Exam CISSP topic 1 question 274 discussion

Again, poor wording of question and answers

They ask to correct the security weakness, only way to do it is to update it and patch it

Unlikely B. Sandboxing can help with testing, but it does not prevent or correct security weaknesses in production.

D. The software is already implemented and they are migrating it, so clearly it is not end-of-life. The question asks for "prevent and correct". This means that the vendor has to release patches which need to be installed.

Applying Patches is a corrective control and examine the process is due diligence and isn't preventive so i believe that the sandbox the correct answer.

D. Examine the software updating and patching process. To prevent and correct security weaknesses in the COTS software that is being migrated to the cloud, the best approach would be to examine the software updating and patching process. This would involve a review of the software vendor's patching and update schedules, and an assessment of how quickly the vendor releases patches in response to newly discovered vulnerabilities. This can help ensure that any known security weaknesses in the software are addressed in a timely manner, reducing the risk of exploitation.

D. Examine the software updating and patching process It is important to ensure that the software is updated and patched regularly to address known security vulnerabilities. This may include reviewing the software's end-of-life schedule and implementing a dedicated COTS sandbox environment for testing updates and patches before deploying them to the production environment. Additionally, it's important to review and assess the security of the cloud service provider and their ability to mitigate vulnerabilities in the COTS application.

but is concerned about the application security of the software in the organization's dedicated environment with a cloud service provider- aka live environment.

Option D would have been the best but the framing of the questions suggests the update and patching process is still under review ("examine") of the change control process. I will compesate with option B while waiting for approval for update and patch.

The BEST way to prevent and correct the software's security weaknesses is by keeping the software up to date with the latest patches. So, I am going with "D" on this one.

Prevent and Correct the weaknesses. Just because they bought it years ago doesn't mean it isn't being maintained.