CISSP PRACTICE QUESTIONS – 20210516

Effective CISSP Questions

Your company is developing a web site for E-Commerce. As an architect, you have just finished the architectural design. Which of the following best supports the identification of security issues? (Wentz QOTD)
A. Penetration testing
B. Vulnerability scanning
C. Common Weakness Enumeration (CWE)
D. Common Vulnerabilities and Exposures (CVE)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Common Weakness Enumeration (CWE).

Software Development Life Cycle (SDLC) - Design

Design is the “process of defining the system elements, interfaces, and other characteristics of a system of interest in accordance with the requirements and architecture.” (ISO 15288) Architectural design is the first design activity, followed by detailed design. A design proposes a solution to the requirements elicited and collected in the analysis phase. When the design is completed, threat modeling is conducted to identify design flaws.

A design may specify a solution at the level of technologies rather than products; for example, a design may specify an RDBMS rather than MS-SQL or MySQL. CWE-89 (SQL injection) applies to every RDBMS that supports the SQL language, while CVE-2021-1636 (Elevation of Privilege Vulnerability) applies to Microsoft SQL Server only.
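As an added illustration (not from the original post) of why CWE-89 is a technology-level weakness that a design can rule out regardless of the RDBMS product, here is a constructed Python/sqlite3 example showing the weak string-building pattern beside the parameterized form; the table, rows and inputs are made up for the demonstration:

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_weak(conn, name):
    # CWE-89: user input is concatenated into the SQL text, so the engine
    # cannot tell the intended literal apart from injected SQL syntax.
    # This pattern is weak on any SQL database, not just one vendor's.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form the design should mandate: the query shape is fixed and
    # the input travels as a bound parameter, which reaches the engine as
    # data only. Every RDBMS driver offers an equivalent placeholder syntax.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Compare both forms on a constructed input that carries SQL syntax.
    conn = make_db()
    tampered = "nobody' OR '1'='1"
    return {
        "weak": find_user_weak(conn, tampered),   # returns every row
        "safe": find_user_safe(conn, tampered),   # returns no rows
        "legit": find_user_safe(conn, "alice"),   # normal lookup still works
    }
```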

Vulnerability scanning and penetration testing are typically conducted against a system in the test or production environment. The design phase produces a design as the solution, which has not been developed yet. As a result, vulnerability scanning and penetration testing won’t be conducted in the design phase.

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company is developing an e-commerce website. As the architect, you have just completed the architectural design. Which of the following best helps you identify security issues? (Wentz QOTD)
A. Penetration testing
B. Vulnerability scanning
C. Common Weakness Enumeration (CWE)
D. Common Vulnerabilities and Exposures (CVE)
