CompTIA CASP+ (CAS-003) — Question 306
A development team releases updates to an application regularly. The application is compiled with several standard, open-source security products that require a minimum version for compatibility. During the security review portion of the development cycle, which of the following should be done to minimize possible application vulnerabilities?
Answer options
- A. The developers should require an exact version of the open-source security products, preventing the introduction of new vulnerabilities.
- B. The application development team should move to an Agile development approach to identify security concerns faster.
- C. The change logs for the third-party libraries should be reviewed for security patches, which may need to be included in the release.
- D. The application should eliminate the use of open-source libraries and products to prevent known vulnerabilities from being included.
Correct answer: C
Explanation
Option C is correct because the application is built against third-party components, so its exposure is partly their exposure. A minimum-version constraint only guarantees compatibility; it does not guarantee that the build picks up the latest release that fixes a security flaw. Reviewing the libraries' change logs (and, in practice, their security advisories) during the security review identifies the patched versions that need to be pulled into the release before it ships. Option A is incorrect because pinning an exact version freezes whatever vulnerabilities that version carries and actively blocks the security patches the review is meant to bring in. Option B is incorrect because switching methodology is a process change; Agile by itself does nothing to detect known flaws in the open-source components. Option D is impractical, since the products are required for the application to work, and removing them would not make the code that replaces them any more secure.
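The following script illustrates the review step described in option C, and why option A fails. It is an added example, not code from CompTIA or any real project; the package names, versions and change-log entries are constructed sample data, not real advisories. It parses minimum-version (`>=`) and exact (`==`) requirements, the versions actually resolved in a lockfile, and a list of fixes a reviewer has pulled from the libraries' change logs, then reports which resolved versions predate a security fix and whether an exact pin would block the update.

```python
"""Flag third-party dependencies whose resolved version predates a security fix.

Added illustration for the CASP+ question above, not code from CompTIA or any
real project. Package names, versions and change-log entries below are
constructed sample data, not real advisories.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed requirements: minimum versions for compatibility, plus one
# exact pin of the kind option A would impose.
REQUIREMENTS = """
# minimum versions required for compatibility
sslwrap>=2.4.0
tokenlib>=1.1.0
jsonguard==0.9.2   # exact pin, as option A would require
"""

# Constructed lockfile: the versions the build actually resolved.
LOCKFILE = """
sslwrap==2.4.1
tokenlib==1.3.0
jsonguard==0.9.2
"""

# Constructed entries a reviewer extracted from the libraries' change logs.
CHANGELOG_FIXES = [
    {"package": "sslwrap",   "fixed_in": "2.4.3", "note": "hostname check bypass fixed"},
    {"package": "tokenlib",  "fixed_in": "1.2.0", "note": "signature verification fix"},
    {"package": "jsonguard", "fixed_in": "0.9.4", "note": "recursion DoS fixed"},
]


def parse_version(text: str) -> Version:
    """Turn '2.4.3' into (2, 4, 3); a non-numeric suffix such as 'rc1' is dropped."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_constraints(text: str) -> Dict[str, Tuple[str, Version]]:
    """Parse 'name>=X.Y' or 'name==X.Y' lines into {name: (operator, version)}."""
    constraints: Dict[str, Tuple[str, Version]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(>=|==)\s*([0-9][0-9.]*)$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        constraints[m.group(1).lower()] = (m.group(2), parse_version(m.group(3)))
    return constraints


def parse_lock(text: str) -> Dict[str, Version]:
    """Parse 'name==X.Y.Z' lockfile lines into {name: resolved_version}."""
    resolved: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, ver = line.split("==", 1)
        resolved[name.strip().lower()] = parse_version(ver)
    return resolved


def review(constraints, resolved, fixes) -> List[dict]:
    """Return one finding per resolved library that is older than a known fix.

    A finding is marked blocked_by_exact_pin when the requirements file pins
    the library to a version below the fixed one, i.e. the pin itself would
    keep the patch out of the release.
    """
    findings = []
    for fix in fixes:
        name = fix["package"].lower()
        if name not in resolved:
            continue                      # library not used in this build
        fixed = parse_version(fix["fixed_in"])
        current = resolved[name]
        if current >= fixed:
            continue                      # build already carries the patch
        op, pinned = constraints.get(name, (">=", ()))
        findings.append({
            "package": name,
            "resolved": current,
            "fixed_in": fixed,
            "note": fix["note"],
            "blocked_by_exact_pin": op == "==" and pinned < fixed,
        })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in review(parse_constraints(REQUIREMENTS), parse_lock(LOCKFILE), CHANGELOG_FIXES):
        flag = "BLOCKED BY EXACT PIN" if f["blocked_by_exact_pin"] else "update before release"
        print(f"{f['package']}: {f['resolved']} < fix in {f['fixed_in']} ({f['note']}) -> {flag}")
```

On the constructed data, tokenlib produces no finding because the resolved 1.3.0 already carries the 1.2.0 fix, sslwrap is reported as needing the 2.4.3 update, and jsonguard is reported as needing 0.9.4 but blocked by its exact pin. Change logs are not always complete, so in practice a reviewer pairs this with a vulnerability database or software composition analysis tool rather than relying on release notes alone.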