Exam CISSP topic 1 question 198 discussion

Actual exam question from ISC's CISSP
Question #: 198
Topic #: 1

A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce the development time. What concept should software developers consider when using open-source software libraries?

  • A. Open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild.
  • B. Open source libraries can be used by everyone, and there is a common understanding that the vulnerabilities in these libraries will not be exploited.
  • C. Open source libraries contain unknown vulnerabilities, so they should not be used.
  • D. Open source libraries are constantly updated, making it unlikely that a vulnerability exists for an adversary to exploit.
Suggested Answer: A

Comments

shaitand
1 month ago
Selected Answer: D
D. All software has vulnerabilities, but an open source solution with equivalent popularity will have fewer UNPATCHED known vulnerabilities because vulnerabilities are patched more frequently, typically upon discovery.
upvoted 1 times
eboehm
7 months, 2 weeks ago
Selected Answer: D
So weird how many people think the answer is A. Just because a library is open-source it doesn't automatically have known vulnerabilities. The answer is 100% D. If a library is open then it's under public scrutiny far more. Therefore, when a vulnerability is detected, a fix is found quite fast. For example, just look at the SSL vulnerability.
upvoted 2 times
Maximillian
3 months, 1 week ago
I mean you need to think like a CISO or at least an IT security manager. Will you tell the developers "Please use open source software without concerns as issues will be fast"? How will you explain the log4j issue then?
upvoted 1 times
shaitand
1 month ago
That isn't thinking like a CISO unless you mean that CISOs are stuck in an 80's mindset where obscurity provides security. There are issues like log4j in both closed and open systems; they get found and patched more quickly the more eyes see and review the source.
upvoted 1 times
74gjd_37
1 year, 2 months ago
Selected Answer: A
Option B is incorrect because the common understanding that vulnerabilities in open-source libraries will not be exploited is not true. Option C is incorrect because while unknown vulnerabilities in open-source libraries are possible, it does not mean they should not be used. Option D is incorrect because although many open-source libraries are constantly updated and maintained by a large community of contributors, it does not mean they are free from vulnerabilities.
upvoted 4 times
georgegeorge125487
1 year, 3 months ago
Selected Answer: A
A is correct
upvoted 1 times
RVoigt
1 year, 10 months ago
Selected Answer: A
From the CISSP Official Study Guide - "Many of these libraries are available as open source projects, whereas others may be commercially sold or maintained internally by a company. Over the years, the use of shared libraries has resulted in many security issues... To protect against similar vulnerabilities, developers should be aware of the origins of their shared code and keep abreast of any security vulnerabilities that might be discovered in libraries that they use. This doesn't mean that shared libraries are inherently bad. In fact, it's difficult to imagine a world where shared libraries aren't widely used. It simply calls for vigilance and attention from software developers and cybersecurity professionals."
upvoted 4 times
jackdryan
1 year, 6 months ago
A is correct
upvoted 1 times
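The study guide passage quoted above asks developers to know the origin of their shared code and to keep abreast of vulnerabilities discovered in the libraries they use. As an added example (not from ExamTopics, the study guide, or any library's own tooling), here is the check that guidance implies: a pinned dependency manifest audited against an advisory list, flagging every pin that falls inside a published affected version range. The package names, versions and advisory ids are constructed for the example, and the in-memory advisory table stands in for a real feed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    affected_min: tuple   # inclusive lower bound of affected versions
    fixed_in: tuple       # first patched version (exclusive upper bound)
    advisory_id: str      # constructed placeholder, not a real identifier

def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))

def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines into {name: version tuple}. Comments and
    blanks are skipped; an unpinned entry is rejected as not auditable."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = parse_version(version)
    return pins

def find_vulnerable(pins: dict, advisories: list) -> list:
    """Return (package, version, advisory_id) for every pin inside an
    advisory's affected range, i.e. affected_min <= version < fixed_in."""
    hits = []
    for adv in advisories:
        ver = pins.get(adv.package.lower())
        if ver is not None and adv.affected_min <= ver < adv.fixed_in:
            hits.append((adv.package, ver, adv.advisory_id))
    return hits

# Constructed sample manifest and advisory table for this example.
SAMPLE_REQUIREMENTS = """\
logparse==2.14.1   # pinned long ago and never reviewed
fastjson==1.3.0    # already past the fix version
urlsafe==4.0.2     # no advisory on record
"""
SAMPLE_ADVISORIES = [
    Advisory("logparse", (2, 0, 0), (2, 15, 0), "EXAMPLE-ADV-0001"),
    Advisory("fastjson", (1, 0, 0), (1, 2, 5), "EXAMPLE-ADV-0002"),
]

def audit(text: str = SAMPLE_REQUIREMENTS, advisories=SAMPLE_ADVISORIES):
    return find_vulnerable(parse_requirements(text), advisories)
```

Only the stale `logparse` pin is reported; `fastjson` is already at or past its fix version and `urlsafe` has no advisory, which is exactly the distinction between "a known vulnerability exists" and "our pinned version is affected" that a developer has to track.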
DJOEK
1 year, 10 months ago
Selected Answer: A
A. Open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild. While it is true that open source libraries can be updated regularly, this does not guarantee that vulnerabilities will not exist or that they will not be exploited. In fact, the use of open source libraries can potentially increase the risk of vulnerabilities because they are widely used and known to many people, including adversaries. This means that if a vulnerability is discovered in an open source library, it may be more likely to be exploited compared to a proprietary library that is not widely known. Additionally, it is not uncommon for open source libraries to contain known vulnerabilities, as these libraries are often developed by a community of volunteers who may not have the resources or time to thoroughly test and secure the code. Therefore, it is important for software developers to consider the potential risks of using open source libraries, including the possibility of known vulnerabilities, when making decisions about which libraries to use.
upvoted 3 times
Ivanchun
1 year, 11 months ago
Selected Answer: A
A, developers know the vulnerabilities before using the open source library.
upvoted 1 times
sphenixfire
1 year, 11 months ago
Selected Answer: D
?!? Guys?! Only D is correct. If vulnerabilities are recognized, they are fixed. All people can look for them. Review is done much more frequently. Unknown vulnerabilities exist in every software. And there is no consensus for not attacking anything.
upvoted 2 times
Serliop378
1 year, 6 months ago
Some libraries and projects have a very low community and time commitment (busy devs) to find the bugs and vulnerabilities and to fix them accordingly.
upvoted 1 times
shaitand
1 month ago
True, but also true of closed software, which generally has few development resources committed if it isn't a popular money maker or has a locked-in market. As indicated in the study material for the CISSP, vulnerabilities in open source code are typically found and patched more quickly than closed. A is false because any KNOWN vulnerabilities in open source software are generally patched when discovered.
upvoted 1 times
rdy4u
2 years ago
Selected Answer: A
Open source vulnerabilities are basically security risks in open source software. This is weak or vulnerable code that allows attackers to conduct malicious attacks or perform unintended actions that are not authorized. https://www.cypressdatadefense.com/blog/open-source-security-risk/
upvoted 2 times
kptest12
2 years, 1 month ago
Selected Answer: A
Answer is right, e.g. log4j.
upvoted 2 times
JAckThePip
2 years, 1 month ago
In my opinion the correct answer is B. "Sometimes it's noted that a vulnerability that exists but is unknown can't be exploited, so the system is 'practically secure.' In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of helping to fix it. Having unknown vulnerabilities doesn't really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they'll be exploited. Fundamentally, the problem of someone exploiting a vulnerability they discover is a problem for both open and closed source systems." https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html https://www.darkreading.com/application-security/flaws-found-in-some-open-source-projects-exploited-more-often
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other