CompTIA CAS-004 Exam Practice Test Instant Access

Question 1

A security engineer receives reports through the organization's bug bounty program about remote code execution in a specific component in a custom application. Management wants to properly secure the component and proactively avoid similar issues. Which of the following is the best approach to uncover additional vulnerable paths in the application?

AImplement fuzz testing focused on the component and inputs uncovered by the bug bounty program.

BLeverage a software composition analysis tool to find all known vulnerabilities in dependencies.

CUse a vulnerability scanner to perform multiple types of network scans to look for vulnerabilities.

DUtilize a network traffic analyzer to find malicious packet combinations that lead to remote code execution.

ERun an exploit framework with all payloads against the application to see if it is able to gain access.

Answer : A

Fuzz testing identifies vulnerabilities by providing unexpected or random input to the application, exposing edge cases and additional attack vectors. This aligns with CASP+ objective 1.5, emphasizing proactive vulnerability discovery techniques in application security.

Question 2

A company has data it would like to aggregate from its PLCs for data visualization and predictive maintenance purposes. Which of the following is the most likely destination for the tag data from the PLCs?

AExternal drive

BCloud storage

CSystem aggregator

DLocal historian

Answer : D

Question 3

After establishing coding standards and integrating software assurance tools into CI/CD pipelines, an architect continues to find too many different coding styles throughout the team. Which of the following additional measures can the architect take to help improve consistency?

AEstablish a chain of custody to govern code quality.

BCreate and proliferate framework code.

CRequire two-person integrity for code commits.

DEnhance the monitoring of code coverage for unit testing.

Answer : B

Framework codeprovides a standardized structure and set of conventions that all team members can follow, ensuring consistency in coding styles across the development team.

Option A (Chain of custody): This relates to tracking and managing code changes for accountability, not standardizing coding styles.

Option C (Two-person integrity): Ensures review and approval for code changes but does not enforce uniform coding styles.

Option D (Code coverage for unit testing): Focuses on test quality rather than addressing inconsistent coding styles.

CompTIA CASP+ Exam Objective 3.3: Apply software development security best practices.

CASP+ Study Guide, 5th Edition, Chapter 8, Secure Software Development.

Question 4

An organization is in frequent litigation and has a large number of legal holds. Which of the following types of functionality should the organization's new email system provide?

ADLP

BEncryption

CE-discovery

DPrivacy-level agreements

Answer : C

The organization's new email system should provide e-discovery functionality. E-discovery stands for electronic discovery, which is the process of identifying, preserving, collecting, processing, reviewing, analyzing, and producing electronically stored information (ESI) that is relevant to a legal matter. E-discovery can help the organization comply with legal holds, which are orders or notices to preserve relevant ESI when litigation is anticipated or ongoing. E-discovery can also help the organization reduce the costs and risks of litigation, as well as improve the efficiency and accuracy of the discovery process. Verified Reference:

https://www.techtarget.com/searchsecurity/definition/electronic-discovery

https://www.techtarget.com/searchsecurity/definition/legal-hold

https://www.ibm.com/topics/electronic-discovery

Question 5

A software company wants to build a platform by integrating with another company's established product. Which of the following provisions would be MOST important to include when drafting an agreement between the two companies?

AData sovereignty

BShared responsibility

CSource code escrow

DSafe harbor considerations

Answer : B

When drafting an agreement between two companies, it is important to clearly define the responsibilities of each party. This is particularly relevant when a software company is looking to integrate with an established product. A shared responsibility agreement ensures that both parties understand their respective responsibilities and are able to work together efficiently and effectively. For example, the software company might be responsible for integrating the product and ensuring it meets user needs, while the established product provider might be responsible for providing ongoing support and maintenance. By outlining these responsibilities in the agreement, both parties can ensure that the platform is built and maintained successfully. Reference: CompTIA Advanced Security Practitioner (CASP+) Study Guide, Chapter 8, Working with Third Parties.

Question 6

A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer's laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy.

Which of the following solutions should the security architect recommend?

AReplace the current antivirus with an EDR solution.

BRemove the web proxy and install a UTM appliance.

CImplement a deny list feature on the endpoints.

DAdd a firewall module on the current antivirus solution.

Answer : A

Replacing the current antivirus with an EDR (endpoint detection and response) solution is the best solution for addressing several service outages on the endpoints due to new malware. An EDR solution is a technology that provides advanced capabilities for detecting, analyzing, and responding to threats or incidents on endpoints, such as computers, laptops, mobile devices, or servers. An EDR solution can use behavioral analysis, machine learning, threat intelligence, or other methods to identify new or unknown malware that may evade traditional antivirus solutions. An EDR solution can also provide automated or manual remediation actions, such as isolating, blocking, or removing malware from endpoints. Removing the web proxy and installing a UTM (unified threat management) appliance is not a good solution for addressing service outages on endpoints due to new malware, as it could expose endpoints to more threats or attacks by removing a layer of protection that filters web traffic, as well as not provide sufficient detection or response capabilities for endpoint-specific malware. Implementing a deny list feature on endpoints is not a good solution for addressing service outages on endpoints due to new malware, as it could be ineffective or impractical for blocking new or unknown malware that may not be on the deny list, as well as not provide sufficient detection or response capabilities for endpoint-specific malware. Adding a firewall module on the current antivirus solution is not a good solution for addressing service outages on endpoints due to new malware, as it could introduce compatibility or performance issues for endpoints by adding an additional feature that may not be integrated or optimized with the antivirus solution, as well as not provide sufficient detection or response capabilities for endpoint-specific malware. Verified Reference: https://www.comptia.org/blog/what-is-edr https://partners.comptia.org/docs/default-source/resources/casp-content-guide

Question 7

A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing aCAPTCHAsystem on the web store to help reduce thenumber of video cards purchased through automated systems. Which of the following now describes the level of risk?

AInherent

BLow

CMitigated

DResidual

ETransferred

Answer : D

Comprehensive and Detailed in-Depth

Understanding the Risk Levels:

Inherent Risk:

Theoriginal riskbefore any controls or mitigation measures are applied.

In this scenario, it represents therisk of automated purchases without CAPTCHA.

Residual Risk:

Theremaining riskaftermitigation strategieshave been applied.

After implementing CAPTCHA, some risk remains asCAPTCHA systems can be bypassedorhuman-operated botsmay still make purchases.

Mitigated Risk:

A risk that has beenreduced or managedeffectively.

While CAPTCHAmitigatesthe issue, it does noteliminateit.

Low Risk:

A risk that is consideredminordue to effective mitigation or low impact.

CAPTCHA reduces risk but does not guarantee it is low.

Transferred Risk:

A risk that has beenshifted to another entity, such asoutsourcing or insurance.

Implementing CAPTCHA does nottransfer riskbut ratherreduces it directly.

Why the Correct Answer is D (Residual):

Implementing CAPTCHAreduces the number of automated purchases, but therisk is not entirely eliminated.

There is always aresidual riskbecause:

Advanced botsmay bypass CAPTCHA systems.

Human-assisted purchasesmight still occur, as attackers might hire people to complete CAPTCHAs.

Therefore, the risk after implementing the CAPTCHA system isresidual, assome potential for automated purchases remains.

Why the Other Options Are Incorrect:

A . Inherent:

Inherent risk existsbeforeany mitigating actions, like CAPTCHA implementation.

Since the CAPTCHA is already suggested, we are addressing theresidual risk.

B . Low:

While CAPTCHA reduces the risk, itdoes not eliminate it completelyor make it negligible.

Attackers can stillbypass CAPTCHAusing more sophisticated methods.

C . Mitigated:

The CAPTCHA reduces risk butdoes not fully mitigate it.

The termmitigatedimplies a more comprehensive reduction than what CAPTCHA alone can provide.

E . Transferred:

There isno transfer of riskto another party or system.

CAPTCHA directlymitigatesrisk rather than shifting responsibility.

Real-World Scenario:

Whenpopular productsare released (like new GPUs), attackers usebotsto make bulk purchases.

Retailers implementCAPTCHA systemsto prevent automated orders.

However,bot developerscontinuously innovate tobypass CAPTCHA, leaving some level ofresidual risk.

Extract from CompTIA SecurityX CAS-005 Study Guide:

TheCompTIA SecurityX CAS-005 Official Study Guidedefinesresidual riskas therisk that remains after controls are implemented. Implementing aCAPTCHAsystem reduces thelikelihoodof automated purchases butdoes not fully eliminate the threat, thus leaving aresidual risk.

CompTIA CAS-004 CompTIA Advanced Security Practitioner (CASP+) Exam Practice Test