Nitesh
Newcomer II

Addressing security issues

Dear Team

 

What is the BEST approach to addressing security issues in legacy web applications?

  • A. Debug the security issues
  • B. Migrate to newer, supported applications where possible
  • C. Conduct a security assessment
  • D. Protect the legacy application with a web application firewall

ADDRESSING is the key word here which relates to countermeasure or mitigation.

 

Option A does not seem to be a fit to address the security issue.

Option B can be an answer, but it depends on the cost-benefit analysis of the countermeasure.

Option C talks about a security assessment, which I suppose is important to identify the cost-benefit analysis of the countermeasure and the steps to lower the risk of security issues.

Option D can be an answer, but it depends on the cost-benefit analysis of the countermeasure.

 

I would choose Option C as the best answer, as a security assessment will let management know about the cost-benefit analysis of the countermeasure and the steps to lower the risk of security issues.

 

Any other thoughts please.

 

Thanks

Nitesh

 

9 Replies
dcontesti
Community Champion

So let me start with "this is a lousy question".

 

A.  Hmm Legacy app and debug - NO

B. Wonderful answer and most likely what you would want to do, but it's a legacy app for a reason (it works, there's no money to upgrade/migrate, it can't be migrated, it's a one of a kind... so many reasons why not)

C. A security assessment is not going to address the issues, it will just reinforce what the problems are

D. Could be correct, but I would need additional information that is not in the question (can the platform support a WAF (performance, etc.)?)

 

I am going to say I would probably choose D on this one.

 

Others?

 

d

 

Steve-Wilme
Advocate II

It's not a good question, but 'legacy' is probably a clue.  If an application is legacy it's become very difficult to change and probably had dependencies on a series of out of support technologies and complex dependencies. So I'd suggest D is the best answer.  You could get to D and mitigate commodity level layer 7 attacks quickly.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
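The "get to D quickly" approach above amounts to putting a filter in front of an application you cannot change. As an added example that is not from the original thread or from any participant, the following Python WSGI middleware sketches what such a filter does: it screens the request path and query string against a handful of commodity layer-7 signatures and blocks an endpoint the legacy app should never have exposed (a "virtual patch"). The legacy app, the rule set, the blocked paths and the sample requests are all constructed for illustration; a real deployment would front the app with a maintained engine and rule set rather than these few regexes.

```python
"""Added example (not from the original thread): a minimal WSGI middleware that
fronts an unmodifiable legacy web application and applies WAF-style screening.
The legacy app, the signatures, the blocked paths and the sample requests are
all constructed for illustration."""
import re
from urllib.parse import parse_qs, unquote_plus


# Hypothetical legacy app: reflects the 'user' parameter into HTML unescaped.
# The premise of the thread is that this code cannot be changed.
def legacy_app(environ, start_response):
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    user = qs.get("user", ["guest"])[0]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<h1>Welcome {user}</h1>".encode()]


# A few commodity layer-7 signatures. Deliberately small: a real deployment
# would use a maintained rule set, and signatures never cover every payload.
DENY_PATTERNS = [
    ("sqli", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)")),
    ("traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]

# Virtual patch: legacy endpoints that must not be reachable through the proxy.
# Hypothetical paths chosen for the example.
BLOCKED_PATH_PREFIXES = ("/admin", "/setup.php")


def inspect_request(path, query_string):
    """Return (allowed, reason). The query is URL-decoded once so that
    percent-encoded payloads are matched as the legacy app would see them."""
    if path.startswith(BLOCKED_PATH_PREFIXES):
        return False, "blocked path"
    decoded = unquote_plus(query_string)
    for name, rx in DENY_PATTERNS:
        if rx.search(decoded) or rx.search(path):
            return False, name
    return True, ""


class Waf:
    """WSGI middleware: deny matching requests, pass the rest through untouched."""

    def __init__(self, app):
        self.app = app
        self.log = []  # (reason, path) for every blocked request

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        ok, reason = inspect_request(path, environ.get("QUERY_STRING", ""))
        if not ok:
            self.log.append((reason, path))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by WAF\n"]
        return self.app(environ, start_response)


def run(app, path, query_string=""):
    """Drive a WSGI app in-process (no server); returns (status, body_text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    protected = Waf(legacy_app)
    # Constructed sample requests: benign, reflected XSS, encoded SQLi,
    # a blocked legacy endpoint, and a benign request that trips a signature.
    samples = [
        ("/", "user=alice"),
        ("/", "user=<script>alert(1)</script>"),
        ("/", "user=%27+or+%271%27%3D%271"),
        ("/admin", ""),
        ("/", "content=hello"),
    ]
    for p, q in samples:
        print(f"{p}?{q} -> {run(protected, p, q)[0]}")
    print("blocked:", protected.log)
```

The last sample request shows the cost of this approach: the `on\w+\s*=` signature meant for inline event handlers also fires on a perfectly benign parameter named `content`, so a WAF placed in front of a legacy app needs tuning against real traffic and does not remove the underlying flaw (the unescaped reflection is still there for anything the signatures miss).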
rslade
Influencer II

> Nitesh (Newcomer II) posted a new topic in Exam Preparation on 12-01-2020 05:47 PM in the (ISC)² Community :

>   I would
> choose Option C as the best answer as security assessment will let the
> management know on the cost benefit analysis of the countermeasure & steps
> to lower the risk of security issues.

You're learning ...

dcontesti
Community Champion

Welcome back Rob,

 

But I still think C is not correct.

 

The question:

What is the BEST approach to addressing security issues in legacy web applications?

 

How does C address the security issues other than telling you what you already most likely know?

 

d

 

Beads
Advocate I

Answer C implies doing more than just looking at securing a legacy web application. A security assessment would entail looking at the entire security landscape, quite the increase in scope if done correctly.

 

Answer D would be a targeted control for a legacy web application, more comparable to a scalpel than the blunt force of a full security assessment. You should do a security assessment at least once a year or when you have a major change in your business or workflow.

 

- b/eads

dcontesti
Community Champion

Thanks, but I am still hung up on the word "addresses"

 

So if C is the right answer I would get this one wrong, but still think it is a bad question and would hope it would not be on an exam.

 

d

 

Beads
Advocate I

Like that has ever stopped us before. Whoever wrote the test question needs to go back and give the sentence some sort of ownership. One answer is overly broad in my terms, the other is enough to scrape by. Otherwise we'd probably agree as to what the best control would be here.

 

- b/eads

sg2278
Newcomer II

I would answer C because as an IT person our first response is to fix it, but a managers response would be to assess the situation and then make a well informed decision.

Beads
Advocate I

It's the scope of the question that limits my interpretation to 'C' not 'D', nothing else. You either fix one specific component or you do a wide survey of all vulnerabilities found and fix them all. The question feels ambiguous as to intent.