
Exam CAS-004 topic 1 question 80 discussion

Actual exam question from CompTIA's CAS-004
Question #: 80
Topic #: 1

A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
  • Unauthorized insertions into application development environments
  • Authorized insiders making unauthorized changes to environment configurations
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.)

  • A. Perform static code analysis of committed code and generate summary reports.
  • B. Implement an XML gateway and monitor for policy violations.
  • C. Monitor dependency management tools and report on susceptible third-party libraries.
  • D. Install an IDS on the development subnet and passively monitor for vulnerable services.
  • E. Model user behavior and monitor for deviations from normal.
  • F. Continuously monitor code commits to repositories and generate summary logs.
Suggested Answer: EF

Comments

nelombg
Highly Voted 1 year, 2 months ago
E and F are the answers to this question.
upvoted 12 times
...
deeden
Most Recent 5 months, 3 weeks ago
Selected Answer: EF
E. Detects unauthorized insider actions, such as unauthorized changes to configurations, by identifying abnormal user behaviors in the development environment. F. Enables tracking of unauthorized insertions or changes in application development environments by creating logs of code commits and analyzing them for irregularities.
upvoted 3 times
deeden
5 months, 3 weeks ago
A. Detects vulnerabilities in committed code but does not directly address unauthorized insertions or insider threats.
upvoted 1 times
...
...
Bright07
6 months, 1 week ago
And EF. To effectively prioritize defenses against the specified attack scenarios, the following actions will enable the necessary data feeds to detect these types of attacks on development environments: E. Model user behavior and monitor for deviations from normal. This approach helps detect unauthorized changes made by authorized insiders by identifying any anomalous behavior that deviates from the established patterns of normal user activity. F. Continuously monitor code commits to repositories and generate summary logs. Monitoring code commits allows for the detection of unauthorized insertions and changes within the application development environment, as it provides visibility into who is making changes and what those changes entail.
upvoted 1 times
...
IT_Master_Tech
6 months, 2 weeks ago
ChatGPT goes with A and D.
upvoted 1 times
...
23169fd
9 months, 4 weeks ago
Selected Answer: EF
Option A (Static Code Analysis), while valuable for ensuring code security and quality, does not directly address the specific scenarios of unauthorized insertions and insider threats as effectively as Options E and F. Static code analysis focuses on code quality and vulnerability detection, not on monitoring and detecting unauthorized actions.
upvoted 2 times
...
EAlonso
10 months ago
E.F, after F comes A as next step.
upvoted 2 times
...
cyspec
10 months, 1 week ago
Selected Answer: EF
SAST addresses the issue of poorly written code, not maliciously written code.
upvoted 3 times
...
ToPH
11 months ago
Selected Answer: EF
E. Model user behavior and monitor for deviations from normal. This approach involves using User and Entity Behavior Analytics (UEBA) to establish a baseline of normal user behavior and detect deviations. By modeling user behavior, the SOC can identify unauthorized activities by insiders, such as unauthorized changes to environment configurations. F. Continuously monitor code commits to repositories and generate summary logs. Monitoring code commits to repositories helps detect unauthorized insertions and changes in the codebase. Generating summary logs of these commits allows the SOC to track and identify suspicious activities or unauthorized changes made by insiders.
upvoted 4 times
...
ra774ra7
1 year, 3 months ago
Selected Answer: EF
E. Model user behavior and monitor for deviations from normal. This option focuses on detecting anomalies in user behavior within the development environment. By establishing baselines for typical actions and access patterns, the system can flag unusual activity that might indicate unauthorized insertions or configuration changes. This includes monitoring access times, modifications made, files accessed, and commands executed. F. Continuously monitor code commits to repositories and generate summary logs. This option provides visibility into changes made to the codebase. Monitoring commits allows for early detection of suspicious insertions, backdoors, or other malicious code injected by attackers. Analyzing commit logs can also reveal patterns of unauthorized activity, even if the attacker tries to blend in with legitimate changes. A. Doesn't help because it doesn't directly address unauthorized insertions or configuration changes.
upvoted 4 times
...
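The two data feeds discussed in the comments above (a commit summary log and a per-user behavior baseline), sketched as an added example that is not part of any commenter's post. The record format, author names, paths and the two-hour tolerance are constructed for illustration.

```python
from collections import defaultdict

# Constructed commit summary records: (author, UTC hour, paths touched).
HISTORY = [
    ("alice", 10, ["src/thermostat.py"]),
    ("alice", 11, ["src/thermostat.py", "tests/test_thermostat.py"]),
    ("alice", 14, ["src/api.py"]),
    ("bob", 9, ["deploy/env/prod.yaml"]),
    ("bob", 15, ["deploy/env/staging.yaml"]),
]
NEW = [
    ("alice", 13, ["src/api.py"]),            # fits alice's baseline
    ("alice", 3, ["deploy/env/prod.yaml"]),   # odd hour and unfamiliar area
    ("mallory", 12, ["src/thermostat.py"]),   # author with no baseline at all
]

def area(path):
    """Top-level directory, a coarse 'which part of the repo' feature."""
    return path.split("/", 1)[0]

def build_baseline(history):
    """Per-author sets of commit hours and repo areas seen so far."""
    base = defaultdict(lambda: {"hours": set(), "areas": set()})
    for author, hour, paths in history:
        base[author]["hours"].add(hour)
        base[author]["areas"].update(area(p) for p in paths)
    return dict(base)

def deviations(commit, baseline, hour_slack=2):
    """Return the reasons a commit deviates from its author's baseline."""
    author, hour, paths = commit
    if author not in baseline:
        return ["unknown-author"]
    profile, reasons = baseline[author], []
    # Circular distance on a 24-hour clock to every previously seen hour.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack
           for h in profile["hours"]):
        reasons.append("unusual-hour")
    new_areas = sorted({area(p) for p in paths} - profile["areas"])
    reasons += [f"new-area:{a}" for a in new_areas]
    return reasons

def summarize(new, history):
    """Summary log: one entry per new commit with its deviation reasons."""
    baseline = build_baseline(history)
    return {(c[0], c[1]): deviations(c, baseline) for c in new}
```

An empty reason list means the commit matched the author's history; anything else is what a SOC would forward for review.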
talosDevbot
1 year, 3 months ago
Selected Answer: EF
F) will detect unauthorized insertion. E) will address the concern of insider threat. UEBA is commonly used to detect malicious activity from insiders. Note that the second attack scenario in the question is for unauthorized changes to *environmental configurations*. It does not state any changes to the code. The environmental configurations include things like server addresses, database connection strings, and API endpoints. So if you have UEBA implemented, usually on a SIEM, you can detect these unauthorized changes in configuration.
upvoted 3 times
...
BiteSize
1 year, 9 months ago
Selected Answer: AF
A = SAST, F = CONMON. Best choices for coding protections in a modern dev environment. If they have a CI/CD pipeline, I would also recommend a DAST. C is important but isn't as good. D doesn't have enough action to it; a passive IDS doesn't beat CONMON and analysis of code. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
upvoted 4 times
...
kycugu
2 years, 4 months ago
A. Perform static code analysis of committed code and generate summary reports. F. Continuously monitor code commits to repositories and generate summary logs. Performing static code analysis of committed code and continuously monitoring code commits to repositories can help detect unauthorized insertions into application development environments. Static code analysis is a technique that involves analyzing code without executing it to identify potential vulnerabilities, security flaws, or other issues. By performing static code analysis of committed code and generating summary reports, the home automation company can identify any code that does not meet its standards or that may be malicious.
upvoted 3 times
...
atebyasandwich
2 years, 4 months ago
Selected Answer: AF
It best meets the requirements of the question.
upvoted 3 times
...
dangerelchulo
2 years, 7 months ago
Selected Answer: AF
These are the best actions for internal code review and security.
upvoted 3 times
...
Agrona
2 years, 8 months ago
Selected Answer: AF
I like AF, as the concern is "insider". Static code reviews and submitted summary reports would be a good check against an insider threat. I thought IDS at first, but the concern isn't detecting an unusual presence or event at the transport layer, rather the integrity of the code.
upvoted 3 times
...
AlexJacobson
2 years, 9 months ago
Selected Answer: DF
Here's what I think: D - you want to prevent "unauthorized insertion into development environment", so you need to watch that network segment - IDS. F - you are monitoring commits done by authorized devs, making sure they don't abuse the access and do something bad in the code on purpose.
upvoted 3 times
AlexJacobson
2 years, 9 months ago
BTW, it can also be C and F. (C is basically saying that you are monitoring any changes with libraries and similar)
upvoted 1 times
...
BiteSize
1 year, 9 months ago
I would agree with D being an option, but it says passively monitor services. I don't like the word passively; it seems like making security an afterthought. If they said set up continuous monitoring (active monitoring), that would definitely be the answer.
upvoted 1 times
...
...
RevZig67
2 years, 11 months ago
Selected Answer: AF
I think A F.
upvoted 3 times
...