Exam CAS-004 topic 1 question 262 discussion

A. Perform supply chain analysis and require third-party suppliers to implement vulnerability management programs would be the best option to mitigate risks and prevent further issues like these from occurring. The developer did not write some of the code, and it is not tracked for licensing purposes. Hence, it is likely that the code was obtained from third-party suppliers. By performing a supply chain analysis and requiring third-party suppliers to implement vulnerability management programs, the developer can ensure that the code used in the product is secure and does not contain vulnerabilities that could be exploited by attackers. This approach will also help prevent further issues from occurring in the future.

B. Perform software composition analysis and remediate vulnerabilities found in the software. This solution directly addresses the core issue — vulnerabilities in code that the developer did not write — by identifying the third-party or open-source components in the software and checking for known vulnerabilities. SCA tools will help identify these vulnerabilities and suggest actions to mitigate them (such as updating or replacing insecure libraries), which aligns with the developer's need to manage and secure the software effectively.

I agree with B

Another vote for B

B. Perform software composition analysis and remediate vulnerabilities found in the software.

I think some key phrases in the question are "developer does not recognize some of the code.." and "not tracked for licensing.." to me this sounds like 3rd part software or open source libraries. also, the software developer should be looking at the source code so reverse engineering shouldn't be necessary. software composition analysis is the answer I believe.