Your employer has a large team of software developers with constantly changing codebases for dozens of internal applications. As part of change control, every code change goes through an automated vulnerability scanning process that checks for known vulnerabilities in frameworks, programming languages, dependencies and the code itself. Due to business pressure these scans have been largely ignored, and the automated scanning has currently found over a thousand issues. You are tasked with working with the developers and remedying 100% of the issues. What should you do next?
Stop all deployments, code changes and updates until the vulnerabilities are fixed
Organize the vulnerabilities by criticality and begin planning for solutions for the most critical vulnerabilities first
Implement an approval step for all code changes that requires no security issues prior to updates
Identify any false positives to reduce the number of items to remediate
In this scenario the best next step is to organize the vulnerabilities by criticality. Some may be very important and represent significant risk, while others may be false positives or very minor issues. Most scanning solutions make severity information readily available. There is no way to identify false positives without going through each and every finding, and halting all code changes would likely cause major disruption to the business. The logical next step is to begin planning and focus on the worst issues first.