CompTIA PenTest+ (PT0-001) — Question 149
A systems security engineer is preparing to conduct a security assessment of some new applications. The applications were provided to the engineer as a set that contains only JAR files. Which of the following would be the MOST detailed method to gather information on the inner workings of these applications?
Answer options
- A. Launch the applications and use dynamic software analysis tools, including fuzz testing.
- B. Use a static code analyzer on the JAR files to look for code quality deficiencies.
- C. Decompile the applications to approximate source code and then conduct a manual review.
- D. Review the details and extensions of the certificate used to digitally sign the code and the application.
Correct answer: C
Explanation
The correct answer is C. The engineer has no source code, only JAR files, but Java bytecode keeps enough structure (class and method names, signatures, string constants, call targets) that a decompiler such as CFR, Procyon, Fernflower or JD-GUI can recover an approximation of the original source. A manual review of that output shows control flow, input handling, hard-coded values and third-party dependencies, which is the most detailed view of an application's inner workings that a compiled artifact can give. Keep in mind that the result is approximate: obfuscated or stripped bytecode decompiles poorly, and the engagement rules should confirm that reverse engineering the vendor's code is permitted. Option A, running the applications under dynamic analysis and fuzzing, observes behaviour only on the execution paths that are actually exercised and says nothing about code that is never reached. Option B, a static analyzer aimed at code quality, reports rule matches rather than explaining how the application works, and many such tools expect source rather than bytecode. Option D validates who signed the code and whether the JAR has been altered, which is useful for integrity but reveals nothing about what the code does.
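The first step of that manual review, before handing the classes to a decompiler, is usually a quick triage of what each JAR actually contains. The script below is an added example (it is not part of the original question or any vendor tool): it opens a JAR as the ZIP file it is, reads the manifest, and parses each class file's constant pool, fields and methods table to list the classes it references, the methods it calls, its string literals and its declared methods. The JAR it inspects is constructed inline from a hand-built minimal class file (com/example/App, with a Runtime.exec reference and a URL literal) so the script runs offline; the names and the literal are invented for the demo.

```python
"""Triage a JAR delivered as bytecode only: list classes and pull class references,
method calls, string literals and declared methods out of each class file.
Hand-rolled parser for the JVM class-file format (JVMS chapter 4)."""
import io
import struct
import zipfile

# Constant-pool tag -> byte length of its fixed-size payload (tag 1, Utf8, is variable).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(buf, off):
    """Return (pool, new_offset); pool maps index -> (tag, payload)."""
    (count,) = struct.unpack_from(">H", buf, off)
    off += 2
    pool, idx = {}, 1
    while idx < count:
        tag = buf[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + modified UTF-8 bytes (plain UTF-8 is fine for ASCII)
            (ln,) = struct.unpack_from(">H", buf, off)
            pool[idx] = (tag, buf[off + 2:off + 2 + ln].decode("utf-8", "replace"))
            off += 2 + ln
        elif tag in _FIXED:
            pool[idx] = (tag, buf[off:off + _FIXED[tag]])
            off += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return pool, off


def _utf8(pool, i):
    return pool[i][1]


def _class_name(pool, i):
    (name_i,) = struct.unpack(">H", pool[i][1])
    return _utf8(pool, name_i)


def _member_ref(pool, payload):
    """Resolve a Methodref/InterfaceMethodref to Class.name(descriptor)."""
    cls_i, nat_i = struct.unpack(">HH", payload)
    name_i, desc_i = struct.unpack(">HH", pool[nat_i][1])
    return f"{_class_name(pool, cls_i)}.{_utf8(pool, name_i)}{_utf8(pool, desc_i)}"


def _members(buf, off, pool):
    """Walk a fields or methods table; attributes (e.g. Code) are skipped by length."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    out = []
    for _ in range(n):
        _flags, name_i, desc_i, attr_n = struct.unpack_from(">HHHH", buf, off)
        off += 8
        out.append((_utf8(pool, name_i), _utf8(pool, desc_i)))
        for _ in range(attr_n):
            _name_i, length = struct.unpack_from(">HI", buf, off)
            off += 6 + length
    return out, off


def parse_class(buf):
    magic, _minor, major = struct.unpack_from(">IHH", buf, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off = parse_constant_pool(buf, 8)
    _flags, this_i, super_i, n_if = struct.unpack_from(">HHHH", buf, off)
    off += 8 + 2 * n_if  # skip the interfaces table
    fields, off = _members(buf, off, pool)
    methods, off = _members(buf, off, pool)
    return {
        "name": _class_name(pool, this_i),
        "super": _class_name(pool, super_i) if super_i else None,
        "major": major,  # 52 = Java 8, 55 = Java 11, 61 = Java 17
        "classes": sorted(_class_name(pool, i) for i, (t, _) in pool.items() if t == 7),
        "strings": sorted(_utf8(pool, struct.unpack(">H", p)[0]) for _, (t, p) in pool.items() if t == 8),
        "method_refs": sorted(_member_ref(pool, p) for _, (t, p) in pool.items() if t in (10, 11)),
        "fields": fields,
        "methods": methods,
    }


def inspect_jar(jar_bytes):
    """A JAR is a ZIP: read the manifest and parse every .class entry."""
    report = {"manifest": None, "classes": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name == "META-INF/MANIFEST.MF":
                report["manifest"] = z.read(name).decode("utf-8", "replace")
            elif name.endswith(".class"):
                report["classes"][name] = parse_class(z.read(name))
    return report


def _cp_utf8(s):
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


def build_sample_jar():
    """Constructed demo input (not a real application): com/example/App extends Object,
    declares run()V with no Code attribute, references Runtime.exec and holds a URL literal."""
    cp = [
        _cp_utf8("com/example/App"),                              # 1
        b"\x07" + struct.pack(">H", 1),                           # 2  Class -> #1
        _cp_utf8("java/lang/Object"),                             # 3
        b"\x07" + struct.pack(">H", 3),                           # 4  Class -> #3
        _cp_utf8("http://updates.example.internal/manifest"),     # 5
        b"\x08" + struct.pack(">H", 5),                           # 6  String -> #5
        _cp_utf8("java/lang/Runtime"),                            # 7
        b"\x07" + struct.pack(">H", 7),                           # 8  Class -> #7
        _cp_utf8("exec"),                                         # 9
        _cp_utf8("(Ljava/lang/String;)Ljava/lang/Process;"),      # 10
        b"\x0c" + struct.pack(">HH", 9, 10),                      # 11 NameAndType
        b"\x0a" + struct.pack(">HH", 8, 11),                      # 12 Methodref -> Runtime.exec
        _cp_utf8("run"),                                          # 13
        _cp_utf8("()V"),                                          # 14
    ]
    cls = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(cp) + 1) + b"".join(cp)
    cls += struct.pack(">HHHH", 0x0021, 2, 4, 0)        # public super; this=#2, super=#4, no interfaces
    cls += struct.pack(">H", 0)                          # no fields
    cls += struct.pack(">HHHHH", 1, 0x0001, 13, 14, 0)   # one method: public run()V, no attributes
    cls += struct.pack(">H", 0)                          # no class attributes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: com.example.App\r\n")
        z.writestr("com/example/App.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_jar(build_sample_jar())
    print(report["manifest"].strip())
    for entry, c in report["classes"].items():
        print(f"{entry}: {c['name']} extends {c['super']} (class version {c['major']})")
        print("  declares:", c["methods"])
        print("  calls:   ", c["method_refs"])
        print("  strings: ", c["strings"])
```

To use it on a real assessment target, replace build_sample_jar() with open("target.jar", "rb").read(); entries with suspicious call targets (Runtime.exec, ProcessBuilder, ObjectInputStream.readObject, Class.forName) or interesting literals (URLs, credentials, crypto keys) are the classes worth decompiling and reading first. The Code attributes are skipped by length here, so bytecode itself is not disassembled; that is what javap or a full decompiler adds.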