Which of the following recommendations is BEST for the CISO to put forward to the product manager?

Company XYZ has had repeated vulnerability exploits of a critical nature released to the
company’s flagship product. The product is used by a number of large customers. At the Chief
Information Security Officer’s (CISO’s) request, the product manager now has to budget for a team
of security consultants to introduce major product security improvements.
Here is a list of improvements in order of priority:

1. A noticeable improvement in security posture immediately.
2. Fundamental changes to resolve systemic issues as an ongoing process.
3. Improvements should be strategic as opposed to tactical.
4. Customer impact should be minimized.

Which of the following recommendations is BEST for the CISO to put forward to the product
manager?

A.
Patch the known issues and provide the patch to customers. Make a company announcement
to customers on the main website to reduce the perceived exposure of the application to alleviate
customer concerns. Engage penetration testers and code reviewers to perform an in-depth review
of the product. Based on the findings, address the defects and re-test the findings to ensure that
any defects have been resolved.

B.
Patch the known issues and provide the patch to customers. Engage penetration testers and
code reviewers to perform an in-depth review of the product. Based on the findings, address the
defects and re-test the findings to ensure that the defects have been resolved. Introduce periodic
code review and penetration testing of the product in question and consider including all relevant
future projects going forward.

C.
Patch the known issues and provide the patch to customers. Implement an SSDLC / SDL
overlay on top of the SDLC. Train architects, designers, developers, testers and operators on
security importance and ensure that security-relevant activities are performed within each of the
SDLC phases. Use the product as the primary focal point to close out issues and consider using
the SSDLC / SDL overlay for all relevant future projects.

D.
Stop active support of the product. Bring forward end-of-life dates for the product so that it can
be decommissioned. Start a new project to develop a replacement product and ensure that an
SSDLC / SDL overlay on top of the SDLC is formed. Train BAs, architects, designers, developers,
testers and operators on security importance and ensure that security-relevant activities are
performed within each of the SDLC phases.
