Exam CAS-004 topic 1 question 113 discussion

Choosing D here. The application was already in place (had a little oversight) and Dynamic analysis is the way to go against systems that are already operating.

Static for Source-Code. Seems like the best answer. Get to it before it is compiled.

Due to the software is already in place and had a little oversight, the best place where to start is a Software composition analysis.

Agree with A. In a startup environment with little prior oversight, there is a high likelihood of the use of third-party libraries and open-source software. Software composition analysis (SCA) is the best initial step to identify vulnerabilities, outdated dependencies, and licensing issues in third-party components. This method is particularly critical in such environments to quickly gain visibility into the security posture of existing software and mitigate risks.

Static analysis involves examining the code without executing it. This type of analysis can identify vulnerabilities, coding errors, and security flaws early in the development process.

Keyword is startup. A good place to start is SAST which is easily enabled on GitLab.

Here's why SCA is the most suitable choice for this scenario: Limited Existing Security: In an environment with minimal security practices, there's a high chance that third-party libraries and components might have unknown vulnerabilities. SCA can identify these potential risks without requiring deep code review of the entire codebase. Focus on Open Source: Startups often leverage open-source libraries to accelerate development. SCA is particularly valuable for identifying vulnerabilities within these open-source components.

Choosing D here because a SCA in this contect (an environment that previously had little oversight) could be almost useless. a Static Analysis could spit out tens of thousands of findings that need to be parsed through an evaluated (I've used Fortify SCA tool, it reports a LOT of findings, many false). If the environment had little oversight, you could be looking at bad libraries, poor code, unsecure methods and objects--just a MESS, and you can't do anything about it immediately. With a DAST solution however, you'll get a list of actual vulnerabilities related to the software while it's running, and there will be no false negatives. This is a horribly worded question, though.

Ideally, both SAST and DAST should be utilized. But if the question is only asking for one answer, it should be static analysis. Static analysis is commonly used to catch vulnerabilities early on and provides more oversight along the development cycle. If you utilize Dynamic analysis, you would have to write the source code, compile it, and run the program for the testing to occur. This provides more oversight only towards the later cycles of the development cycle

"in an environment that previously had little oversight" you are going to want to do a thorough analysis on the environment through the use of static analysis. Dynamic may miss important stuff that could not be caught

C is the answer because you are coming into an environment with previous little oversight and static analysis is used to establish a new baseline that CAN be trusted, THEN dynamic analysis will be used. It's a poorly made question but static is the most correct answer in this context.

Going with C. With an environment that had very little oversight, I'd prefer static at least before dynamic analysis if neither were present, assuming dynamic would follow suite. Source code being more important.

Static Analysis provides the most value and should be the first thing out of these options. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

I checked this question with 3 different AIs. As a startup company previously had little oversight, implementing static analysis can help identify and remediate security issues before they become a part of the final product.

Static analysis will be more thorough and uncover more issues. Dynamic would be good as well but static will provide more value.

I am choosing D. due to the fact that the software is already developed and running.

Static analysis is the best method to utilize in this situation, as it involves analyzing the source code of the application without actually executing it.