PrepAway - Latest Free Exam Questions & Answers

For an application security program to be effective within your organization, it is critical to…

For an application security program to be effective within your organization, it is critical to

A.
identify regulatory and compliance requirements.

B.
educate the software development organization on the impact of insecure programming.

C.
develop the security policy that can be enforced.

D.
properly test all the software that is developed by your organization for security vulnerabilities.

Explanation:
C: The underlying foundation of software security controls is the organization's security policy. The security policy reflects the security requirements of the organization. The identification of regulatory and compliance requirements, such as Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS), is essential and must be factored into the security policy. Without a clear understanding of what the security requirements are, as defined in the security policy, educating software development teams may still be inadequate. Testing for security vulnerabilities can provide some degree of software assurance, but with newer kinds of attacks against software being discovered, security testing does not directly indicate the effectiveness of an application security program. Page 165.

One Comment on “For an application security program to be effective within your organization, it is critical to…

  1. joe says:

    The underlying foundation of software security controls is the organization's security policy. The security policy reflects the security requirements of the organization. The



