CISSP · Question #13
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
The correct answer is B. Test for the security patch level of the environment. Preventing exploitation of OS bugs requires ensuring the environment is patched and up-to-date. Testing for the security patch level directly addresses whether known OS vulnerabilities have been remediated.
Question
Options
- ACheck arguments in function calls
- BTest for the security patch level of the environment
- CInclude logging functions
- DDigitally sign each application module
How the community answered
(52 responses)- A15% (8)
- B75% (39)
- C4% (2)
- D6% (3)
Why each option
Preventing exploitation of OS bugs requires ensuring the environment is patched and up-to-date. Testing for the security patch level directly addresses whether known OS vulnerabilities have been remediated.
Checking arguments in function calls is an input validation control that prevents application-level vulnerabilities such as injection attacks, not OS-level bug exploitation.
OS bugs are addressed by applying vendor-released security patches; testing for the security patch level of the environment ensures that known vulnerabilities in the operating system have been remediated before they can be exploited. This control directly maps to vulnerability management practices where unpatched systems are the primary attack surface for OS-level exploits. Verifying patch levels as a web application control ensures the underlying platform does not introduce exploitable weaknesses.
Including logging functions is a detective control that records activity for forensic or audit purposes but does not prevent the exploitation of OS bugs.
Digitally signing application modules ensures code integrity and authenticity of the application itself, but does not address or remediate vulnerabilities present in the underlying operating system.
Concept tested: Patch management as a web application security control
Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/README
Topics
Community Discussion
No community discussion yet for this question.