CISSP · Question #1206
A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to ass
The correct answer is B. The software has been code reviewed.. When assessing the security risk of an MVP for a financial application, a security analyst's most critical concern is whether the code has been reviewed for vulnerabilities before exposure to external customers.
Question
Options
- AThe software has the correct functionality.
- BThe software has been code reviewed.
- CThe software had been branded according to corporate standards,
- DThe software has been signed off for release by the product owner.
How the community answered
(25 responses)- A8% (2)
- B44% (11)
- C12% (3)
- D36% (9)
Why each option
When assessing the security risk of an MVP for a financial application, a security analyst's most critical concern is whether the code has been reviewed for vulnerabilities before exposure to external customers.
Correct functionality is a quality assurance concern, not a security concern, and falls outside the primary scope of a security risk assessment.
Code review is the most important security activity because it identifies vulnerabilities such as injection flaws, authentication weaknesses, and insecure data handling before the software is released to external users. For a financial application handling credit requests, unreviewed code poses significant risk of data breaches, fraud, and regulatory non-compliance. A security analyst's role is specifically to evaluate security controls, making code review the primary artifact to assess.
Branding and corporate standards compliance is a marketing and UX requirement, not a security control, and has no direct bearing on the security risk of the application.
Product owner sign-off is a project management and release governance activity, not a security control, and does not address whether the software is free from security vulnerabilities.
Concept tested: Secure code review in application security assessment
Source: https://owasp.org/www-project-code-review-guide/
Topics
Community Discussion
No community discussion yet for this question.