CompTIA SecurityX (CAS-005) — Question 16

A security engineer receives reports through the organization's bug bounty program about remote code execution in a specific component in a custom application. Management wants to properly secure the component and proactively avoid similar issues. Which of the following is the best approach to uncover additional vulnerable paths in the application?

Answer options

• A. Leverage an exploitation framework to uncover vulnerabilities.
• B. Use fuzz testing to uncover potential vulnerabilities in the application.
• C. Utilize a software composition analysis tool to report known vulnerabilities.
• D. Reverse engineer the application to look for vulnerable code paths.
• E. Analyze the use of an HTTP intercepting proxy to dynamically uncover issues.

Correct answer: B

Explanation

The correct answer is B, as fuzz testing is specifically designed to identify vulnerabilities by sending random or unexpected inputs to the application, which can reveal additional security flaws. Options A and D involve more manual or targeted approaches that may not systematically uncover all vulnerabilities. Option C focuses on known vulnerabilities rather than discovering new ones, while option E, although useful for dynamic analysis, may not be as effective in uncovering hidden paths as fuzz testing.