During a routine security review, a software development company discovers that a widely used open-source library in its web application contains a publicly disclosed vulnerability. A vendor patch is expected in three weeks, but the application must remain online to meet customer service-level agreements. The company wants to continue using the library without simply accepting the risk. Which risk treatment strategy best aligns with this goal?
Choosing "Mitigate" means the organization implements temporary compensating controls (such as a web application firewall, stricter input validation, or runtime application self-protection) to lower the likelihood or impact of exploitation of the vulnerable library until it can be patched. "Transfer" moves financial responsibility to another party (for example, via cyber-insurance) but does not directly address the defect. "Accept" conflicts with the scenario requirement because leadership does not want to live with the risk unchanged. "Avoid" would require removing or disabling the library entirely, which would violate the need to keep the application running.