Exam CISSP
Question 92

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?

Correct Answer: D

The most important activity a security analyst should assess when evaluating the security risk of a minimum viable product (MVP) is to ensure that the software has been code reviewed. Code review is essential as it involves scrutinizing the code for potential security vulnerabilities, ensuring robust security measures are in place prior to the product’s release. This is crucial to identify and mitigate security risks effectively, thereby protecting the external customer base from possible security breaches.

Discussion
Jamati (Option: D)

A minimum viable product (MVP) is a version of a product with just enough features to be usable by early customers who can then provide feedback for future product development and updates / upgrades. The question specifically asks about THE SECURITY RISK of the MVP. In other words, we already have an MVP, i.e., correct functionality. What we now want is to evaluate the security around this correctly functioning system, not to evaluate if it functions correctly.

somkiatr

Agreed.

franbarpro (Option: D)

As a security analyst, you should only care if the code has been reviewed from a security standpoint. All the other stuff... let them deal with it.

stickerbush1970 (Option: A)

B, C, and D are covered under A.

Mgz156

But as a Security Analyst, your first job is to check the code. Answer is D.

oudmaster (Option: D)

Option D is the only answer that is related to the security analyst duty.

jackdryan

D is correct

sphenixfire (Option: D)

A security analyst in this case is a pentester. It's not the job to check function, branding, and especially not this job to accept a sign-off of a product owner. So my vote is D.

wyerock (Option: D)

A, B, C do not impact security risk

Ramye (Option: C)

Got to think like an adviser without getting into the weeds and providing detailed solutions.

Demo25 (Option: D)

D. The software has been code reviewed. Code review is a process of inspecting code to identify potential security vulnerabilities. It is an important part of the software development lifecycle, and it can help to prevent security breaches. The other options are not as important as code review. The software has been signed off for release by the product owner: This is important, but it does not guarantee that the software is secure. The software has been branded according to corporate standards: This is also important, but it is not as important as security. The software has the correct functionality: This is important, but it is not as important as security.

Bach1968 (Option: D)

Again I forgot to select the answer.

Bach1968 (Option: D)

In assessing the security risk of the minimum viable product (MVP) for a financial organization's new application, the most important activity for the security analyst to assess is option D: The software has been code reviewed. Code review is a crucial security practice that helps identify and address security vulnerabilities and weaknesses in the software's code. By conducting a thorough code review, the security analyst can identify potential security flaws, coding errors, and vulnerabilities that could be exploited by attackers. This allows for the identification and mitigation of security risks before the software is released to customers, helping to ensure a higher level of security in the application.

HughJassole (Option: C)

C. An MVP is not a finished product, but a test: "An MVP allows you to prove a concept before committing too much time or budget to full-blown product development. Most agree that an MVP is a product with a minimal number of features needed to engage customers and validate a basic concept for further development. Importantly, it’s not final — the idea is that it’s something you augment and refine over time." https://thenewstack.io/building-an-minimum-viable-product-a-founders-guide-to-success/ "Minimum Viable Product is not a finished product or version 1.0. It is the smallest part of the product that clearly demonstrates its main functionality and is available to the public. MVP does not have to work, it can be a prototype of a web application explaining the main idea of a product, for example. MVP’s role is to get feedback from the user and learn what he likes about the product and what the things that he does not need are." https://www.scrumdesk.com/what-is-minimum-viable-product/

niti (Option: C)

Keywords in the question: "works according to agile principles" and "minimum viable product", so functionality is the main agenda. Ans is "C".

Ncoa (Option: C)

MVP is being able to demonstrate the functionality of the product to the external customer base to ensure it meets requirements and the appetite to complete development

Ncoa

Actually I think D is correct from a security risk perspective. My bad