Secure code reviews in a continuous deployment or DevSecOps pipeline are a type of preventive control because they are conducted before the code is deployed to production. Their goal is to identify and fix vulnerabilities early, thus preventing security flaws from being introduced into the live environment.
Why not the others?
A. Detective
Detective controls identify issues after they occur (e.g., logging, monitoring, or alerts). Code reviews are proactive.
B. Corrective
Corrective controls remediate issues after detection, such as applying patches. Code reviews aim to prevent the issue in the first place.
C. Logical
Logical controls relate to access, authentication, and authorization — not code review processes specifically.
Secure code reviews are a preventive control in a continuous deployment program. The primary purpose of a secure code review is to identify and mitigate security flaws before code is deployed to production. By examining the code for vulnerabilities and weaknesses during the development lifecycle, organizations aim to prevent potential security breaches and operational issues.
Continuous deployment is a software development strategy that ensures that code changes to an application are automatically released into the production environment. This automation is accomplished through a series of predefined tests.
Secure code reviews are a measure of detective control. From the CISA Review Manual figure 1.5 under detective controls: "Use controls that detect and report the occurrence of an error, omission or malicious act."
• Hash totals
• Check points in production jobs
• Echo controls in telecommunications
• Error messages over tape labels
• Duplicate checking of calculations
• Periodic performance reporting with variances
• Past-due account reports
• Internal audit functions
• Review of activity logs to detect unauthorized access attempts
• Secure code reviews
• Software quality assurance
The answer is D, because secure code review is a manual or automated process that examines an application's source code. The goal of this examination is to identify any existing security flaws or vulnerabilities. Code review specifically looks for logic errors, examines spec implementation, and checks style guidelines, among other activities.
Secure code reviews as part of a continuous deployment program are a preventive control. Preventive controls are designed to stop security issues from occurring in the first place. By reviewing the code for security vulnerabilities before it is deployed, organizations can identify and fix potential issues, thereby preventing security breaches or other incidents from happening.
upvoted 7 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Commenters: Greens (1 month ago), 1Naa (7 months ago), veli_117 (9 months, 1 week ago), a84n (1 year, 2 months ago), Swallows (1 year, 3 months ago), akosigengen (1 year, 9 months ago), starzuu (2 years ago), 007Georgeo (2 years, 2 months ago), saado9 (2 years, 3 months ago), Peter_CISA (2 years, 3 months ago), SBD600 (2 years, 2 months ago)