CompTIA SecurityX (CAS-005) — Question 116

A company needs to quickly assess whether software deployed across the company's global corporate network contains specific software libraries. Which of the following best enables the company's SOC to respond quickly when such an assessment is required?

Answer options

• A. Maintaining SAST/DAST reports on a server with access restricted to SOC staff
• B. Contractually requiring all software vendors to attest to third-party risk mitigations
• C. Requiring all suppliers and internal developers to implement a thorough SBoM
• D. Implementing a GRC tool to maintain a list of all software vendors and internal developers

Correct answer: C

Explanation

The correct answer is C because requiring a Software Bill of Materials (SBoM) ensures that all software components are documented, allowing for quick identification of specific libraries. Options A and D do not provide direct visibility into software components, while option B focuses on risk management rather than immediate assessment capabilities.