Exam CAS-004
Question 63

A security engineer was auditing an organization's current software development practice and discovered that multiple open-source libraries were integrated into the organization's software. The organization currently performs SAST and DAST on the software it develops.

Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?

    Correct Answer: C

    To ensure the security of open-source libraries integrated into an organization's software, the organization needs to know exactly which library versions it ships and to monitor the CVE (Common Vulnerabilities and Exposures) website for vulnerabilities disclosed against those versions. Tracking the versions is the prerequisite: an advisory can only be matched against a dependency whose version is recorded, and a newly published CVE can then be triaged quickly and the affected library updated or patched. SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) are already performed on the software the organization builds, which includes the integrated libraries, so repeating them on the libraries adds little; unit testing checks that the organization's own code behaves as intended and is not designed to find vulnerabilities in third-party components. Version tracking plus CVE monitoring is the proactive control aimed specifically at external components, without duplicating the existing testing. One caveat a practitioner should keep in mind: the CVE list covers only publicly disclosed, catalogued vulnerabilities, so a library with no CVE entry has no known issues in that feed, which is not the same as being free of vulnerabilities.
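The control described above, tracking pinned library versions and correlating them against a vulnerability feed, as an added example that is not part of the exam page or any vendor's tool. The manifest, the package names and the advisory records are constructed for illustration; the advisory IDs are placeholders, not real CVEs. The script also shows the two failure modes worth checking for: an unpinned dependency cannot be assessed at all, and "no match" only means no advisory in this feed, not that the library is safe.

```python
"""Correlate pinned dependency versions with a vulnerability feed.

Added example, not from the exam page. The manifest and the advisory
records below are constructed; the IDs are placeholders, not real CVEs.
In practice the advisory data would come from the CVE/NVD or OSV feeds.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed manifest in requirements.txt style. The unpinned last line is
# deliberate: without a tracked version there is nothing to match against.
MANIFEST = """\
# constructed sample, not a real project
netclient==2.25.1
poolhttp==1.26.4
yamlkit==5.3.1
charguess
"""

# Constructed advisory records with placeholder IDs (not real CVEs).
# 'introduced' is inclusive and 'fixed' is exclusive, the usual way
# affected ranges are published.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "poolhttp",  "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0002", "package": "yamlkit",   "introduced": "0",      "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "netclient", "introduced": "2.26.0", "fixed": "2.27.0"},
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.26.4' into (1, 26, 4). Numeric-only on purpose: real tooling
    should use the ecosystem's own version parser for pre-release suffixes."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> pinned version, or None when the line is unpinned."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9.]+))?$", line)
        if not m:
            raise ValueError(f"unsupported manifest line: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def assess(manifest_text: str, advisories: List[dict]) -> Dict[str, list]:
    """Return which pinned packages match an advisory, which are unpinned
    (cannot be assessed), and which have no advisory in this feed.

    'clean' means no advisory matched here, not that the package is safe."""
    pins = parse_manifest(manifest_text)
    report: Dict[str, list] = {"affected": [], "unpinned": [], "clean": []}
    for name, version in pins.items():
        if version is None:
            report["unpinned"].append(name)
            continue
        hits = [a["id"] for a in advisories
                if a["package"].lower() == name and is_affected(version, a)]
        if hits:
            report["affected"].append((name, version, hits))
        else:
            report["clean"].append(name)
    return report


if __name__ == "__main__":
    result = assess(MANIFEST, ADVISORIES)
    for name, version, ids in result["affected"]:
        print(f"AFFECTED  {name}=={version}: {', '.join(ids)}")
    for name in result["unpinned"]:
        print(f"UNPINNED  {name}: version not tracked, cannot assess")
    for name in result["clean"]:
        print(f"NO MATCH  {name}: no advisory in this feed")
```

Run as a script it reports poolhttp and yamlkit as affected, charguess as unpinned, and netclient as having no match (its pinned 2.25.1 is below the advisory's introduced version). The same loop, fed by the real manifest and a daily pull of the advisory feed, is the "track versions and monitor CVEs" step the question asks for; the unpinned case is why version tracking has to come first.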

Discussion
Mr_BuCk3th34D - Option: C

It is important to keep track of the versions of open-source libraries that are being used, and to monitor the CVE website for any vulnerabilities that have been identified in those libraries. This can help the organization stay aware of potential security issues and take appropriate action to address them. Performing unit testing of the open-source libraries is not necessary, as unit testing is typically focused on testing individual units of code within the software, not on external libraries that are being used.

Andy2345 - Option: A

Have to comment because I feel like the wording is confusing others... The organization currently performs SAST and DAST on the software it develops. Key words being "it develops." The company does not perform SAST and DAST on the open-source libraries as it does not develop these. I am leaning towards A to get the open-source libraries at the same level of testing as the software the company develops is at. Not feeling D as the main objective of unit testing is to isolate written code to test and determine if it works as intended. https://www.techtarget.com/searchsoftwarequality/definition/unit-testing

YOBOYO - Option: B

After rereading multiple times, the question states that the open-source libraries are already integrated into the developed software. In this case they need security guidelines on how to implement the open-source libraries they include in their development. Both SAST and DAST testing are already being done on the developed software that has the open-source libraries already included. I believe B is correct.

RevZig67 - Option: D

Answer B doesn't make any sense. It is asking what to add to the SDLC. You should add the testing of open-source libraries.

cyspec - Option: C

C is included in the last phase of SDLC.

BiteSize - Option: B

Incorporating SSDLC into existing SDLC will include addressing the concerns and actions of C and D. Just because an organization has a SAST/DAST doesn't mean SSDLC is integrated at this point. Making a tracker doesn't mean anyone will care; trackers are always made. The trick is integrating controls into the process so that the organization tracks, tests, and approves library versions before they are allowed. ChatGPT also concurred Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

p1s3c - Option: C

The best approach to ensure the security of the open-source libraries incorporated into the organization's software would be to track the library versions and monitor the CVE website for related vulnerabilities. Therefore, the correct answer is option C. While performing additional SAST/DAST on the open-source libraries or implementing the SDLC security guidelines could help improve the overall security of the software, it may not specifically address the vulnerabilities in the open-source libraries. Performing unit testing of the open-source libraries may also not be the most effective approach to identify security vulnerabilities in the libraries. By tracking the library versions and monitoring the CVE website for related vulnerabilities, the organization can identify and address any known vulnerabilities in the open-source libraries they are using, ensuring that their software remains secure.

angryelvis - Option: C

By tracking the library versions they know when the outside libraries have been updated. I would have thought that this would tell them to perform SAST/DAST again (because of the outside update) but maybe that's an expensive headache and the more practical option is to see if any vulnerabilities (CVEs) have been updated for the (newly updated) open source.

chipfletcher22 - Option: C

Option C. If the company's software is already being tested through static and dynamic testing, then unit testing has already been done. The blind spot is the potential vulnerabilities of the open source packages used. Ignore that they are "Open Source" and consider what options the software company would have if they integrate with ANY other code that they do not own. The only option they would have is to track new vulnerabilities discovered after it has been published (otherwise they have to begin to maintain the open source components themselves).

EZPASS - Option: D

I believe it's D. Not all open-source libraries have CVEs which means developers can’t rely only on CVEs to understand library flaws.

[Removed] - Option: C

Monitoring the library for CVEs and tracking the library version to stay on the most up-to-date release is the way to go.

23169fd - Option: C

Tracking Library Versions: Keeping track of the versions of open-source libraries in use allows the organization to know exactly which versions are part of their software at any given time. Monitoring the CVE Website: The Common Vulnerabilities and Exposures (CVE) website is a well-known database of publicly disclosed information security vulnerabilities. By monitoring this site, the organization can stay informed about any vulnerabilities that are discovered in the open-source libraries they use. This enables the organization to quickly react by updating or patching the affected libraries to mitigate any security risks.

Anarckii - Option: B

Key part of the question is "incorporate into": Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?

Anarckii

Changing my answer to C

FOURDUE - Option: D

My vote is for D. Here is my logic: "Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?" 'Incorporate into' implies testing.

cyspec

The last phase of SDLC involves monitoring CVEs of dependencies.