ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your DevSecOps team's automated security scan detects a high-severity SQL injection flaw in a microservice that is already live. You manually confirm the vulnerability exists. To guarantee it is tracked from discovery through verified fix, what should you do next?
Create an entry in the organization's centralized vulnerability or defect tracking system, include severity and affected components, and assign it to the responsible team.
Notify senior management of the issue and wait for explicit direction before taking any additional action.
Deploy an emergency web application firewall rule to block the suspected attack vector and mark the scan finding as resolved.
Roll back the service to the previous release and omit the discovery from internal documentation to avoid external disclosure.
Once a vulnerability has been validated, the first priority for effective vulnerability management is to create a formal record in the organization's central defect or vulnerability tracking system. Opening a ticket that captures the vulnerability's unique identifier, severity, affected assets, and an assigned owner establishes accountability and provides a single authoritative location for status, metrics, and audit evidence until remediation is completed and verified. Implementing a compensating control such as a web application firewall rule can reduce immediate risk, but it does not replace the need for systematic tracking. Escalating to senior management without recording the issue delays remediation and still leaves the finding undocumented. Rolling back code while suppressing documentation not only impedes root-cause analysis and long-term remediation but also violates governance requirements. Therefore, formally logging and assigning the vulnerability is the essential next step to ensure end-to-end tracking.