CompTIA Cloud+ (CV0-004) — Question 11

A cross-site request forgery vulnerability exploited a web application that was hosted in a public IaaS network. A security engineer determined that deploying a WAF in blocking mode at a CDN would prevent the application from being exploited again. However, a week after implementing the WAF, the application was exploited again. Which of the following should the security engineer do to make the WAF control effective?

Answer options

• A. Configure the DDoS protection on the CDN.
• B. Install endpoint protection software on the VMs.
• C. Add an ACL to the VM subnet.
• D. Deploy an IDS on the IaaS network.

Correct answer: C

Explanation

Implementing an ACL for the VM subnet is the correct approach because it can restrict traffic to only legitimate requests, enhancing the security provided by the WAF. The other options, while beneficial for overall security, do not directly address the specific vulnerability that allowed the application to be exploited again.