Weekly CISSP Practice
Exam Questions
Week 29 - Question 2
Scenario: During a software audit, you find that the development team is using open-source libraries. What is your main security concern?
A. Licensing issues
B. Version control
C. Outdated libraries
D. Code quality
Answer: C
Explanation:
A. Licensing Issues
Licensing is a legal/compliance risk.
- The Risk: Some open-source licenses (such as the GPL) have "copyleft" requirements: if you distribute software that incorporates the library, you may be obligated to release your own source code under the same license.
- The Distinction: While this is a major business risk, the question specifically asks for the security concern. A licensing problem does not directly lead to a data breach or system compromise.
B. Version Control
Version control (e.g., Git) is the practice of tracking and managing changes to source code.
- The Role: It lets teams collaborate and ensures they aren't overwriting each other's work.
- The Distinction: Using open-source libraries doesn't inherently break version control; the libraries themselves are usually pulled in by a package manager (such as npm, NuGet, or Maven) and declared in a manifest or lock file.
C. Outdated Libraries
This is the most critical security threat, and it has its own category on the OWASP Top 10: A06:2021 Vulnerable and Outdated Components.
- Why it's the Answer: Popular open-source projects are constantly being probed by researchers and attackers. When a vulnerability is found, a patch is released and the issue is published, typically with a CVE identifier. If your application still ships an older version of that library, the vulnerability remains "live" in your application, and the public advisory tells attackers exactly what to look for.
- The Supply Chain Angle: Attackers frequently target well-known vulnerabilities in common libraries (as with the Log4j "Log4Shell" vulnerability, CVE-2021-44228) because they know many organizations fail to update their third-party dependencies. Exploiting a known-vulnerable dependency is distinct from a supply chain attack in which the library itself is tampered with, but both are reasons to inventory and track every third-party component you ship.
D. Code Quality
Code quality refers to how "clean," readable, and efficient the code is.
- The Nuance: While poor code quality can lead to security bugs (such as buffer overflows), widely used open-source libraries are often reviewed more heavily than internal proprietary code because they are scrutinized by many contributors (Linus's Law: "Given enough eyeballs, all bugs are shallow"). Code quality alone also tells you nothing about whether the version you ship carries a published, unpatched vulnerability.
How to Mitigate Open-Source Risks
For the CISSP exam, know the tools used to manage this risk:
- Software Composition Analysis (SCA): Specialized tools that scan your project for open-source libraries, identify their exact versions, and cross-reference them against databases of known vulnerabilities (such as the NVD/CVE) so that outdated, vulnerable components are flagged before release.
- Software Bill of Materials (SBOM): A formal, machine-readable inventory of all components and their hierarchical (transitive) dependencies within a software product, commonly expressed in the SPDX or CycloneDX formats. When a new vulnerability such as Log4Shell is announced, the SBOM tells you immediately which products contain the affected component.
- Private Repositories: Storing approved versions of libraries in an internal artifact repository rather than pulling them directly from the public internet during every build, combined with pinning versions (lock files) so that builds are reproducible and upgrades are deliberate.
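To make the SCA and SBOM items above concrete, here is an added example (not code from the original page or from any SCA product) that runs the whole pipeline on a constructed dependency manifest: it builds a CycloneDX-shaped inventory, then checks each component's version against a small advisory list. The manifest, the "acme-utils" package and its EXAMPLE-2024-0001 advisory are fictitious; the log4j-core entry uses the real CVE-2021-44228 identifier but simplifies the affected range to "before 2.15.0". Real tools pull advisories from NVD/CVE or similar feeds and apply ecosystem-aware version rules.

```python
"""Minimal Software Composition Analysis (SCA) pass with an SBOM in between.

Pipeline: dependency manifest -> component inventory (SBOM) -> match each
component's version against an advisory database -> findings.
All data below is constructed for this example.
"""
import json
import re

# Constructed manifest: Maven-style "group:artifact:version" lines and
# pip-style "name==version" lines, the kind of pinned list a lock file holds.
MANIFEST = """
# backend (Maven)
org.apache.logging.log4j:log4j-core:2.14.1
com.fasterxml.jackson.core:jackson-databind:2.13.4
# tooling (pip)
requests==2.31.0
acme-utils==1.4.2
"""

# Constructed advisory feed. A real SCA tool pulls this from NVD/CVE, OSV or a
# vendor feed. Ranges use "introduced" (inclusive) and "fixed" (exclusive).
# The log4j-core entry is simplified to the first Log4Shell fix (2.15.0);
# the acme-utils advisory and package are fictitious.
ADVISORIES = [
    {"id": "CVE-2021-44228", "package": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2024-0001", "package": "acme-utils",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "HIGH"},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) for ordered comparison.

    Simplification: non-numeric suffixes such as '-beta9' are dropped, so
    '2.0-beta9' sorts as 2.0.0. Production tools use ecosystem-aware rules.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_manifest(text):
    """Extract (group, name, version) components from the manifest text."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" in line:                       # pip style
            name, version = line.split("==", 1)
            group = None
        else:                                  # Maven coordinates
            group, name, version = line.split(":")
        components.append({"group": group, "name": name, "version": version})
    return components


def build_sbom(components):
    """Emit a CycloneDX-shaped inventory (a subset of the real schema)."""
    entries = []
    for comp in components:
        entry = {"type": "library", "name": comp["name"], "version": comp["version"]}
        if comp["group"]:
            entry["group"] = comp["group"]
        entries.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": entries}


def is_affected(version, advisory):
    """True when version falls in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(sbom, advisories):
    """Cross-reference every SBOM component against the advisory feed."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "upgrade_to": adv["fixed"],
                })
    return findings


def run():
    """Full pass over the constructed manifest; returns (sbom, findings)."""
    sbom = build_sbom(parse_manifest(MANIFEST))
    return sbom, scan(sbom, ADVISORIES)


if __name__ == "__main__":
    sbom, findings = run()
    print(json.dumps(sbom, indent=2))
    for f in findings:
        print(f'{f["severity"]:8} {f["component"]:24} {f["advisory"]} -> upgrade to {f["upgrade_to"]}')
```

Running it flags log4j-core 2.14.1 and acme-utils 1.4.2 while leaving the other two components alone; bumping acme-utils to 1.5.0 in the manifest clears its finding, which is exactly the "is the version we ship inside the affected range" question an SCA tool answers on every build. The SBOM is produced before the scan so the same inventory can be re-checked later, without rebuilding, when a new advisory appears.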
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.