Which of the following BEST describes why software assurance is critical in helping prevent an increase in business and mission risk for an organization?
A. Request for proposals (RFP) avoid purchasing software that does not meet business needs.
B. Contracting processes eliminate liability for security vulnerabilities for the purchaser.
C. Decommissioning of old software reduces long-term costs related to technical debt.
D. Software that does not perform as intended may be exploitable which makes it vulnerable to attack.
D. This is for software being developed
"The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle."
https://csrc.nist.gov/glossary/term/software_assurance
The correct answer is D. Software that does not perform as intended may be exploitable which makes it vulnerable to attack.
Explanation:
Software assurance is the practice of ensuring that software is designed, developed, and maintained to be secure, reliable, and free from vulnerabilities. It is critical in helping prevent an increase in business and mission risk for an organization because software that does not perform as intended can introduce vulnerabilities that may be exploited by attackers. When vulnerabilities are exploited, it can lead to security breaches, data loss, or disruptions to business operations, resulting in increased risks for the organization.
Incorrect answers:
A. Request for proposals (RFP) avoid purchasing software that does not meet business needs: While RFPs can help organizations select software that meets their requirements, the focus of RFPs is typically on functional requirements rather than security assurance.
Software assurance is critical in helping prevent an increase in business and mission risk for an organization because it helps ensure that the software used by the organization is free of vulnerabilities that could be exploited by attackers. When software is not properly tested and secured, it may contain security vulnerabilities that can be exploited by attackers to gain unauthorized access to the organization's systems and data, or to disrupt or degrade the organization's operations. By implementing software assurance practices, organizations can help ensure that the software they use is free of known vulnerabilities and is less likely to be exploited by attackers, reducing the risk of business and mission impact due to a security incident.
Software that does not perform as intended may be exploitable which makes it vulnerable to attack.
This might not necessarily be true. If software does not work as intended, it does not mean it is vulnerable to exploit. The issue could be just that the software does not perform its purpose well (low functional quality).
Which of the following BEST describes why software assurance is critical? I don't think RFP will BEST describe this. I agree with "D"
A request for proposal (RFP) is a document that an organization, often a government agency or large enterprise, posts to elicit a response -- a formal bid -- from potential vendors for a desired IT solution. The RFP specifies what the customer is looking for and describes each evaluation criterion on which a vendor's proposal will be assessed.
https://www.techtarget.com/searchitchannel/definition/request-for-proposal