operations: root CA → subordinate CA → end-entity certificate hierarchy. OCSP for near-real-time revocation status (OCSP stapling lets the server attach the signed response to the handshake); CRL as the periodically published alternative. Certificate Transparency logs make issued certificates publicly auditable.
  • Certificate pinning: embedding the expected public key or certificate in the app so that a certificate from any other CA, even a trusted one, is rejected. Risk: pins must be rotated before the pinned key expires or the app locks itself out, so always ship a backup pin.
  • HSM (Hardware Security Module): dedicated, tamper-resistant hardware for secure key generation, storage, and cryptographic operations. Keys never leave the HSM in plaintext.
  • Tokenization: replaces sensitive data with a non-sensitive token. With vault-based tokenization the token has no mathematical relationship to the original (unlike encryption, which anyone holding the key can reverse). Common in PCI DSS environments because systems that hold only tokens reduce the scope of the assessment.
  • Key escrow: a third party holds a copy of encryption keys for lawful access or recovery.
Study tip: Tokenization is not encryption. The key differentiator: tokens have no mathematical link to the original value, making them useless if stolen without the tokenization vault.
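To make the tokenization bullet and study tip concrete, here is an added example (not code from FlashGenius or from any payment vendor) of a vault-based tokenizer. The token is random, keeps the card number's length and last four digits so downstream systems still work, and is deliberately made to fail the Luhn check so it can never be mistaken for a real PAN. The in-memory dictionaries stand in for a hardened vault database; the test card number is the well-known 4111 1111 1111 1111.

```python
"""
Vault-based tokenization: added example for this study page, not code from
FlashGenius or any payment vendor. Only the vault can map a token back to a
PAN, which is why a stolen token is worthless, unlike ciphertext, which the
right key always reverses. The dicts stand in for a hardened vault store.
"""
import secrets

TEST_PAN = "4111111111111111"  # constructed: the standard Visa test number


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        # Consistent tokenization: the same PAN always maps to the same token,
        # which lets analytics join on it but also reveals equality of PANs.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # format-preserving: same length, last four kept
            # Reject a candidate that equals the PAN, collides, or passes Luhn
            # (a Luhn-valid token could be mistaken for a real card number).
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, default=None):
        """Reverse lookup; returns default when the token is unknown to this vault."""
        return self._token_to_pan.get(token, default)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "luhn valid:", luhn_valid(token))
    print("detokenized in vault:", vault.detokenize(token))
    print("detokenized elsewhere:", TokenVault().detokenize(token))
```

The last line is the point of the exercise: a second vault (or an attacker holding the token) gets nothing back, because there is no key to recover, only a lookup table that lives inside the protected environment.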
3. Post-Quantum Cryptography (new in CAS-005)
Why This Matters
  • Shor's algorithm: a quantum algorithm that factors large integers and solves discrete logarithms efficiently, breaking RSA, Diffie-Hellman, and ECC in polynomial time on a sufficiently powerful quantum computer.
  • Grover's algorithm: provides a quadratic speedup for unstructured search, which roughly halves the effective bit strength of a symmetric key (AES-128 falls to about 64 bits of security, AES-256 to about 128). Doubling the key length restores the margin, so symmetric algorithms need larger keys, not replacement.
NIST PQC Standardized Algorithms (2024)
  • CRYSTALS-Kyber (ML-KEM, FIPS 203): lattice-based key encapsulation mechanism (KEM). Use for key exchange.
  • CRYSTALS-Dilithium (ML-DSA, FIPS 204): lattice-based digital signature algorithm; NIST's primary signature standard.
  • FALCON (FN-DSA, FIPS 206): compact lattice-based signatures. Selected in 2022, but its FIPS was still in draft when the first three were published in August 2024.
  • SPHINCS+ (SLH-DSA, FIPS 205): hash-based signature scheme. Larger signatures and slower, but its security rests only on hash functions, with no lattice assumptions.
Crypto Agility
  • Design systems to swap cryptographic algorithms without full redesign: negotiate algorithm identifiers, keep key and signature sizes out of fixed-width fields, and avoid hard-coding a single primitive.
  • "Harvest now, decrypt later" threat: adversaries collecting encrypted traffic today to decrypt when quantum computers mature. This is why key exchange (typically a hybrid of classical and PQ KEMs) is migrated first, ahead of signatures.
Exam tip: Know CRYSTALS-Kyber = key exchange, CRYSTALS-Dilithium/FALCON = signatures, SPHINCS+ = hash-based signatures. Know Shor's breaks asymmetric, Grover's weakens symmetric.
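The crypto-agility and "harvest now, decrypt later" bullets describe a combiner: derive the session key from both a classical and a post-quantum shared secret, with the negotiated suite bound into the derivation so a downgrade cannot go unnoticed. The following is an added example for this study page, not code from FlashGenius or from any TLS library. Real KEM operations (X25519, ML-KEM) require an external library, so the two shared secrets and the transcript hash are constructed byte strings; the HKDF (RFC 5869) and the suite registry are real and run as written, and the suite identifiers 0x0001/0x0002 are assumptions for the example. Concatenating the two shared secrets before the KDF follows the IETF hybrid key exchange design for TLS 1.3.

```python
"""
Crypto-agile hybrid key derivation for the "harvest now, decrypt later" case.
Added example for this study page; not code from FlashGenius or from any
TLS implementation. KEM outputs are passed in as constructed bytes; the
HKDF (RFC 5869) and the suite-bound combiner are real and run as written.
"""
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    if salt is None:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length):
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hkdf_self_test() -> bool:
    """RFC 5869 appendix A, test case 1 (SHA-256)."""
    okm = hkdf(bytes(range(13)), b"\x0b" * 22, bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")


# Suite registry (identifiers are assumptions for this example). Adding a
# new suite is one registry entry, not a redesign: that is the agility.
SUITES = {
    0x0001: ("x25519", None),           # classical only
    0x0002: ("x25519", "ml-kem-768"),   # hybrid: both secrets feed the KDF
}


def derive_session_key(suite_id, ss_classical, ss_pq, transcript_hash, length=32):
    classical, pq = SUITES[suite_id]
    if pq is None:
        ikm = ss_classical
    else:
        if not ss_pq:
            raise ValueError(f"suite {suite_id:#06x} ({pq}) requires a PQ shared secret")
        ikm = ss_classical + ss_pq  # concatenation, as in the IETF hybrid design
    # Binding the suite id and transcript into info means a peer downgraded to
    # 0x0001 derives a different key and the handshake fails instead of
    # silently continuing with classical-only protection.
    info = b"example-hybrid-kdf" + suite_id.to_bytes(2, "big") + transcript_hash
    return hkdf(None, ikm, info, length)


if __name__ == "__main__":
    assert hkdf_self_test()
    # Constructed stand-ins for the KEM outputs and the handshake transcript hash.
    ss_x25519, ss_mlkem, transcript = bytes(32), bytes(range(32)), b"\x11" * 32
    key = derive_session_key(0x0002, ss_x25519, ss_mlkem, transcript)
    # A future quantum attacker who recovers ss_x25519 with Shor's algorithm
    # still lacks ss_mlkem, so recorded traffic stays sealed.
    attacker_guess = derive_session_key(0x0002, ss_x25519, bytes(32), transcript)
    print("session key:", key.hex())
    print("attacker with classical secret only matches:", attacker_guess == key)
```

The combiner is secure as long as either input secret is, which is the whole argument for hybrid key exchange during the transition: a flaw in the new lattice scheme does not leave you worse off than X25519 alone, and a future quantum break of X25519 does not expose recorded sessions.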
4. AI/ML Security Controls (new in CAS-005)
  • AI threat modeling โ€” applying frameworks (STRIDE, MITRE ATLAS) to AI/ML pipelines to identify where adversaries can attack.
  • Adversarial ML โ€” model evasion (crafting inputs to fool classifiers), model poisoning (corrupting training data), model inversion (reconstructing training data from outputs). See also Domain 1 of SecAI+.
  • AI-assisted security tooling โ€” SAST/DAST tools enhanced with ML for better false-positive reduction and novel vulnerability detection.
  • Securing AI pipelines โ€” treating ML training and inference as part of the software supply chain: data integrity, model provenance, output monitoring.
  • Bias and fairness controls โ€” ensuring AI security tools don't produce discriminatory outcomes in access control or threat scoring.
Study tip: This domain tests AI from the engineering perspective, that is, how to build secure AI systems and integrate security tooling. Contrast with SecAI+, which is purely AI-in-security operations.
5. Legacy & Specialized System Security
SCADA / ICS / OT
  • Purdue Model: hierarchical OT/IT architecture with levels from field devices (L0) up through control (L1-L2) and site operations (L3), an industrial DMZ (L3.5), and the enterprise network (L4/5). Traffic should cross levels only through the DMZ, never directly from enterprise to control.
  • OT/IT convergence: as operational technology connects to IT networks, the attack surface expands dramatically.
  • Compensating controls for systems that cannot be patched: network segmentation, air gaps, unidirectional gateways (data diodes), allowlisting.
Embedded Systems & IoT
  • Secure boot: cryptographically verifies firmware integrity before execution, preventing unsigned firmware from loading.
  • Firmware analysis: static and dynamic analysis of firmware images for vulnerabilities, typically starting with locating the compressed or encrypted regions and then searching the unpacked filesystem for hard-coded credentials and keys.
  • Hardware security: TPM (Trusted Platform Module) for key storage and attestation; secure enclaves (Intel SGX, ARM TrustZone) for isolated execution.
Study tip: The key phrase for legacy systems is "compensating controls"; the exam tests whether you know the correct mitigations when patching is not an option.
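The firmware analysis bullet above names two first-pass checks without showing them, so here is an added example for this study page (not code from FlashGenius, binwalk, or any vendor tool): a sliding-window Shannon entropy map that locates compressed or encrypted regions, which need unpacking before string analysis is useful, and a regex scan of the plaintext regions for hard-coded credentials and private keys. The image is constructed inline: a small config partition, zero padding, then a seeded pseudo-random partition standing in for an encrypted filesystem; the hostname, credentials and key header in it are placeholders.

```python
"""
Static firmware triage: added example for this study page, not code from
FlashGenius, binwalk or any vendor tool. Entropy per block finds packed or
encrypted regions; a pattern scan finds hard-coded secrets in the plaintext.
The firmware image is constructed inline with placeholder contents.
"""
import math
import random
import re
from collections import Counter

BLOCK = 1024


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_map(image: bytes, block: int = BLOCK):
    return [(off, shannon_entropy(image[off:off + block]))
            for off in range(0, len(image), block)]


def high_entropy_regions(image: bytes, block: int = BLOCK, threshold: float = 7.5):
    """Merge consecutive high-entropy blocks into (start, end) byte ranges.

    Compressed and encrypted data both score near 8.0; plaintext config and
    code sit well below the threshold, and padding scores 0.0.
    """
    regions = []
    for off, h in entropy_map(image, block):
        if h < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + block)
        else:
            regions.append((off, off + block))
    return regions


SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)(?:passwd|password|pwd)\s*[=:]\s*\S+"),
    "url_with_credentials": re.compile(rb"[a-z]+://[^\s:/@]+:[^\s/@]+@"),
}


def find_secrets(image: bytes):
    """Return (kind, offset, snippet) hits sorted by offset."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(image):
            hits.append((kind, m.start(), m.group(0)[:40]))
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_image() -> bytes:
    """Constructed image: plaintext config, zero padding, pseudo-random partition."""
    config = (b"# device.conf (constructed sample)\n"
              b"admin_password=admin123\n"
              b"update_url=ftp://updater:hunter2@fw.example.invalid/latest.bin\n"
              b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
              b"-----END RSA PRIVATE KEY-----\n")
    config = config.ljust(2 * BLOCK, b"\x00")  # partition padded with zeros
    rng = random.Random(7)  # seeded so the sample is reproducible
    encrypted = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
    return config + encrypted


if __name__ == "__main__":
    image = build_sample_image()
    for off, h in entropy_map(image):
        print(f"0x{off:06x}  entropy {h:4.2f}")
    print("high-entropy regions:", high_entropy_regions(image))
    for kind, off, snippet in find_secrets(image):
        print(f"{kind:22s} @0x{off:06x}  {snippet!r}")
```

On a real image the high-entropy ranges are where you point an unpacker (or conclude the vendor encrypts the filesystem and go looking for the key in the bootloader); the secret scan is then rerun over the extracted filesystem, where it usually finds far more than the header partition shows.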

Flashcards

15 terms covering Domain 1's engineering, cryptography, and post-quantum concepts.

Knowledge Check


SecurityX CAS-005 · V1

Next up, Domain 2: Security Architecture (27%)

Zero trust, SASE, cloud models, microsegmentation, and enterprise access controls.