A Chief information Security Officer (CISO) is developing corrective-action plans based on the following from a vulnerability scan of internal hosts:

Which of the following MOST appropriate corrective action to document for this finding?

1. A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.
2. B. The application developer should use a static code analysis tool to ensure any application code is not vulnerable to buffer overflows.
3. C. The system administrator should evaluate dependencies and perform upgrade as necessary.
4. D. The security operations center should develop a custom IDS rule to prevent attacks buffer overflows against this server.

Correct Answer: A

An analyst execute a vulnerability scan against an internet-facing DNS server and receives the following report:

Which of the following tools should the analyst use FIRST to validate the most critical vulnerability?

1. A. Password cracker
2. B. Port scanner
3. C. Account enumerator
4. D. Exploitation framework

Correct Answer: A

The Chief information Security Officer (CISO) of a small locate bank has a compliance requirement that a third-party penetration test of the core banking application must be conducted annually. Which of the following services would fulfill the compliance requirement with the LOWEST resource usage?

1. A. Black-box testing
2. B. Gray-box testing
3. C. Red-team hunting
4. D. White-box testing
5. E. Blue-learn exercises

Correct Answer: C

To save time, a company that is developing a new VPN solution has decided to use the OpenSSL library within Its proprietary software. Which of the following should the company consider to maximize risk reduction from vulnerabilities introduced by OpenSSL?

1. A. Include stable, long-term releases of third-party libraries instead of using newer versions.
2. B. Ensure the third-party library implements the TLS and disable weak ciphers.
3. C. Compile third-party libraries into the main code statically instead of using dynamic loading.
4. D. Implement an ongoing, third-party software and library review and regression testing.

Correct Answer: D
Implementing an ongoing, third-party software and library review and regression testing is the best way to maximize risk reduction from vulnerabilities introduced by OpenSSL. Third-party software and libraries are often used by developers to save time and resources, but they may also introduce security risks if they are not properly maintained and updated. By reviewing and testing the third-party software and library regularly, the company can ensure that they are using the latest and most secure version of OpenSSL, and that their proprietary software is compatible and functional with it. References: [CompTIA CASP+ Study Guide, Second Edition, page 362]

A company is looking at sending historical backups containing customer PII to a cloud service provider to save on storage costs. Which of the following is the MOST important consideration before making this decision?

1. A. Availability
2. B. Data sovereignty
3. C. Geography
4. D. Vendor lock-in

Correct Answer: B