CompTIA CASP+ (CAS-004) — Question 217
A software developer was just informed by the security team that the company’s product has several vulnerabilities. Most of these vulnerabilities were traced to code the developer did not write. The developer does not recognize some of the code, as it was in the software before the developer started on the program and is not tracked for licensing purposes. Which of the following would the developer MOST likely do to mitigate the risks and prevent further issues like these from occurring?
Answer options
- A. Perform supply chain analysis and require third-party suppliers to implement vulnerability management programs.
- B. Perform software composition analysis and remediate vulnerabilities found in the software.
- C. Perform reverse engineering on the code and rewrite the code in a more secure manner.
- D. Perform fuzz testing and implement DAST in the code repositories to find vulnerabilities prior to deployment.
Correct answer: B
Explanation
The correct answer is B. The scenario describes code that predates the developer, that nobody can identify, and that is not tracked for licensing; that is the inventory problem software composition analysis (SCA) is built to solve. SCA enumerates the third-party and open-source components in a codebase (from lockfiles, package manifests or an SBOM), records their licenses, and matches component versions against known-vulnerability advisories, giving the developer a concrete list of what to upgrade, replace or remove. Option A targets the suppliers' own processes rather than the vulnerabilities already shipping in the product, and it presupposes knowing which suppliers the code came from, which is exactly the information that is missing here. Option C is impractical for code the developer did not write and may not fully understand, and a rewrite would not establish the code's provenance or license. Option D finds bugs through testing but does not identify inherited components or their licensing; DAST also runs against a deployed application, not a code repository, so it would not catch the issue before deployment as the option claims.
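To make the SCA step concrete, the following is an added example (not part of the CompTIA question or any vendor's tool) of the core check an SCA tool performs: it parses a pinned dependency manifest, compares each component's version against an advisory feed's affected ranges, flags components with no recorded license, and derives the minimum upgrade that clears every finding. The package names, versions, license data and advisory identifiers (ADV-...) are all constructed for illustration; a real tool would pull advisories from a feed such as OSV or the NVD and the component list from the project's lockfile or SBOM.

```python
"""Minimal software composition analysis (SCA) check.

Added example. Every package, version, license and advisory below is
constructed for illustration and does not describe any real component.
"""
from dataclasses import dataclass
import re

# Constructed requirements.txt-style lockfile for the inherited codebase.
MANIFEST = """\
# pinned components (constructed)
acme-parser==1.4.2
widgetlib==0.9.0
libtoast==3.2.1
legacy-crypto==2.0.5
"""

# Constructed advisory feed. Affected range is [introduced, fixed).
ADVISORIES = [
    {"package": "acme-parser", "introduced": "1.0.0", "fixed": "1.4.3", "id": "ADV-2023-0001", "severity": "HIGH"},
    {"package": "acme-parser", "introduced": "1.2.0", "fixed": "1.5.0", "id": "ADV-2023-0002", "severity": "MEDIUM"},
    {"package": "widgetlib",   "introduced": "0.0.0", "fixed": "1.0.0", "id": "ADV-2022-0010", "severity": "CRITICAL"},
    {"package": "libtoast",    "introduced": "3.0.0", "fixed": "3.2.0", "id": "ADV-2021-0042", "severity": "LOW"},
]

# Constructed license inventory. A component missing here is itself a finding,
# which is the "not tracked for licensing purposes" problem in the question.
LICENSES = {"acme-parser": "MIT", "widgetlib": "GPL-3.0-only", "libtoast": "Apache-2.0"}


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: pinned_version}. Unpinned lines are rejected because an
    SCA result is only meaningful for an exact, reproducible component version."""
    comps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        comps[m.group(1).lower()] = m.group(2)
    return comps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as OSV uses)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed: str


def scan(manifest=MANIFEST, advisories=ADVISORIES, licenses=LICENSES):
    """Match every pinned component against the advisory feed and the license
    inventory. Returns (vulnerability findings, components with no license record)."""
    comps = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        ver = comps.get(adv["package"])
        if ver and is_affected(ver, adv["introduced"], adv["fixed"]):
            findings.append(Finding(adv["package"], ver, adv["id"], adv["severity"], adv["fixed"]))
    unlicensed = sorted(p for p in comps if p not in licenses)
    return findings, unlicensed


def remediation_plan(findings) -> dict:
    """For each vulnerable package, the lowest version that clears all of its
    advisories (the highest 'fixed' version among them)."""
    plan = {}
    for f in findings:
        if f.package not in plan or parse_version(f.fixed) > parse_version(plan[f.package]):
            plan[f.package] = f.fixed
    return plan


if __name__ == "__main__":
    found, unlicensed = scan()
    for f in sorted(found, key=lambda x: (x.package, x.advisory)):
        print(f"{f.severity:8} {f.package}=={f.version}  {f.advisory}  upgrade to >= {f.fixed}")
    print("no license record:", ", ".join(unlicensed) or "none")
    print("upgrade plan:", remediation_plan(found))
```

Running it lists two advisories against acme-parser and one against widgetlib, reports libtoast as clean (3.2.1 is past the 3.2.0 fix) and flags legacy-crypto as having no license record. The half-open range comparison and the numeric version tuple are the two details that most often go wrong in home-grown checks: a string comparison would rank "1.10.0" below "1.9.0", and an inclusive upper bound would flag the fixed version itself.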