Q: 20
Which of the following is a security weakness in the evaluation of Common Criteria (CC) products?
Options
Discussion
C or D, since both look like issues but I think C is more about test validity than a real weakness. If the question asked for the biggest operational gap instead of security weakness, would D fit better?
A, manufacturer picking config is a well-known weakness. Saw similar in practice exams and the official guide calls it out directly.
A, had something like this in a mock. Manufacturer picking the config is the real security weakness here.
Not D, A makes the most sense. The manufacturer defining the evaluated config means real-world deployments might have untested vulnerabilities. Official study guide mentions this as a limitation. Pretty sure that's what they're looking for here.
Honestly, D looks right to me since expensive and slow evaluations could delay security updates or fixes from being properly assessed. I get why A is picked, but process delays are a real weakness too imo. Maybe missing something?
Looks like D could count if they're talking about practical weaknesses, since high cost/time might mean gaps in updates or coverage.