The correct answer is using a software composition analysis tool to identify known vulnerabilities. Software composition analysis tools inventory all third-party components in an application, check them against databases of known vulnerabilities, and alert developers to security issues. This enables informed decision-making about which components to use and when updates are needed.
Implementing a formal vendor security assessment process is a good security practice but may not identify specific vulnerabilities in the components themselves. This approach focuses on the vendor's security practices rather than the actual code being used.
Restricting usage to components from vendors with published security policies provides some assurance but doesn't guarantee that the components themselves are free from vulnerabilities. Published policies don't necessarily translate to secure code.
Conducting manual code reviews of all third-party components is thorough but impractical for most organizations due to resource constraints and the vast amount of code in modern libraries and frameworks. Manual reviews may also miss vulnerabilities that automated tools can more readily identify through comparison with vulnerability databases.
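As an added illustration of the matching step an SCA tool performs (example code written for this explanation, not part of the original page or of any real tool), the Python below inventories pinned components from a constructed requirements-style manifest and checks each one against a constructed advisory list with OSV-style introduced/fixed version ranges. The advisory IDs, package names and ranges are placeholders, not real vulnerability data.

```python
"""Minimal software composition analysis (SCA) matcher (added example)."""
import re

# Constructed manifest of pinned third-party components (not a real project).
MANIFEST = """
requests==2.19.0
urllib3==1.26.18
# build tooling
pyyaml==5.1
"""

# Constructed advisories with half-open affected ranges [introduced, fixed).
# The IDs are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "ADV-PLACEHOLDER-3", "package": "urllib3", "introduced": "1.0", "fixed": "1.26.5"},
]


def parse_version(v):
    """Turn a dotted version into an int tuple so versions order correctly ('1.26.5' -> (1, 26, 5))."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inventory(manifest):
    """Step 1: inventory. Return {name: version} for every pinned 'name==version' line, ignoring comments."""
    comps = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if m:
            comps[m.group(1).lower()] = m.group(2)
    return comps


def is_affected(version, introduced, fixed):
    """Step 2: range check. True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(manifest, advisories):
    """Step 3: alert. Match the inventory against the advisories and return findings sorted by package."""
    comps = inventory(manifest)
    findings = [
        {"package": a["package"], "version": comps[a["package"].lower()], "advisory": a["id"], "fixed": a["fixed"]}
        for a in advisories
        if a["package"].lower() in comps and is_affected(comps[a["package"].lower()], a["introduced"], a["fixed"])
    ]
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed']})")
```

Running it flags `pyyaml==5.1` and `requests==2.19.0` but not `urllib3==1.26.18`, which is already past the constructed fix version; this is the inventory-compare-alert loop the explanation describes, reduced to its essentials.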
ISC2 CISSP
Software Development Security