nerdexam
(ISC)2

CISSP · Question #1206

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to ass

The correct answer is B. The software has been code reviewed.. When assessing the security risk of an MVP for a financial application, a security analyst's most critical concern is whether the code has been reviewed for vulnerabilities before exposure to external customers.

Submitted by fatima_kr· Mar 5, 2026Software Development Security

Question

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?

Options

  • AThe software has the correct functionality.
  • BThe software has been code reviewed.
  • CThe software had been branded according to corporate standards,
  • DThe software has been signed off for release by the product owner.

How the community answered

(25 responses)
  • A
    8% (2)
  • B
    44% (11)
  • C
    12% (3)
  • D
    36% (9)

Why each option

When assessing the security risk of an MVP for a financial application, a security analyst's most critical concern is whether the code has been reviewed for vulnerabilities before exposure to external customers.

AThe software has the correct functionality.

Correct functionality is a quality assurance concern, not a security concern, and falls outside the primary scope of a security risk assessment.

BThe software has been code reviewed.Correct

Code review is the most important security activity because it identifies vulnerabilities such as injection flaws, authentication weaknesses, and insecure data handling before the software is released to external users. For a financial application handling credit requests, unreviewed code poses significant risk of data breaches, fraud, and regulatory non-compliance. A security analyst's role is specifically to evaluate security controls, making code review the primary artifact to assess.

CThe software had been branded according to corporate standards,

Branding and corporate standards compliance is a marketing and UX requirement, not a security control, and has no direct bearing on the security risk of the application.

DThe software has been signed off for release by the product owner.

Product owner sign-off is a project management and release governance activity, not a security control, and does not address whether the software is free from security vulnerabilities.

Concept tested: Secure code review in application security assessment

Source: https://owasp.org/www-project-code-review-guide/

Topics

#Agile security#MVP security assessment#Code review#Secure SDLC

Community Discussion

No community discussion yet for this question.

Full CISSP Practice