CompTIA Security+ (SY0-601) — Question 688
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action?
Answer options
- A. Accept the risk if there is a clear road map for timely decommission.
- B. Deny the risk due to the end-of-life status of the application.
- C. Use containerization to segment the application from other applications to eliminate the risk.
- D. Outsource the application to a third-party developer group.
Correct answer: A
Explanation
The best option is to accept the risk, paired with a clear road map for timely decommission: this acknowledges that customers still use the application and that updating it would be a substantial burden, while tying the acceptance to a defined end date rather than leaving the vulnerabilities open indefinitely. Denying the risk does not address the reality of ongoing use. Containerization segments the application from others and can limit exposure, but it does not eliminate the vulnerabilities in the application itself, so option C overstates what segmentation achieves. Outsourcing moves the maintenance burden to another party without addressing the vulnerabilities in the outdated application.