It's A and B.
"Taint sources are locations in the program where data is being read from a potentially risky source, and include things like environment variables, data, files, file metadata"
This is something that we look at during static code analysis along with proper coding style and standards.
A and B are correct.
Static code analysis complements dynamic testing to provide additional advantages:
- Error detection: Static code analysis can identify hundreds of classes of bugs related to concurrency, tainted data, data flow, and static and dynamic memory. Some bugs are nearly impossible to detect with dynamic testing.
- Security vulnerabilities detection: Static code analysis can detect common vulnerabilities, such as those identified by OWASP, in the code and imported libraries.
- Low cost: Static code analysis may be easily automated without the overhead of writing test cases, instrumenting the code, and program execution.
- Coding standards compliance: Static analysis tools can analyze source syntax and enforce coding standards.
- Better source code: Static code analysis tools can identify unused code.
Source: Cisco DEVCOR 350-901 Study Guide
For me, B is one of the answers, but it's a tough choice between A and D.
Tainted data where input is not checked is not being tested by unit testing and therefore is a benefit of SCA. On the other hand, race conditions are also possible to check on SCA.
It's very difficult to determine race conditions by just watching the code.
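An added illustration of the tainted-data detection discussed in this thread (not part of any comment above and not from the Cisco study guide): a minimal static taint check in Python that parses a program without running it and reports where data read from a taint source reaches a sink unchecked. The source, sink and sanitizer lists and the sample program are assumptions constructed for this example.

```python
import ast

# Illustrative lists (assumptions for this example); real tools ship far larger catalogues.
SOURCES = {"input", "open", "sys.argv", "os.getenv", "os.environ", "os.environ.get"}
SINKS = {"os.system", "subprocess.run", "subprocess.call", "eval", "exec"}
SANITIZERS = {"shlex.quote"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def is_tainted(node, tainted):
    """True if the expression reads a taint source or a tainted variable."""
    if isinstance(node, ast.Call) and dotted(node.func) in SANITIZERS:
        return False  # sanitized value: taint does not propagate
    if isinstance(node, ast.Name) and node.id in tainted:
        return True
    if isinstance(node, (ast.Name, ast.Attribute)) and dotted(node) in SOURCES:
        return True
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def find_taint_flows(code):
    """Return [(line, sink)]; simplification: top-level statements, in source order."""
    tainted, findings = set(), []
    for stmt in ast.parse(code).body:
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            args = call.args + [k.value for k in call.keywords]
            if dotted(call.func) in SINKS and any(is_tainted(a, tainted) for a in args):
                findings.append((call.lineno, dotted(call.func)))
        if isinstance(stmt, ast.Assign):  # update taint state after checking sinks
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
    return findings

# Constructed sample program: analysed as text, never executed.
SAMPLE = '''import os, shlex, subprocess
host = os.environ.get("TARGET_HOST")
cmd = "ping -c 1 " + host
os.system(cmd)
subprocess.run("ping -c 1 " + shlex.quote(host), shell=True)
cmd = "uptime"
os.system(cmd)
'''
if __name__ == "__main__":
    print(find_taint_flows(SAMPLE))
```

Only the first `os.system` call is reported: the `subprocess.run` argument passes through the sanitizer, and the second `os.system` runs after `cmd` has been overwritten with a constant.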