CompTIA CASP+ (CAS-004) — Question 431

A security engineer receives reports through the organization’s bug bounty program about remote code execution in a specific component in a custom application. Management wants to properly secure the component and proactively avoid similar issues. Which of the following is the best approach to uncover additional vulnerable paths in the application?

Answer options

• A. Implement fuzz testing focused on the component and inputs uncovered by the bug bounty program.
• B. Leverage a software composition analysis tool to find all known vulnerabilities in dependencies.
• C. Use a vulnerability scanner to perform multiple types of network scans to look for vulnerabilities.
• D. Utilize a network traffic analyzer to find malicious packet combinations that lead to remote code execution.
• E. Run an exploit framework with all payloads against the application to see if it is able to gain access.

Correct answer: A

Explanation

The correct answer is A, as fuzz testing specifically targets the component and its inputs to uncover vulnerabilities that may not have been identified, allowing for a proactive approach to security. Options B and C focus on existing vulnerabilities rather than uncovering new paths, while D and E are reactive strategies that may not effectively identify additional vulnerabilities in the application.