CompTIA CASP+ (CAS-004) — Question 444

A company has grown rapidly in the past few years and has prioritized building new systems over maintaining and patching legacy systems. Now that company growth has slowed, the company is focusing on patching critical legacy systems. Which of the following best describes what the security team should do to address open vulnerabilities?

Answer options

• A. Ensure the scan results are compliant with ARF.
• B. Ensure the output of the scan results contains the CVSSv3 for each vulnerability.
• C. Ensure IoCs are included in the vulnerability reports for the management team.
• D. Ensure the CVE is listed in the output of the scan.

Correct answer: B

Explanation

The correct answer is B because including the CVSSv3 score provides a standardized way of assessing the severity of each vulnerability, which is essential for prioritization. Options A, C, and D do not specifically address the need for a comprehensive severity assessment, which is critical when dealing with vulnerabilities in legacy systems.