Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects?
Which of the following should customers who are involved with UI developer agreements be concerned with when considering the use of these products on highly sensitive projects?
Customers involved with UI developer agreements should be particularly concerned with outsourced code development when considering the use of these products on highly sensitive projects. Outsourcing code development can introduce a variety of risks, including weak or insecure coding practices, lack of control over the development process, and potential for intellectual property theft. These risks can be especially critical in highly sensitive projects. Therefore, robust security measures and strict oversight are essential when dealing with third-party developers.
Does anyone proofread these questions for grammar or legibility? I feel like I am drunk reading this question.
I totally feel you mate, I am a non-English speaker, I think CompTIA meant below, Which one of the 4 multiple choices, should customers (who are involved with UI developer agreements) be concerned with when considering the use of these products (I don't know, what products they are talking about??) on highly sensitive projects? God knows, what CompTIA is thinking, while writing this question.
D- I would think outsourcing code would be the biggest security concern. This is another weird comptia question
UI developer agreements most likely mean that the UI development is outsourced to a third party hence there is a need for a contract/agreement. When third party is performing code development, organisation/company should be aware of the following: • Accessing the code base – Internal access over a VPN – Cloud-based access • Verify security to other systems – The development systems should be isolated • Test the code security – Check for backdoors – Validate data protection and encryption Taken from profmesser
https://owasp.org/www-community/OWASP_Secure_Software_Contract_Annex 4. SECURITY REQUIREMENT AREAS The following topic areas must be considered during the risk understanding and requirements definition activities. This effort should produce a set of specific, tailored, and testable requirements Both Developer and Client should be involved in this process and must agree on the final set of requirements. ... (i) Secure Configuration : The requirements shall specify that the default values for all security relevant configuration options shall be secure. For audit purposes, the software should be able to produce an easily readable report showing all the security relevant configuration details.
That's interesting - a couple of other dump sites choose A for the answer too.
Outsource code development
UI developer agreements....folks, agreements have nothing to do with weak configurations. They are most likely concerned about undocumented backdoors due to code outsourcing. D
For a UI? Maybe for backend work, but weak configurations are warned about all the time with any web development work. Directory traversal to config files with everything from database logins to api keys are one. Setting permissions on directories, and much much more. It's an extremely common attack vector (looking for the config files). As a dev for 25 years, I can attest to this, still lingering, problem - especially with UI people.
Customers who are involved with UI developer agreements should be particularly concerned with **Outsourced Code Development** when considering the use of these products on highly sensitive projects. Outsourced code development can introduce a variety of risks, especially when dealing with sensitive projects. These risks include, but are not limited to, the potential for weak or insecure coding practices, lack of control over the development process, and potential for intellectual property theft. Therefore, it's crucial to have robust security measures and strict oversight in place when outsourcing code development. So, the correct answer is D. Outsourced Code Development.
For UI, we're really talking about javascript, right? The code is right there for anyone to see. If the client side is configured wrong (or holds db logins, api keys, or poor directory permissions, etc), this most common attack vector is easily exploited.
I have to go with A. The reason is the question already states the customer is outsourcing the code development, so naturally it is a concern. Taking it a step further, what would the customer be concerned with using a 3rd party.
Unsecure user accounts (namely, test accounts) would be a greater concern than config issues, in my opinion. i realize in the CompTIA stuff, real life experience actually hurts you more - best to look at dumps and memorize poor answers. :)
Those accounts would be for back end stuff, not UI (javascript, HTML, CSS etc).
Customers are more likely to be concerned about outsourcing than weak configuration. In fact most times they cannot tell the difference in configuration! Control is still within the developer's hands but with outsourcing, the risk compounds!
But it's for UI (web client side) and all the code is in javascript (these days), so they can't really hide much, however, in client side work, config files are often exploited as well as weak directory permissions (configs). It's the most common attack vector for websites, followed by XSS, CSRF, and SQLi
I would assume that the customer outsourced the code development because they thought the external party would be doing a great job in code development; this negates the issue of weak configurations. The question would be how to ensure that they have the necessary NDA in place to ensure the secrecy of the codes due to the sensitive nature of the project. My choice is D.
The reason I lean towards Weak configurations is this: While Outsourced code development involves bringing in external individuals or firms to handle software development, it doesn't automatically equate to vulnerabilities. However, Weak configurations pose a direct risk, potentially leading to vulnerabilities within the system. So (A), Weak configurations would be my biggest concern.
While outsourced code development is indeed a concern for customers involved in UI developer agreements, it's not directly related to the use of the products on highly sensitive projects. The concern with outsourced code development generally revolves around issues like code quality, reliability, and adherence to specifications. However, for highly sensitive projects, ensuring the security of user accounts is paramount, as any compromise in user account security could lead to unauthorized access to sensitive data or resources. Therefore, unsecure user accounts (option C) would typically be the primary concern in such scenarios.
Originally, I figured D: outsourced code development, however, there's no indication that the UI developer would outsource their work. Weak configurations make a lot of sense with regards to storing api keys and connection strings, etc in a config file in a public facing UI (mobile apps or websites). From my experience, this is pretty common (even worse, I've seen javascript files with API keys out for the taking!).
Insecure user accounts represent a direct vulnerability where unauthorized users could gain access to the system or sensitive information through compromised accounts. This is often a more immediate and direct threat compared to weak configurations, which might leave the system vulnerable to exploitation but may not necessarily result in unauthorized access without other vulnerabilities being exploited. Therefore, addressing insecure user accounts should generally take precedence as it involves directly securing access points to the system. Once user accounts are secured, attention can be turned to addressing weak configurations to further enhance the overall security posture of the system.
The main concern is, obviously, the outsourced development code.
From GPT: Outsourced code development: This is a major concern because third-party developers may not follow the same secure coding practices as internal teams, and they may not be subject to the same security controls and oversight. Additionally, third-party developers often have access to the code they're working on, which could potentially lead to the exposure of sensitive information if not properly managed
D. Outsourced code development