CompTIA CySA+ (CS0-003) — Question 213

A company’s internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Choose two.)

Answer options

• A. Deploying a WAF
• B. Performing a forensic analysis
• C. Contracting a penetration test
• D. Holding a tabletop exercise
• E. Creating a bug bounty program
• F. Implementing threat modeling

Correct answer: C, E

Explanation

The correct answers, C and E, are effective because contracting a penetration test provides an external evaluation of security vulnerabilities, while a bug bounty program encourages external researchers to identify and report flaws. The other options, while useful in certain contexts, do not directly address the need for identifying security weaknesses in a proactive manner.