CDPSE · Question #321
Which of the following should be done FIRST when responding to a mandate to protect a critical application that was developed in-house?
The correct answer is D. Perform a threat assessment.. A threat assessment must come first because it identifies what threats the application faces, what assets are at risk, and what vulnerabilities exist. Without this baseline understanding, any protective measure chosen may be poorly targeted or disproportionate. Security decisions
Question
Which of the following should be done FIRST when responding to a mandate to protect a critical application that was developed in-house?
Options
- AApply dynamic application security testing (DAST).
- BImplement the maximum level of protection.
- CDevelop a proprietary encryption scheme.
- DPerform a threat assessment.
How the community answered
(45 responses)- A4% (2)
- B11% (5)
- C4% (2)
- D80% (36)
Explanation
A threat assessment must come first because it identifies what threats the application faces, what assets are at risk, and what vulnerabilities exist. Without this baseline understanding, any protective measure chosen may be poorly targeted or disproportionate. Security decisions must be risk-informed, not reactive. Applying DAST (A) is a useful testing technique, but testing before knowing what threats exist produces results without strategic context. Implementing maximum protection (B) is inefficient and may introduce unnecessary complexity or cost without addressing the actual threat landscape. Developing a proprietary encryption scheme (C) is strongly discouraged-custom cryptography is almost always weaker than vetted standards and should never be the first or the chosen step.
Topics
Community Discussion
No community discussion yet for this question.