CompTIA CySA+ (CS0-003) — Question 372

During an internal code review, software called “ACE” was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

Answer options

• A. Look for potential IoCs in the company.
• B. Inform customers of the vulnerability.
• C. Remove the affected vendor resource from the ACE software.
• D. Develop a compensating control until the issue can be fixed permanently.

Correct answer: D

Explanation

The correct answer is D because implementing a compensating control allows the organization to mitigate the risk temporarily while a permanent fix is developed. Informing customers (B) should come after ensuring their safety; removing the vendor resource (C) may not be feasible immediately and could disrupt operations; looking for IoCs (A) is less urgent than addressing the vulnerability directly.