What are the requirements for code reviews prior to release?

• A. Code changes are reviewed by the originating code author only.
• B. Code reviews are optional for custom code.
• C. Public-facing web applications are exempt from code reviews.
• D. Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices; code-review results are reviewed and approved by management prior to release; applies to all custom code; public-facing apps have additional controls.

Answer: (D)

The main idea here is that code changes must be checked by someone other than the person who wrote them, and this review should be done by people who know how to conduct effective code reviews and how to spot secure coding issues. Requiring independent reviewers helps catch mistakes, logic flaws, and security vulnerabilities that the original author might miss. Having the review results reviewed and approved by management adds governance and accountability before anything goes live. Applying this process to all custom code ensures consistency and doesn’t leave gaps where risky changes could slip through. For public-facing apps, adding extra controls recognizes the higher risk exposure and the need for stricter scrutiny.

This is why the option that emphasizes independent review by knowledgeable reviewers, management approval, comprehensive coverage of all custom code, and additional controls for public-facing apps best fits the standard practice. The other options fail to provide independent verification, label reviews as optional, or imply exemptions for public-facing applications, which would undermine security and governance.