Exam CISSP topic 1 question 25 discussion

A is the only one that VALIDATES the coding TECHNIQUE. C would validate how effective the technique is, but even a sophisticated automated scanner won't validate the technique you use to write your code. Having worked with several in the industry, I can tell you that most of what they do is point you back to "funny looking" things for team validation.

A wins over C because CISSP prioritizes validating adherence to secure coding practices through collaborative, repeatable processes, not just automated detection of vulnerabilities. Furthermore, the question specifically calls out "validate secure coding techniques", automated scanning doesn't validate coding techniques. To me personally, the only correct answer here is A. I agree automated scanning would be more efficient and cost effective, but this question doesn't care about that -- it wants the BEST method, and A is just that.

Automated tools might not detect the latest vulnerabilities .. so Option A is the right answer. think like a CEO

Automated code review

The key is to validate secure coding techniques.

Code reviews are good practice but may miss subtle injection and overflow flaws without tool assistance.

A and C are both correct, but what is the BEST option? I believe it would be C.

Answer is A. conduct a team review to discus about patterns for code review. in CISSP you think like a manager not like and analyst

We are asking to validate coding techniques, not to scan our code for vulnerabilities.

C. Using automated programs to test for the latest known vulnerability patterns.....security testing tools like dynamic and static analysis are automated and can help detect injection attacks and buffer overflow attacks among others.

C is correct. It's the BEST option because it's automated. I'm thinking of something like a SonarQube scan which provides code hotspots to be reviewed. I would say it's NOT option A because code can get longggg and really complex. Having a team of people review coding styles and techniques against injection and overflow attacks would take a long time. If anything, the team could get together and review the results from the automated program (making option C necessary FIRST, for option A to be more beneficial).

I thought we would have to think like a manager. Wouldn't it be "Scheduled team review of coding style and techniques for vulnerability patterns." Since scheduling would be the indicator for manager resposibilities.

Why it is not Option C, "Using automated programs to test for the latest known vulnerability patterns," is a useful method for identifying potential security vulnerabilities in code, but it is not the best method for validating secure coding techniques against injection and overflow attacks. Automated programs can only detect known vulnerabilities, and may not be able to identify new or unknown injection or overflow attacks. A combination of automated testing and human review, such as in option A, is often considered the best method for identifying and mitigating these types of attacks.

Agree with C.

C is correct answer. Application pentest.

Agree with "C" I thought A first... but application pentesting can get expensive fast and human makes mistakes.