Certified Information Systems Security Professional (CISSP) — Question 157

A Chief Information Security Officer (CISO) is considering various proposals for evaluating security weaknesses and vulnerabilities at the source code level. Which of the following items BEST equips the CISO to make smart decisions for the organization?

Answer options

• A. The Common Weakness Risk Analysis Framework (CWRAF)
• B. The Common Vulnerabilities and Exposures (CVE)
• C. The Common Weakness Enumeration (CWE)
• D. The Open Web Application Security Project (OWASP) Top Ten

Correct answer: A

Explanation

The Common Weakness Risk Analysis Framework (CWRAF) is specifically designed to assess risks associated with common weaknesses, providing a structured approach for making informed decisions. In contrast, CVE lists known vulnerabilities without a risk assessment framework, CWE categorizes weaknesses without focusing on risk analysis, and the OWASP Top Ten highlights common web application security risks but does not offer a comprehensive evaluation framework like CWRAF does.