Certified in Risk and Information Systems Control (CRISC) — Question 1176
Static code analysis has been consistently finding a significant number of critical security issues throughout an organization's internally developed applications. The risk practitioner’s BEST recommendation would be to:
Answer options
- A. provide training on secure programming practices.
- B. conduct penetration tests before code implementation.
- C. outsource software development.
- D. conduct security design reviews.
Correct answer: A
Explanation
The correct answer is A. Static analysis is repeatedly surfacing critical issues across many internally developed applications, which points to a root cause in how the code is being written; training developers in secure programming practices addresses that cause so the defects are not introduced in the first place. Option B, penetration testing, exercises code that has already been written (it cannot meaningfully be performed before the code exists) and finds symptoms rather than preventing them. Option D, security design reviews, targets architectural and design flaws early in the lifecycle, whereas the findings here are coding-level defects; the review is valuable but does not address the root cause. Option C, outsourcing software development, does not guarantee more secure code and introduces new third-party risk.