CompTIA PenTest+ (PT0-001) — Question 36

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

Answer options

• A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
• B. Connect to the SQL server using this information and change the password to one or two non-critical accounts to demonstrate a proof--of-concept to management.
• C. Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.
• D. Request that management create an RFP to begin a formal engagement with a professional penetration testing company.

Correct answer: A

Explanation

The correct answer is A because documenting the findings in a comprehensive manner ensures that management understands the severity of the issue, along with recommendations for remediation. Option B is inappropriate as it risks further security issues, while C does not adequately inform management of the overall importance of the finding. Option D, although relevant, delays the immediate communication needed regarding the discovered vulnerability.