CompTIA CASP+ (CAS-004) — Question 60

The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security program in an environment that previously had little oversight.
Which of the following testing methods would be BEST for the engineer to utilize in this situation?

Answer options

• A. Software composition analysis
• B. Code obfuscation
• C. Static analysis
• D. Dynamic analysis

Correct answer: C

Explanation

Static analysis is the most suitable method in this context because it allows for the examination of source code without executing the program, identifying vulnerabilities early in the development process. Software composition analysis focuses on third-party libraries, code obfuscation is more about protecting code than testing it, and dynamic analysis requires a running application, which may not be ideal for an environment with limited oversight.