You conducted vulnerability scanning against a website and identified a SQL injection defect. Which of the following actions should you take first? (Wentz QOTD)
A. Validate inputs at both the client and server-side.
B. Use parameterized SQL queries at the server-side
C. Evaluate the risk exposure
D. Submit a change request to fix the defect

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Evaluate the risk exposure.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Vulnerability is one of the risk factors, the uncertainty part. SQL injection is a common vulnerability in a system that employs SQL databases. Input validation and parameterized SQL queries are technical security controls used to mitigate risk.

Before we submit a change request to fix the SQL injection, we have to analyze and evaluate the risk to determine appropriate risk treatment.

Reference

---

您對網站進行了漏洞掃描並發現了 SQL 注入缺陷。您應該首先採取以下哪些行動？ (Wentz QOTD)
A. 在 Clint 和服務器端驗證輸入。
B.在服務器端使用參數化的SQL查詢
C. 評估風險敞口
D. 提交更改請求以修復缺陷