topic Re: Addressing security issues in Exam Preparation

Addressing security issues

Nitesh — Tue, 01 Dec 2020 22:47:41 GMT

Dear Team

What is the BEST approach to addressing security issues in legacy web applications?

A. Debug the security issues
B. Migrate to newer, supported applications where possible
C. Conduct a security assessment
D. Protect the legacy application with a web application firewall

ADDRESSING is the key word here which relates to countermeasure or mitigation.

Option A does not seem to be a fit to address the security issue.

Option B can be a answer but it depends on the cost benefit analysis of the countermeasure.

Option C talks about security assessment which i suppose is important to identify cost benefit analysis of the countermeasure & steps to lower the risk of security issues.

Option D can be a answer but it depends on the cost benefit analysis of the countermeasure.

I would choose Option C as the best answer as security assessment will let the management know on the cost benefit analysis of the countermeasure & steps to lower the risk of security issues.

Any other thoughts please.

Thanks

Nitesh

Re: Addressing security issues

dcontesti — Wed, 02 Dec 2020 08:31:12 GMT

So let me start with "this is a lousy question".

A. Hmm Legacy app and debug - NO

B. Wonderful answer and most likely what you would want to do but it's a legacy app for a reason (it works, there's no money to upgrade/migrate, it cant be migrated, it's a one of a kind.......so many reasons why not)

C. A security assessment is not going to address the issues, it will just re-enforce what the problems are

D. Could be correct but I would need additional information that is not in the question (can the platform support a WAF (performance, etc.)

I am going to say I would probably choose D on this one.

Others?

Re: Addressing security issues

Steve-Wilme — Wed, 02 Dec 2020 13:56:10 GMT

It's not a good question, but 'legacy' is probably a clue. If an application is legacy it's become very difficult to change and probably had dependencies on a series of out of support technologies and complex dependencies. So I'd suggest D is the best answer. You could get to D and mitigate commodity level layer 7 attacks quickly.

Re: Addressing security issues

rslade — Wed, 02 Dec 2020 18:07:42 GMT

> Nitesh (Newcomer II) posted a new topic in Exam Preparation on 12-01-2020 05:47 PM in the (ISC)Â² Community :

> I would
> choose Option C as the best answer as security assessment will let the
> management know on the cost benefit analysis of the countermeasure &Â steps
> to lower the risk of security issues.

You're learning ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Dance like nobody's watching. Love like you've never been hurt.
Develop software like the end user has your home address.
http://twitter.com/#!/RobertFischer/status/69117740622950400
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Addressing security issues

dcontesti — Wed, 02 Dec 2020 22:11:36 GMT

Welcome back Rob,

But I still think C is not correct.

The question:

What is the BEST approach to addressing security issues in legacy web applications?

How does C address the security issues other than telling you what you already most likely know?

Re: Addressing security issues

Beads — Wed, 02 Dec 2020 22:16:53 GMT

Answer C infers doing more than just looking at securing a legacy web application. A security assessment would entail looking at the entire security landscape, quite the increase in scope if done correctly.

Answer D would be a targeted control for a legacy web application, more comparable to a scalpel than the blunt force of a full security assessment. You should do a security assessment at least once a year or when you have a major change in your business or workflow.

- b/eads

Re: Addressing security issues

dcontesti — Wed, 02 Dec 2020 22:21:54 GMT

Thanks, but I am still hung up on the word "addresses"

So if C is the right answer I would get this one wrong, but still think it is a bad question and would hope it would not be on an exam.

Re: Addressing security issues

Beads — Wed, 02 Dec 2020 23:02:19 GMT

Like that has ever stopped us before. Whoever wrote the test question needs to go back give the sentence some sort of ownership. One answer being overly broad in my terms the other being enough to scrape by. Otherwise we'd probably agree as to what the best control would be here.

- b/eads

Re: Addressing security issues

sg2278 — Mon, 15 Feb 2021 01:43:19 GMT

I would answer C because as an IT person our first response is to fix it, but a managers response would be to assess the situation and then make a well informed decision.

Re: Addressing security issues

Beads — Mon, 15 Feb 2021 16:23:31 GMT

Its the scope of the question that limits my interpretation to 'C' not 'D',nothing else. You either fix one specific component or you do a wide survey of all vulnerabilities found and fix them all. The question feel ambiguous as to intent.