Periodic secure code reviews are conducted to identify security flaws or vulnerabilities in source code before the software is deployed or put into production. This proactive approach helps ensure that insecure code does not make it into the final application, thereby preventing potential security issues.
Therefore, this type of control is classified as a preventive control, because it aims to avoid incidents before they occur.
Why not the others?
A. Compensating
➤ A control that serves as a substitute for a missing primary control. Secure code reviews are not substitutes; they are standard practice.
B. Detective
➤ Detective controls identify issues after they have occurred, such as logs or alerts. Code reviews are performed before deployment.
D. Corrective
➤ Corrective controls are used after an incident to fix the problem. Secure code reviews aim to prevent issues in the first place.
These reviews help uncover issues that could lead to security breaches or functional failures, enabling the organization to address them before deployment. While secure coding practices (e.g., training and guidelines) are preventive, the act of reviewing code is detective because it identifies problems after the fact.
The practice of periodic secure code reviews is a preventive control.
Detective vs. Preventive Controls
Preventive Controls: Focus on avoiding security incidents by stopping vulnerabilities from being introduced (e.g., secure code reviews, access controls, and input validation).
Detective Controls: Focus on identifying security incidents or vulnerabilities after they occur (e.g., intrusion detection systems, audit logs, and monitoring).
Preventive controls: These controls are designed to stop vulnerabilities from occurring in the first place. They are proactive measures that aim to prevent threats and errors before they happen. --> Secure Coding Guidelines / QC before implementation
Detective controls: These controls are designed to detect vulnerabilities or threats that have already occurred. They are reactive measures that identify issues after they have happened. --> Code Review after deployment
...an auditor is performing a code review to DETECT vulnerabilities; IMO it doesn't matter when and how, if the code is in production, and that is how the question sounds.
After searching more about this, I believe code review after code development or a change is preventive, because you prevent errors or weak code. However, if you are doing it periodically even if there are no changes, it becomes detective, similar to checking logs and doing security scans.
Secure code reviews are basically a detective control. But be sure that the word "periodic" changes it all. The correct answer is C, Preventive. In any given scenario that says periodic or continuous development, the answer should be C.
Secure code reviews are conducted to proactively identify and mitigate security vulnerabilities in software code before they can be exploited. By systematically reviewing code for potential security flaws and weaknesses, organizations can prevent security breaches and minimize the risk of unauthorized access, data breaches, or other security incidents. Therefore, secure code reviews serve as a preventive measure aimed at reducing the likelihood and impact of security incidents.
As per CISA - Control Objectives: Effectiveness and efficiency of operations:
Detective:
Use controls that detect and report the occurrence of an error, omission or malicious act
1. secure code reviews
The answer should be B, detective controls are designed to find errors or problems. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.