CompTIA SecurityX (CAS-005) — Question 231
A company recently migrated its critical web application to a cloud provider’s environment. As part of the company’s risk management program, the company intends to conduct an external penetration test. According to the scope of work and the rules of engagement, the penetration tester will validate the web application’s security and check for opportunities to expose sensitive company information in the newly migrated cloud environment. Which of the following should be the first consideration prior to engaging in the test?
Answer options
- A. Prepare a redundant server to ensure the critical web application’s availability during the test.
- B. Obtain agreement between the company and the cloud provider to conduct penetration testing.
- C. Ensure the latest patches and signatures are deployed on the web server.
- D. Create an NDA between the external penetration tester and the company.
Correct answer: B
Explanation
The correct answer is B. The application now runs on infrastructure the company does not own, so authorization from the company alone does not make the test lawful or contractually permitted. Under the shared responsibility model the cloud provider's terms of service and published penetration-testing policy govern what may be tested, how, and whether prior notice is required; some providers allow testing of customer-owned resources without approval but still prohibit activities such as denial-of-service testing or testing of the provider's own infrastructure, and those limits must be reflected in the rules of engagement before anything is scanned. Testing outside those terms can be treated as an attack on the provider and may violate the customer agreement. Options A and C are operational preparations that do not establish authority to test. Option D protects confidentiality, which matters given the test's goal of finding exposed sensitive information, but it is secondary to obtaining permission for the test itself.