Certified Information Systems Security Professional (CISSP) — Question 227
Which of the following BEST describes when an organization should conduct a black box security audit on a new software product?
Answer options
- A. When the organization wishes to check for non-functional compliance
- B. When the organization wants to enumerate known security vulnerabilities across their infrastructure
- C. When the organization is confident the final source code is complete
- D. When the organization has experienced a security incident
Correct answer: C
Explanation
The correct answer is C because a black box security audit is most effective when the software is presumed ready for evaluation, meaning the source code is complete. Options A and B focus on compliance and vulnerability enumeration, which are not the primary reasons for a black box audit. Option D suggests a reactive approach after a security incident, which is not ideal for proactive security evaluations.