Certified Information Systems Auditor (CISA) — Question 767

A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

Answer options

• A. Database application monitoring logs
• B. Code review by a third party
• C. Penetration test results
• D. Web application firewall implementation

Correct answer: C

Explanation

Penetration test results provide direct evidence of the application's security posture by simulating real-world attacks to identify vulnerabilities. While a code review by a third party and a web application firewall can enhance security, they do not offer the same level of assurance as penetration testing, which actively seeks to exploit weaknesses. Database application monitoring logs are useful for identifying issues post-deployment but do not serve as proactive evidence of security measures.