Exam CAS-004
Question 113

The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security program in an environment that previously had little oversight.

Which of the following testing methods would be BEST for the engineer to utilize in this situation?

    Correct Answer: C

    In an environment with little oversight, it is important to establish a strong baseline for code quality and security. Static analysis involves analyzing the source code of applications without executing them, which can help identify vulnerabilities, coding errors, and security flaws early in the development process. By catching issues before the code is compiled and run, static analysis provides a more thorough examination of the software's integrity and potential risks. This makes it the best method in this context to implement a robust software security program.
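To make the distinction in the answer concrete, here is a small, added illustration (not from the exam site or any real SAST product) of what "analyzing source code without executing it" looks like in practice: a Python script that parses a module into an AST and flags a few risky constructs (calls to eval/exec, subprocess with shell=True, string literals assigned to secret-looking names). The rule names, the sample module and the thresholds are all assumptions chosen for the example; the sample code is only parsed, never run.

```python
"""Minimal static-analysis pass over Python source (added illustration, not a
real SAST product). It parses code into an AST and reports risky constructs
without ever executing the program under review."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


# Sinks and name fragments we flag; both sets are assumptions for this example.
RISKY_CALLS = {"eval", "exec"}
SECRET_NAMES = ("password", "secret", "api_key", "token")


class RiskyConstructVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Direct call to eval()/exec(): arbitrary code execution sink.
        if isinstance(node.func, ast.Name) and node.func.id in RISKY_CALLS:
            self.findings.append(
                Finding(node.lineno, "dangerous-call", f"call to {node.func.id}()"))
        # subprocess.<anything>(..., shell=True): command injection surface.
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(
                        node.lineno, "shell-true",
                        f"subprocess.{node.func.attr} with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking variable name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.lower() for s in SECRET_NAMES)):
                    self.findings.append(Finding(
                        node.lineno, "hardcoded-secret",
                        f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def analyze_source(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    tree = ast.parse(source)
    visitor = RiskyConstructVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: it is only parsed, never imported or executed.
SAMPLE_SOURCE = '''\
import subprocess
DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def calc(expr):
    return eval(expr)
'''


def main():
    for f in analyze_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")


if __name__ == "__main__":
    main()
```

Running it reports three findings (lines 2, 5 and 8 of the sample) before any of that code has been compiled into a running program, which is the property the answer explanation relies on. Each hit is still a candidate that a reviewer has to triage, since a pattern match on the AST cannot tell whether `expr` ever carries untrusted input; that triage cost is the trade-off several commenters below weigh against dynamic analysis.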

Discussion
DaleC78 (Option: D)

Choosing D here. The application was already in place (had a little oversight) and Dynamic analysis is the way to go against systems that are already operating.

FoxTrotDG

The environment had little oversight, not the program

RevZig67 (Option: C)

Static for Source-Code. Seems like the best answer. Get to it before it is compiled.

BiteSize (Option: C)

Static Analysis provides the most value and should be the first thing out of these options. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

last_resort (Option: C)

Static analysis will be more thorough and uncover more issues. Dynamic would be good as well but static will provide more value.

FoxTrotDG (Option: C)

Static analysis is the best method to utilize in this situation, as it involves analyzing the source code of the application without actually executing it.

talosDevbot (Option: C)

Ideally, both SAST and DAST should be utilized. But if the question is only asking for one answer, it should be static analysis. Static analysis is commonly used to catch vulnerabilities early on and provides more oversight along the development cycle. If you utilize dynamic analysis, you would have to write the source code, compile it, and run the program for the testing to occur. This provides more oversight only towards the later cycles of the development cycle.

BreakOff874 (Option: C)

I checked this question with 3 different AIs. As a startup company previously had little oversight, implementing static analysis can help identify and remediate security issues before they become a part of the final product.

hidady (Option: C)

C is the correct answer.

cyspec (Option: C)

Keyword is startup. A good place to start is SAST which is easily enabled on GitLab.

Anarckii (Option: C)

"In an environment that previously had little oversight" you are going to want to do a thorough analysis on the environment through the use of static analysis. Dynamic may miss important stuff that could not be caught.

biggytech (Option: C)

C is the answer because you are coming into an environment with previous little oversight and static analysis is used to establish a new baseline that CAN be trusted, THEN dynamic analysis will be used. It's a poorly made question but static is the most correct answer in this context.

Mr_BuCk3th34D (Option: D)

Dynamic analysis can be particularly useful in an environment with little oversight, as it can help the engineer identify potential security issues and recommend steps for addressing them.

kycugu

do not follow gpt

23169fd (Option: C)

Static analysis involves examining the code without executing it. This type of analysis can identify vulnerabilities, coding errors, and security flaws early in the development process.

e4af987 (Option: A)

Here's why SCA is the most suitable choice for this scenario: Limited Existing Security: In an environment with minimal security practices, there's a high chance that third-party libraries and components might have unknown vulnerabilities. SCA can identify these potential risks without requiring deep code review of the entire codebase. Focus on Open Source: Startups often leverage open-source libraries to accelerate development. SCA is particularly valuable for identifying vulnerabilities within these open-source components.

e4af987

Not only that... but who said the Startup company develops software?

cyspec

A startup company wouldn't conduct SCA.

Trap_D0_r (Option: D)

Choosing D here because a SCA in this context (an environment that previously had little oversight) could be almost useless. A static analysis could spit out tens of thousands of findings that need to be parsed through and evaluated (I've used the Fortify SCA tool; it reports a LOT of findings, many false). If the environment had little oversight, you could be looking at bad libraries, poor code, insecure methods and objects, just a MESS, and you can't do anything about it immediately. With a DAST solution, however, you'll get a list of actual vulnerabilities related to the software while it's running, and there will be no false negatives. This is a horribly worded question, though.

Meep123 (Option: C)

Going with C. With an environment that had very little oversight, I'd prefer static at least before dynamic analysis if neither were present, assuming dynamic would follow suit. Source code being more important.

Geofab (Option: D)

I am choosing D due to the fact that the software is already developed and running.

FoxTrotDG

We don't know that the software is already developed and running. The environment had little oversight, but it says nothing about the program. This is another vague CompTIA question. Could make an argument for C or D.

tefyayaydu

Without information provided about the application, such as the deliverables handled, it should be assumed that the program is already built. It should also be noted that the CIO is not going to be the person on a development team for an application, they only deal with high-level strategies and if they are recommending a security product as a solution then it is safe to state it is a working product. DAST would be correct here.