Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?
Q: BEST REPORT for reviewing the SECURITY OF CODE written for a newly developed website?
Answer: C
A static software composition analysis (SCA) report primarily focuses on identifying vulnerabilities in third-party libraries and components used in the software. While this type of analysis is valuable for identifying potential security issues arising from dependencies on external code, it may not provide comprehensive coverage of security issues specific to the custom code written for the website.
Penetration testing, on the other hand, involves actively probing and testing the website's code, configuration, and overall security posture by simulating real-world attack scenarios. This type of testing is more likely to uncover vulnerabilities specific to the custom code and implementation of the website, making the penetration test report a better choice for reviewing the security of the website's code.
By using static analysis tools to analyze source code, you can identify problems early in each process of a development project, allowing for quick fixes and reducing the cost of fixing bugs throughout the project.
While web application vulnerability reports (Option D) are valuable for assessing the security of a website, they primarily focus on testing the website in its deployed state and identifying vulnerabilities from an external perspective. On the other hand, static software composition analysis (Option B) specifically examines the codebase itself, making it the BEST choice for reviewing the security of code written for a newly developed website.
D is more comprehensive and shows you the state of the site in more real-world scenarios that could be overlooked in a static code analysis. Answer is D
C. Penetration test report
Penetration testing involves actively probing a system to identify vulnerabilities and weaknesses, including those within the code of a web application. This type of testing simulates real-world attacks and provides valuable insights into potential security risks. A penetration test report would detail the findings, vulnerabilities discovered, and recommendations for remediation, making it an essential reference for an IS auditor assessing the security of a newly developed website.
While the other options (A. Black box testing report, B. Static software composition analysis, and D. Web application vulnerability report) may also provide useful information, a penetration test report specifically focuses on assessing the security of the application in a real-world scenario, which is highly relevant for an IS auditor's security review.