CompTIA CASP+ (CAS-004) — Question 383
A company recently migrated its critical web application to a cloud provider's environment. As part of the company's risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application's security and check for opportunities to expose sensitive company information in the newly migrated cloud environment. Which of the following should be the first consideration prior to engaging in the test?
Answer options
- A. Prepare a redundant server to ensure the critical web application's availability during the test.
- B. Obtain agreement between the company and the cloud provider to conduct penetration testing.
- C. Ensure the latest patches and signatures are deployed on the web server.
- D. Create an NDA between the external penetration tester and the company.
Correct answer: B
Explanation
The first priority should be obtaining agreement between the company and the cloud provider to conduct penetration testing. The underlying infrastructure belongs to the provider, so testing it without the provider's consent can breach the provider's terms of service and leave the tester and the company without legal authorization; the agreement also defines what may be tested and how. While ensuring availability, applying patches, and creating an NDA are also important, they should come after securing explicit permission to perform the test in the cloud environment.