Exam 312-50v12 topic 1 question 177 discussion

I guessed A, and ChatGPT says A too. "Vulnerability scanners can tell you what's wrong, but not how much it matters to your business. In this case, the analyst needs to prioritize based on impact, and that's where vulnerability assessment tools fall short — they don't provide contextual risk analysis tied to business operations."

answer is B Based on ChatGPT

So...there are 3 choices that make sense. A - because VA don't have context, which is 100% true B - this one is debatable because every single vulnerability is due to software engineering flaws. However, for some a pentest might find them. C - that's applicable to VA/Pentests/Audits, hence too broad D - no A is the most correct one, however C could be a valid option generally speaking

B: "Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed." While all the options represent potential limitations of vulnerability assessment, option B highlights a critical concern. Vulnerability scanning software, like any software, can have its own flaws or limitations in its ability to accurately detect vulnerabilities. These flaws could range from misconfigurations to incomplete vulnerability databases or algorithms. Consequently, serious vulnerabilities might go undetected if the scanning software fails to properly identify them. It's important for the security analyst to be aware of this limitation and not solely rely on vulnerability scanning software. They should complement automated scanning with manual checks, penetration testing, and other security measures to ensure comprehensive coverage and accuracy in identifying vulnerabilities within the network.

A. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations. The problems described will not change their criticality over time, so C will not change the results.

C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time. While vulnerability scanning is a valuable tool for identifying known vulnerabilities in a network, it's important to note that it provides a snapshot of the system's security posture at a specific moment.

I think A. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations

Im a bit hesitant about the effectiveness of this CEH technique