ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A software security engineer is assessing an open-source JSON library for a healthcare application. Scanning identifies a critical deserialization CVE with publicly available exploits, but a patched release is already available. The library is actively maintained and distributed under the permissive JSON License. Which risk treatment is MOST appropriate before approving the component?
Avoid the risk entirely by rewriting the JSON parsing functionality in-house and eliminating the dependency.
Transfer the risk by requiring the cloud hosting provider to monitor and patch the library on your behalf.
Accept the risk because the vulnerability is documented and the library's license is permissive.
Mitigate the risk by upgrading to the patched version and verifying the vulnerability is resolved before deployment.
Because exploit code exists for a critical vulnerability, leaving the issue unaddressed is unacceptable. A patched release is already provided and the project is well maintained, so the most effective response is to mitigate the risk: upgrade to the fixed version and verify the vulnerability is resolved. Accepting the risk would expose sensitive healthcare data, transferring the risk to a hosting provider would not remove the library's vulnerability, and rewriting the functionality would be costly and unnecessary when a secure, supported patch is available.
Secure Software Supply Chain