A security analyst discovers a minor, non-critical vulnerability in a production web application's login form. The development team has already created a patch to fix the issue. According to security best practices, what is the MOST appropriate next step for deploying this patch?
Initiate a new Software Development Lifecycle (SDLC) to manage the patch development and deployment.
Submit the patch for review, testing, and approval through the formal change management process.
Deploy the patch directly to the production server to resolve the vulnerability immediately.
Activate the incident response plan because a security vulnerability was discovered.
The correct procedure is to submit the patch to the organization's formal change management process. This ensures the change is properly documented, tested, approved, and scheduled for deployment in a controlled manner, minimizing the risk of introducing new issues or causing an outage. Deploying directly to production is risky and bypasses critical security checks. While the issue is a vulnerability, initiating a full incident response plan is typically reserved for active breaches or more critical threats, not for the standard deployment of a patch for a minor flaw. Starting a completely new SDLC is unnecessary overhead for a patch, as patching is part of the maintenance phase of the existing lifecycle and is governed by change control.