Which two practices help make the security of an application a more integral part of the software development lifecycle? (Choose two.)
Voted answer: AE
DevOps is a set of practices that emphasizes collaboration and communication between developers and other IT professionals while automating the process of software delivery and infrastructure changes. Security is a critical aspect of software development and should be integrated into the software development lifecycle (SDLC) to ensure that vulnerabilities are detected and addressed early on.
There are several practices that can help make security an integral part of the SDLC, but the question asks specifically for two. The two practices that can help make the security of an application a more integral part of the SDLC are:
A. Add a step to the CI/CD pipeline that runs a dynamic code analysis tool during the pipeline execution.
B. Add a step to the CI/CD pipeline that runs a static code analysis tool during the pipeline execution.
Static code analysis tools examine the source code of an application without executing it and can detect security vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting. Dynamic code analysis tools, on the other hand, exercise the application while it runs and can detect vulnerabilities such as authentication and authorization issues, input validation errors, and data leakage. Both kinds of tools are essential for detecting and addressing security vulnerabilities early in the SDLC.
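As an added illustration of options A and B (not part of the original question or its explanation), the following GitHub Actions workflow adds a static analysis job and a dynamic analysis job to a CI pipeline. The scanners (Bandit for SAST, the OWASP ZAP baseline scan for DAST), the `src/` layout and the `example/app:ci` image name are assumptions; substitute the tools and artifacts your project actually uses.

```yaml
# Added example, not from the original page: two security gates in a CI pipeline.
# Assumed: a Python codebase under src/, and a container image example/app:ci
# built earlier in the pipeline that exposes the application on port 8080.
name: security-gates
on: [push, pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Static code analysis (non-zero exit fails the pipeline)
        run: |
          pip install bandit
          # -r: scan recursively; -ll: report medium severity and above
          bandit -r src/ -ll

  dast:
    needs: sast            # dynamic scan runs only after static analysis passes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start the application under test (assumed image name)
        run: docker run -d -p 8080:8080 --name app example/app:ci
      - name: Dynamic code analysis with the OWASP ZAP baseline scan
        run: |
          # The baseline scan spiders the running app and exits non-zero
          # on findings, so the job (and the pipeline) fails on issues.
          docker run --network host ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t http://localhost:8080
```

Because both jobs fail the pipeline on findings, vulnerabilities surface on every push rather than at release time, which is the point of options A and B.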
C. Using only software modules that are written by the internal team is not necessarily a best practice for improving application security. It is important to use software modules that have been thoroughly vetted for security vulnerabilities, whether they are developed in-house or externally. Additionally, third-party modules may provide functionality that is not available internally and may reduce development time.
D. Adding a step to the CI/CD pipeline to modify the release plan so that updated versions of the software are made available more often is not a practice that directly contributes to improving application security. However, frequent releases can enable developers to address security vulnerabilities and other issues more quickly.
E. Ensuring that the code repository server has enabled drive encryption and stores the keys on a Trusted Platform Module or Hardware Security Module is a good practice for securing the code repository server. However, it does not directly contribute to improving application security. It is important to secure the code repository server, but it is equally important to ensure that security is integrated throughout the SDLC.