Welcome to today’s practice test!

Today, we’re focusing on Domain 4.3: Explain various activities associated with vulnerability management.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security analyst runs a vulnerability scan on a production web server and detects a SQL injection vulnerability. Which of the following should the analyst do first?


#2. A system reports a CVSS score of 9.8 for a newly discovered vulnerability. What does this score indicate?


#3. A company participates in a responsible disclosure program. What is the main purpose of this activity?


#4. Which of the following best helps reduce false positives in vulnerability management?


#5. A security administrator wants to assess third-party software libraries for known vulnerabilities. What should they implement?


#6. A company uses OSINT for threat intelligence. What is a potential benefit?


#7. A vulnerability scanner has returned several findings. What step comes next in the vulnerability management process?


#8. An organization uses penetration tests to identify vulnerabilities. What distinguishes this from automated vulnerability scans?


#9. Which metric would a risk manager use to estimate financial impact from a vulnerability?


#10. What is a key difference between a false positive and a false negative in vulnerability analysis?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To view CompTIA Security+ practice tests on other days, click here. To view answers and explanations for today’s questions, expand the Answers accordion below.

Answers

Answer key (question number, correct answer, explanation):

#1. Answer: C
Verification ensures it’s not a false positive before taking action.
A web application firewall can be implemented as a preventive and detective control later.
It’s inappropriate to patch the underlying operating system or disable the database service without confirmation.

#2. Answer: C
CVSS (Common Vulnerability Scoring System) scores range from 0 to 10. A score of 9.8 is considered critical. It also implies high exploitability and impact, not low.
CVSS does not evaluate the validity or accuracy of a vulnerability report, nor whether specific action has been taken. Hence, the statements “The vulnerability is likely a false positive” and “The vulnerability has already been mitigated” are purely speculative.

#3. Answer: C
Responsible disclosure gives a structured way to report vulnerabilities.
Publicly releasing zero-day vulnerabilities is unethical. B and D are unrelated to the intent of disclosure programs.

#4. Answer: A
Proper tuning and validation reduce false positives.
Increasing scan frequency and enabling all available scanning plugins may cause more noise.
Disabling heuristic detection might reduce detection accuracy.

#5. Answer: B
An SBOM scan analyzes a software’s SBOM (Software Bill of Materials) against vulnerability databases to find known security issues.
Static code analysis primarily scans your own custom code for vulnerabilities, not pre-compiled third-party libraries.
Dynamic testing executes your own application to find vulnerabilities during runtime, not specifically known issues within third-party libraries themselves. Input validation is a security control to prevent injection attacks and other input-related flaws, but it doesn’t directly assess third-party libraries for their known vulnerabilities.

#6. Answer: B
OSINT (Open-Source Intelligence) helps identify emerging threats using publicly available sources.
It’s generally low-cost (often free) as it uses public sources. However, its reliability can vary and requires careful validation.
It explicitly deals with open-source (publicly available) information, not classified or secret government data.
OSINT is about intelligence gathering (identifying threats). It has nothing to do with automatically fixing vulnerabilities.

#7. Answer: D
Vulnerability scanners, while powerful and fast, are not perfect. They can produce false positives and false negatives. Hence, their findings must be validated and assessed for accuracy and severity before proceeding with next steps.

#8. Answer: A
Penetration testing verifies exploitability, unlike automated vulnerability scans.
A and D are unrelated. C is false. Like vulnerability scans, pentesting includes reports.

#9. Answer: C
Exposure factor estimates potential loss as a percentage of the asset’s value.
CVSS and CVE assess severity, not financial impact. OSINT is irrelevant in this context.

#10. Answer: B
A false negative is a missed actual vulnerability. Hence, it’s dangerous.
A and D are incorrect. C mischaracterizes false positives.
