Latest Update: Jun 22 2026
Correct Answer: A
A is correct: The Payment Card Industry Data Security Standard (PCI DSS) requires organizations that process, store, or transmit payment card data to stop using insecure protocols; SSL and "early TLS" (TLS 1.0) had to be retired from in-scope systems by 30 June 2018. TLS 1.0 relies on an MD5/SHA-1 based PRF, offers no AEAD cipher suites (AES-GCM arrived with TLS 1.2), and its CBC suites were the target of the BEAST attack, so it does not meet the standard's definition of strong cryptography; TLS 1.2 or newer is the expected baseline for systems involved in cardholder data processing. Because the scenario involves a retail website, it is highly likely that payment card transactions occur on the platform. Disabling TLS 1.0 brings the site into line with PCI DSS and removes the exposure associated with the legacy protocol. One practical caveat: the server must enforce TLS 1.2 as a floor in its configuration, not merely prefer newer versions, because a client that offers only TLS 1.0 would otherwise still negotiate it.
B is incorrect: This option is incorrect because digital certificates are not dependent on a specific TLS version. Certificates are used within public key infrastructure (PKI) to authenticate servers and establish trust, but they can be used across multiple protocol versions. A certificate issued by a trusted certificate authority can still function with older TLS protocols, even though those protocols are no longer considered secure. The issue with TLS 1.0 is not certificate compatibility but the weaknesses in the cryptographic protocol itself. Therefore, digital certificates do not require disabling TLS 1.0.
C is incorrect: This option is incorrect because although many browser manufacturers have deprecated support for TLS 1.0, this is not the primary driver for disabling it in environments handling payment transactions. Browser deprecation may influence compatibility and security posture, but regulatory and industry compliance requirements take precedence in commercial environments such as retail platforms. The key motivation in this scenario is compliance with security standards governing payment systems, not browser vendor decisions.
D is incorrect: This option is incorrect because the scenario does not indicate that the application software lacks support for TLS 1.0. Many applications historically supported TLS 1.0, and the need to disable it generally arises from security and compliance considerations rather than software limitations. Even if an application continues to support TLS 1.0, organizations handling sensitive data—particularly payment information—must disable the protocol to comply with modern security standards and reduce exposure to known cryptographic weaknesses.
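The following is an added example for this page, not code from the exam material: it builds a Python ssl server context that enforces the TLS 1.2 floor discussed above, alongside the permissive form, and audits both. The function names and the cipher string are this example's own choices; the OpenSSL cipher-list syntax and the ssl module calls are standard.

```python
import ssl
from typing import List

# Cipher string in OpenSSL syntax: ECDHE key exchange with AEAD suites only
# (chosen for this example; any equivalent strong list would do).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0/1.1 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # a floor, not just a preference
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression enables CRIME
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """The 'accept whatever the library allows' configuration. MINIMUM_SUPPORTED
    means the lowest version the linked OpenSSL offers, which on many builds
    still includes TLS 1.0 and 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Policy check for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (OP_NO_COMPRESSION unset)")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(tag in name for tag in ("RC4", "DES", "MD5", "NULL")):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(label, audit_context(ctx) or "OK")
```

The audit reads back the effective settings from the context rather than trusting the code that built it, which is the same check you would run against a deployed endpoint with a scanner: what matters for PCI DSS is what the server will actually negotiate.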
Correct Answer: A
A is correct: The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time. It represents how far back in time data must be recoverable after an incident occurs. In the scenario, the business impact analysis states that losing more than one hour of data would be catastrophic. This means the organization must ensure that backups, replication, or other recovery mechanisms limit data loss to no more than one hour. Therefore, an RPO of one hour or less must be implemented to meet this requirement.
B is incorrect: The Recovery Time Objective (RTO) defines the maximum acceptable time required to restore systems and services after an outage. It measures how quickly operations must resume following a disruption. Although RTO is an important component of disaster recovery planning, it relates to system downtime rather than data loss. The scenario specifically addresses how much data can be lost, which corresponds to RPO rather than RTO.
C is incorrect: A Service Level Agreement (SLA) is a contractual document that defines service performance expectations between a service provider and a customer. SLAs may include uptime guarantees, response times, or support commitments. While SLAs can incorporate recovery objectives such as RTO or RPO, they do not directly define the allowable amount of data loss themselves. Therefore, an SLA is not the specific concept described in the scenario.
D is incorrect: A Disaster Recovery Plan (DRP) outlines the procedures and processes required to restore IT infrastructure and services after a disruptive event. DRPs incorporate recovery objectives such as RTO and RPO, but the plan itself does not define the specific tolerance for data loss. Instead, the DRP uses the recovery objectives derived from the business impact analysis to guide recovery activities.
E is incorrect: A Business Continuity Plan (BCP) focuses on maintaining essential business operations during and after disruptive events. It addresses operational continuity across people, processes, and technology. While the BCP relies on outputs from the BIA and may incorporate recovery objectives, it does not specifically define the allowable amount of data loss. The specific requirement described in the scenario relates directly to the RPO metric.
Correct Answer: B
A is incorrect: Cell-level encryption encrypts specific database fields to protect sensitive information. While this protects confidentiality of data stored in the database, it does not primarily address obfuscation during access by an application. When the application decrypts the data to use it, the original values may still be visible to users or processes that access the application output. The scenario specifically asks for preventing unauthorized viewing through obfuscation, which implies hiding or altering the visible data rather than simply encrypting storage.
B is correct: Data masking replaces sensitive data elements with modified or fictional values while maintaining the data format. For example, a Social Security number may be displayed as XXX-XX-1234, or a credit card number with all but the last four digits hidden (PCI DSS limits display of a PAN to at most the first six and last four digits). Masking may be static, producing a sanitized copy of the data for test or analytics environments, or dynamic, applied at query or display time according to the requester's role. CASP+ guidance describes masking as an effective method for protecting personally identifiable information (PII) in applications by obscuring the actual values while still allowing the application to function, which is exactly the obfuscation the scenario asks for: unauthorized users never see the real values, and usability is preserved.
C is incorrect: Data Loss Prevention (DLP) solutions monitor and control the movement of sensitive data across networks, endpoints, and storage systems. DLP tools are used to detect and prevent data exfiltration or unauthorized transmission of protected information. However, DLP does not typically modify or obfuscate the data presented to users inside an application, so it would not directly prevent unauthorized viewing of PII in this context.
D is incorrect: Encryption at rest protects data stored on disk by encrypting entire storage volumes or databases. This ensures that if storage media are stolen or accessed without authorization, the data cannot be read without the decryption keys. However, encryption at rest does not prevent unauthorized viewing when the application legitimately accesses and decrypts the data for use. Once the data is accessed by the application, it appears in plaintext unless additional protections such as masking are implemented.
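An added example (not from the exam material) of the masking described above: format-preserving masks for SSNs and card numbers, plus dynamic masking of free text that only rewrites digit runs passing the Luhn check, so order numbers that merely look like a PAN are left alone. The helper names are this example's own; the sample strings are constructed test values.

```python
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Mod-10 checksum used by payment card numbers; filters out digit runs
    (order IDs, phone numbers) that merely look like a PAN."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace PAN digits with X, keeping separators, the first keep_first
    digits and the last keep_last. PCI DSS 3.2.1 req. 3.3 allows at most the
    first six and last four to be displayed, so larger values are refused."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most first 6 and last 4 digits in clear")
    n_digits = sum(c.isdigit() for c in pan)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            visible = seen < keep_first or seen >= n_digits - keep_last
            out.append(c if visible else "X")
            seen += 1
        else:
            out.append(c)                       # keep the original format
    return "".join(out)


def mask_ssn(ssn: str) -> str:
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    return "XXX-XX-" + ssn[-4:]


def mask_pans_in_text(text: str) -> str:
    """Dynamic masking of free text (log lines, notes fields): every Luhn-valid
    card number is masked, everything else is returned untouched."""
    def repl(m):
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample: 4111... is a well-known test PAN, 1234... fails Luhn.
    print(mask_pans_in_text("card 4111 1111 1111 1111 ref 1234 5678 9012 3456"))
```

Masking at display time is what distinguishes this control from encryption at rest: the stored value is untouched, and the application decides per viewer how much of it to reveal.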
Correct Answer: A
A is correct: The dd utility is commonly used in digital forensics to create a bit-for-bit copy of storage media. This process produces a forensic disk image that includes all sectors of the drive, such as active files, deleted files, slack space, and unallocated space. Creating this image preserves the state of the system at the time of acquisition and allows investigators to analyze the data without altering the original evidence. Two practical points matter: the source should be attached through a write blocker (or mounted read-only) so acquisition cannot change it, and a cryptographic hash of both the source and the resulting image should be recorded so integrity can be demonstrated later; note also that dd stops at the first unreadable sector unless conv=noerror,sync is given, which continues past read errors and zero-fills the bad block to keep offsets aligned. In forensic investigations involving suspected insider activity, capturing a full disk image this way ensures that all potential evidence is preserved while maintaining the integrity of the original device.
B is incorrect: Reverse engineering binary programs involves analyzing compiled code to understand its structure, behavior, or vulnerabilities. Tools commonly used for reverse engineering include disassemblers, debuggers, and specialized analysis platforms. The dd utility does not analyze program binaries or assist in reverse engineering; instead, it performs raw data copying at the disk level. Therefore, it is not used for examining executable code behavior.
C is incorrect: Recovering deleted logs from a laptop typically requires forensic analysis tools that examine file systems and carve data from unallocated space after an image has been captured. While a forensic disk image created with dd may contain deleted logs within unallocated sectors, the tool itself does not directly recover or reconstruct deleted files. Its purpose is to create an exact copy of the storage medium for later forensic analysis.
D is incorrect: Deduplication refers to eliminating redundant data to reduce storage usage. Deduplication technologies analyze datasets and remove duplicate blocks or files while maintaining references to the original data. The dd utility performs raw copying and does not evaluate data redundancy or remove duplicate content. Because dd copies every sector exactly as it appears on the disk, deduplication is not part of its function.
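The real acquisition is a shell one-liner such as dd if=/dev/sdb of=evidence.raw bs=4M conv=noerror,sync followed by sha256sum on both device and image. As an added illustration (not from the exam material), the Python below models exactly that behaviour on a constructed in-memory "device" so the error-handling and hashing can be seen: a failing block is zero-filled rather than aborting the copy, and the image hash is computed during acquisition. ConstructedDevice and the sample data are this example's own stand-ins, not a real disk.

```python
import hashlib
import io
from typing import List, Tuple

BLOCK_SIZE = 4096
SAMPLE_DATA = bytes(range(256)) * 64      # 16 KiB of constructed "disk" content (4 blocks)


class ConstructedDevice:
    """Stand-in for a raw block device (constructed test data, not a real disk).
    Reads of any block number listed in bad_blocks raise OSError, the way a
    failing sector surfaces to dd."""

    def __init__(self, data: bytes, block_size: int, bad_blocks=()):
        self.data, self.block_size, self.bad = data, block_size, set(bad_blocks)
        self.pos = 0

    def read(self, n: int) -> bytes:
        block_no = self.pos // self.block_size
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)              # advance past the block even on error
        if chunk and block_no in self.bad:
            raise OSError(f"I/O error reading block {block_no}")
        return chunk


def image_device(dev, out, block_size: int) -> Tuple[str, List[int]]:
    """Copy dev to out block by block, like dd conv=noerror,sync: a failed read
    is replaced with a zero-filled block so later offsets stay aligned, short
    reads are padded, and the SHA-256 of the written image is computed as it is
    acquired."""
    digest = hashlib.sha256()
    bad, block_no = [], 0
    while True:
        try:
            chunk = dev.read(block_size)
        except OSError:
            bad.append(block_no)
            chunk = b"\0" * block_size
        if not chunk:
            break
        chunk = chunk.ljust(block_size, b"\0")   # sync: pad any short read
        out.write(chunk)
        digest.update(chunk)
        block_no += 1
    return digest.hexdigest(), bad


def source_hash() -> str:
    """Hash of the original media, taken independently for later comparison."""
    return hashlib.sha256(SAMPLE_DATA).hexdigest()


def acquire(bad_blocks=()) -> Tuple[str, List[int], bytes]:
    """Image the constructed device; returns (image hash, unreadable blocks, image bytes)."""
    out = io.BytesIO()
    digest, bad = image_device(ConstructedDevice(SAMPLE_DATA, BLOCK_SIZE, bad_blocks), out, BLOCK_SIZE)
    return digest, bad, out.getvalue()


if __name__ == "__main__":
    clean_hash, _, _ = acquire()
    print("clean image matches source:", clean_hash == source_hash())
    _, bad, _ = acquire(bad_blocks=[2])
    print("unreadable blocks recorded:", bad)
```

When the hashes match, the image is demonstrably identical to the media; when blocks were unreadable they will not match, and the list of bad blocks is what goes in the acquisition notes to explain the difference.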
Correct Answer: D
A is incorrect: Denial-of-service (DoS) attacks attempt to disrupt the availability of a system or service by overwhelming it with excessive requests or resource consumption. These attacks target service availability rather than the integrity of software dependencies. In the scenario, the organization identified a malicious package introduced into a public code repository that the application depends on. This situation does not involve service disruption through traffic flooding or resource exhaustion. Therefore, it does not represent a denial-of-service attack.
B is incorrect: Insider threats involve malicious or negligent actions performed by individuals who already have authorized access to organizational systems, such as employees, contractors, or partners. While insiders may introduce malicious code intentionally, the scenario describes a malicious package placed in a public repository that is widely used by external developers. Because the threat originates from a compromised or malicious external dependency rather than an internal actor abusing authorized access, insider threat is not the most appropriate classification.
C is incorrect: Network intrusion refers to unauthorized access to an organization's network infrastructure through exploitation, credential compromise, or other attack techniques. Network intrusions typically involve attackers gaining access to internal systems or moving laterally within an environment. In this case, the malicious activity occurs in a public code repository that provides software dependencies rather than through unauthorized network access into the organization's environment. Therefore, the issue is not primarily a network intrusion.
D is correct: Software supply chain compromise is the correct answer because it involves attackers introducing malicious components into software dependencies that organizations rely on. When a malicious package is placed into a public repository used by applications, developers may unknowingly include compromised code in their builds. Typical mechanisms include typosquatted package names, dependency confusion between internal and public package names, and hijacked maintainer accounts or build pipelines. This type of attack targets the integrity of the software development ecosystem and can affect many downstream organizations simultaneously. Security guidance for modern development environments highlights software supply chain attacks as a significant risk due to the widespread reliance on third-party libraries and open-source components; the standard mitigations are exact version pins with artifact hashes, verification of those hashes at install time, and an allowlist of expected dependencies.
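An added example (not from the exam material, and not pip itself) of the install-time check that defeats a swapped package: a deliberately simplified parser for requirements lines in the name==version --hash=sha256:<hex> form pip accepts with --require-hashes, and a verifier that refuses an archive whose hash, version, or very presence is not pinned. The archive bytes and requirements text are constructed for the example; the pinned hash is derived from the good archive inline.

```python
import hashlib
import re
from typing import Dict, List

SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)(==|>=|<=|~=|!=|>|<)?(.*)$")
HASH_PREFIX = "--hash=sha256:"

# Constructed archive bytes standing in for a downloaded wheel or sdist.
GOOD_ARCHIVE = b"PK\x03\x04 constructed archive of example-lib 1.4.2 (not a real package)"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# injected at publish time: setup.py runs a payload on install"

# Constructed requirements file; the hash pin is derived from GOOD_ARCHIVE above.
REQUIREMENTS = f"""
# pinned build dependencies
example-lib==1.4.2 {HASH_PREFIX}{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}
loose-lib>=2.0
"""


def parse_pins(requirements: str) -> Dict[str, dict]:
    """Hypothetical minimal parser: name, operator, version and sha256 pins per line."""
    pins = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, *opts = line.split()
        m = SPEC_RE.match(spec)
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        hashes = {o[len(HASH_PREFIX):] for o in opts if o.startswith(HASH_PREFIX)}
        pins[name] = {"op": op, "version": version, "hashes": hashes}
    return pins


PINS = parse_pins(REQUIREMENTS)


def verify_artifact(name: str, version: str, data: bytes, pins: Dict[str, dict]) -> List[str]:
    """Findings for one downloaded archive; an empty list means it may be installed."""
    pin = pins.get(name.lower())
    if pin is None:
        return [f"{name}: unexpected dependency, not in the pinned requirements"]
    findings = []
    if pin["op"] != "==" or pin["version"] != version:
        findings.append(f"{name}: version {version} is not exactly pinned ({pin['op'] or ''}{pin['version']})")
    if not pin["hashes"]:
        findings.append(f"{name}: no --hash pin, archive integrity cannot be verified")
    elif hashlib.sha256(data).hexdigest() not in pin["hashes"]:
        findings.append(f"{name}: sha256 mismatch, archive differs from the pinned build")
    return findings


def check_install(name: str, version: str, data: bytes) -> List[str]:
    return verify_artifact(name, version, data, PINS)


if __name__ == "__main__":
    print(check_install("example-lib", "1.4.2", GOOD_ARCHIVE) or "example-lib OK")
    print(check_install("example-lib", "1.4.2", TAMPERED_ARCHIVE))
    print(check_install("loose-lib", "2.3.0", b"whatever the index served"))
```

The hash pin is what makes the difference: a version pin alone is satisfied by a re-uploaded 1.4.2 with a payload, while a hash pin only matches the exact bytes reviewed when the pin was recorded.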
Correct Answer: C
A is incorrect: Software composition analysis (SCA) focuses on identifying vulnerabilities in third-party libraries and open-source components used within an application. It helps organizations track dependency versions and detect known vulnerabilities (CVEs) associated with external components. While SCA is an important component of a secure development program, it specifically addresses risks associated with third-party software dependencies rather than analyzing the organization’s own application code for vulnerabilities. Since the environment previously had little security oversight, the primary need is a foundational testing method that evaluates the security of the internally developed code base. Therefore, SCA alone would not provide the broad coverage required for establishing an initial software security testing program.
B is incorrect: Code obfuscation is a defensive technique used to make application code more difficult to understand or reverse engineer. It modifies the structure of the code without changing its functionality, typically by renaming variables, altering control flows, or encrypting portions of the code. While obfuscation can help protect intellectual property and reduce the effectiveness of reverse engineering, it is not a security testing method. It does not identify vulnerabilities or weaknesses within the codebase and therefore would not help the engineer establish a security testing program in an environment with little oversight.
C is correct: Static analysis is the correct answer because it evaluates application source code, bytecode, or compiled code without executing the program. Static Application Security Testing (SAST) tools analyze the code to identify potential vulnerabilities such as insecure coding practices, buffer overflows, injection flaws, and improper error handling. In an environment that previously lacked oversight, static analysis is particularly valuable because it can be integrated early in the development lifecycle (in the IDE and in CI) and applied across the entire codebase to identify systemic issues. Establishing static analysis as part of a secure development program provides broad visibility into coding flaws and helps developers address security weaknesses before deployment. The caveat is that SAST produces false positives; rules should be tuned and findings triaged, otherwise developers learn to ignore the output and the program loses its value.
D is incorrect: Dynamic analysis involves testing a running application to identify vulnerabilities during execution. Dynamic Application Security Testing (DAST) tools simulate attacks against deployed or running applications to observe how they behave under different conditions. While dynamic analysis is valuable for identifying runtime vulnerabilities, it typically requires a functioning application environment and does not provide direct insight into the underlying source code weaknesses. In a startup environment with minimal security oversight, static analysis is generally implemented first to identify foundational coding issues across the codebase before relying on runtime testing approaches. Therefore, dynamic analysis alone would not be the most effective initial method.
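To make the mechanism concrete, here is an added example (not a real SAST product and not from the exam material) of the kind of rule a static analyser applies: it walks the Python AST of a source file without running it and flags calls that commonly lead to command or code injection, while leaving the safe argument-list form of subprocess alone. The rule identifiers and the sample source are constructed for this illustration.

```python
import ast
from typing import List, Tuple

# Rule IDs are invented for this example.
DANGEROUS_CALLS = {
    "eval": "PY001 eval()/exec() on data",
    "exec": "PY001 eval()/exec() on data",
    "os.system": "PY002 os.system() shell command",
    "pickle.loads": "PY003 unpickling untrusted data",
}

# Constructed sample with three flaws and one safe call (line numbers in comments).
SAMPLE = """\
import os, subprocess
def handler(req):
    cmd = "ls " + req.args["dir"]
    os.system(cmd)                             # line 4: command injection via cmd
    subprocess.run(cmd, shell=True)            # line 5: same flaw through subprocess
    subprocess.run(["ls", req.args["dir"]])    # line 6: argument list, no shell
    return eval(req.args["expr"])              # line 7: arbitrary code execution
"""


def _callee_name(node: ast.Call) -> str:
    """Render foo(), mod.func() and a.b.c() as dotted names; '' for anything else."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source: str, filename: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (file, line, rule) findings for every dangerous call in source."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((filename, node.lineno, DANGEROUS_CALLS[name]))
        elif name.startswith("subprocess.") and any(
            k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
            for k in node.keywords
        ):
            findings.append((filename, node.lineno, "PY005 subprocess with shell=True"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for path, line, rule in scan_source(SAMPLE, "handler.py"):
        print(f"{path}:{line}: {rule}")
```

Note what the analyser cannot tell you: whether req.args["dir"] is actually attacker-controlled at runtime. That is why the finding is a candidate for triage rather than a confirmed vulnerability, and why dynamic testing still has a place once the codebase is under control.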
Correct Answer: B
A is incorrect: Supply chain issues can affect operational continuity and may influence long-term business resilience, particularly for an online retailer that relies on logistics and inventory management. However, when prioritizing the restoration of mission-essential functions after an outage, CASP+ methodology focuses primarily on business impact as determined during the Business Impact Analysis (BIA). The BIA evaluates the financial and operational consequences of system downtime. While supply chain disruption may be a factor in operational risk, it is not the primary determinant used to prioritize which systems or services should be restored first during recovery.
B is correct: A Business Impact Analysis specifically evaluates how disruptions affect financial performance, operational capability, and organizational objectives, including revenue loss. Systems that directly generate revenue—such as payment processing, order placement, and customer-facing services—typically receive the highest restoration priority because prolonged outages directly impact the organization’s financial viability. The CASP+ guidance explains that BIA activities identify mission-essential functions and determine recovery priorities based on the magnitude of business impact, especially financial losses and operational disruption. Therefore, revenue-generating systems should be restored first when establishing recovery priorities.
C is incorrect: Warm-site operations refer to a disaster recovery strategy that provides partially preconfigured infrastructure for restoring services. While the selection of a recovery site (hot, warm, or cold) affects recovery time and operational readiness, it does not determine the priority order of restoring mission-essential functions identified by the BIA. Site type is an implementation detail of the disaster recovery plan rather than a criterion used to prioritize which functions should be restored first.
D is incorrect: Scheduled impacts to future projects represent planning considerations related to project management or development roadmaps. However, a BIA focuses on the immediate operational and financial consequences of system downtime, not on the effect that outages may have on planned initiatives. Future project timelines are therefore not a primary factor when establishing recovery priorities for mission-essential functions during incident recovery or disaster restoration.
Correct Answer: B
A is incorrect: Validating the server certificate and trust chain relates to TLS/SSL security and ensures that encrypted communications are trusted and not subject to man-in-the-middle attacks. While certificate validation is an important security control for web servers, it does not address the specific attack pattern shown in the request. The example indicates an attempt to traverse directories to access sensitive files, which is unrelated to certificate trust mechanisms.
B is correct: Validating the input and confining the resolved path to the base directory is the correct defense. The request ../../../../etc/shadow is a directory (path) traversal attempt: the attacker supplies dot-dot segments so that the web server walks out of its document root and returns a sensitive system file, here /etc/shadow, which holds the password hashes. Simply concatenating the raw input onto the base path is not enough, because the ../ segments still take effect after concatenation; the server must canonicalize the path (decode percent-encoding such as %2e%2e%2f, normalize it, resolve symlinks) and then verify that the result still lies within the allowed base directory, rejecting anything that escapes. Done that way, user-supplied paths cannot reach files outside the intended directory structure.
C is incorrect: Validating that the server is not deployed with default account credentials addresses authentication weaknesses that attackers could exploit to gain administrative access. Although removing default credentials is an important security best practice, it does not mitigate directory traversal attempts that exploit improper input validation in web applications. Therefore, it does not address the attack pattern shown.
D is incorrect: Validating that multifactor authentication (MFA) is enabled for all user accounts improves authentication security and protects against credential compromise. However, MFA is relevant to login authentication processes rather than HTTP requests attempting to access local system files through directory traversal. Consequently, enabling MFA would not prevent the type of attack observed in the traffic log.
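An added example (not from the exam material) showing the naive concatenation beside the hardened resolution described for answer B. WEB_ROOT is a hypothetical document root; the function names are this example's own. The hardened version decodes percent-encoding, normalizes the path, resolves symlinks with realpath, and only then checks that the result is still inside the root.

```python
import os
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"       # hypothetical document root


def naive_join(base: str, user_path: str) -> str:
    """The vulnerable pattern: the request path is appended to the base and served."""
    return base + "/" + user_path


def naive_resolve(base: str, user_path: str) -> str:
    """What the OS actually opens for the naive join, once '..' is applied."""
    return os.path.normpath(naive_join(base, user_path))


def resolve_under_base(base: str, user_path: str) -> str:
    """Canonicalise the request and refuse anything that leaves base."""
    decoded = user_path
    for _ in range(3):                       # %2e%2e and %252e%252e both end up as '..'
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\0" in decoded:
        raise PermissionError("NUL byte in path")
    decoded = decoded.replace("\\", "/")     # treat backslash as a separator as well
    if decoded.startswith("/"):
        raise PermissionError("absolute path not allowed")   # os.path.join would drop base
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, posixpath.normpath(decoded)))
    # realpath follows symlinks, so a link inside base that points at /etc is caught too
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    return target


def is_rejected(base: str, user_path: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        resolve_under_base(base, user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    attack = "../../../../etc/shadow"
    print("naive serves:", naive_resolve(WEB_ROOT, attack))
    print("hardened rejects:", is_rejected(WEB_ROOT, attack))
    print("hardened allows:", resolve_under_base(WEB_ROOT, "images/logo.png"))
```

The check is on the canonical result, not on the input: blocklisting the literal string "../" misses encoded and mixed-separator variants, whereas comparing the resolved path against the root catches all of them.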
Correct Answer: D
A is incorrect: Anonymous internal routing allows systems to communicate within the network without strong identity verification or explicit authorization checks. While routing mechanisms determine the path traffic takes across the network, they do not enforce fine-grained access controls between subjects and resources. CASP+ architectural guidance stresses identity-based access decisions and controlled authorization policies rather than implicit trust based on network presence. Anonymous routing therefore fails to limit resource exposure to explicitly approved entities.
B is incorrect: Open internal trust by default reflects a traditional perimeter-based security model in which systems inside the network are automatically trusted. This approach significantly increases the risk of lateral movement once an attacker gains access to any internal system. CASP+ security architecture promotes Zero Trust principles where trust is never assumed and every access request must be verified and authorized. A default trust model directly contradicts these principles and therefore does not adequately limit exposure of internal resources.
C is incorrect: Shared subnet access allows multiple systems to operate within the same network segment and communicate freely with one another unless additional controls are implemented. While subnets can support segmentation at a basic level, shared subnet access without strict policies enables broad communication and potential lateral movement. CASP+ architectural principles emphasize granular authorization and identity-based controls rather than relying solely on network topology for access control. Therefore, shared subnet access alone does not sufficiently restrict access to approved subjects and objects.
D is correct: Defined subject-object relationships under a Zero Trust architecture enforce explicit authorization policies that determine which identities (subjects) may access specific resources (objects). Access decisions are based on verified identity, device posture, and policy evaluation rather than network location. CASP+ materials emphasize Zero Trust as a model that eliminates implicit trust and ensures every interaction between systems is authenticated and authorized. By defining explicit relationships between subjects and objects, this architecture minimizes exposure of internal resources and limits access strictly to approved entities.
Correct Answer: C
A is incorrect: Reverse ARP (RARP) is a legacy networking protocol used for resolving a device’s IP address from its MAC address. It was historically used by diskless systems to obtain an IP configuration during boot. However, RARP does not evaluate device health, management status, or security posture. CASP+ architecture guidance emphasizes identity and posture-aware access controls for modern enterprise environments. Therefore, RARP does not support enforcing access decisions based on device security posture.
B is incorrect: NAT overload (also known as Port Address Translation) allows multiple internal hosts to share a single public IP address by translating source ports. This capability primarily addresses IP address conservation and basic network connectivity between internal and external networks. NAT does not assess device health, endpoint compliance, or management status. As a result, NAT overload does not provide the security control necessary to ensure that only managed and compliant devices can access sensitive applications.
C is correct: Device posture validation ensures that endpoint security conditions—such as patch level, endpoint protection status, device management enrollment, or configuration compliance—are evaluated before granting access to sensitive resources. This capability is commonly implemented through network access control (NAC) or zero trust access systems, where access decisions incorporate device health and identity context. CASP+ materials emphasize conditional access and posture-based controls as mechanisms to protect sensitive systems and prevent compromised or unmanaged devices from connecting to critical applications. Therefore, device posture validation in access decisions best supports the requirement.
D is incorrect: BGP communities are routing attributes used by network operators to tag and influence routing policies between autonomous systems. They are primarily used for traffic engineering, route filtering, and policy-based routing decisions in large networks. BGP communities do not evaluate endpoint device security posture or enforce application access control policies. Consequently, they do not support ensuring that only healthy, managed devices can reach sensitive applications.
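The two preceding answers (explicit subject-object relationships, and device posture as an input to the access decision) are two halves of the same policy engine, so here is one added example covering both. It is not from CASP+ material or any product: a default-deny evaluator with an explicit (role, resource, action) allowlist and posture gates a NAC or ZTNA broker would apply. Subjects, devices, the policy entries and the fixed evaluation date are constructed for the illustration; note that the subject's source IP is carried but never consulted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    source_ip: str            # deliberately NOT consulted: network location is not trust


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in MDM / asset inventory
    edr_running: bool
    last_patch: date
    disk_encrypted: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Explicit subject-object relationships: (role, resource, action).
# Anything not listed is denied, whatever subnet the request comes from.
POLICY: Set[Tuple[str, str, str]] = {
    ("finance", "payroll-db", "read"),
    ("finance", "payroll-db", "write"),
    ("helpdesk", "ticketing", "read"),
    ("helpdesk", "ticketing", "write"),
}

MAX_PATCH_AGE = timedelta(days=30)


def posture_ok(device: Device, today: date) -> Tuple[bool, str]:
    """Device health checks evaluated before any authorization decision."""
    if not device.managed:
        return False, "device is not managed"
    if not device.edr_running:
        return False, "endpoint protection not running"
    if today - device.last_patch > MAX_PATCH_AGE:
        return False, f"patch level older than {MAX_PATCH_AGE.days} days"
    if not device.disk_encrypted:
        return False, "disk not encrypted"
    return True, "compliant"


def evaluate(subject: Subject, device: Device, resource: str, action: str, today: date) -> Decision:
    """Default deny: posture first, then an explicit subject-object grant."""
    ok, why = posture_ok(device, today)
    if not ok:
        return Decision(False, f"deny: {why}")
    if not any((role, resource, action) in POLICY for role in subject.roles):
        return Decision(False, f"deny: no policy grants {action} on {resource} to {subject.user}")
    return Decision(True, f"allow: {subject.user} may {action} {resource} from a compliant device")


# Constructed sample data; TODAY is fixed so the posture check is deterministic.
TODAY = date(2026, 6, 22)
COMPLIANT = Device(managed=True, edr_running=True, last_patch=date(2026, 6, 10), disk_encrypted=True)
UNMANAGED = Device(managed=False, edr_running=False, last_patch=date(2026, 1, 5), disk_encrypted=False)
ALICE = Subject("alice", frozenset({"finance"}), "10.0.5.23")   # on the "internal" subnet
BOB = Subject("bob", frozenset({"helpdesk"}), "10.0.5.24")      # same subnet as alice

if __name__ == "__main__":
    for subj, dev, res, act in (
        (ALICE, COMPLIANT, "payroll-db", "read"),
        (ALICE, UNMANAGED, "payroll-db", "read"),
        (BOB, COMPLIANT, "payroll-db", "read"),
        (BOB, COMPLIANT, "ticketing", "write"),
    ):
        print(evaluate(subj, dev, res, act, TODAY).reason)
```

Bob and Alice share a subnet, yet Bob is refused payroll-db because no relationship between his role and that object exists; Alice is refused from an unmanaged laptop even though her identity is authorized. Both refusals are what the "anonymous routing" and "open trust by default" options would have allowed.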
