CompTIA CySA+ (CS0-002) — Question 109
During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:
• The development team used a new software language that was not supported by the security team's automated assessment tools.
• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.
• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.
To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)
Answer options
- A. Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
- B. Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
- C. Contact the human resources department to hire new security team members who are already familiar with the new language
- D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
- E. Instruct only the development team to document the remediation steps for this vulnerability
- F. Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider
Correct answer: A, B
Explanation
Options A and B are the best choices because they address the root causes in the findings: the security team could not evaluate the new language manually, and its automated tools could not scan it. Training the security assessment team (A) restores their ability to review code in the new language and verify that secure-coding practices were followed, while adding language support to the automated assessment tool (B) allows such vulnerabilities to be found early and consistently during testing. The remaining options either do not fix those capability gaps (hiring, documenting, or isolating the system does not improve detection of the vulnerability) or introduce additional risk without solving the underlying problem (outsourcing shifts the work but not the organization's exposure).