
CISA Exam - Question 123


The practice of periodic secure code reviews is which type of control?

Correct Answer: BC

Periodic secure code reviews are considered a detective control. Detective controls are designed to identify and uncover existing issues or problems, rather than preventing them from occurring in the first place. Through periodic code reviews, security flaws and vulnerabilities in the code can be detected and addressed after the code has been written. Therefore, the primary function of these reviews is to detect errors or security issues that may have been introduced during the coding process.

Discussion

17 comments
kclow (Option: C)
Aug 24, 2023

I think the reason for the confusion is the "periodic" term.

Deeplaxmi (Option: B)
Sep 27, 2022

Generally, audits/reviews are detective in nature.

test5y7kq
Dec 20, 2022

Another ambiguous answer choice. CISA CISA-ing.

MAKAYA (Option: B)
Jan 10, 2023

The answer should be B, detective controls are designed to find errors or problems. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.

Peter_CISA (Option: B)
Mar 28, 2023

The correct answer is B; the CISA review book says it.

mibg83 (Option: B)
Jun 6, 2023

Assuming the code is in a production environment, it's B, a detective control ... if it's not and it's still being developed, it should be preventive.

sachhin (Option: B)
Jul 7, 2023

As per 1.3.1 of the CRM, it is a detective control.

Shanzee (Option: B)
Jul 18, 2023

As per CISA - Control Objectives: Effectiveness and efficiency of operations: Detective: Use controls that detect and report the occurrence of an error, omission or malicious act. 1. Secure code reviews.

Julianleehk (Option: B)
Sep 29, 2022

It should be B.

Lilik (Option: B)
Oct 17, 2022

Secure code review is detective according to the CRM. Correct answer is B.

Julianleehk (Option: B)
Nov 26, 2022

Should be B.

007Georgeo (Option: B)
May 3, 2023

The correct answer is B.

i91290 (Option: B)
Jun 27, 2023

Why is C the default answer? Incredible.

Swallows (Option: C)
Apr 7, 2024

The equivalent controls to periodic reviews are preventive controls.

Swallows
Jun 1, 2024

Secure code reviews are conducted to proactively identify and mitigate security vulnerabilities in software code before they can be exploited. By systematically reviewing code for potential security flaws and weaknesses, organizations can prevent security breaches and minimize the risk of unauthorized access, data breaches, or other security incidents. Therefore, secure code reviews serve as a preventive measure aimed at reducing the likelihood and impact of security incidents.

a84n (Option: C)
Apr 25, 2024

Answer: C

shalota2 (Option: C)
Jun 8, 2024

Secure code reviews are basically a detective control. But be sure that the word "periodic" changes it all. The correct answer is C, Preventive. In any given scenario that says periodic or continuous development, the answer should be C.

RS66 (Option: B)
Jun 28, 2024

After searching more about this, I believe code review after code development or a change is preventive because you prevent errors or weak code. However, if you are doing it periodically even when there are no changes, it becomes detective, similar to checking logs and doing security scans.