
Exam CISSP topic 1 question 89 discussion

Actual exam question from ISC's CISSP
Question #: 89
Topic #: 1

What is the BEST method to use for assessing the security impact of acquired software?

  • A. Threat modeling
  • B. Common vulnerability review
  • C. Software security compliance validation
  • D. Vendor assessment
Suggested Answer: A

Comments

Firedragon
Highly Voted 2 years, 5 months ago
Selected Answer: A
A. Official study guide, page 26: Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
upvoted 9 times
jackdryan
1 year, 11 months ago
A is correct
upvoted 1 times
RRabbit_111
Most Recent 4 months, 3 weeks ago
Selected Answer: D
While threat modeling is undoubtedly valuable, vendor assessment aligns more closely with the question's focus on acquired software: vendor assessment evaluates the entire security lifecycle of the software, not just static or identified threats. It includes considerations like:
  • Patch management.
  • Secure software development practices.
  • Ongoing support and vulnerability disclosure mechanisms.
The question's emphasis on "security impact" implies a need for broader risk management, which vendor assessments address by evaluating the vendor's ability to mitigate risks holistically, not just identifying specific threats.
upvoted 1 times
KennethLZK
4 months, 4 weeks ago
Selected Answer: D
Both Threat modeling & Vendor assessment are important, but for assessing the security impact of acquired software, vendor assessment provides a broader evaluation of the vendor's security practices, which is crucial for ensuring the software's overall security.
upvoted 1 times
nuggetbutts
5 months, 2 weeks ago
Selected Answer: D
Threat modeling is not the most applicable to the question, which is specific to "acquired software". The only options are C and D, and D encompasses C, making D the broader "management level" answer. Third-party vendor assessments are used to validate security and can be distributed to potential customers as proof of their security compliance.
upvoted 1 times
maawar83
1 year, 3 months ago
Answer is C! Elimination rule:
  • A: Threat modeling is a process, not a method to use for assessing security impact.
  • B: Known vulnerabilities are part of the threat model and security assessment, so it is either C or D.
The best will be C, as it ensures that the acquired software complies with relevant security standards and regulations. This may include industry-specific standards or frameworks, as well as general data protection regulations.
upvoted 3 times
Bach1968
1 year, 9 months ago
Selected Answer: A
The BEST method to use for assessing the security impact of acquired software is: A. Threat modeling. Threat modeling is a proactive approach to identify potential security threats and vulnerabilities in software systems. It involves analyzing the software's architecture, components, and interactions to determine possible attack vectors and prioritize security controls accordingly. By conducting a threat modeling exercise for acquired software, organizations can gain insights into potential security risks and make informed decisions on implementing appropriate security measures. It helps in understanding the software's security posture and guides the development of effective mitigation strategies.
upvoted 1 times
Jamati
2 years, 5 months ago
Selected Answer: A
Answer is A. Once you've acquired the software you can implement a threat model such as STRIDE. However, before purchasing the system you have to ensure it has been subjected to formal evaluation processes in advance and has received some kind of security rating. Often trusted third parties are used to perform security evaluations, one such example being the Common Criteria. CISSP Official Study Guide, 9th edition, page 337.
upvoted 2 times
Mgz156
2 years, 7 months ago
Selected Answer: A
Answer is A. Security impact of software after being "acquired". Threat modelling is right.
upvoted 3 times
krassko
2 years, 7 months ago
Selected Answer: A
B is included in A.
upvoted 3 times
ItsBananass
2 years, 7 months ago
I'm going with B. A vulnerability assessment should give a vulnerability score, which could give you a vulnerability impact assessment score and impact severity. I think you would have to know what the vulnerability is before you can assess the true threat. You cannot have a threat without a vulnerability.
upvoted 2 times
dev46
2 years, 7 months ago
A seems right to me, as we have to include more than a vulnerability score to understand the security impact of software/applications. For example, PASTA, a threat modeling method, has 7 stages. One of the stages includes vulnerability and weakness analysis. So, option A includes B.
upvoted 4 times
Community vote distribution:
  • A (35%)
  • C (25%)
  • B (20%)
  • Other