nerdexam
(ISC)2

CISSP · Question #958

In order to meet the project delivery deadline, a web application developer used readily available software components. Which is the BEST method for reducing the risk associated with this practice?

The correct answer is B. Obtain components from official sources over secured link.. To reduce risk when using readily available software components for a web application, the best method is to ensure these components are acquired from official, trusted sources via a secured link.

Submitted by akirajp· Mar 5, 2026Software Development Security

Question

In order to meet the project delivery deadline, a web application developer used readily available software components. Which is the BEST method for reducing the risk associated with this practice?

Options

  • AEnsure developers are using approved software development frameworks.
  • BObtain components from official sources over secured link.
  • CEnsure encryption of all sensitive data in a manner that protects and defends against threats.
  • DImplement a process to verify the effectiveness of the software components and settings.

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    71% (17)
  • C
    17% (4)
  • D
    8% (2)

Why each option

To reduce risk when using readily available software components for a web application, the best method is to ensure these components are acquired from official, trusted sources via a secured link.

AEnsure developers are using approved software development frameworks.

Using approved software development frameworks is a general good practice but does not directly address the supply chain risk associated with the provenance of readily available components themselves.

BObtain components from official sources over secured link.Correct

Obtaining software components from official sources over a secured link directly mitigates the risk of introducing malicious code, backdoors, or unpatched vulnerabilities from unofficial or tampered sources. This practice ensures the integrity and authenticity of third-party components by verifying their origin and protecting them during transit.

CEnsure encryption of all sensitive data in a manner that protects and defends against threats.

Encrypting sensitive data protects the data at rest and in transit but does not reduce the inherent risks of vulnerabilities or malicious code within the software components processing that data.

DImplement a process to verify the effectiveness of the software components and settings.

Implementing a process to verify effectiveness is a good post-acquisition step, but it is less proactive than preventing compromised components from entering the supply chain in the first place.

Concept tested: Software supply chain security; third-party component integrity

Source: https://owasp.org/www-project-top-10/2021/A06_2021-Vulnerable_and_Outdated_Components

Topics

#Supply chain security#Software components#Secure development#Risk mitigation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice