Home / Study Resources / CSC Domain 3: Architecture and Design (18%) - Comp

CSC Domain 3: Architecture and Design (18%) - Complete Study Guide 2027

📅 Updated May 30, 2026 ⏱️ 9 min read 🎯 CSC Exam Prep
Table of Contents

Domain 3 Overview: Architecture and Design

Domain 3: Architecture and Design represents 18% of the CSC-210 exam, making it one of the most critical areas for exam success. This domain focuses on secure design principles, architectural patterns, and the fundamental concepts that underpin secure application development. Understanding these concepts is essential not only for passing the exam but for implementing robust security measures in real-world development projects.

18%
of Total Exam
14-15
Questions Expected
$367.50
Exam Cost

Architecture and design security forms the foundation upon which all secure applications are built. Unlike implementation-focused domains, Domain 3 emphasizes the strategic and planning aspects of secure development. This includes understanding how security principles integrate into the software development lifecycle from the earliest stages of design through deployment and maintenance.

Domain 3 Weight

With approximately 14-15 questions out of 80 total exam items, mastering this domain can significantly impact your overall score. Combined with Domain 5: Application Implementation, these two domains account for over half of the entire exam content.

Success in this domain requires a deep understanding of security architecture principles, design patterns, threat modeling methodologies, and the ability to apply these concepts across various technology stacks and deployment environments. As outlined in our comprehensive CSC Study Guide 2027, this domain builds directly upon the foundational knowledge covered in earlier domains.

Secure Design Principles

Secure design principles form the cornerstone of Domain 3 and represent fundamental concepts that every secure coder must master. These principles guide decision-making throughout the application development lifecycle and help developers create inherently secure systems.

Defense in Depth

Defense in depth is a layered security approach that assumes no single security measure is perfect. This principle requires implementing multiple security controls at different layers of the application and infrastructure stack. In application architecture, this translates to:

  • Presentation Layer Security: Input validation, output encoding, and session management
  • Business Logic Layer Security: Authorization controls, business rule validation, and secure workflows
  • Data Access Layer Security: Database security, connection pooling, and query parameterization
  • Infrastructure Security: Network segmentation, firewalls, and intrusion detection systems

Principle of Least Privilege

This principle dictates that users, processes, and systems should have only the minimum access rights necessary to perform their intended functions. In application design, this affects:

  • User role definitions and permissions
  • Service account configurations
  • API access controls
  • Database connection privileges
  • File system permissions

Fail Secure

Applications should fail to a secure state when errors occur or when security controls fail. This principle ensures that security is maintained even during unexpected conditions or system failures.

Common Design Mistake

Many applications fail open instead of failing secure, potentially exposing sensitive data or functionality when security controls malfunction. Always design systems to deny access by default when security mechanisms fail.

Zero Trust Architecture

Zero trust principles assume that no user, device, or network should be trusted by default, regardless of location or previous authentication. This approach requires continuous verification and validation of all access requests.

Secure Architectural Patterns

Understanding secure architectural patterns is crucial for the CSC exam and real-world application development. These patterns provide proven solutions to common security challenges and help developers avoid reinventing security mechanisms.

Model-View-Controller (MVC) Security

The MVC pattern separates application logic into three interconnected components, each with specific security considerations:

Component Security Responsibilities Key Vulnerabilities
Model Data validation, business logic security, database access control SQL injection, data exposure, business logic bypass
View Output encoding, secure rendering, client-side security XSS, information disclosure, template injection
Controller Input validation, authentication, authorization, session management Access control bypass, CSRF, session hijacking

Microservices Security Architecture

Microservices architectures present unique security challenges and opportunities. Key security considerations include:

  • Service-to-Service Authentication: Mutual TLS, service meshes, and API gateways
  • Distributed Authorization: Token-based systems, OAuth 2.0, and centralized policy management
  • Network Segmentation: Container networking, service discovery, and traffic encryption
  • Monitoring and Logging: Distributed tracing, centralized logging, and security event correlation

API Gateway Pattern

API gateways serve as a single entry point for client requests and provide centralized security controls including:

  • Rate limiting and throttling
  • Authentication and authorization
  • Request/response transformation
  • SSL termination
  • API versioning and routing
Exam Tip

The CSC exam frequently tests knowledge of how architectural patterns impact security. Focus on understanding the security implications of each pattern rather than just their functional benefits.

Threat Modeling in Design

Threat modeling is a systematic approach to identifying, analyzing, and mitigating potential security threats during the design phase. This proactive security measure is heavily emphasized in Domain 3 and connects directly to Domain 4: Risk Assessment and Management.

STRIDE Methodology

STRIDE is a widely-used threat modeling framework that categorizes threats into six main types:

  • Spoofing: Impersonating users, processes, or systems
  • Tampering: Unauthorized modification of data or code
  • Repudiation: Denying actions or transactions
  • Information Disclosure: Unauthorized access to sensitive information
  • Denial of Service: Disrupting system availability
  • Elevation of Privilege: Gaining unauthorized access or permissions

DREAD Risk Rating

DREAD provides a framework for assessing and prioritizing threats based on five factors:

  • Damage: How severe would the impact be?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch the attack?
  • Affected Users: How many users would be impacted?
  • Discoverability: How easy is it to discover the vulnerability?

Attack Trees

Attack trees provide a visual representation of potential attack paths, helping developers understand how attackers might compromise their systems. This methodology is particularly useful for complex applications with multiple entry points and attack vectors.

Authentication and Authorization Architecture

Authentication and authorization represent critical components of secure application architecture. These systems must be designed to handle various scenarios while maintaining security and usability.

Authentication Mechanisms

Modern applications typically implement multiple authentication factors and methods:

  • Something You Know: Passwords, PINs, security questions
  • Something You Have: Tokens, smart cards, mobile devices
  • Something You Are: Biometric identifiers
  • Somewhere You Are: Location-based authentication

Single Sign-On (SSO) Architecture

SSO systems allow users to authenticate once and access multiple applications. Common SSO protocols include:

  • SAML 2.0: XML-based protocol for enterprise environments
  • OAuth 2.0: Token-based authorization framework
  • OpenID Connect: Identity layer built on OAuth 2.0
  • Kerberos: Network authentication protocol for enterprise environments
Authorization vs Authentication

Authentication verifies identity ("who you are"), while authorization determines permissions ("what you can do"). Both must be implemented securely and independently to prevent bypass vulnerabilities.

Role-Based Access Control (RBAC)

RBAC systems assign permissions to roles rather than individual users, simplifying administration and reducing the risk of excessive privileges. Key RBAC concepts include:

  • Role hierarchies and inheritance
  • Role separation and conflicts
  • Dynamic role assignment
  • Contextual access controls

Data Protection in Architecture

Data protection must be considered at every architectural level, from database design through application interfaces and user interactions. This comprehensive approach ensures sensitive information remains secure throughout its lifecycle.

Data Classification and Handling

Effective data protection begins with proper classification and handling procedures:

Classification Level Examples Protection Requirements
Public Marketing materials, published documentation Basic integrity controls
Internal Employee directories, internal communications Access controls, audit logging
Confidential Customer data, financial records Encryption, strong access controls, monitoring
Restricted Payment card data, health records End-to-end encryption, strict access controls, compliance monitoring

Encryption Architecture

Encryption must be implemented at multiple layers to provide comprehensive data protection:

  • Data at Rest: Database encryption, file system encryption, backup encryption
  • Data in Transit: TLS/SSL, VPN tunnels, message-level encryption
  • Data in Use: Application-level encryption, secure enclaves, homomorphic encryption

Key Management

Proper key management is essential for maintaining encryption effectiveness. Key architectural considerations include:

  • Key generation and distribution
  • Key rotation and lifecycle management
  • Key escrow and recovery procedures
  • Hardware security modules (HSMs)
  • Key separation and access controls

Network Security Architecture

Network security architecture encompasses the design and implementation of secure communication channels, network segmentation, and traffic monitoring. These components work together to protect applications from network-based attacks.

Network Segmentation

Proper network segmentation limits the scope of potential security breaches and provides defense in depth. Common segmentation strategies include:

  • DMZ (Demilitarized Zone): Isolated network segment for public-facing services
  • VLAN Segmentation: Logical separation of network traffic
  • Subnet Isolation: Physical or logical separation of network segments
  • Microsegmentation: Granular network controls at the workload level

Transport Layer Security

TLS provides encryption and authentication for network communications. Key TLS considerations include:

  • Protocol version selection (TLS 1.2 minimum, TLS 1.3 preferred)
  • Cipher suite configuration
  • Certificate management and validation
  • Perfect forward secrecy
  • Certificate pinning and transparency
Protocol Security

Legacy protocols like SSL 2.0/3.0 and TLS 1.0/1.1 contain known vulnerabilities and should not be used in production environments. Always implement the latest secure protocol versions.

Cloud Security Architecture

Cloud computing introduces unique architectural considerations and shared responsibility models that significantly impact application security. Understanding these concepts is increasingly important for the CSC exam as more organizations migrate to cloud environments.

Shared Responsibility Model

Cloud security responsibilities are divided between cloud service providers and customers based on the service model:

  • Infrastructure as a Service (IaaS): Customer responsible for OS, applications, and data
  • Platform as a Service (PaaS): Customer responsible for applications and data
  • Software as a Service (SaaS): Customer responsible for data and user management

Container Security

Container architectures require specific security considerations:

  • Base image security and vulnerability scanning
  • Container runtime security
  • Orchestration platform security (Kubernetes, Docker Swarm)
  • Network policies and service mesh security
  • Secrets management in containerized environments

Serverless Security

Serverless computing presents unique security challenges and opportunities:

  • Function-level isolation and permissions
  • Event-driven security monitoring
  • Dependency management and supply chain security
  • Cold start security implications
  • Serverless-specific vulnerability patterns

Study Strategies for Domain 3

Mastering Domain 3 requires a combination of theoretical knowledge and practical understanding. As detailed in our complete difficulty guide, this domain is considered moderately challenging due to its conceptual nature and broad scope.

Recommended Study Approach

Focus your study efforts on understanding the relationships between different architectural concepts rather than memorizing isolated facts. The exam tests your ability to apply security principles to real-world scenarios.

  • Week 1-2: Master fundamental security principles and design patterns
  • Week 3: Deep dive into threat modeling methodologies
  • Week 4: Focus on authentication and authorization architectures
  • Week 5: Study data protection and encryption implementations
  • Week 6: Review network and cloud security architectures

Practice Resources

Utilize multiple resources to reinforce your learning and identify knowledge gaps. Our comprehensive practice tests include scenario-based questions that mirror the actual exam format and difficulty level.

Study Tip

Create architecture diagrams for different scenarios and identify security controls at each layer. This visual approach helps reinforce the layered security concepts that are heavily tested in Domain 3.

Practice Questions and Exam Preparation

Domain 3 questions typically present architectural scenarios and ask you to identify appropriate security controls, design flaws, or improvement recommendations. Understanding the question patterns helps you prepare more effectively.

Common Question Types

Based on analysis of exam objectives and candidate feedback, Domain 3 questions commonly address:

  • Security principle application in given scenarios
  • Architectural pattern selection for specific requirements
  • Threat identification and mitigation strategies
  • Authentication and authorization design decisions
  • Data protection implementation approaches

Time Management Strategy

With 120 minutes for 80 questions, you have approximately 1.5 minutes per question. Domain 3 questions often require more analysis time due to their scenario-based nature, so practice efficient question analysis techniques.

For additional practice and detailed explanations, access our free practice tests that include Domain 3-specific questions with comprehensive answer explanations.

Integration with Other Domains

Domain 3 concepts frequently overlap with other exam domains. Understanding these connections helps you answer cross-domain questions more effectively:

  • Domain 1: Architecture terminology and fundamental concepts
  • Domain 2: Design phase responsibilities and secure development practices
  • Domain 4: Risk assessment techniques and threat analysis
  • Domain 5: Implementation of architectural security decisions

For a comprehensive understanding of how all domains interconnect, review our detailed guide to all 5 content areas.

What percentage of Domain 3 questions focus on cloud security?

While CertNexus doesn't publish specific breakdowns, cloud security concepts appear throughout Domain 3 questions. Expect 3-5 questions to have cloud-specific components, including shared responsibility models, container security, and serverless architectures.

How technical are the architecture questions on the CSC exam?

Domain 3 questions focus on conceptual understanding rather than implementation details. You need to understand security principles and architectural patterns but won't be asked to write code or configure specific technologies.

Should I memorize specific threat modeling frameworks?

Yes, you should understand STRIDE, DREAD, and attack tree methodologies. However, focus on understanding when and how to apply each framework rather than memorizing detailed procedures.

How important is understanding legacy vs. modern authentication methods?

Very important. The exam tests your ability to recommend appropriate authentication mechanisms for different scenarios, including understanding the security limitations of legacy approaches and benefits of modern methods like multi-factor authentication and SSO.

Do I need hands-on experience with specific architectural patterns?

While hands-on experience is beneficial, the exam focuses on understanding security implications of different patterns rather than implementation expertise. Conceptual knowledge combined with scenario analysis skills is most important for exam success.

Ready to Start Practicing?

Test your Domain 3 knowledge with our comprehensive practice questions designed to mirror the actual CSC exam format and difficulty level.

Start Free Practice Test
Take Free CSC Quiz →