CompTIA CASP+ (CAS-004) — Question 54

A security engineer was auditing an organization's current software development practice and discovered that multiple open-source libraries were Integrated into the organization's software. The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?

Answer options

• A. Perform additional SAST/DAST on the open-source libraries.
• B. Implement the SDLC security guidelines.
• C. Track the library versions and monitor the CVE website for related vulnerabilities.
• D. Perform unit testing of the open-source libraries.

Correct answer: C

Explanation

The correct answer is C, as tracking library versions and monitoring the CVE website is essential for identifying vulnerabilities specific to those libraries. While additional SAST/DAST (A) and implementing guidelines (B) are helpful, they do not specifically address the unique risks posed by open-source library vulnerabilities. Unit testing (D) does not directly relate to the security of the libraries themselves.