Preventive controls: These controls are designed to stop vulnerabilities from occurring in the first place. They are proactive measures that aim to prevent threats and errors before they happen. --> Secure Coding Guidelines / QC before implementation
Detective controls: These controls are designed to detect vulnerabilities or threats that have already occurred. They are reactive measures that identify issues after they have happened.
--> Code Review after deployment
...an auditor is performing a code review to DETECT vulnerabilities; IMO it doesn't matter when or how, if the code is in production, and that is how the question sounds.
After searching more about this, I believe code review after code development or change is preventive because you prevent errors or weak code. However, if you are doing it periodically even if there are no changes, it becomes detective, similar to checking logs and doing security scans.
Secure code reviews basically are a detective control. But be sure that the word "periodic" changes it all. The correct answer is C, Preventive. In any given scenario that says periodic or continuous development, the answer should be C.
Secure code reviews are conducted to proactively identify and mitigate security vulnerabilities in software code before they can be exploited. By systematically reviewing code for potential security flaws and weaknesses, organizations can prevent security breaches and minimize the risk of unauthorized access, data breaches, or other security incidents. Therefore, secure code reviews serve as a preventive measure aimed at reducing the likelihood and impact of security incidents.
As per CISA - Control Objectives: Effectiveness and efficiency of operations:
Detective:
Use controls that detect and report the occurrence of an error, omission or malicious act
1. Secure code reviews
The answer should be B; detective controls are designed to find errors or problems. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.