The correct answer is using a private repository manager with vulnerability scanning and version control. This approach provides a controlled, secure source for third-party components with validation before use. It enables scanning for known vulnerabilities, enforces version control, ensures availability, and provides an audit trail of what components are being used.
**Downloading libraries directly from vendor repositories to a private developer repository ** creates risk because vendor repositories can be compromised, and there's no validation of the libraries before use.
Copying all required libraries from the vendor repository into the project's source code repository before beginning a new build provides version control, but it bloats the repository size and complicates vulnerability management. It does not explicitly validate the libraries or ensure that the libraries are scanned for vulnerabilities or compromise.
**Allowing developers to manually download and commit libraries to the project **introduces inconsistency and risk. Different developers might use different versions or sources, and there's no systematic validation process for security vulnerabilities.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a private repository manager and how does it work?
Open an interactive chat with Bash
What are the benefits of vulnerability scanning in third-party libraries?
Open an interactive chat with Bash
What does version control mean in the context of software dependencies?
Open an interactive chat with Bash
ISC2 CISSP
Software Development Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access