Identify Vulnerabilities for Security+ (SY0-701)
Understand application, hardware, mobile, virtualization, operating system, cloud, web, and supply-chain vulnerabilities for Security+.
A vulnerability is the weakness that makes the attack path work. Security+ expects you to identify the category of weakness and the layer where it lives. That matters because the best mitigation depends on whether the problem is a web input-validation flaw, a mobile-device posture issue, a cloud misconfiguration, or a hypervisor escape risk.
SSRF: Server-side request forgery, a web flaw where the application is tricked into making requests the attacker should not control.
XSS: Cross-site scripting, where attacker-controlled script runs in another user’s browser through the vulnerable application.
Hypervisor: The software layer that hosts and isolates virtual machines.
What the exam is really testing
CompTIA is usually checking whether you can:
- identify the weakness, not just the compromise story around it
- separate vector, vulnerability, and malicious activity cleanly
- recognize when the issue is design or configuration rather than patch level alone
Vulnerability families CompTIA emphasizes
| Category | Typical examples |
|---|---|
| Application | insecure deserialization, injection, broken access control |
| Hardware | firmware flaws, insecure peripherals, hardware tokens mishandled |
| Mobile | sideloading, jailbreaking, weak screen lock, lost device exposure |
| Virtualization | VM escape, snapshot misuse, weak hypervisor isolation |
| Operating system | unpatched kernel, insecure services, weak local configuration |
| Cloud-specific | over-permissive roles, exposed storage, insecure metadata access |
| Web-based | XSS, SQLi, CSRF, SSRF, path traversal |
| Supply chain | poisoned libraries, malicious updates, weak vendor build security |
Vulnerability chooser
| Scenario clue | Strongest vulnerability direction |
|---|---|
| user is tricked by delivery path, then executes a macro | insecure macro execution or weak application controls |
| public storage is reachable broadly | misconfigured access policy or cloud exposure |
| attacker abuses server-side requests to reach internal targets | web application weakness such as SSRF |
| mobile user bypasses platform restrictions | reduced platform trust or mobile hardening gap |
| guest escapes one tenant boundary into another | virtualization or hypervisor isolation weakness |
The question you should ask first
When Security+ describes a compromise, ask: what weakness made this possible? The answer is often narrower than the story.
- a phishing email is the vector, but macro execution or credential reuse may be the vulnerability
- public storage is the exposure, but misconfigured access policy is the vulnerability
- a rogue package is the delivery path, but unverified dependencies and weak software supply controls are the vulnerability
Weakness categories that are often misread
- a public admin portal is often an attack surface problem
- poor MFA adoption is often an identity-control weakness
- secrets in code are often an application or cloud configuration weakness
- unsupported firmware may be a hardware or platform vulnerability
Cloud misconfiguration is a recurring pattern
Security+ now expects baseline cloud literacy. Many cloud weaknesses are not exotic technical bugs:
- storage buckets or blobs exposed publicly
- overly broad IAM roles
- unused keys left active
- security groups or firewall rules too open
- secrets placed in source code or images
Those are all vulnerabilities even if the cloud provider infrastructure itself is sound.
Small cloud-risk example
1resource: object-storage-bucket
2issue: public_read_enabled
3owner: analytics-team
4risk: external_data_exposure
What to notice:
- the vulnerability is the misconfiguration
- the bucket is the asset
- the exposure is the consequence, not the weakness itself
Common traps
- treating every weakness as a patching issue when the real problem is bad design or misconfiguration
- confusing the exploit with the vulnerability
- thinking mobile and virtualization topics are fringe details rather than tested categories
- describing the visible symptom instead of the enabling weakness
What strong answers usually do
- identify the weakness at the correct layer before naming a mitigation
- distinguish the delivery path from the underlying exposure or misconfiguration
- recognize when the real problem is trust, access, or secret handling rather than just missing patches
- treat cloud, mobile, virtualization, and web categories as first-class Security+ topics instead of side details
Harder scenario question
A developer accidentally stores cloud API secrets in a public code repository. Attackers later use those secrets to access storage and create new compute resources. Which statement is strongest?
A. The main vulnerability is a cold-site failure B. The main vulnerability is exposed secret handling and insecure configuration, not the eventual compute creation itself C. The main issue is only password length D. The only weakness is the attacker’s IP address
Best answer: B. Security+ expects you to identify the enabling weakness, which is exposed secret storage and insecure handling, not just the later attacker activity.
Quiz
Continue with 2.4 Malicious Activity to connect the weakness to the kind of attack behavior CompTIA expects you to recognize.