Which is the BEST technique to detect vulnerable third-party dependencies?
A CISSP practice question covering Domain 8: Software Development Security. Try answering before reading the explanation below.
Why "Software Composition Analysis (SCA)" is the right answer
SCA tools (Dependabot, Snyk, OWASP Dependency-Check) inventory dependencies and flag known CVEs. DAST tests runtime behavior of the app. Manual review can't keep up with hundreds of transitive dependencies.