CompTIA CASP+ (CAS-004) — Question 424
A security engineer evaluates the overall security of a custom mobile gaming application and notices that developers are bringing in a large number of open-source packages without appropriate patch management. Which of the following would the engineer most likely recommend for uncovering known vulnerabilities in the packages?
Answer options
- A. Leverage an exploitation framework to uncover vulnerabilities.
- B. Use fuzz testing to uncover potential vulnerabilities in the application.
- C. Utilize a software composition analysis tool to report known vulnerabilities.
- D. Reverse engineer the application to look for vulnerable code paths.
- E. Analyze the use of an HTTP intercepting proxy to dynamically uncover issues.
Correct answer: C
Explanation
The correct answer is C because a software composition analysis (SCA) tool is designed specifically to identify the open-source packages an application depends on and report the known vulnerabilities in them. The other options, while useful in other contexts, do not address known vulnerabilities in open-source packages as directly or as effectively as an SCA tool does.