The correct answer is including security requirements in the acceptance criteria with independent verification. This approach creates clear, measurable security expectations that must be met before acceptance, while the independent verification ensures compliance through objective assessment rather than relying on the contractor's claims. It establishes security as a non-negotiable deliverable alongside functionality.
Mandating specific development frameworks and programming languages may provide some security benefits but doesn't guarantee secure code. Many vulnerabilities result from implementation errors rather than technology choices, and secure code can be written in virtually any language when proper practices are followed.
Requiring security certifications for developers provides some assurance of security awareness but doesn't directly translate to secure code production. Certifications demonstrate knowledge but not necessarily the application of that knowledge in day-to-day development activities.
Establishing financial penalties for vulnerabilities discovered post-delivery is reactive rather than preventive. While it may motivate the contractor to focus on security, it doesn't provide specific guidance on security requirements or methods of verification, and addresses security issues after they've already been introduced into the codebase.
ISC2 CISSP
Software Development Security