A security engineer is embedded with a development team to ensure security is built into products being developed.
The security engineer wants to ensure developers are not blocked by a large number of security requirements applied at specific schedule points.
Which of the following solutions BEST meets the engineer's goal?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
The security engineer embedded with the development team wants to ensure that security is built into the products being developed without blocking the developers with a large number of security requirements applied at specific schedule points. The goal is to integrate security into the development process and not make it a bottleneck.
Option A suggests scheduling weekly reviews of all unit test results with the entire development team and conducting surprise code inspections between meetings. This approach may help identify security issues, but it may create additional overhead for developers and slow down the development process. It also relies heavily on human judgment and may not scale well as the size of the development team grows.
Option B suggests developing and implementing a set of automated security tests to be installed on each development team leader's workstation. This approach is a good step toward integrating security into the development process. Automated security tests can be integrated into the build process, ensuring that security is continuously tested throughout the development lifecycle. However, this approach may not be sufficient on its own as it only focuses on security testing and not on integrating security into the development process.
Option C suggests enforcing code quality and reuse standards into the requirements definition phase of the waterfall development process. This approach may help ensure that security is built into the development process from the beginning. However, the waterfall development process is a linear and sequential process that may not be suitable for all types of projects, and it may not be the best approach for projects that require flexibility and agility.
Option D suggests deploying an integrated software tool that builds and tests each portion of code committed by developers and provides feedback. This approach is a good step toward integrating security into the development process. The tool can be used to automate security testing and provide feedback to developers, ensuring that security is continuously tested throughout the development lifecycle. This approach is flexible and can be used with different development methodologies.
In conclusion, option D, deploying an integrated software tool that builds and tests each portion of code committed by developers and provides feedback, is the best solution as it provides a continuous and automated approach to integrating security into the development process, without creating a bottleneck or slowing down the development team.