ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a sprint review for a new payment-processing feature, a developer proposes copying a cryptographic helper class from a popular public blog to save time. The security lead pushes back and asks the team to incorporate the organization's internally maintained crypto library instead. From a secure software reuse perspective, which reason best supports the lead's position?
The vetted library is already under the organization's secure development and maintenance processes, reducing the risk of hidden vulnerabilities or outdated algorithms.
Including the existing library will shrink the final executable by eliminating redundant instructions, improving performance.
Code posted on public forums has usually been peer-reviewed by many developers, so its security is implicitly higher.
Copying code from a public blog could increase licensing fees if the snippet is later patented.
Reusing code can speed delivery, but security depends on how well that code is vetted and maintained. An internal library that is already approved by the organization has undergone security review, is subject to regular patch management, and is monitored for vulnerabilities. Simply copying code found on the Internet bypasses these controls, making it more likely that undocumented flaws, backdoors, or outdated algorithms will be introduced and remain unpatched. While concerns such as licensing costs or performance may be relevant, they are secondary to ensuring that reused code is trustworthy and can be centrally updated when issues are discovered. Therefore, relying on the vetted internal library is the most secure choice.
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Implementation