Certified Information Security Manager (CISM) — Question 753
An organization recently outsourced the development of a mission-critical business application. Which of the following would be the BEST way to test for the existence of backdoors?
Answer options
- A. Perform security code reviews on the entire application
- B. Scan the entire application using a vulnerability scanning tool
- C. Monitor Internet traffic for sensitive information leakage
- D. Run the application from a high-privileged account on a test system
Correct answer: A
Explanation
Performing security code reviews is the best method to identify backdoors, because it examines the source code itself in detail and can reveal both vulnerabilities and deliberately hidden malicious logic. Scanning the application with a vulnerability tool (option B) looks for known weakness patterns and may miss backdoors hidden in the code. Monitoring Internet traffic (option C) can reveal data leaks but does not directly detect backdoors, and running the application from a high-privileged account (option D) exercises its behaviour rather than its code and is not effective for identifying hidden vulnerabilities.