CompTIA CASP+ (CAS-004) — Question 256
A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program. Which of the following will BEST accomplish the company’s objectives? (Choose two.)
Answer options
- A. IAST
- B. RASP
- C. SAST
- D. SCA
- E. WAF
- F. CMS
Correct answer: C, D
Explanation
SAST (Static Application Security Testing) and SCA (Software Composition Analysis) are the best choices as they allow for earlier detection of vulnerabilities during the development process, thus aligning with the startup's goals. IAST and RASP focus more on runtime or post-development security, which does not address the need for early identification as effectively as SAST and SCA.