Which two practices help make the security of an application a more integral part of the software development lifecycle? (Choose two.)
Integrating security into the software development lifecycle can be achieved by incorporating automated security tests within the CI/CD (Continuous Integration/Continuous Delivery) pipeline. Running dynamic code analysis tools (A) helps identify vulnerabilities that manifest during runtime. Running static code analysis tools (B) helps detect possible security flaws in the source code before the application is run. These practices ensure that security issues are identified and addressed early in the development process, making security an integral part of the lifecycle. Using only internally written software modules (C) does not inherently integrate security practices into the lifecycle, updating the release plan (D) doesn’t directly integrate security into the development process, and although drive encryption (E) is important for security, it is not directly related to the software development lifecycle itself.
I'll choose "A & B".
I agree with JM_Lee: A and B are correct. I am certain of B: a static code analysis tool like "bandit" can be used. A is also a good answer, although the study materials don't seem to mention dynamic analysis. C & D are nonsense. E is a valid response, but maybe not as "an integral part of the software development lifecycle".
A. Add a step to the CI/CD pipeline that runs a dynamic code analysis tool during the pipeline execution.
B. Add a step to the CI/CD pipeline that runs a static code analysis tool during the pipeline execution.
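As an added illustration of option B (not part of the original thread), here is a pipeline gate that consumes the JSON report of the bandit static analyser mentioned in the discussion and fails the CI step when findings meet a severity/confidence threshold. The script name `gate.py`, the `bandit -r src -f json -o bandit.json` invocation it assumes ran beforehand, and the sample report are assumptions constructed for the example.

```python
"""CI/CD static-analysis gate (added example, not from the original page).

Assumes the pipeline step runs `bandit -r src -f json -o bandit.json` and
then `python gate.py bandit.json`; a non-zero exit fails the build.
"""
import json
import sys

# Constructed sample in the layout of `bandit -f json` output (not real scan data).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "src/deploy.py", "line_number": 12,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "src/config.py", "line_number": 4,
         "issue_text": "Possible hardcoded password"},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "src/util.py", "line_number": 30,
         "issue_text": "Use of assert detected"},
    ],
})

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def blocking_findings(report_json, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Return findings at or above BOTH thresholds; only these fail the step."""
    results = json.loads(report_json).get("results", [])
    return [
        r for r in results
        if RANK[r["issue_severity"]] >= RANK[min_severity]
        and RANK[r["issue_confidence"]] >= RANK[min_confidence]
    ]


def gate(report_json, **thresholds):
    """Return (exit_code, summary_lines); exit 1 when any finding blocks."""
    blocking = blocking_findings(report_json, **thresholds)
    summary = [f"{r['filename']}:{r['line_number']} {r['test_id']} "
               f"{r['issue_severity']}/{r['issue_confidence']}: {r['issue_text']}"
               for r in blocking]
    return (1 if blocking else 0), summary


if __name__ == "__main__":
    # In the pipeline the report file is passed; without it the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = gate(data)
    print("\n".join(summary) or "no blocking findings")
    sys.exit(code)
```

Lowering `min_severity` to LOW turns the two LOW findings into blockers too, which is how a team tightens the gate as the backlog shrinks.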