ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a weekly vulnerability review, you discover two critical findings: (1) a CVSS 9.8 remote-code-execution flaw on an internal, segmented code-repository server, and (2) a CVSS 9.8 SQL-injection vulnerability on a public-facing payment API that processes most of the organization's daily revenue. Which remediation decision BEST reflects proper triage based on overall risk and business impact?
Prioritize and patch the payment API immediately because its external exposure and direct revenue impact create the greatest business risk, even though both vulnerabilities share the same critical CVSS score.
Document compensating controls for both findings and formally accept the risk because neither vulnerability has been exploited in production.
Defer remediation of both issues until the next quarterly maintenance window so they can be fixed together with minimal downtime.
Patch the repository server first since its remote-code-execution flaw is inherently more dangerous than SQL injection, and both have equally high CVSS scores.
Effective vulnerability triage must weigh more than CVSS base scores. Although both flaws are rated 9.8, the internal repository server is isolated on an internal network segment, reducing attacker access and immediate business impact. In contrast, the SQL-injection flaw affects an Internet-facing payment API that directly handles revenue transactions. Successful exploitation could lead to customer data theft, service outages, and immediate financial loss, making its overall risk higher despite equal technical severity. Therefore, remediating the payment API first best aligns with risk-based prioritization principles. Prioritizing the repository server solely because it is a remote-code-execution issue, postponing both fixes, or formally accepting the risk without strong justification would not adequately address the organization's highest exposure.