Certified Information Security Manager (CISM) — Question 1204
A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?
Answer options
- A. Vulnerabilities were caused by insufficient user acceptance testing (UAT).
- B. Exploit code for one of the vulnerabilities is publicly available.
- C. A rules of engagement form was not signed prior to the penetration test.
- D. Vulnerabilities were not found by internal tests.
Correct answer: B
Explanation
The greatest concern is that exploit code for one of the vulnerabilities is publicly available. The application is external (internet-facing), so any attacker can obtain the exploit and use it with little skill or effort; the likelihood of compromise is immediate and the finding should be remediated (or mitigated with a compensating control) first. Insufficient user acceptance testing (UAT) is a process weakness, and UAT is not a security test in any case, so it explains how the vulnerabilities got there rather than raising their risk. An unsigned rules of engagement form is a contractual and legal issue for the test itself; it does not change the organization's exposure. The failure of internal tests to find the vulnerabilities is a genuine gap in the organization's own assurance activities and should be addressed, but it is less immediate than a weakness that attackers can already exploit with published code.