ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

While comparing two third-party XML parsing libraries for a payment-processing application, you want to select the option with the most reliable maintenance and support model to minimize security debt. Which characteristic is the strongest indicator that a supplier has a mature process for delivering timely security patches?

Distribution of the library under a widely adopted open-source license such as Apache 2.0.
A written SLA obligating the vendor to deliver security fixes within defined timelines and to maintain a published patch release schedule.
Comprehensive and well-structured API documentation available on the supplier's website.
An active community forum that allows users to share work-arounds and configuration tips.

Report Issue

Answer Description

A documented service-level agreement (SLA) that commits the supplier to release security fixes within a specific, short time window-and publishes a regular patch schedule-demonstrates a mature, measurable patch-management process. Active community forums, detailed API documentation, or the presence of a popular open-source license are all positive, but none of them directly guarantee that security vulnerabilities will be corrected quickly or that the supplier is contractually bound to do so. Only the explicit, time-bound SLA provides verifiable assurance that the organization's risk from future defects will be promptly mitigated.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.