Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?

A security engineer was auditing an organization’s current software development practice and discovered that multiple open-source libraries were Integrated into the organization’s software. The organization currently performs SAST and DAST on the software it develops.

Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?
A . Perform additional SAST/DAST on the open-source libraries.
B . Implement the SDLC security guidelines.
C . Track the library versions and monitor the CVE website for related vulnerabilities.
D . Perform unit testing of the open-source libraries.

View Answer

Answer: C

Explanation:

Reference: https://www.whitesourcesoftware.com/resources/blog/application-security-best-practices/

Tracking the library versions and monitoring the CVE (Common Vulnerabilities and Exposures) website for related vulnerabilities is an activity that the organization should incorporate into the SDLC (software development life cycle) to ensure the security of the open-source libraries integrated into its software. Tracking the library versions can help identify outdated or unsupported libraries that may contain vulnerabilities or bugs. Monitoring the CVE website can help discover publicly known vulnerabilities in the open-source libraries and their severity ratings. Performing additional SAST/DAST (static application security testing/dynamic application security testing) on the open-source libraries may not be feasible or effective for ensuring their security, as SAST/DAST are mainly focused on testing the source code or functionality of the software, not the libraries. Implementing the SDLC security guidelines is a general activity that the organization should follow for developing secure software, but it does not specifically address the security of the open-source libraries. Performing unit testing of the open-source libraries may not be feasible or effective for ensuring their security, as unit testing is mainly focused on testing the individual components or modules of the software, not the libraries.

Verified Reference:

https://www.comptia.org/blog/what-is-cve

https://partners.comptia.org/docs/default-source/resources/casp-content-guide