A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Choose two.)
To effectively harden existing solutions and reduce application vulnerabilities, prioritizing both auto-updates and third-party updates is essential. Auto-updating ensures that the software remains current with the latest security patches, thereby mitigating known vulnerabilities promptly. Third-party updates similarly ensure that any external software components or dependencies are continuously patched and secure, preventing potential exploitation through outdated third-party elements. These steps directly address the most common vulnerabilities and keep the application ecosystem resilient against emerging threats.
The scenario doesn't specify a web application. I just assumed a locally run application, so I chose A & F. Poorly worded question.
It's A & D. Hardening existing applications will derive no benefits whatsoever from "Sandboxing." However, aside from enabling Auto-Updates of their applications, they might also want to safeguard 3rd-Party Solutions (CRM, ERP, Web-based solutions, etc.) by ensuring they are regularly patched/updated. Every other option would be "chasing shadows."
Ok, so I wasn't the only one thinking this way because of how the question is worded. I'm not understanding what sandboxing has to do with hardening the vulnerabilities right now when it could be as easy as updating and auto-updating. idk, maybe I'm wrong though.
B. HTTP headers: Configuring secure HTTP headers can help protect against various web application vulnerabilities, such as cross-site scripting (XSS), clickjacking, and certain types of information leakage. C. Secure cookies: Ensuring that cookies are secure and properly configured helps prevent various attacks like session hijacking and cookie tampering.
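As an added illustration of the B and C options discussed in the comment above (this is example code, not something posted in the thread or taken from any product), the script below audits a web response for the hardening headers and cookie attributes mentioned, and shows the same response after hardening. The response headers, cookie names and header values are constructed sample data; the header set and the `Secure`/`HttpOnly`/`SameSite` attributes are the standard ones, but which of them a given application actually needs is an assumption you should check against your own app.

```javascript
// Added example (not from the original thread): audit a web response for the
// hardening headers and cookie attributes discussed above, then harden it.
// Header sets below are constructed sample data, not captured from a real app.

// Headers a hardened response should carry and the attack each one mitigates.
const REQUIRED_HEADERS = {
  "strict-transport-security": "forces HTTPS; mitigates downgrade / SSL stripping",
  "content-security-policy": "restricts script sources; primary XSS mitigation",
  "x-content-type-options": "stops MIME sniffing of untrusted content",
  "x-frame-options": "blocks framing; clickjacking mitigation (CSP frame-ancestors also works)",
};

// Split one Set-Cookie value into the name=value pair, its raw attribute
// strings, and a lowercase attribute map (attribute names are case-insensitive).
function parseSetCookie(value) {
  const parts = value.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, pair: parts[0], rest: parts.slice(1), attrs };
}

// Return a list of findings for a response. `headers` uses lowercase keys;
// set-cookie may be a single string or an array of strings.
function auditResponseHeaders(headers) {
  const findings = [];
  const csp = headers["content-security-policy"] || "";
  for (const [name, why] of Object.entries(REQUIRED_HEADERS)) {
    if (name in headers) continue;
    // Clickjacking is covered if CSP already sets frame-ancestors.
    if (name === "x-frame-options" && /frame-ancestors/i.test(csp)) continue;
    findings.push(`missing ${name}: ${why}`);
  }
  if (headers["x-powered-by"] || headers["server"]) {
    findings.push("fingerprinting header present (server / x-powered-by): information leakage");
  }
  const cookies = [].concat(headers["set-cookie"] || []);
  for (const c of cookies) {
    const { name, attrs } = parseSetCookie(c);
    if (!attrs.secure) findings.push(`cookie ${name}: missing Secure (sent over plaintext HTTP)`);
    if (!attrs.httponly) findings.push(`cookie ${name}: missing HttpOnly (readable by injected script)`);
    const ss = String(attrs.samesite || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict") findings.push(`cookie ${name}: SameSite not Lax/Strict (CSRF exposure)`);
  }
  return findings;
}

// Return a hardened copy: drop fingerprinting headers, add the missing
// protections, and rewrite each Set-Cookie with Secure; HttpOnly; SameSite=Lax.
function hardenResponseHeaders(headers) {
  const out = { ...headers };
  delete out["x-powered-by"];
  delete out["server"];
  const defaults = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
  };
  for (const [k, v] of Object.entries(defaults)) if (!out[k]) out[k] = v;
  const cookies = [].concat(headers["set-cookie"] || []);
  out["set-cookie"] = cookies.map((c) => {
    const { pair, rest } = parseSetCookie(c);
    const keep = rest.filter((p) => !/^(secure|httponly|samesite)\b/i.test(p));
    return [pair, ...keep, "Secure", "HttpOnly", "SameSite=Lax"].join("; ");
  });
  return out;
}

// Constructed sample: a typical default response from an unhardened app.
const WEAK_RESPONSE = {
  "content-type": "text/html; charset=utf-8",
  "x-powered-by": "Express",
  "set-cookie": ["sessionid=abc123; Path=/", "pref=dark; Path=/; Secure"],
};

const weakFindings = auditResponseHeaders(WEAK_RESPONSE);
const hardenedFindings = auditResponseHeaders(hardenResponseHeaders(WEAK_RESPONSE));
console.log(weakFindings.join("\n"));          // 10 findings for the weak response
console.log("after hardening:", hardenedFindings.length); // 0
```

Run it with `node`; feed `auditResponseHeaders` the lowercase header object from a real `http` response (e.g. `res.headers`) to check an application you own. Note that the audit only reports presence of the headers; a CSP that still allows `'unsafe-inline'` would pass this check, so review the policy value itself as well.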
makes sense if we are assuming this is about a WEB application which is not specified in the question.
If it were web, then B and C could be the answer. But that's not the case here. It's a general context: reduce application vulnerabilities.
Auto-update does not reduce application vulnerabilities, per se. It can actually increase vulnerabilities in many cases. Also, updates can be for new features and, in the enterprise environment, auto-updating can destabilize many systems (making them less secure), which is why you should test thoroughly before doing so. Sandboxing doesn't actually fix vulnerabilities in apps nor does it harden them; it merely mitigates them (the apps themselves are still vulnerable).
A. Auto-update, D. Third-party updates. I've done some research on the top system hardening actions to take first. Multiple sources are saying that these are the most important things:
-- Auto OS updates
-- Keep third-party software on the system patched.
The question seems to lack any meaningful context. What type of application is it? What is the environment? Some folks here assume a web app, but I would not be so sure.
https://checklist.gg/templates/software-hardening-checklist
Going a bit against the grain and saying A&D. Since it asks what should be done first. Sandboxing or HTTP stuff is nice in certain cases, but if your software isn't patched then that's the number one way it will become vulnerable. Whether it's first party or third party.
As usual, we are stuck in uncertainty due to the poor wording of the question and are forced to make an inference. Personally, I like BC over AD. I think generally, CompTIA teaches us to be wary of auto-update policies in enterprise environments, and instead preaches the use of patch management suites. I think this can be attributed to auto-updates having the potential to cause compatibility, performance, and availability issues. I'm using similar reasoning to be wary of third-party updates -- patch management can help vet/schedule those updates so they are implemented seamlessly. Therefore, I'm more comfortable making the inference of web application security, resulting in my decision to select BC.
It seems like all the answers to the last 20 questions before and after this one are right; why is this one wrong?
In a general context where the goal is to reduce application vulnerabilities, it's reasonable to prioritize measures that address common software vulnerabilities and protect against potential threats. Sandboxing often takes priority because it directly mitigates application-related vulnerabilities and helps prevent malicious code or actions within an application from affecting the broader system. Full disk encryption, while important for data security, primarily addresses data-at-rest protection. While valuable, it doesn't directly reduce application vulnerabilities. So, when the goal is to reduce application vulnerabilities, prioritizing sandboxing over full disk encryption makes more sense.
Most of us here are arguing based on web-based application security or the general context of app security in the first instance. Indeed, the question clearly said reduce app vulnerabilities, not web application vulnerabilities; it just needs a bit more scrutiny.
A. Auto-update B. HTTP headers Auto-update ensures that software remains up-to-date with the latest security patches, addressing known vulnerabilities promptly. Configuring HTTP headers properly enhances web application security by mitigating common web-based attacks. These proactive measures can significantly reduce the attack surface and strengthen the overall security posture of the applications.
A & F - Auto-update ensures that all software has the latest security patches, minimizing security risks. Sandboxing is a security mechanism for separating running programs, often used to execute untested code, preventing software vulnerabilities from spreading across the system.
Auto-update is not hardening, so it's out. B & C are application hardening methods (for web apps including intranet apps - which is extremely common today) D is not hardening, per se - (one bad update can weaken a system - ask Microsoft) E & G are not application hardening, either (they protect data at rest, not really the application) F is a hardening technique for an entire system - not really just an application
Who told you auto-update is not a hardening technique? I would advise you to read more before posting, unless you are really sure, as this is causing so much confusion. https://checklist.gg/templates/software-hardening-checklist
Sandboxing for testing new patches or updates, and auto-update after the sandboxing result.
Sandboxing is used for containment/isolation. For example, a web browser can be run in a sandbox to mitigate attacks through the browser (i.e. malvertising, drive-by downloads, browser zero-days, etc.). iOS employs sandboxing for all its running apps. Sandboxing can be used for testing, but that's not its sole purpose.
sandboxing doesn't technically reduce application vulnerabilities, it merely mitigates risk. The apps, themselves, are still vulnerable.
So with this question, all other options are things that are good security measures. A) A good Security Practice but not hardening. D) Same as A. E) a protective measure F) limits an applications “reach” so it doesn’t access other parts of the system. G) same as e. I could be wrong, but just based on the way the question was worded, and it is worded horribly, the only two that I could think would apply in this situation is B and C.
I picked B & C because they are specific to actual application hardening, not mitigating attack surface (sandboxing is not app hardening, but network hardening & risk mitigation)
Since the question says "existing solutions" it makes me think this is in reference to third party software which could also be accessed via a web application. Based on the "existing solutions" I would use A.) Auto-update. F.) Sandboxing - I would consider this something I would do "FIRST" to mitigate application related vulnerabilities; especially if there is a third-party application with unpatchable vulnerabilities.
A. Auto-update: Implementing auto-updates ensures that your applications are always running the most recent and secure versions C. Secure cookies: Many web applications use cookies to maintain session state and store user-specific information. If these cookies are compromised, it could lead to session hijacking or unauthorized access.
Who has written the exam?