Exam CISSP topic 1 question 25 discussion

Answer is A. conduct a team review to discus about patterns for code review. in CISSP you think like a manager not like and analyst

We are asking to validate coding techniques, not to scan our code for vulnerabilities.

C. Using automated programs to test for the latest known vulnerability patterns.....security testing tools like dynamic and static analysis are automated and can help detect injection attacks and buffer overflow attacks among others.

C is correct. It's the BEST option because it's automated. I'm thinking of something like a SonarQube scan which provides code hotspots to be reviewed. I would say it's NOT option A because code can get longggg and really complex. Having a team of people review coding styles and techniques against injection and overflow attacks would take a long time. If anything, the team could get together and review the results from the automated program (making option C necessary FIRST, for option A to be more beneficial).

I thought we would have to think like a manager. Wouldn't it be "Scheduled team review of coding style and techniques for vulnerability patterns." Since scheduling would be the indicator for manager resposibilities.

Why it is not Option C, "Using automated programs to test for the latest known vulnerability patterns," is a useful method for identifying potential security vulnerabilities in code, but it is not the best method for validating secure coding techniques against injection and overflow attacks. Automated programs can only detect known vulnerabilities, and may not be able to identify new or unknown injection or overflow attacks. A combination of automated testing and human review, such as in option A, is often considered the best method for identifying and mitigating these types of attacks.

Agree with C.

C is correct answer. Application pentest.

Agree with "C" I thought A first... but application pentesting can get expensive fast and human makes mistakes.