
Exam CISM topic 1 question 927 discussion

Actual exam question from Isaca's CISM
Question #: 927
Topic #: 1

A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?

  • A. Vulnerabilities were caused by insufficient user acceptance testing (UAT).
  • B. Exploit code for one of the vulnerabilities is publicly available.
  • C. A rules of engagement form was not signed prior to the penetration test.
  • D. Vulnerabilities were not found by internal tests.
Suggested Answer: B

Comments

AlexJacobson
10 months, 1 week ago
Selected Answer: B
As a pentester I can tell you that B is definitely very concerning. But almost equally concerning should be C. In the context of this question maybe not so much, but in general this can be a big deal.
upvoted 1 times
Bl1024
1 year ago
Why not D? If public vulnerabilities were not found by internal testing, then the process is very faulty and the problem will certainly occur again.
upvoted 1 times
AlexJacobson
10 months, 1 week ago
It's concerning, but not THE MOST concerning.
upvoted 1 times
koala_lay
1 year, 1 month ago
Selected Answer: B
The greatest concern among the given options would be option B: Exploit code for one of the vulnerabilities is publicly available. This is a significant concern because if the exploit code is publicly available, it means that it can be easily accessed and utilized by threat actors with malicious intent. This increases the likelihood of a successful attack on the organization's web application, potentially leading to unauthorized access, data breaches, or other types of security incidents. It is essential to address this vulnerability urgently and take appropriate actions to mitigate the risk.
upvoted 2 times
richck102
1 year, 2 months ago
Um... I vote B. Exploit code for one of the vulnerabilities is publicly available.
upvoted 1 times
wickhaarry
1 year, 2 months ago
C. A rules of engagement form was not signed prior to the penetration test. I am not sure of this, but I think if the rules of engagement were not signed, that means any loss caused by them can't be legal, plus they can look into confidential stuff.
upvoted 1 times
CISSPST
1 year, 2 months ago
If the exploit code is available publicly (making it a known vulnerability to all, including the organization), then a suitable control can be selected and implemented. However, if user acceptance is the main issue after the application is in production, then the challenge could be major, pointing toward design flaws, rejection of technology, etc. Or, at least, I think so. Appreciate more views on this.
upvoted 1 times
Community vote distribution:

  • A (35%)
  • C (25%)
  • B (20%)
  • Other