What is the BEST approach to addressing security issues in legacy web applications?

A. Debug the security issues
B. Migrate to newer, supported applications where possible
C. Conduct a security assessment
D. Protect the legacy application with a web application firewall


6 thoughts on “What is the BEST approach to addressing security issues in legacy web applications?”

  1. Addressing the problem can take multiple forms: 1) mitigate risk, 2) transfer risk, 3) avoid risk, etc. Personally, I feel avoiding the risk (B) whenever possible sounds good to me.

  2. This one is very tricky. The question asks: what is the best approach to ADDRESSING security issues (in general) in legacy web apps?

    Let’s make it easy – out of the following options, which option best addresses various security issues in legacy web apps?

    “Addresses” is such an interesting word here. What if they said mitigates? Think about what they are asking. Does a security assessment mitigate anything? No. Yes, it is a great option when considering what the security issues are, but when speaking about what the word “addresses” means in this context, I think they are asking for what “mitigates” issues, and a direct answer to that is what is listed as the correct answer – D. using a web application firewall to protect the legacy apps.

    Similar to “HK’s response in the comments”: When I say, how do we address this? I am really asking, how do we fix this? How do we overcome this? In essence, the term “addressing” in the question here IS the security assessment. We know we have security issues in legacy web apps, but HOW do we ADDRESS those issues? What do we do to FIX or MITIGATE them? The assessment will not fix anything, it just answers what you might do to fix something. Actually doing something is directly “addressing” the issue, which I believe is what they are looking for here.

    To each their own, just my perspective. Good luck with your exams!

  3. There are actually three plausible answers here (B, C, or D) but one is more correct than the others. From the perspective of a CISSP, you should conduct a security assessment about the legacy web apps situation. From there, you can either decide to migrate to newer, supported apps or decide to protect the legacy app with a WAF. Using a WAF to protect legacy apps IS a solution but that is coming from the perspective of a security analyst, who is required to fix technical issues, and not the CISSP, who has the business’s interests in mind. The CISSP needs to assess what is a more cost effective solution. Therefore, I believe C is the correct answer.

  4. Legacy web applications are often monolithic in design, and it is difficult to modify each component.
    If the code is not modular, refactoring and debugging are impractical.
    So if you move to a new web application, you’re unlikely to get a guarantee.
    A security assessment may present a problem with legacy web applications, but it is not a solution.
    Best of all, the WAF protects against attacks that exploit application vulnerabilities and against attacks that exploit common web application vulnerabilities, reducing the risk of legacy application vulnerabilities to a level of risk acceptance.

  5. “D” doesn’t feel right to me. It would certainly be an excellent step, but I’m not sure it’s the best. I’d guess “C”.

    1. D seems accurate…
      “security issues IN legacy web applications”
      The issues were already found, possibly via a security assessment.
