Correcting the Cause of the Vulnerability in Agile Development | CompTIA CySA+ Exam CS0-002

Best Practices for Addressing Repeated Vulnerabilities in Agile Development

Question

A development team uses open-source software and follows an Agile methodology with two-week sprints.

Last month, the security team filed a bug for an insecure version of a common library.

The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable.

This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

Answers

A. Deploy a WAF in front of the application.
B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.

Explanations

Correct answer: B. Implement a software repository management tool.

The clue is the two-week sprint. The DevOps team fixed the library on the running server, and the rescan confirmed that fix, but the application is rebuilt and redeployed every sprint from source control together with its declared dependencies. The dependency manifest still referenced the insecure library version, so the next deployment reinstalled it and undid the hand-applied fix. The cause is therefore neither the server nor the team's own code; it is how third-party components are sourced and versioned in the build.

Option A, deploying a WAF in front of the application, is a compensating control. It does not change the vulnerable library, and it only helps if the weakness is exploitable through HTTP requests the WAF can recognize. The next scan would still report the insecure version.

Option B, implementing a software repository management tool, is correct. An artifact or dependency repository that proxies and curates the components builds pull lets the team approve and pin library versions centrally, block versions with known vulnerabilities, and make the updated version the one every sprint's build uses. The fix then lives where the dependency is declared, so it survives redeployment instead of being overwritten by it. A practical check after adopting it: confirm that the manifest or lock file in source control pins the fixed version, then rescan after the next sprint's deployment rather than only after a manual patch.

Option C, installing a HIPS on the server, adds host-level protection that may detect or block an exploit attempt, but the vulnerable library is still shipped with every release. Like the WAF, it treats the symptom.

Option D, instructing the developers to use input validation in the code, is a sound secure coding practice, but it addresses flaws in the team's own code. The finding is a known-insecure version of a third-party library, which remains vulnerable regardless of how the application validates its input, and input validation does nothing to explain why a fix that was verified last month regressed this month.

In conclusion, option B is the correct answer: it corrects the cause by controlling which library versions enter each build, whereas options A and C add protective layers around the vulnerability and option D targets a different class of defect.
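As an added example that is not part of the original exam page, the following Python script shows the kind of dependency policy gate a software repository management tool applies to every build: it parses a pinned requirements manifest, flags any pin that falls inside a known-vulnerable version range, and flags unpinned entries. The package name `examplelib`, its vulnerable range, and both manifests are constructed for the example and do not refer to any real package or advisory.

```python
"""Added example (not from the original page): a minimal dependency policy gate.
Flags pins inside a known-vulnerable version range and entries that are not
exactly pinned. 'examplelib', its range and both manifests are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed blocklist: package -> [(first_vulnerable, first_fixed), ...].
# A pinned version v is vulnerable when first_vulnerable <= v < first_fixed.
BLOCKLIST: Dict[str, List[Tuple[tuple, tuple]]] = {
    "examplelib": [((1, 0, 0), (1, 4, 2))],
}

# Matches exact pins such as "name==1.2.3", with an optional trailing comment.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


@dataclass
class Finding:
    package: str
    pinned: str
    first_fixed: str


def parse_version(version: str) -> tuple:
    """Turn '1.4.1' into (1, 4, 1). A segment with no leading digits counts as 0,
    which keeps pre-release tags inside the vulnerable range (conservative)."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned_version}, [lines that are not exact pins]).
    Blank lines and comment-only lines are ignored."""
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def check_manifest(text: str, blocklist=BLOCKLIST) -> Dict[str, list]:
    """Evaluate a manifest; returns {"vulnerable": [Finding], "unpinned": [str]}."""
    pins, unpinned = parse_requirements(text)
    vulnerable: List[Finding] = []
    for package, pinned in pins.items():
        version = parse_version(pinned)
        for first_vulnerable, first_fixed in blocklist.get(package, []):
            if first_vulnerable <= version < first_fixed:
                vulnerable.append(Finding(package, pinned, ".".join(map(str, first_fixed))))
    return {"vulnerable": vulnerable, "unpinned": unpinned}


def gate_passes(text: str, blocklist=BLOCKLIST) -> bool:
    """Build policy: every dependency exactly pinned and no pin on the blocklist."""
    result = check_manifest(text, blocklist)
    return not result["vulnerable"] and not result["unpinned"]


# Constructed manifest as checked into the repo. The hotfix was applied on the
# server only, so this pin is what the next sprint's deployment reinstalls.
SPRINT_MANIFEST = """\
# requirements.txt (constructed)
otherlib==3.2.0
examplelib==1.4.1   # hot-patched on the server to 1.4.2, never changed here
"""

# The same manifest after the fix is made where the dependency is declared.
FIXED_MANIFEST = """\
# requirements.txt (constructed)
otherlib==3.2.0
examplelib==1.4.2
"""


def main() -> None:
    for label, manifest in (("sprint", SPRINT_MANIFEST), ("fixed", FIXED_MANIFEST)):
        result = check_manifest(manifest)
        print(f"{label}: {'PASS' if gate_passes(manifest) else 'FAIL'}")
        for f in result["vulnerable"]:
            print(f"  {f.package}=={f.pinned} is blocklisted; first fixed version: {f.first_fixed}")
        for line in result["unpinned"]:
            print(f"  not exactly pinned: {line}")


if __name__ == "__main__":
    main()
```

Running the script fails the gate on the manifest the sprint redeploys and passes it once the pin itself is changed, which is the distinction the question turns on: a fix applied only to the server is not visible to this check at all, because the check reads what the next build will install, not what is currently running.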