Who should review custom code changes prior to release to production to identify potential vulnerabilities?

Practice question for the PCI DSS exam.

Multiple Choice

Who should review custom code changes prior to release to production to identify potential vulnerabilities?

Explanation:
Independent verification by someone other than the person who wrote the code is essential. A reviewer who is not the author but has knowledge of secure coding practices can spot vulnerabilities the author might miss, such as injection risks, improper input validation, insecure error handling, or risky configuration details. This separate review acts as a security check within the development lifecycle, ensuring that changes are examined for potential weaknesses before they reach production. It also aligns with established security standards that emphasize peer and security-focused reviews. Relying on the author alone or skipping formal review leaves gaps where security flaws can slip in, while a reviewer without secure coding expertise wouldn’t provide the necessary depth of security assessment.