A security engineer is working with a software development team.
The engineer is tasked with ensuring all security requirements are adhered to by the developers.
Which of the following BEST describes the contents of the supporting document the engineer is creating?
A. A series of ad-hoc tests that each verify security control functionality of the entire system at once.
B. A series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the SRTM.
C. A set of formal methods that apply to one or more of the programming languages used on the development project.
D. A methodology to verify each security control in each unit of developed code prior to committing the code.

Correct answer: D
The security engineer tasked with ensuring all security requirements are adhered to by the developers is creating a supporting document that will outline the measures that need to be taken to ensure the security of the software being developed.
Option A, a series of ad-hoc tests that each verify security control functionality of the entire system at once, may be an approach to testing the security controls, but it does not necessarily describe the contents of the supporting document being created by the security engineer.
Option B, a series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the Security Requirements Traceability Matrix (SRTM), is a possible approach to documenting and verifying each individual SRTM constraint, but it is not a complete answer to what the contents of the supporting document would be.
Option C, a set of formal methods that apply to one or more of the programming languages used on the development project, would be relevant to secure coding practices but would not necessarily address all the security requirements.
Option D, a methodology to verify each security control in each unit of developed code prior to committing the code, is the best answer. The supporting document created by the security engineer should include a methodology to verify each security control in each unit of developed code prior to committing the code. This ensures that security controls are built into the software from the start and that potential security vulnerabilities are identified and addressed early in the development process.
In summary, the supporting document the security engineer is creating would contain a methodology for verifying each security control in each unit of developed code before that code is committed, so that security controls are built into the software from the start and potential vulnerabilities are identified and addressed early in the development process.