Ann, the software security engineer, works for a major software vendor. Which of the following practices should
be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each
production release?

A.
Product baseline report

B.
Input validation

C.
Patch regression testing

D.
Code review

Explanation:
The problems listed in this question can be caused by problems with the application code. Reviewing the code
will help to prevent the problems.
The purpose of code review is to look at all custom written code for holes that may exist. The review needs also
to examine changes that the code—most likely in the form of a finished application—may make: configuration
files, libraries, and the like. During this examination, look for threats such as opportunities for injection to occur
(SQL, LDAP, code, and so on), cross-site request forgery, and authentication. Code review is often conducted
as a part of gray box testing. Looking at source code can often be one of the easiest ways to find weaknesses
within the application. Simply reading the code is known as manual assessment, whereas using tools to scanthe code is known as automated assessment.