
Exam CAS-004 topic 1 question 219 discussion

Actual exam question from CompTIA's CAS-004
Question #: 219
Topic #: 1

An organization is establishing a new software assurance program to vet applications before they are introduced into the production environment. Unfortunately, many of the applications are provided only as compiled binaries. Which of the following should the organization use to analyze these applications? (Choose two.)

  • A. Regression testing
  • B. SAST
  • C. Third-party dependency management
  • D. IDE SAST
  • E. Fuzz testing
  • F. IAST
Suggested Answer: EF

Comments

grelaman
8 months ago
Selected Answer: BE
Why not IAST? Because you need access to the original code to integrate it with special libraries and agents to make it work. So, if you have the compiled binaries, it won't work. SAST can be used with compiled binaries.
upvoted 2 times
Anarckii
1 year, 6 months ago
Selected Answer: EF
E. Fuzz testing: Fuzz testing involves providing unexpected or random inputs to compiled binaries to discover vulnerabilities or unexpected behaviors.
F. IAST (Interactive Application Security Testing): IAST involves testing an application during runtime, and it can be effective in analyzing the behavior of compiled binaries in real-world scenarios.
upvoted 1 times
Anarckii
1 year, 6 months ago
Changing to BE
upvoted 3 times
32d799a
1 year, 8 months ago
Selected Answer: BE
Considering the limitations and needs of analyzing compiled binaries, the most appropriate choices from the given list are:
B. SAST (with the understanding it would be used on binary code)
E. Fuzz testing
upvoted 2 times
Ariel235788
1 year, 8 months ago
Selected Answer: BF
To analyze compiled binaries of applications for software assurance, the organization should consider the following approaches:

B. SAST (Static Application Security Testing): SAST analyzes the application's source code or binary code without executing it. While it's more commonly used with source code, some SAST tools support binary analysis. SAST can identify potential security vulnerabilities and coding issues within the application, making it a valuable tool for vetting applications for security concerns.

F. IAST (Interactive Application Security Testing): IAST tools, sometimes known as hybrid analysis tools, combine elements of both SAST and DAST (Dynamic Application Security Testing). They can analyze running applications (including compiled binaries) to identify security vulnerabilities in real time. IAST tools can provide insights into the application's behavior during runtime and help pinpoint vulnerabilities within the binaries.
upvoted 4 times
nuel_12
1 year, 7 months ago
If you look at your explanation, IAST is hybrid, so why would you choose SAST when IAST can perform both functions? The best choice of answer for binary code is EF, fuzz test and IAST.
upvoted 2 times
BiteSize
1 year, 11 months ago
Selected Answer: EF
"Code has been compiled already into an application"
Fuzz Testing - messing with the application by sending unexpected inputs of data to see the behavior.
Interactive Application Security Testing (IAST) - monitors the behavior of the program as it runs. A malware sandbox does this as well.
Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 4 times
javier051977
2 years, 2 months ago
Selected Answer: EF
IAST (Interactive Application Security Testing): IAST can be used to analyze the behavior of the running application to identify vulnerabilities, even if the application is provided only as compiled binaries. This can be done by instrumenting the application and monitoring its behavior at runtime, which can help identify potential security issues.

Fuzz testing: Fuzz testing is a technique that involves sending large volumes of malformed or unexpected data to an application to see how it responds. This can help identify potential vulnerabilities and weaknesses in the application, even if the source code is not available. By sending a variety of inputs to the compiled binary, fuzz testing can help identify unexpected behaviors and crashes that may be indicative of security issues.
upvoted 3 times
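A runnable illustration of the fuzz-testing approach the comments above describe, added here as an example (it is not from the exam, the site, or any commenter). The helper names are this example's own; `binary_crashes` is the adapter you would point at a real stdin-reading executable, while `fragile_parser_crashes` is a constructed in-process stand-in for a compiled binary so the harness runs offline.

```python
import random
import subprocess

# Helper names below are this example's own (hypothetical), not from any tool named on the page.
def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, insert, or delete a single byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(crashes, seed_input: bytes, iterations: int, seed: int = 0) -> "bytes | None":
    """Mutate a known-good input repeatedly; return the first input that crashes the target."""
    rng = random.Random(seed)  # fixed seed keeps a run reproducible
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        if crashes(candidate):
            return candidate
    return None

def binary_crashes(path: str, data: bytes, timeout: float = 2.0) -> bool:
    """Adapter for a real stdin-reading binary: a negative return code on POSIX means
    the process was killed by a signal (e.g. SIGSEGV), which is what we count as a crash."""
    try:
        proc = subprocess.run([path], input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False  # a hang is a separate finding; a real harness would record it
    return proc.returncode < 0

def fragile_parser_crashes(data: bytes) -> bool:
    """Constructed in-process stand-in for a compiled binary: a length-prefixed record
    parser that trusts the declared length; an out-of-range read plays the role of a crash."""
    if not data:
        return False
    declared = data[0]
    try:
        for i in range(declared):
            _ = data[1 + i]  # reads past the buffer when declared > len(payload)
    except IndexError:
        return True
    return False

if __name__ == "__main__":
    print("crashing input:", fuzz(fragile_parser_crashes, b"\x04ABCD", 200))  # constructed seed: len 4 + 4 bytes
```

No source is needed at any point: the harness only observes how the target reacts to mutated inputs, which is why this technique fits binaries-only vetting.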
Geofab
2 years, 2 months ago
Selected Answer: EF
E and F are correct, as they are for testing software that is executing.
upvoted 2 times
Amin4799
2 years, 2 months ago
Selected Answer: BF
I go with B, F.
upvoted 3 times
smqzbq
2 years, 3 months ago
Selected Answer: E
I'll go with EF.
upvoted 3 times
smqzbq
2 years, 3 months ago
Guys, I wonder how you can do any dependency management if you get binaries, since you don't really know what, or which version, is underneath, or what dependencies other dependencies depend on ;)
upvoted 1 times
professorx123
2 years, 3 months ago
The key word here is "compiled binaries": E and F.
upvoted 2 times
Broesweelies
2 years, 3 months ago
Selected Answer: EF
E and F.
upvoted 4 times