Exam CAS-004 topic 1 question 251 discussion

This one took some thought, but then it became clear. The only problem stated in the question was the plain text passwords in code. So how do you remove passwords from APIs? API Keys to replace the passwords! A and C are the only options that make sense and they both can be applied at the same time. B. This may help us detect misuse, but why wait for an issue to happen when you can mitigate the risk with API keys? D. This one is just irrelevant. E. This answer would be perfect if it said SAST or IAST instead of DAST. DAST's don't scan source code. F. MFA only secures the computers, the clear text passwords are within an API so they are still going across the network.

The company can address the finding by choosing the following two options: A. Implement complex, key-length API key management. API key management involves generating, distributing, and revoking API keys. By implementing complex, key-length API key management, the company can ensure that only authorized entities have access to the APIs. This can help prevent unauthorized access and reduce the risk of sensitive information, such as passwords, being embedded in the code. E. Incorporate a DAST (Dynamic Application Security Testing) into the DevSecOps process to identify the exposure of secrets. DAST is a testing process that involves inspecting an application in its running state for security vulnerabilities. By incorporating DAST into the DevSecOps process, the company can identify instances where secrets, such as passwords, are being exposed in the code. This can help the company address these issues before the application is deployed.

The correct answers are C and E from my point of view. Explanation: C. Implement time-based API key management – This helps limit the lifetime of exposed keys. If a key is accidentally embedded or leaked, it won’t remain valid indefinitely, reducing risk. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets – Dynamic Application Security Testing (DAST) tools can help identify security vulnerabilities, including secrets (like passwords or API keys) exposed in application code during runtime, which addresses the core problem mentioned (embedded unencrypted passwords)

Simply put, DAST is the wrong technology for the purposes of identifying secrets in code. SAST is more ideal.

DAST cannot directly scan source code to identify hardcoded secrets. This is beyond its scope as it analyzes the application as a black-box system. It is better at detecting the symptoms of embedded secrets (e.g., weak or static authentication) rather than the root cause. For direct detection of embedded keys or passwords, a Static Application Security Testing (SAST) tool is more appropriate.

A. Implement complex, key-length API key management. API keys are often used for authentication in APIs. By managing API keys securely (e.g., using complex, long keys), the company can reduce the risk of exposed secrets. This could include implementing key rotation, encryption, and storing keys in secure vaults rather than hardcoding them in source code. Properly managing API keys can prevent attackers from easily accessing sensitive systems in case a key is compromised. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets. Dynamic Application Security Testing (DAST) tools can automatically scan running applications and APIs for vulnerabilities, including exposed secrets (like passwords). This would allow the company to identify unencrypted passwords in the code during development or testing before the application is deployed to production. DAST tools can be integrated into the DevSecOps process to continuously monitor for such security issues.

A. Implement complex, key-length API key management: This ensures that API keys are strong and secure, making it harder for attackers to guess or brute-force them. Complex and sufficiently long keys reduce the risk of unauthorized access. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) tools can scan running applications to detect vulnerabilities, including the exposure of sensitive information such as unencrypted passwords. Integrating DAST into the DevSecOps pipeline helps in identifying and addressing these security issues early in the development process.

I believe C & E are the best answers for these reasons: C. Implement time-based API key management: Time-based API key management involves issuing API keys that have a limited validity period. This approach reduces the risk associated with compromised or leaked keys because they automatically expire after a certain timeframe. It's a practical approach to mitigating the impact of potential exposure of API keys, including unencrypted passwords embedded in code. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) tools are crucial for identifying vulnerabilities in deployed applications and APIs. While they don't directly inspect source code, they perform black-box testing to simulate attacks and identify potential security weaknesses, including exposed secrets like unencrypted passwords in APIs.

MFA makes no sense here. It does nothing for hardcoded secrets in code.

Lol, I may not know everything but I know this question has NOTHING to do with MFA at all. "Developers are doing bad coding so... make sure they use authy to log into their laptop??? What???" E. DAST is what they're already doing--thats how they discovered the security issue. Keep doing it to make sure the developers don't do something else stupid. C. There's OBVIOUSLY no key management going on here. The Developers are just writing passwords into the source code, which will break the API when they keys change. In order to fix the problem, use a time-based key management strategy (sometimes called SECRET ROTATION if you're using SECRETS MANAGER). This will cause the keys to cycle every X amount of time, which means if the developers keep trying to hard code passwords, those passwords will require regular update in the source code, and before long they'll realize it's easier just to source the key directly from the secrets manager than to keep updating their source code. This solution forces the developers to do their job correctly, and is in alignment with industry best practices.

To address the finding of unencrypted passwords embedded in the code for API management, the company can take the following actions: Implement time-based API key management (Option C): Time-based API key management involves regularly rotating or changing the API keys, reducing the impact of compromise if keys are exposed. This is especially important if developers are embedding unencrypted passwords in the code. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets (Option E): Dynamic Application Security Testing (DAST) involves scanning applications during runtime to identify security vulnerabilities, including the exposure of secrets. By incorporating DAST into the DevSecOps process, the company can regularly scan the APIs for security issues, including the presence of unencrypted passwords. Options A, B, D, and F are not directly addressing the issue of unencrypted passwords in the code

after multiple run throughs and question, DAST would not be correct because Dynamic analysis and testing will not look at the source code for embedded information. So E is out of the question. In consideration we can look at the Application Programming Interface though and implement key management for passwords. This way there is encryption and integrity. B - Session logs wouldn't help the situation C - Key management is already being worked on why not enhance it even more since its resolving the current issues identified D - SOAP is just a joke in this situation E - already discussed F - Another great form of security but focuses on the workstation and not the application. If it directed towards MFA with the application it would be correct

I'm going with A and C. I don't see how the others are relevant to the question's specifics. DAST doesn't look at source code so you'd need SAST.

Based on the given scenario, the two BEST solutions to address the finding of unencrypted passwords embedded in code are: E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: Dynamic Application Security Testing (DAST) can help detect vulnerabilities in an application's API security, including issues with password management. By incorporating DAST into the DevSecOps process, the company can identify the exposure of secrets and other vulnerabilities early in the development cycle. F. Enforce MFA on the developers’ workstations and production systems: Multi-Factor Authentication (MFA) can help prevent unauthorized access to systems and applications. By enforcing MFA on the developers’ workstations and production systems, the company can reduce the risk of attackers gaining access to sensitive information and passwords.

E. Incorporate a DAST (Dynamic Application Security Testing) into the DevSecOps process to identify the exposure of secrets. This will help the company to identify the potential vulnerabilities in the API codes and take necessary measures to address them. F. Enforce MFA (Multi-Factor Authentication) on the developers’ workstations and production systems. This will ensure that the authentication process is more secure and reduce the chances of unencrypted passwords being embedded in the code.

for sure E is part of the answer (DAST). I think the next part of the answer is C because it would eliminate the need to hard code unencrypted passwords in code. maybe the devs are doing that because they have to in order for the API to work.

The options that can address the finding of unencrypted passwords in the code are: B. Implement user session logging: This option is useful for tracking the activities of users and developers. It can help identify which users are accessing the API and monitor their session activities. E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets: This option is useful for identifying potential security vulnerabilities in the API code. By using a dynamic application security testing (DAST) tool, developers can scan the API code to detect any exposed secrets or unencrypted passwords.