Certified Information Systems Auditor (CISA) — Question 321

Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?

Answer options

• A. Black box testing report
• B. Static software composition analysis
• C. Penetration test report
• D. Web application vulnerability report

Correct answer: B

Explanation

The Static software composition analysis report is ideal because it examines the code's components for vulnerabilities and compliance issues, which is crucial for assessing security. In contrast, a Black box testing report focuses on testing without knowledge of the internal workings, a Penetration test report evaluates the system's defenses against attacks rather than the code itself, and a Web application vulnerability report highlights specific security flaws but may not provide a comprehensive overview of the code's security.