Exam CISSP topic 1 question 92 discussion

Actual exam question from ISC's CISSP
Question #: 92
Topic #: 1

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?

  • A. The software has been signed off for release by the product owner.
  • B. The software had been branded according to corporate standards.
  • C. The software has the correct functionality.
  • D. The software has been code reviewed.
Suggested Answer: D 🗳️

Comments

nuggetbutts
2 weeks, 2 days ago
Selected Answer: C
The answer is C because of the keywords "financial institution" - in the Financial sector, functionality is tied directly to security.
upvoted 1 times
nuggetbutts
2 weeks, 2 days ago
Changing my answer after more research - it is indeed D. While functionality is tied to security, code review is paramount for financial applications due to high-risk security/regulatory/privacy impacts.
upvoted 1 times
...
...
Ramye
5 months ago
Selected Answer: C
Got to think like an adviser without getting into the weeds and providing detailed solutions.
upvoted 2 times
...
Demo25
1 year, 4 months ago
Selected Answer: D
D. The software has been code reviewed. Code review is a process of inspecting code to identify potential security vulnerabilities. It is an important part of the software development lifecycle, and it can help to prevent security breaches. The other options are not as important as code review. The software has been signed off for release by the product owner: This is important, but it does not guarantee that the software is secure. The software has been branded according to corporate standards: This is also important, but it is not as important as security. The software has the correct functionality: This is important, but it is not as important as security.
upvoted 1 times
...
Bach1968
1 year, 4 months ago
Selected Answer: D
Again I forgot to select the answer.
upvoted 1 times
...
Bach1968
1 year, 4 months ago
In assessing the security risk of the minimum viable product (MVP) for a financial organization's new application, the most important activity for the security analyst to assess is option D: The software has been code reviewed. Code review is a crucial security practice that helps identify and address security vulnerabilities and weaknesses in the software's code. By conducting a thorough code review, the security analyst can identify potential security flaws, coding errors, and vulnerabilities that could be exploited by attackers. This allows for the identification and mitigation of security risks before the software is released to customers, helping to ensure a higher level of security in the application.
upvoted 1 times
...
HughJassole
1 year, 5 months ago
C. An MVP is not a finished product, but a test: "An MVP allows you to prove a concept before committing too much time or budget to full-blown product development. Most agree that an MVP is a product with a minimal number of features needed to engage customers and validate a basic concept for further development. Importantly, it’s not final — the idea is that it’s something you augment and refine over time." https://thenewstack.io/building-an-minimum-viable-product-a-founders-guide-to-success/ "Minimum Viable Product is not a finished product or version 1.0. It is the smallest part of the product that clearly demonstrates its main functionality and is available to the public. MVP does not have to work, it can be a prototype of a web application explaining the main idea of a product, for example. MVP’s role is to get feedback from the user and learn what he likes about the product and what the things that he does not need are." https://www.scrumdesk.com/what-is-minimum-viable-product/
upvoted 2 times
...
oudmaster
1 year, 11 months ago
Option D is the only answer that is related to the security analyst duty.
upvoted 2 times
jackdryan
1 year, 6 months ago
D is correct
upvoted 1 times
...
...
Jamati
2 years ago
Selected Answer: D
A minimum viable product (MVP) is a version of a product with just enough features to be usable by early customers who can then provide feedback for future product development and updates / upgrades. The question specially asks about THE SECURITY RISK of the MVP. In other words, we already have an MVP, i.e., correct functionality. What we now want is to evaluate the security around this correctly functioning system, not to evaluate if it functions correctly.
upvoted 4 times
somkiatr
1 year, 11 months ago
Agreed.
upvoted 1 times
...
...
sphenixfire
2 years, 1 month ago
Selected Answer: D
A security analyst in this case is a pentester. It's not the job to check function, branding and especially not this job to accept a sign off of a product owner. So my vote is D.
upvoted 2 times
...
niti
2 years, 1 month ago
Selected Answer: C
Keywords in the question: " works according to agile principles" "minimum viable product" so functionality is the main agenda - Ans is "C"
upvoted 1 times
...
niti
2 years, 1 month ago
Keywords in the question: " works according to agile principles" "minimum viable product" so functionality is the main agenda - Ans is "C"
upvoted 1 times
...
franbarpro
2 years, 1 month ago
Selected Answer: D
As a security analyst - You should only care if the code has been reviewed from security standpoint. All the other stuff...... let them deal with it.
upvoted 3 times
...
Ncoa
2 years, 1 month ago
Selected Answer: C
MVP is being able to demonstrate the functionality of the product to the external customer base to ensure it meets requirements and the appetite to complete development
upvoted 1 times
Ncoa
2 years, 1 month ago
Actually I think D is correct from a security risk perspective. My bad
upvoted 1 times
...
...
wyerock
2 years, 2 months ago
Selected Answer: D
A, B, C do not impact security risk
upvoted 2 times
...
stickerbush1970
2 years, 2 months ago
Selected Answer: A
B, C, and D are covered under A.
upvoted 3 times
Mgz156
2 years, 2 months ago
But as a Security Analyst your first job is to check the code. Answer is D
upvoted 3 times
...
...