ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your firm is selecting a third-party encryption library. As part of due diligence, you must evaluate each supplier's security track record to reduce risk in the software supply chain. Which of the following pieces of evidence would be the most persuasive demonstration of a mature, trustworthy security track record?
A recent SOC 1 Type II report that attests to the supplier's financial reporting controls.
A glossy vendor brochure asserting that the library uses "military-grade" encryption algorithms.
A public history showing that all reported CVEs for the product have been disclosed and patched within 30 days over the past three years.
An independent penetration-test report from five years ago that found no critical vulnerabilities at that time.
The correct answer is the public history showing that reported CVEs have been disclosed and patched within 30 days over the past three years. A well-documented record of promptly disclosed vulnerabilities that receive CVE identifiers and are fixed within a consistent, short remediation window shows that the supplier both finds security issues and corrects them in a disciplined, transparent way, and a three-year span is long enough for that behaviour to be a track record rather than a one-off. Timely patch release and public disclosure are key indicators of a mature secure development and vulnerability-management process, which is exactly what software supply-chain guidance such as NIST SP 800-218 (the Secure Software Development Framework) and NIST SP 800-161 (Cybersecurity Supply Chain Risk Management) expects an acquirer to assess in its suppliers. The other options are weaker because none of them is ongoing, security-specific evidence: a SOC 1 Type II report attests to controls relevant to financial reporting, not to the security of the product (a SOC 2 report would be the relevant attestation); "military-grade" is a marketing phrase with no defined meaning and is not a substitute for verifiable evidence such as a published algorithm specification or an independent validation of the implementation; and a single penetration test from five years ago says nothing about how the supplier has handled vulnerabilities since. One caveat a practitioner applies in practice: a short or empty CVE history can also mean that nobody has looked, so the persuasive point is the demonstrated disclosure-and-remediation discipline, not the raw number of CVEs.
Secure Software Supply Chain