Exam SY0-601 topic 1 question 143 discussion

I think C is correct. You shouldn't have to take any risk at all if you can containerize the application. The goal of containerization is to isolate an application to prevent malware, intruders, system resources or other applications from interacting with the application – and any of its sensitive information — secured by the container.

IMO they should Accept the risk if there is a clear road map for timely decommission ->

Well you have to accept the risk

Answer is C because It doesn't say "Eliminate the risk" it says " MOST prudent course of action". It means choosing the option that demonstrates the highest level of caution, thoughtfulness, and consideration for future outcomes. In cybersecurity and risk management, the most prudent course of action involves selecting the approach that minimizes risks and maximizes security effectiveness over the long term. Personally, I think it's C. Atleast the users would still be able to use the application without decommission and spreading of the risk. "IF there is a clear road map for timely decommission" Without explicit mention of a clear road map for timely decommissioning, waiting for such a plan might not be a reliable approach.

I'm picking A because C doesn't really make much sense for a Web application as web apps usually run on a web server and independent from other apps (except for other web apps, but there's already isolation between multiple websites on a web server). C doesn't make sense for other reasons: the libraries need updating - containerization will not fix that problem at all - it won't eliminate any inherent risks involve with a library.

This question is trash. It feels like it is entirely opinion based that the answer changes from one organization to another. I feel that A and C are fine choices. In both scenarios you are eliminating risk, but one is eliminating in the future. It is a low security risk, in the real world it would likely just be accepted IF there is a clear road map to EOL Containerization can help mitigate some risk, but the underlying problem and risk still exists, but it can help with making sure that the risk does not turn into a larger exploit. This is all IMO. I would personally go with A with real world expectations and call it a day, and if I ever run into the person who wrote this question, then I would happily kick them in the nuts.

"eliminate the risk" discards C as a possibility in my mind because the risk still exists. Using containerization is a technique for risk compensation. Risk acceptance is the only viable option, so A.

Prudent = caring for the future, accepting the risk would not do this.

People will be between A and C. But when we read "eliminate the risk", it makes it much easier for us to discard C, innit?

This is C!!! You're not going to just accept it and leave it, you would segment it so everything else is protected more, think about it!

for me it is prudent to avoid the incidents using containers while the app is being removed.

My understanding this is the organization has a web application using a third-party library and it is end of life. However, it is still in use by some of the organizations customers. With legacy systems, the best control of this risk is a compensating one (mitigation). Network segmentation is always the best compensating control and in this case it can be tied in with containerization of the application. This is a more prudent approach than accepting the risk since there is NO clear road map for timely decommission.

The most prudent course of action would be: A. Accept the risk if there is a clear road map for timely decommission. This option acknowledges the risk but also emphasizes having a plan in place to decommission the application in a timely manner. This approach balances the need for security with the awareness of the application's end-of-life status and the potential burden of immediate updates. Chat gpt

The answer is A. If you read carefully, it says "eliminate the risk." Firstly, when containerizing, the risk is not ELIMINATED, but rather mitigated to some extent; the risk will still exist because there is no possible solution that eliminates it (well, maybe rebuilding the entire software). Therefore, even if you containerize, the risk WILL CONTINUE TO EXIST, meaning you will still have to ACCEPT the remaining risk, which is not acceptable since the goal is to eliminate the risk. The only way to eliminate this risk is to decommission the outdated software.

y'all can't agree on nothing

I chose C because there is no clear map to a decommission. "..even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries"

Eliminating risk is always a better option then accepting risk, its C