Cyber AB Certified CMMC Assessor (CCA) Exam CMMC-CCA Question # 111 Topic 12 Discussion

CMMC-CCA Exam Topic 12 Question 111 Discussion:
Question #: 111
Topic #: 12

You are assessing an OSC (Organization Seeking Certification) that develops applications handling Controlled Unclassified Information (CUI). As part of the assessment, you review their vulnerability scanning process. According to their risk assessment policy, the OSC conducts system vulnerability scans every three months; they also use a centralized, automated vulnerability scanning tool that performs daily scans. When vulnerabilities are discovered, the OSC's team applies patches and rescans the affected systems. Their environment includes backend database servers, web applications with custom Java code, virtual machine hosts running containerized applications, network firewalls, routers, switches, and developer workstations.

During the assessment, you find that their scanning solution integrates the latest vulnerability feeds from the National Vulnerability Database (NVD), Open Vulnerability and Assessment Language (OVAL) definitions, and vendor sources. The tool generates reports using Common Vulnerability Scoring System (CVSS) metrics, and even remotely connected developer laptops are included in the scans. However, when you review the vulnerability reports, you observe that the same high/critical vulnerabilities persist month after month without evidence of remediation. Furthermore, there is no record of source code scanning for their custom applications, and the virtual machine hosts running the containerized applications are not included in the scans.

Which of the following would be an appropriate compensating control or mitigation for the lack of source code scanning?


A. Deploy web application firewalls in front of the custom applications

B. Increase the frequency of automated vulnerability scans on the production environment

C. Perform periodic penetration testing and code reviews on the custom applications

D. Implement secure coding standards and practices during application development
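The two evidence problems the assessor spots in the scan reports (high/critical findings that recur month after month, and in-scope hosts that never appear in any report) are things an assessor or the OSC's own team can check mechanically rather than by eyeballing PDFs. The script below is an added example written for this page, not code from the question, the Cyber AB, or any scanning product. The report structure, asset names and `EXAMPLE-nnnn` vulnerability identifiers are constructed stand-ins for a real tool's export; the only real convention used is the CVSS v3 severity threshold (7.0 and above is High or Critical).

```python
"""Added example (not from the original page): audit a series of monthly
vulnerability scan exports for (1) High/Critical findings that persist across
consecutive reports with no remediation, (2) findings that were present last
month and are gone now, and (3) inventoried assets that no report ever covers.

All data below is constructed for the example. The identifiers EXAMPLE-nnnn are
placeholders, not CVE IDs, and the asset names are hypothetical."""

HIGH_THRESHOLD = 7.0  # CVSS v3 base score: 7.0-8.9 High, 9.0-10.0 Critical

# Constructed sample: three consecutive monthly exports, oldest first.
MONTHLY_REPORTS = [
    {"month": "2024-01", "findings": [
        {"asset": "db01", "id": "EXAMPLE-0001", "cvss": 9.8},
        {"asset": "web01", "id": "EXAMPLE-0002", "cvss": 7.5},
        {"asset": "web01", "id": "EXAMPLE-0003", "cvss": 4.3},
        {"asset": "fw01", "id": "EXAMPLE-0004", "cvss": 8.1},
        {"asset": "sw01", "id": "EXAMPLE-0007", "cvss": 3.1},
    ]},
    {"month": "2024-02", "findings": [
        {"asset": "db01", "id": "EXAMPLE-0001", "cvss": 9.8},
        {"asset": "web01", "id": "EXAMPLE-0002", "cvss": 7.5},
        {"asset": "fw01", "id": "EXAMPLE-0004", "cvss": 8.1},
        {"asset": "dev-laptop01", "id": "EXAMPLE-0005", "cvss": 7.2},
    ]},
    {"month": "2024-03", "findings": [
        {"asset": "db01", "id": "EXAMPLE-0001", "cvss": 9.8},
        {"asset": "web01", "id": "EXAMPLE-0002", "cvss": 7.5},
        {"asset": "dev-laptop01", "id": "EXAMPLE-0005", "cvss": 7.2},
        {"asset": "router01", "id": "EXAMPLE-0006", "cvss": 5.0},
    ]},
]

# Constructed asset inventory: the VM hosts are in scope but never scanned.
ASSET_INVENTORY = [
    "db01", "web01", "fw01", "router01", "sw01",
    "vmhost01", "vmhost02", "dev-laptop01",
]


def high_or_critical(report):
    """Set of (asset, id) pairs at or above the High threshold in one report."""
    return {(f["asset"], f["id"]) for f in report["findings"]
            if f["cvss"] >= HIGH_THRESHOLD}


def persistent_findings(reports, min_months=2):
    """High/Critical findings still open in the newest report, keyed to the
    number of consecutive reports (ending at the newest) they appear in.
    Only runs of at least `min_months` are returned."""
    ordered = sorted(reports, key=lambda r: r["month"])
    per_month = [high_or_critical(r) for r in ordered]
    runs = {}
    for key in per_month[-1]:
        run = 0
        for month_set in reversed(per_month):
            if key not in month_set:
                break  # run of consecutive appearances ends here
            run += 1
        if run >= min_months:
            runs[key] = run
    return runs


def remediated_since_previous(reports):
    """High/Critical findings present in the previous report but absent from
    the newest one. Absence alone is weak evidence: a finding also vanishes
    when the asset drops out of scan scope, so pair this with unscanned_assets."""
    ordered = sorted(reports, key=lambda r: r["month"])
    if len(ordered) < 2:
        return set()
    return high_or_critical(ordered[-2]) - high_or_critical(ordered[-1])


def unscanned_assets(inventory, reports):
    """Inventoried assets that appear in no report at all. An asset with zero
    findings would normally still appear in a real export; in this constructed
    format, absence from every report means it was never scanned."""
    scanned = {f["asset"] for r in reports for f in r["findings"]}
    return set(inventory) - scanned


if __name__ == "__main__":
    for (asset, vid), months in sorted(persistent_findings(MONTHLY_REPORTS).items()):
        print(f"persistent: {asset} {vid} open for {months} consecutive reports")
    for asset, vid in sorted(remediated_since_previous(MONTHLY_REPORTS)):
        print(f"closed since last report: {asset} {vid}")
    for asset in sorted(unscanned_assets(ASSET_INVENTORY, MONTHLY_REPORTS)):
        print(f"never scanned: {asset}")
```

Run against the constructed data, the script reports `db01` and `web01` carrying the same Critical/High findings for all three months, `dev-laptop01` for two, `fw01`'s High finding closed in March, and the two VM hosts never appearing in any export. The persistence run is computed as consecutive appearances ending at the newest report, so a finding that was fixed and then reintroduced does not accumulate a misleading count; and the closed-finding check is deliberately kept next to the coverage check, because a host silently dropped from scope produces the same "finding disappeared" signal as a real patch.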

