Why is context (internet exposure, sensitive data, privileges) key to vulnerability prioritisation? [Basic]
Answer
Context is key because vulnerability severity alone does not show whether an attacker can reach the asset or whether compromise would matter. Internet exposure, sensitive data access, and privileges determine likelihood and impact in the real environment.
Technical explanation
Internet exposure increases likelihood because attackers can reach the vulnerable surface directly.
Sensitive data increases business impact because compromise may lead to disclosure or regulatory consequences.
Privileges increase blast radius because the attacker may move laterally, access secrets, or modify cloud resources.
Hands-on example
Example: CVE-A has CVSS 9.8 but exists only in a stopped dev VM. CVE-B has CVSS 7.5 but is on an internet-facing API with admin IAM permissions and access to customer data. CVE-B may be the higher operational priority.
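To make the comparison above concrete, here is an added example (not from the original page) that scores a finding by CVSS scaled with the three context factors the answer names. The weights, the Finding fields, and the "stopped means practically unreachable" rule are assumptions chosen for illustration, not an established scoring standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS base score, 0.0-10.0
    internet_exposed: bool    # vulnerable surface reachable from the public internet
    running: bool             # asset is powered on and serving traffic
    sensitive_data: bool      # asset can read customer or regulated data
    admin_privileges: bool    # workload identity holds admin-level IAM permissions


# Assumed, illustrative weights: exposure and running state drive likelihood,
# data access and privileges drive impact (blast radius).
LIKELIHOOD = {"exposed": 1.0, "internal": 0.4, "unreachable": 0.05}
IMPACT_SENSITIVE_DATA = 1.5
IMPACT_ADMIN_PRIVS = 1.5


def likelihood(f: Finding) -> float:
    # A stopped asset is not reachable today, so it drops to the floor value;
    # it should be re-scored (and patched) before it is started again.
    if not f.running:
        return LIKELIHOOD["unreachable"]
    return LIKELIHOOD["exposed"] if f.internet_exposed else LIKELIHOOD["internal"]


def impact(f: Finding) -> float:
    multiplier = 1.0
    if f.sensitive_data:
        multiplier *= IMPACT_SENSITIVE_DATA
    if f.admin_privileges:
        multiplier *= IMPACT_ADMIN_PRIVS
    return multiplier


def contextual_priority(f: Finding) -> float:
    # Severity (CVSS) scaled by environment-specific likelihood and impact.
    return f.cvss * likelihood(f) * impact(f)


def rank(findings: list[Finding]) -> list[tuple[str, float]]:
    # Highest operational priority first.
    ordered = sorted(findings, key=contextual_priority, reverse=True)
    return [(f.cve, round(contextual_priority(f), 2)) for f in ordered]


# Constructed findings mirroring the page's CVE-A / CVE-B scenario.
CVE_A = Finding("CVE-A", 9.8, internet_exposed=False, running=False,
                sensitive_data=False, admin_privileges=False)
CVE_B = Finding("CVE-B", 7.5, internet_exposed=True, running=True,
                sensitive_data=True, admin_privileges=True)
```

Running `rank([CVE_A, CVE_B])` places CVE-B first despite its lower CVSS, which is the point the answer makes.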