CompTIA CASP+ (CAS-003) — Question 39

A deployment manager is working with a software development group to assess the security of a new version of the organization's internally developed ERP tool.
The organization prefers to not perform assessment activities following deployment, instead focusing on assessing security throughout the life cycle. Which of the following methods would BEST assess the security of the product?

Answer options

• A. Static code analysis in the IDE environment
• B. Penetration testing of the UAT environment
• C. Vulnerability scanning of the production environment
• D. Penetration testing of the production environment
• E. Peer review prior to unit testing

Correct answer: C

Explanation

The correct answer is C, as vulnerability scanning of the production environment allows for the identification of security weaknesses before the tool is fully deployed. Other options, like penetration testing, are more suited for post-deployment assessments, while static code analysis and peer reviews focus on earlier phases, which may not capture all operational risks.