Exam CISSP topic 1 question 286 discussion

They go out of there way to mention it is a draft contract, that leaves A and C. And I think A is included in C.

Nothing about SLA is indicated in the question.

As this is a contract for software development, the vendor must contractually embed security as part of the design (security capability) and code review comes after as a reactive step to ensure that security has been implemented. Security capabilities could include user authentication mechanisms, data encryption, input validation, and secure communication protocols, while a code review would look for things like improper handling of user input, insecure storage of sensitive data, and missing authorization checks. "code review" is a process of examining the source code to identify potential security vulnerabilities and other issues, essentially acting as a quality check to ensure those security capabilities are implemented correctly

Answer D) Update the service level agreement (SLA) to require the vendor to provide security capabilities. Think about how many damn times the CISSP has mentioned SLA....and two of the answers are almost identical. (C and D) Usually this wants you to chose between them. Now for something a bit more concrete: Page 20 of Official CISSP Study Guide says that a SLR lists the expectations for products from a vendor before an SLA is made.....but those requirements should be incorporated into the SLA before the customer signs the contract.

This approach is the best because it directly addresses the issue of software security not being addressed in the contract. By updating the contract to include a requirement for the vendor to provide security capabilities, the organization can ensure that the software application will be developed with security in mind. This approach is more effective than simply updating the SLA to require auditing or security provisions, as it establishes a clear obligation for the vendor to provide secure software.

C. Update the contract so that the vendor is obligated to provide security capabilities. This approach is the best because it directly addresses the issue of software security not being addressed in the contract. By updating the contract to include a requirement for the vendor to provide security capabilities, the organization can ensure that the software application will be developed with security in mind. This approach is more effective than simply updating the SLA to require auditing or security provisions, as it establishes a clear obligation for the vendor to provide secure software.

There is no contract yet so B and D are not possible. A is dictating just one type of activity so it is limiting the scope. C is correct because it forces the vendor to add a variety of security capabilities until the customer decides it meets their needs.

Why not D? Option C suggests updating the contract to obligate the vendor to provide security capabilities but this is not specific enough and may not provide enough assurance that the security controls implemented will be adequate.

B does not guarantee the security capability implementation but C does. The best answer is C.

software security is not addresses. So I think answer C is the right one. The vendor should be responsible for it. Option A is a security testing (code review) for the software, since security was not addressed from the beginning, then it is not much relevant.

B Asking/obligating vendor to provide anything does NOT guarantee vendors processes/delivery attempt will operate successfully. Vendors processes will need to be Audited if we want to verify this. Right to audit is a specific requirement hence should go in SLA (SLA = specific req’s. Contract = overall legal requirements e.g. termination of terms)… Draft contracts often don’t include a draft SLA but this is NOT guaranteed.

Going for C No SLA for a draft contract Code review shuld be part of security capabilities?

Security is not addressed, let's ask them to provide security capabilities. Going with "C" on this one.

if it is a draft then you do not have SLA to update. The best solution is to update the Contract I believe. SLA applies when you have a real contract, the question intentionally says the draft.