To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?
A problem common to all Agile development approaches is what to do about tests that take longer than a development cycle. For example, fuzz testing critical pieces of code takes longer than an average Agile sprint. SAST scans of large bodies of code often take an order of magnitude longer than the build process. DevOps is no different—with CI and CD, code may be delivered to users within hours of its creation, and it may not be possible to perform complete static analysis or dynamic code scanning. To address this issue, DevOps teams run multiple security tests in parallel to avoid delays. They break down large applications into services to speed up scans as well.
Validation against known critical issues is handled by unit tests for quick spot checks, with failures kicking code back to the development team. Code scanners are typically run in parallel with unit or other functional tests. CCAK P# 356
Option A could be the answer, as per CCAK (page 353). Teams support out-of-band testing (parallel).
upvoted 3 times
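The pipeline shape the comment above describes (a fast unit-test gate that fails the build and returns code to the developer, code scanners running in parallel with it, scans split per service, and sprint-length fuzzing moved out of band) written out as a GitHub Actions workflow. This is an added example, not code from CCAK or from the post; the `make test`, `make sast` and `make fuzz` targets, the service directory names and the timeouts are hypothetical placeholders.

```yaml
# Added example (hypothetical repo): security testing in a CI/CD pipeline where
# delivery happens within hours, so long-running tests must not sit on the
# critical path.
name: security-gates

on:
  push:
    branches: [main]
  schedule:
    - cron: "0 2 * * *"   # nightly run for jobs that exceed the delivery time budget

jobs:
  unit-tests:
    # Fast gate: unit tests acting as spot checks against known critical issues
    # (e.g. regression tests for previously fixed injection bugs). A failure
    # fails the workflow and the change goes back to the development team.
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - run: make test          # hypothetical target

  sast:
    # Runs in parallel with unit-tests (no `needs:`), and as one job per
    # service so each scan covers a small body of code rather than the whole
    # application.
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        service: [auth, billing, api-gateway]   # hypothetical service directories
    steps:
      - uses: actions/checkout@v4
      - run: make sast SERVICE=${{ matrix.service }}   # hypothetical target

  deploy:
    # Delivery waits only on the fast gate and the per-service scans. The fuzz
    # job below is deliberately not listed in `needs`, so it never blocks
    # delivery.
    needs: [unit-tests, sast]
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - run: echo "deploy to staging (placeholder)"

  fuzz:
    # Out of band: runs only on the nightly schedule with a multi-hour budget.
    # Findings are reviewed and fed back to the team rather than gating a build.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    timeout-minutes: 360
    steps:
      - uses: actions/checkout@v4
      - run: make fuzz          # hypothetical target
```

For an auditor, the evidence of this validation pattern is visible in the workflow itself: the `needs:` list on `deploy` shows which checks gate delivery, the absence of `fuzz` from that list shows which tests are out of band, the per-service `matrix` shows how large code sets are broken up, and the `timeout-minutes` values show the time budget each check is held to.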
Community vote distribution: A (35%), C (25%), B (20%), other.