Isaca Certified in Risk and Information Systems Control CRISC Question # 46 Topic 5 Discussion

CRISC Exam Topic 5 Question 46 Discussion:

Question #: 46

Topic #: 5

A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Monitor the databases for abnormal activity

Approve exception to allow the software to continue operating

Require the software vendor to remediate the vulnerabilities

Accept the risk and let the vendor run the software as is

Get Premium CRISC Questions

Explanation

Cross-site scripting (XSS) and SQL injection are two common types of web application attacks that can compromise the confidentiality, integrity, and availability of data and systems. XSS allows an attacker to inject malicious code into a web page that is viewed by other users, while SQL injection allows an attacker to execute arbitrary commands on a database server by manipulating the input parameters of a web application. Both attacks can result in data theft, unauthorized access, defacement, denial of service, and more.

To mitigate these attacks, the best option is to require the software vendor to remediate the vulnerabilities by applying secure coding practices, such as input validation, output encoding, parameterized queries, and HTML sanitization. These techniques can prevent or limit the impact of XSS and SQL injection by ensuring that user input is not interpreted as code or commands by the web browser or the database server. The software vendor should also provide regular updates and patches to fix any known or newly discovered vulnerabilities.

The other options are not effective or acceptable ways to mitigate these attacks. Monitoring the databases for abnormal activity can help detect and respond to SQL injection attacks, but it does not prevent them from happening or address the root cause of the vulnerability. Approving an exception to allow the software to continue operating can expose the organization to unnecessary risks and liabilities, as well as violate compliance requirements and standards. Accepting the risk and letting the vendor run the software as is can also have serious consequences for the organization, as it implies that the potential impact and likelihood of the attacks are low or acceptable, which may not be the case. References =

IT Risk Resources | ISACA

CRISC Certification | Certified in Risk and Information Systems Control | ISACA

Cross Site Scripting Prevention Cheat Sheet - OWASP

A novel technique to prevent SQL injection and cross-site scripting attacks using Knuth-Morris-Pratt string match algorithm | EURASIP Journal on Information Security | Full Text

Difference Between XSS and SQL Injection - GeeksforGeeks

Actual exam question for Isaca CRISC exam by Kairo83709 at Aug 3, 2025, 8:50:44 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 46 Topic 5 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 46 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 46 Topic 5 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 46 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval