ISC2 CISSP Practice Question

The correct answer is conducting a software composition analysis and vulnerability scan. This approach provides objective, verifiable information about the components' security by identifying known vulnerabilities in the specific versions being used. It gives organizations direct visibility into security issues rather than relying solely on vendor claims or documentation.

Requesting the vendor's security certification documentation is useful but insufficient on its own. Certifications may be outdated, have limited scope, or not address specific vulnerabilities in the components you're using.

Reviewing the vendor's claims about security features during contract negotiation may discourage overstatement of security capabilities. However, it does not evaluate or compensate for vulnerabilities in their products.

Using only open-source components with public code repositories has some advantages for transparency but doesn't guarantee security. Open-source software can still contain vulnerabilities, and not all proprietary software is inherently less secure than open-source alternatives. The key is proper evaluation regardless of the source.