CISSP · Question #775
Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?
The correct answer is A. Make changes following principle and design guidelines.. During the maintenance phase of the SDLC, discovered vulnerabilities must be remediated through a structured change process that follows established principles and design guidelines to ensure integrity and consistency of the system.
Question
Options
- AMake changes following principle and design guidelines.
- BStop the application until the vulnerability is fixed.
- CReport the vulnerability to product owner.
- DMonitor the application and review code.
How the community answered
(48 responses)- A83% (40)
- B4% (2)
- C2% (1)
- D10% (5)
Why each option
During the maintenance phase of the SDLC, discovered vulnerabilities must be remediated through a structured change process that follows established principles and design guidelines to ensure integrity and consistency of the system.
In the SDLC maintenance phase, any changes-including vulnerability fixes-must adhere to established design principles and change management guidelines to prevent introducing new issues and maintain system integrity. This structured approach ensures that patches and remediations are implemented in a controlled, documented manner consistent with the original architecture. Following principle and design guidelines is the mandatory process governing how modifications are made during maintenance.
Stopping the application is not a required or standard action; risk-based decisions may allow continued operation with compensating controls while a fix is developed, and halting production systems is a business decision, not an SDLC mandate.
Reporting to the product owner may be part of the process, but it is not the primary required action-the SDLC mandates a formal remediation process following design and change guidelines, not merely notification.
Monitoring and code review are activities associated with the detection phase or ongoing operations, not the specific required action once a vulnerability has already been discovered during maintenance.
Concept tested: Vulnerability remediation process within SDLC maintenance phase
Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.