Vulnerability scan
Automated scan to detect security weaknesses
Application security
Protecting applications from vulnerabilities
Dynamic analysis
Testing code while the app runs
Package monitoring
Tracking software packages for security issues
Threat feed
Source of current threat intelligence
Open-source intelligence (OSINT)
Public info used for intelligence
Proprietary/third-party
Threat data from private organizations
Information-sharing organization
Group sharing security threat data
Dark web
Hidden internet used for anonymous activity
Penetration testing
Simulated attack to find vulnerabilities
Bug bounty program
Rewards for reporting security flaws
System/process audit
Security review of systems or processes
Confirmation
Verifying a vulnerability exists
False positive
Alert for a vulnerability that is not real
False negative
Missed vulnerability during detection
Prioritize
Rank vulnerabilities by risk
Common Vulnerability Scoring System (CVSS)
Standard rating for vulnerability severity
Common Vulnerability Enumeration (CVE)
Unique ID for known vulnerabilities
Vulnerability classification
Categorizing types of vulnerabilities
Exposure factor
Amount of damage a vulnerability may cause
Environmental variables
Environmental factors affecting risk
Industry/organizational impact
Effect of vulnerability on the organization
Risk tolerance
Level of risk an organization accepts
Patching
Applying updates to fix vulnerabilities
Insurance
Financial protection against security incidents
Segmentation
Dividing networks to limit threats
Compensating controls
Alternative controls reducing risk
Exceptions and exemptions
Approved cases where controls are bypassed
Rescanning
Scanning again after fixes
Audit
Review to confirm compliance
Verification
Confirming remediation worked