nerdexam
(ISC)2

CISSP · Question #13

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

The correct answer is B. Test for the security patch level of the environment. Preventing exploitation of OS bugs requires ensuring the environment is patched and up-to-date. Testing for the security patch level directly addresses whether known OS vulnerabilities have been remediated.

Submitted by takeshi77· Mar 5, 2026Security Engineering

Question

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

Options

  • ACheck arguments in function calls
  • BTest for the security patch level of the environment
  • CInclude logging functions
  • DDigitally sign each application module

How the community answered

(52 responses)
  • A
    15% (8)
  • B
    75% (39)
  • C
    4% (2)
  • D
    6% (3)

Why each option

Preventing exploitation of OS bugs requires ensuring the environment is patched and up-to-date. Testing for the security patch level directly addresses whether known OS vulnerabilities have been remediated.

ACheck arguments in function calls

Checking arguments in function calls is an input validation control that prevents application-level vulnerabilities such as injection attacks, not OS-level bug exploitation.

BTest for the security patch level of the environmentCorrect

OS bugs are addressed by applying vendor-released security patches; testing for the security patch level of the environment ensures that known vulnerabilities in the operating system have been remediated before they can be exploited. This control directly maps to vulnerability management practices where unpatched systems are the primary attack surface for OS-level exploits. Verifying patch levels as a web application control ensures the underlying platform does not introduce exploitable weaknesses.

CInclude logging functions

Including logging functions is a detective control that records activity for forensic or audit purposes but does not prevent the exploitation of OS bugs.

DDigitally sign each application module

Digitally signing application modules ensures code integrity and authenticity of the application itself, but does not address or remediate vulnerabilities present in the underlying operating system.

Concept tested: Patch management as a web application security control

Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/README

Topics

#web application security#OS patching#vulnerability management#security controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice