ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
While conducting threat modeling for a new e-commerce platform, you learn the developers plan to integrate an open-source payment-tokenization library downloaded directly from a public Git repository. Which risk inherited from a third-party supplier should you flag as the MOST relevant security threat?
Its MIT license might require the company to include attribution text in product documentation.
The library may already contain vulnerabilities or malicious code introduced upstream, enabling attackers to compromise payment data or inject backdoors.
Adding the library could increase the application's download size, slowing page loads for mobile users.
Ongoing maintenance of the library could cease, forcing the development team to rewrite payment functionality in the future.
Because the team is obtaining code that is created and maintained outside the organization, the primary security concern is that the library could already contain exploitable vulnerabilities or intentionally malicious code, or that an attacker could tamper with the library's update channel. Such weaknesses would let an adversary compromise the application and expose sensitive payment data. Lack of future support is a maintainability problem, not an immediate security threat. License obligations are a legal/compliance issue rather than a security flaw. Larger bundle size affects performance and user experience but does not directly threaten confidentiality, integrity, or availability. Therefore, the threat of vulnerable or malicious third-party code is the most significant security risk to capture in the model.
Secure Software Architecture and Design