ISC2 CISSP Practice Question

The correct answer is using a private repository manager with vulnerability scanning and version control. This approach provides a controlled, secure source for third-party components with validation before use. It enables scanning for known vulnerabilities, enforces version control, ensures availability, and provides an audit trail of what components are being used.

**Downloading libraries directly from vendor repositories to a private developer repository ** creates risk because vendor repositories can be compromised, and there's no validation of the libraries before use.

Copying all required libraries from the vendor repository into the project's source code repository before beginning a new build provides version control, but it bloats the repository size and complicates vulnerability management. It does not explicitly validate the libraries or ensure that the libraries are scanned for vulnerabilities or compromise.

**Allowing developers to manually download and commit libraries to the project **introduces inconsistency and risk. Different developers might use different versions or sources, and there's no systematic validation process for security vulnerabilities.