A deployment manager is working with a software development group to assess the security of a new version of the organization's internally developed ERP tool.
The organization prefers not to perform assessment activities following deployment, instead focusing on assessing security throughout the development life cycle.
Which of the following methods would BEST assess the security of the product?
Option A: Static code analysis in the IDE environment
Static code analysis (SAST) examines the source code of an application to identify security vulnerabilities and coding errors without executing it. It is usually performed with specialized tools that parse the code and match it against rules for common programming mistakes and known vulnerable patterns, such as unsafe function calls, hard-coded credentials or unvalidated input reaching a sensitive sink. Running it inside the IDE gives developers feedback at the moment code is written, which is the earliest point in the life cycle at which a defect can be caught. Its limits follow from the method: it finds only patterns its rules encode, it cannot see problems that exist only in the deployed environment, and it produces false positives that must be triaged.
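The following is an added illustration of what a static analyzer does; it is not code from the original page or from any real SAST product. It walks the abstract syntax tree of a Python module using only the standard library, never executes the module, and flags three pattern classes: calls to `eval`/`exec`, `subprocess` calls with `shell=True`, and string literals assigned to credential-looking names. The sample source it scans is constructed for the example.

```python
"""Minimal AST-based static analysis check (added example, not from the page).

The target code is parsed, never imported or run, which is the defining
property of static analysis.
"""
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample source for the example; not real application code.
SAMPLE_SOURCE = '''
import subprocess
DB_PASSWORD = "hunter2"                # hard-coded credential

def run(cmd):
    subprocess.call(cmd, shell=True)   # shell injection risk

def calc(expr):
    return eval(expr)                  # arbitrary code execution
'''


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Hypothetical rule set chosen for this example.
DANGEROUS_CALLS = {"eval", "exec"}
CREDENTIAL_HINTS = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called object, e.g. 'subprocess.call'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def analyze(source: str) -> List[Finding]:
    """Parse `source` and return rule matches sorted by line; code is not executed."""
    findings: List[Finding] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding(node.lineno, "dangerous-call",
                                        f"use of {name}()"))
            if name.startswith("subprocess."):
                # shell=True hands the argument string to a shell interpreter
                for kw in node.keywords:
                    if (kw.arg == "shell"
                            and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append(Finding(node.lineno, "shell-true",
                                                f"{name}(..., shell=True)"))
        elif isinstance(node, ast.Assign):
            # A string literal assigned to a credential-looking variable name.
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                for target in node.targets:
                    if (isinstance(target, ast.Name)
                            and any(h in target.id.lower() for h in CREDENTIAL_HINTS)):
                        findings.append(Finding(node.lineno, "hardcoded-credential",
                                                f"string literal assigned to {target.id}"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Note what the checker cannot do: it has no idea whether `cmd` in `run()` actually comes from a user, and a credential read from an environment variable or built by concatenation would pass unnoticed. Those gaps are why the text above describes static analysis as early and useful but rule-bound, and why real programs pair it with review and dynamic testing.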
Option B: Penetration testing of the UAT environment
Penetration testing simulates an attack on a running system to find vulnerabilities an attacker could exploit to gain unauthorized access to the system or its data. The User Acceptance Testing (UAT) environment is a pre-production deployment of the built application, so testing it can surface flaws before the release reaches production; it is, however, a dynamic test of a finished build rather than an activity carried out throughout the life cycle.
Option C: Vulnerability scanning of the production environment
Vulnerability scanning identifies weaknesses in a system or application by comparing its exposed services, software versions and configuration against a database of known vulnerabilities. It is usually automated and can be run on a schedule to pick up newly published vulnerabilities. Scanning the production environment finds weaknesses that exist after the application has been deployed, which is precisely the post-deployment assessment the organization wants to avoid relying on.
Option D: Penetration testing of the production environment
Penetration testing of the production environment simulates an attack on the live system to identify exploitable vulnerabilities. It can find weaknesses that earlier testing missed or that were introduced after deployment, but it takes place only after the product is live and carries the risk of disrupting a production system.
Option E: Peer review prior to unit testing
Peer review has other developers read the code to identify potential issues before it is tested. It catches coding errors and some security problems early in the development cycle, but its coverage depends on the reviewers' security knowledge and attention, so it is less consistent than automated analysis at finding security issues.
Answer:
The best method for assessing the security of the product would be option A, static code analysis in the IDE environment. It identifies potential security issues as the code is written, well before the application is deployed, and it is repeatable on every change. Options C and D both assess the production environment, which is exactly the post-deployment activity the organization wants to avoid. Option B assesses a finished build in UAT, late in the cycle rather than throughout it. Option E is early but manual and inconsistent in its coverage. By assessing security continuously during development, the organization integrates security into every phase of the project and reduces the risk of vulnerabilities surviving into later phases.