C. Vulnerabilities are difficult to detect is the BEST answer because it encompasses all potential risks in the software supply chain, including unsupported libraries, and directly represents the root cause of the most serious security breaches.
A primary concern in software supply chain management is the potential for malicious actors to compromise software at any stage, from development to deployment, introducing vulnerabilities, malware, or other malicious code.
From OSG - When evaluating organizational risk, consider external factors that can affect the organization, especially related to company stability and resource availability. The supply chain can be a threat vector, where materials, software, hardware, or data is being obtained from a supposedly trusted source but the supply chain behind that source could have been compromised and the asset poisoned or modified.
A. Unsupported libraries refer to software libraries or components that are no longer actively maintained or updated by their developers. These libraries may have become outdated or obsolete, making them vulnerable to security vulnerabilities and issues that could be exploited by attackers. Unsupported libraries are a concern in software development and supply chain security because they pose a risk to the security and stability of the applications and systems that depend on them. Organizations should actively monitor and update their software components, including libraries, to mitigate these risks and ensure the security of their software supply chain.
OSG 9th edition. pg 99 , "This could happen if your supplier reuses components (like libraries) developed elsewhere..."
Tough one, but I'm going with...A
The correct answer is A: "Unsupported libraries are often used". The use of unsupported libraries in software development can pose a significant security risk to organizations. Unsupported libraries may have vulnerabilities that are not patched or addressed by the developer, which can be exploited by attackers. Additionally, unsupported libraries may not receive timely updates or support, which can leave them vulnerable to exploits. It is, therefore, essential for organizations to manage their use of libraries carefully and ensure that they are using supported and up-to-date libraries in their software development processes to minimize security risks.
I think Option C is better than option A because software supply chain included a lot of open source software or components and which is difficult to detect vulnerabilities.
option A (Unsupported libraries are often used) can also pose a significant security risk in software supply chain management.
When organizations use unsupported or outdated libraries in their software development process, they may expose themselves to known vulnerabilities that have not been patched or addressed by the library developers. These vulnerabilities can be exploited by attackers to gain unauthorized access, compromise the system, or steal sensitive data. Unsupported libraries may not receive regular security updates, leaving them more susceptible to attacks.
Therefore, option A is indeed a valid consideration and can contribute to the security risks associated with software supply chain management.
A: In software supply chain management, the element that poses the greatest security risk to organizations is often considered to be the third-party components and dependencies used in software development. Third-party components include libraries, frameworks, modules, or plugins that are integrated into an organization's.
A and B both are reasonable risks.
B can cause high risks in many cases.
But A cause high risks in every case - unmaintained/unsupported libraries are a huge problem because often there are impossible to replace and there are no fixes even for known vulnerabilities.
Official Study Guide pg 35 - "Understand supply chain risk management (SCRM) concepts. SCRM is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. SCRM includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements."
Applications with multiple contributors are difficult to evaluate. Software supply chain management refers to the process of controlling the flow of software components and dependencies throughout the software development lifecycle.
This section is not available anymore. Please use the main Exam Page.CISSP Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
c544a39
3 days agoEKP
2 months agoBigITGuy
4 months agodm808
10 months, 1 week agoVasyamba1
10 months, 1 week agoSoleandheel
1 year, 1 month agoshmoeee
1 year, 2 months ago74gjd_37
1 year, 4 months agobenllp_sst
1 year, 6 months agoBach1968
1 year, 6 months agoxxxBadManxxx
1 year, 7 months agonat0220
1 year, 8 months agodmo_d
1 year, 8 months agoThe1BelowAll
1 year, 9 months agojackdryan
1 year, 8 months agoRVoigt
1 year, 11 months agoJohnyDal
1 year, 11 months agotrojix
2 years ago