A.
Official Study Guide, page 26
Threat modeling is the security process where potential threats are identified, categorized,
and analyzed. Threat modeling can be performed as a proactive measure during design and
development or as a reactive measure once a product has been deployed. In either case, the
process identifies the potential harm, the probability of occurrence, the priority of concern,
and the means to eradicate or reduce the threat.
When software is acquired (e.g., third-party, COTS, or SaaS), you typically don't have full access to the code or architecture. Therefore:
- You can't effectively threat model the software in the same depth as in-house code.
- You rely on the vendor's security practices, making a vendor risk assessment essential.
This includes reviewing:
- Security certifications (e.g., ISO 27001, SOC 2)
- Secure SDLC practices
- Vulnerability disclosure processes
- Patch/update mechanisms
- Compliance with regulations (e.g., GDPR, HIPAA)
This approach aligns with CISSP Domain 7: Security Operations and Domain 1: Security and Risk Management.
When acquiring software, especially third-party or commercial software, a vendor assessment evaluates the security posture, practices, and risks associated with the software provider. This helps determine if the software meets security requirements and if the vendor follows secure development and maintenance practices.
Vendor assessment typically includes reviewing the vendor’s security controls, compliance certifications, patch management processes, and vulnerability handling, which directly impacts the security risk of the acquired software.
While threat modeling (A) is useful for identifying potential threats during software design or development, it is less applicable for assessing already acquired software from external vendors.
While threat modeling is undoubtedly valuable, vendor assessment aligns more closely with the question's focus on acquired software:
Vendor assessment evaluates the entire security lifecycle of the software, not just static or identified threats. It includes considerations like:
- Patch management.
- Secure software development practices.
- Ongoing support and vulnerability disclosure mechanisms.
The question's emphasis on "security impact" implies a need for broader risk management, which vendor assessments address by evaluating the vendor's ability to mitigate risks holistically, not just identifying specific threats.
Both Threat modeling & Vendor assessment are important, but for assessing the security impact of acquired software, vendor assessment provides a broader evaluation of the vendor's security practices, which is crucial for ensuring the software's overall security.
Threat modeling is not the most applicable to the question, which is specific to "acquired software". The only options are C and D, and D encompasses C, making D the broader "management level" answer. Third-party vendor assessments are used to validate security and can be distributed to potential customers as proof of their security compliance.
Answer is C!
Elimination Rule:
- A: Threat modeling is a process, not a method to use for assessing security impact.
- B: Known vulnerabilities are part of the threat model and security assessment.
So it is either C or D.
The best will be C, as:
Ensure that the acquired software complies with relevant security standards and regulations. This may include industry-specific standards or frameworks, as well as general data protection regulations.
The BEST method to use for assessing the security impact of acquired software is:
A. Threat modeling.
Threat modeling is a proactive approach to identify potential security threats and vulnerabilities in software systems. It involves analyzing the software's architecture, components, and interactions to determine possible attack vectors and prioritize security controls accordingly. By conducting a threat modeling exercise for acquired software, organizations can gain insights into potential security risks and make informed decisions on implementing appropriate security measures. It helps in understanding the software's security posture and guides the development of effective mitigation strategies.
Answer is A.
Once you've acquired the software you can implement a threat model such as STRIDE. However before purchasing the system you have to ensure it has been subjected to formal evaluation processes in advance and has received some kind of security rating. Often trusted third parties are used to perform security evaluations; one such example being the Common Criteria.
CISSP official Study Guide Volume 9 page 337
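The STRIDE pass mentioned in the comment above, worked through in code. This is an added example and not from the original page or any study guide: the ticketing product, its trust zones and the controls the vendor documents are all constructed, and the applicability table follows the usual STRIDE-per-element convention (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D). It shows what a threat model of acquired software can still produce without source access: a list of residual threats per component, with flows that cross a trust boundary ranked first.

```python
"""STRIDE-per-element pass over a data-flow diagram of an acquired product.

Added example, not from the original page. The product, its components,
trust zones and the controls listed for each are constructed for
illustration; the per-element applicability table follows the usual
STRIDE-per-element convention.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# The security property that, if provided, counters each threat category.
PROPERTY = {
    "S": "authentication", "T": "integrity", "R": "non-repudiation",
    "I": "confidentiality", "D": "availability", "E": "authorization",
}
# Which STRIDE categories apply to each kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                                        # one of the APPLICABLE keys
    controls: Set[str] = field(default_factory=set)  # properties the vendor documents
    zones: Tuple[str, str] = ("", "")                # (src, dst) trust zone; same twice for nodes

    def crosses_boundary(self) -> bool:
        return self.zones[0] != self.zones[1]


def enumerate_threats(elements: List[Element]) -> List[Dict]:
    """Apply STRIDE-per-element and mark each threat mitigated or residual."""
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        for letter in APPLICABLE[e.kind]:
            prop = PROPERTY[letter]
            threats.append({
                "element": e.name,
                "category": STRIDE[letter],
                "needs": prop,
                "mitigated": prop in e.controls,
                "crosses_boundary": e.crosses_boundary(),
            })
    return threats


def residual_threats(elements: List[Element]) -> List[Dict]:
    """Unmitigated threats, boundary-crossing flows first (highest priority)."""
    open_threats = [t for t in enumerate_threats(elements) if not t["mitigated"]]
    return sorted(open_threats, key=lambda t: (not t["crosses_boundary"], t["element"]))


def sample_product() -> List[Element]:
    """Constructed DFD for a hypothetical acquired SaaS ticketing application."""
    return [
        Element("Browser user", "external_entity", zones=("internet", "internet")),
        Element("Web app", "process", {"authentication", "authorization", "availability"},
                zones=("vendor_dmz", "vendor_dmz")),
        Element("Ticket DB", "data_store", {"confidentiality"},
                zones=("vendor_internal", "vendor_internal")),
        Element("user -> web app (HTTPS)", "data_flow", {"confidentiality", "integrity"},
                zones=("internet", "vendor_dmz")),
        Element("web app -> DB (plain SQL)", "data_flow", set(),
                zones=("vendor_dmz", "vendor_internal")),
    ]


if __name__ == "__main__":
    for t in residual_threats(sample_product()):
        flag = "BOUNDARY" if t["crosses_boundary"] else "        "
        print(f"{flag} {t['element']:<28} {t['category']:<24} needs {t['needs']}")
```

Each residual row is a question to put to the vendor (for the unprotected app-to-database flow: is it encrypted, is the DB user least-privileged, is query activity logged?), which is how the threat model and the vendor assessment feed each other in practice.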
I'm going with B. Vulnerability assessment should give a vulnerability score, which could give you a vulnerability impact assessment score and impact severity. I think you would have to know what the vulnerability is before you can assess the true threat. You cannot have a threat without a vulnerability.
A seems right to me, as we have to include more than a vulnerability score to understand the security impact of software/applications. For example, PASTA, a threat modeling method, has seven stages. One of the stages covers vulnerability and weakness analysis. So option A includes B.
Community vote distribution: A (35%), C (25%), B (20%), other.
Firedragon (Highly Voted, 2 years, 8 months ago)
jackdryan (2 years, 2 months ago)
Privacy2024 (Most Recent, 3 weeks, 4 days ago)
joshua08 (1 month ago)
RRabbit_111 (8 months ago)
KennethLZK (8 months, 1 week ago)
nuggetbutts (8 months, 3 weeks ago)
maawar83 (1 year, 7 months ago)
Bach1968 (2 years ago)
Jamati (2 years, 8 months ago)
Mgz156 (2 years, 10 months ago)
krassko (2 years, 10 months ago)
ItsBananass (2 years, 10 months ago)
dev46 (2 years, 10 months ago)