Exam CISA topic 1 question 168 discussion

Secure code reviews are a preventive control in a continuous deployment program. The primary purpose of a secure code review is to identify and mitigate security flaws before code is deployed to production. By examining the code for vulnerabilities and weaknesses during the development lifecycle, organizations aim to prevent potential security breaches and operational issues.

If the code review happens before deployment, it is preventive. It depends on the interpretation.

Answer: D and only D

Continuous deployment is a software development strategy that ensures that code changes to an application are automatically released into the production environment. This automation is accomplished through a series of predefined tests.

A. Detective

Secure code reviews are a measure of detective control. From the CISA Review Manual figure 1.5 under detective controls. • Use controls that detect and report the • Hash totals occurrence of an error, omission or • Check points in production jobs malicious act • Echo controls in telecommunications • Error messages over tape labels • Duplicate checking of calculations • Periodic performance reporting with variances • Past-due account reports • Internal audit functions • Review of activity logs to detect unauthorized access attempts • Secure code reviews • Software quality assurance

The answer is D , Because , Secure code review is a manual or automated process that examines an application's source code. The goal of this examination is to identify any existing security flaws or vulnerabilities. Code review specifically looks for logic errors, examines spec implementation, and checks style guidelines, among other activities.

why not A:Detective ?