nerdexam
(ISC)2

CISSP · Question #775

Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?

The correct answer is A. Make changes following principle and design guidelines.. During the maintenance phase of the SDLC, discovered vulnerabilities must be remediated through a structured change process that follows established principles and design guidelines to ensure integrity and consistency of the system.

Submitted by viktor_hu· Mar 5, 2026Software Development Security

Question

Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?

Options

  • AMake changes following principle and design guidelines.
  • BStop the application until the vulnerability is fixed.
  • CReport the vulnerability to product owner.
  • DMonitor the application and review code.

How the community answered

(48 responses)
  • A
    83% (40)
  • B
    4% (2)
  • C
    2% (1)
  • D
    10% (5)

Why each option

During the maintenance phase of the SDLC, discovered vulnerabilities must be remediated through a structured change process that follows established principles and design guidelines to ensure integrity and consistency of the system.

AMake changes following principle and design guidelines.Correct

In the SDLC maintenance phase, any changes-including vulnerability fixes-must adhere to established design principles and change management guidelines to prevent introducing new issues and maintain system integrity. This structured approach ensures that patches and remediations are implemented in a controlled, documented manner consistent with the original architecture. Following principle and design guidelines is the mandatory process governing how modifications are made during maintenance.

BStop the application until the vulnerability is fixed.

Stopping the application is not a required or standard action; risk-based decisions may allow continued operation with compensating controls while a fix is developed, and halting production systems is a business decision, not an SDLC mandate.

CReport the vulnerability to product owner.

Reporting to the product owner may be part of the process, but it is not the primary required action-the SDLC mandates a formal remediation process following design and change guidelines, not merely notification.

DMonitor the application and review code.

Monitoring and code review are activities associated with the detection phase or ongoing operations, not the specific required action once a vulnerability has already been discovered during maintenance.

Concept tested: Vulnerability remediation process within SDLC maintenance phase

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#vulnerability management#SDLC maintenance#change management#secure coding principles

Community Discussion

No community discussion yet for this question.

Full CISSP Practice