During a recent vulnerability assessment, it was discovered that a business-critical legacy application is vulnerable to a well-known security exploit. The application is running on an unsupported operating system, and the vendor no longer provides patches. As part of vulnerability management reporting, what should be the primary recommendation to stakeholders to mitigate the risk associated with this legacy application?
Decommission the application immediately to remove the vulnerability
Ignore the vulnerability since the application is business-critical
Implement compensating controls to mitigate the risk
Upgrade the operating system to the latest version
The correct answer is 'Implement compensating controls to mitigate the risk'. When patching is not possible because the application runs on an unsupported operating system, the best course of action is to apply alternative security measures that protect the system without changing the legacy system itself. These might include network segmentation, additional monitoring, or application whitelisting.
'Upgrade the operating system' is incorrect because the question implies that the application is business-critical and might not be compatible with newer operating systems, which could lead to business process interruption.
'Decommission the application' is incorrect because the application is described as business-critical, thus simply removing it may not be a viable immediate solution.
'Ignore the vulnerability' is incorrect as it leaves the system open to exploitation, which could result in significant business impact.