Official CISSP CBK Guide 4th Edition & practice question strange answer

I have a question regarding a practice exam question from the official CBK book 4th Edition:

Appendix A

14. Security is likely to be most expensive when addressed in which

phase?
A. Design
B. Rapid prototyping
C. Testing
D. Implementation
Answer: D
Security is much less expensive when it is built into the application design versus added
as an afterthought at or after implementation.

I chose C as to me it is more expensive the later in the development life cycle security is addressed. The answer explanation even states that ("at or after implementation").
The only way I can think of it is that testing is seen as part of the implementation phase. Anyway it’s still confusing to me.

Find more posts tagged with

Comments

ddeboer

I don't agree with you. You test before you implement. After implementation you would expect something like evaluation or improvement. D would have been my answer...

Archon

D looks good to me. You don't want to address security during implementation as it would be essentially an after thought rather than planned for in the design phase.

Hansii

OK,I have my roots in software development, where after the implementation phase, there is a testing phase (of course you still do unit tests during implementation phase).

jt2929

Hansii wrote: »

OK,I have my roots in software development, where after the implementation phase, there is a testing phase (of course you still do unit tests during implementation phase).

Forget your roots and answer as (ISC)2 teaches. Experience has helped many pass this exam, but sometimes you have to disregard what you do in your job and give the answer (ISC)2 wants.

cyberguypr

^ that's the key. There are 3 ways to do things: the right way, the wrong way, and the ISC2 way. You need to look at everything through the eyes of ISC2, no matter how you would do it it the real world.

renacido

I personally agree with the isc2 way on this. Security has to be addressed in the requirements phase, design phase, etc. It is much more expensive to address security after the code is released to production than it is to address it from the beginning and build and test to meet security requirements.

Just because a company does things a certain way doesn't mean they are following best practices.

RollTide

I can understand where the op is coming from. In many software development life cycles, Testing is a step after Implementation (apart from unit testing as he said). Having a software background, I would have picked "C" also. However, I agree with the other guys. I think we will have to learn to un-learn these things that we have hammered into our heads, or at least make a conscious note during the exam that we have to approach it with ISC2 glasses on.

Hansii

I totally get the point of the question, the earlier you care about security, the better and cheaper.

Now, I did a full text search on the ebook and found the solution, ISC2's definition of the development phases:

Domain 1

- Security Governance

- Security Roles and Responsibilities

- Budget

"The security officer must work with the application

development managers to ensure that security is considered in the project cost during

each phase of development (analysis, design, development, testing, implementation, and

post-implementation)."

When I say implementation I mean development, but now it's clear to me.

Thanks!

MrAgent

Its definitely D if you go along with any sort of SDLC. If you follow the phases and you add security when in implementation then you have to go back and design, test, review boards etc. It should be added much sooner in the life cycle.

RollTide

Hansii wrote: »

I totally get the point of the question, the earlier you care about security, the better and cheaper.

Now, I did a full text search on the ebook and found the solution, ISC2's definition of the development phases:

Domain 1

- Security Governance

- Security Roles and Responsibilities

- Budget

"The security officer must work with the application

development managers to ensure that security is considered in the project cost during

each phase of development (analysis, design, development, testing, implementation, and

post-implementation)."

When I say implementation I mean development, but now it's clear to me.

Thanks!

Yeah, it totally hangs on that one word, "implementation." I also would consider implementation to be the development time and not actual implementation as in going to PROD.

YouWill787

I just saw this question the other day while doing exams. I answered D, my thought was: Implementation is the final step and security is cheaper when involved from the beginning versus after implementation.

Side note:
A bunch of my questions to answers are messed up in the chapter reviews in my version of this book. Not sure if anyone else has come across that. The first two tests I took I thought I incorrectly answered like 11 out of 15 questions and nearly had a heart attack, turns out question 1 and 2 were completely random and threw off the pairing of the rest of the questions. Just putting that out there.

This is a terrible book. I apologize in advance if anyone is offended, but it's literally terrible.