Exam CISSP topic 1 question 195 discussion

Actual exam question from ISC's CISSP
Question #: 195
Topic #: 1

An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?

  • A. Perform incremental assessments.
  • B. Engage a third-party auditing firm.
  • C. Review security architecture.
  • D. Conduct penetration testing.
Suggested Answer: A

Comments

DJOEK
Highly Voted 1 year, 10 months ago
Selected Answer: A
Option A allows the organization to review and assess the security of the system as it is being developed, rather than waiting until the system is fully developed. This can help identify and address any security vulnerabilities or weaknesses early on in the development process. Option B, engaging a third-party auditing firm, can also be a useful technique in certain situations, but it is not necessarily the best option in all cases, especially if the organization is already performing its own security review as part of system development. Option C, reviewing security architecture, is a high-level activity that should be done before system development begins, rather than during the development process. Option D, conducting penetration testing, is a useful technique for evaluating the security of a fully developed system, but it is not necessarily the best option for reviewing security during system development.
upvoted 16 times
jackdryan
1 year, 6 months ago
A is correct
upvoted 2 times
...
...
[Removed]
Most Recent 3 months, 2 weeks ago
Selected Answer: A
B and D are for the end of development. C is in the design phase. So option A is right.
upvoted 1 times
...
homeysl
8 months, 1 week ago
Selected Answer: C
Going with C on this one
upvoted 1 times
...
gjimenezf
10 months, 1 week ago
Selected Answer: C
Review of the security design for the application is the best way
upvoted 1 times
...
Soleandheel
11 months, 2 weeks ago
C. Review security architecture. This involves examining the security measures and protocols in place to ensure that they align with the real requirements and evaluate whether policies and procedures match these requirements.
upvoted 1 times
...
CoolCat22
11 months, 4 weeks ago
Selected Answer: C
C. Review security architecture. Reviewing security architecture is considered the BEST technique when implementing security reviews as part of system development. This involves assessing the design and implementation of security controls within the system to ensure they align with best practices and meet security requirements. A thorough security architecture review helps identify potential vulnerabilities, weaknesses, or design flaws early in the development process, enabling their mitigation before the system is deployed.
upvoted 1 times
...
74gjd_37
1 year, 2 months ago
Selected Answer: C
Reviewing security architecture should not be a one-time event. It should be an ongoing process throughout the development process to ensure that any changes made to the system do not introduce new vulnerabilities or weaknesses. Moreover, as part of an Agile methodology such as DevOps or SecDevOps, designing and incorporating security into software development is always checked during each iteration by performing code reviews or testing which includes securing code pipeline and version control strategies. By keeping this approach, anyone can identify design flaws at appropriate stages of SDLC which would save business time and cost much more efficiently.
upvoted 1 times
...
Demo25
1 year, 2 months ago
Selected Answer: C
The best technique for an organization implementing security review as part of system development is to review the security architecture. This involves assessing the overall design and structure of the system to ensure that security measures and principles are integrated from the ground up. Reviewing security architecture is a proactive approach that helps identify vulnerabilities and weaknesses early in the development process, making it an essential step in building a secure system. While the other options (performing incremental assessments, engaging a third-party auditing firm, and conducting penetration testing) can be valuable components of a security review, they are typically performed in conjunction with, or after, a thorough security architecture review.
upvoted 1 times
...
NJALPHA
1 year, 7 months ago
Answer A. Incremental Assessments allow an organization to only assess what’s needed without performing a full assessment. This means the company can focus only on the things that concern them, such as new equipment, new policies, or simply reevaluating the countermeasures that were found to be deficient during the previous full assessment to ensure that the previous problems have been fixed or even new questions that did not exist in the previous assessment. This allows for a targeted reassessment to be completed quickly, without wasting time on things that are unlikely to change, like security policies. Validation Assessments allow site managers to perform an initial self-assessment before a third party or your own internal team arrives to conduct a full assessment.
upvoted 2 times
...
JohnyDal
1 year, 9 months ago
Selected Answer: B
Auditing by an unbiased 3rd party provides the best option.
upvoted 2 times
...
Rollingalx
1 year, 9 months ago
I vote for C. Key word here is development, during development process. So while all of the options listed can be valuable techniques for security review, reviewing the security architecture is the most important step to follow. This will ensure that the system is designed with security in mind and that any potential vulnerabilities are identified and addressed before the system is deployed. Incremental assessments, engaging a third-party auditing firm, and conducting penetration testing can all be useful in identifying and mitigating vulnerabilities in an already-deployed system, but they should not be the primary focus during the development process.
upvoted 2 times
...
Darealis
1 year, 10 months ago
Selected Answer: C
C. Review security architecture. While all of the options listed can be valuable techniques for security review, reviewing the security architecture is the most important step to follow. This will ensure that the system is designed with security in mind and that any potential vulnerabilities are identified and addressed before the system is deployed. Incremental assessments, engaging a third-party auditing firm, and conducting penetration testing can all be useful in identifying and mitigating vulnerabilities in an already-deployed system, but they should not be the primary focus during the development process.
upvoted 2 times
...
oudmaster
1 year, 10 months ago
Selected Answer: B
I vote for B.
upvoted 2 times
...
meelaan
1 year, 10 months ago
Selected Answer: B
Option B looks good
upvoted 1 times
...
oudmaster
1 year, 11 months ago
What about option B?
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other