Latest Update: Jun 22 2026
Correct Answer: D
A is incorrect: Cable testing is a physical-layer network diagnostic process used to verify connectivity and signal integrity in network cables. It ensures that cables are correctly wired and functioning but does not analyze software dependencies or application code. CASP+ security practices for DevSecOps emphasize integrating security controls into the software development lifecycle to detect vulnerabilities in code and third-party components. Because cable testing operates at the infrastructure level and not within software pipelines, it does not help detect vulnerable open-source packages.
B is incorrect: Port scanning is a network reconnaissance technique used to identify open ports and services on systems. Security teams may use it for vulnerability assessments to identify exposed services or potential attack surfaces. However, port scanning evaluates running network services rather than analyzing software libraries used within application code. CASP+ DevSecOps guidance focuses on integrating code-level security checks within build pipelines to detect insecure dependencies. Therefore, port scanning does not identify vulnerable open-source packages before release.
C is incorrect: NetFlow analysis monitors and records network traffic patterns between systems. It is useful for detecting anomalies, understanding network behavior, and supporting incident investigations. However, NetFlow data focuses on traffic flows and communication patterns rather than the composition of application code or software dependencies. CASP+ security operations materials highlight monitoring tools like NetFlow for network visibility but not for identifying vulnerable third-party libraries. Consequently, NetFlow analysis does not address the DevSecOps requirement described in the question.
D is correct: Software Composition Analysis (SCA) tools examine application dependencies and open-source libraries used during development. These tools compare package versions against vulnerability databases to identify known security issues before the software is released. CASP+ guidance on secure development emphasizes integrating automated security testing tools into CI/CD pipelines to detect vulnerabilities early in the development lifecycle. By identifying insecure or outdated open-source components prior to deployment, SCA helps organizations reduce supply chain risk and improve application security. Therefore, software composition analysis best supports detecting vulnerable open-source packages before release.
Correct Answer: B
A is incorrect: Feature delay due to extended software development cycles refers to operational or project management risks associated with software development timelines. This type of risk typically affects product delivery schedules or engineering productivity. In the scenario, the vendor's primary role is moving office equipment and interacting with the organization through an API to access customer-related information. There is no indication that the vendor participates in software development activities. Therefore, development delays would not be the most relevant risk identified during the assessment.
B is correct: Financial liability from a vendor data breach is the correct answer because the vendor has access to customer data and business systems through an API, yet the assessment revealed the vendor lacks cybersecurity insurance and experiences high IT staff turnover. These conditions increase the likelihood that a security incident could occur due to weak operational controls or inconsistent security practices. If the vendor suffers a breach that exposes customer data, the organization could face regulatory penalties, legal claims, and reputational damage. The absence of cybersecurity insurance also increases the financial exposure because the vendor may lack the resources to compensate for damages resulting from a breach.
C is incorrect: Technical impact to the API configuration refers to operational risks related to misconfigured APIs or integration failures. While APIs can introduce security risks if improperly configured, the scenario does not indicate any specific technical weakness in the API configuration itself. Instead, the assessment findings focus on the vendor’s lack of cybersecurity insurance and high staff turnover, which are indicators of organizational security maturity and operational risk. Therefore, the primary concern is not the API configuration but the vendor’s ability to properly safeguard the data it accesses.
D is incorrect: The possibility of the vendor's business ceasing operations relates to business continuity or vendor viability risks. While high staff turnover could potentially affect business stability, the scenario does not provide evidence that the vendor is financially unstable or likely to cease operations. The more immediate concern is the vendor's access to sensitive customer data combined with insufficient cybersecurity risk coverage. Consequently, the most significant identified risk is the organization's potential financial liability resulting from a vendor-related data breach.
Correct Answer: D
A is incorrect: Public anonymous uploads allow anyone to contribute or upload code artifacts without verified identity or integrity validation. This approach introduces significant supply chain risk because malicious or modified dependencies could be inserted into the build process. CASP guidance emphasizes controlling the integrity of software components and verifying their origin, which anonymous uploads clearly fail to support.
B is incorrect: Manual copy-paste of libraries from external sources is a highly insecure development practice. It bypasses dependency management systems, version control, and integrity verification mechanisms. This method also increases the likelihood of introducing outdated, vulnerable, or malicious code into the application. CASP secure development guidance stresses automated validation and integrity checking rather than manual processes that are prone to human error.
C is incorrect: Shared build credentials allow multiple users or systems to access build infrastructure using the same authentication identity. While this might simplify operational access, it introduces accountability and security risks because actions cannot be attributed to a specific entity. It also does not validate the authenticity or integrity of application dependencies. Secure development practices emphasize individual authentication and controlled build pipelines rather than shared credentials.
D is correct: Artifact signing and provenance verification ensure that software dependencies originate from trusted sources and have not been tampered with. In this model, artifacts such as libraries or build outputs are cryptographically signed by trusted publishers, and the build system verifies both the signature and the provenance metadata before allowing them into the pipeline. This practice protects the software supply chain by ensuring integrity, authenticity, and traceability of dependencies. CASP secure development guidance highlights cryptographic verification and supply chain integrity controls as critical measures for protecting application dependencies.
Correct Answer: C
A is incorrect: Implementing least privilege ensures users only have the minimum permissions necessary to perform their duties. While this principle reduces excessive permissions and limits potential misuse, it does not inherently prevent developers from deploying artifacts directly to production if deployment rights are still part of their assigned privileges. Least privilege is an important foundational control but does not specifically enforce operational separation between development and production responsibilities. Therefore, it does not fully address the objective described in the scenario.
B is incorrect: Security awareness training helps users understand security risks, organizational policies, and safe operational behaviors. Although this can improve overall security culture and reduce human error, training alone does not technically prevent developers from deploying artifacts into production environments. The requirement in the scenario is to enforce a structural control within the development and deployment process. Consequently, awareness training would not be sufficient to accomplish this objective.
C is correct: Separation of duties ensures that critical tasks are divided among multiple individuals or roles so that no single person has complete control over sensitive processes. In a secure development lifecycle, this often means developers can create code but cannot directly deploy it into production environments. Instead, deployment activities are handled by separate release management or operations teams, or through controlled CI/CD pipelines requiring approvals. By enforcing policies and systems that separate development from production deployment privileges, the organization prevents developers from directly introducing artifacts into production. This directly meets the requirement described in the scenario.
D is incorrect: Job rotation is a governance control designed to reduce fraud and increase organizational resilience by periodically moving employees between roles. While it can help detect irregular activities and broaden operational knowledge across teams, it does not directly enforce restrictions on deployment privileges or access to production systems. Because the scenario requires preventing developers from deploying artifacts into production, job rotation would not provide the necessary technical or procedural control.
E is incorrect: Mandatory vacations are commonly used as a fraud detection control in financial and operational environments. When employees are required to take time away from their duties, irregular activities or hidden issues may become visible when another employee assumes their responsibilities. However, this practice is primarily intended for fraud detection and operational oversight rather than enforcing secure deployment controls within development pipelines. Therefore, it does not address the core requirement of preventing direct production deployments by developers.
F is incorrect: Quarterly access reviews help organizations verify that users retain appropriate permissions and that unnecessary privileges are removed. While these reviews support governance and compliance, they occur periodically rather than enforcing continuous operational control. Developers could still deploy artifacts into production between review cycles if they retain the necessary permissions. Because the objective requires preventing this capability entirely, periodic access reviews alone are insufficient compared with implementing separation of duties.
Correct Answer: B
A is incorrect: Simulators are typically used in cybersecurity training environments to emulate attacks or system behavior for educational or testing purposes. While they can help analysts practice responding to incidents, simulators do not analyze real malware samples or generate indicators of compromise. Because the objective in the scenario is to build a list of IoCs related to malware affecting similar organizations, simulators would not provide the necessary analysis of malicious code.
B is correct: Sandbox detonation involves executing suspected malware within a controlled and isolated environment to observe its behavior. During this process, analysts can collect artifacts such as file hashes, registry changes, command-and-control domains, network indicators, and other behavioral characteristics. These artifacts form indicators of compromise that can be used to detect similar malware across organizational systems. Since the organization wants to develop a comprehensive list of IoCs related to malware observed in the industry, detonating malware samples in a sandbox is the most appropriate approach.
C is incorrect: Antivirus solutions are designed primarily to detect and remove known malware based on signature databases or heuristic detection methods. While antivirus tools may identify known threats, they do not typically provide detailed behavioral analysis or generate comprehensive IoC lists for newly discovered malware campaigns. Therefore, antivirus alone would not be the most effective tool for developing a detailed set of indicators related to the threat.
D is incorrect: Endpoint Detection and Response (EDR) platforms monitor endpoint activity and help detect suspicious behavior across systems. EDR tools can assist with investigation and threat hunting by identifying potential compromise indicators already present in the environment. However, the scenario focuses on developing a list of IoCs related to malware seen in the industry rather than detecting existing compromises. Sandbox analysis is more appropriate for generating those IoCs before deploying detection across endpoints.
E is incorrect: Identity and access management (IAM) is a broad framework that encompasses authentication, authorization, identity lifecycle management, and access governance. While the described policy is part of an IAM program, the specific security principle being enforced is least privilege, which ensures that only necessary access is maintained. Therefore, IAM is too general to best describe the practice highlighted in the scenario.
Correct Answer: A
A is correct: The lessons learned phase occurs after an incident has been resolved and focuses on reviewing the incident, analyzing the response actions taken, and identifying improvements to prevent similar events in the future. During this phase, incident responders and stakeholders meet to discuss what occurred, what worked well, and what gaps were discovered in detection, response procedures, or controls. The scenario specifically describes a meeting after the breach to discuss findings and prevention strategies, which directly aligns with the lessons learned stage of the incident response lifecycle.
B is incorrect: Containment is an earlier phase of the incident response process that focuses on limiting the spread or impact of an active security incident. Actions taken during containment might include isolating infected systems, blocking malicious IP addresses, or disabling compromised accounts. The scenario describes a meeting held after the breach to review findings rather than actions taken during the active incident, so containment does not apply.
C is incorrect: A business impact analysis (BIA) is a process used during business continuity planning to identify critical business functions and determine the potential impact of disruptions to those functions. BIAs help organizations establish recovery priorities and define recovery time objectives. However, a BIA is not part of the incident response process following a specific breach investigation.
D is incorrect: A tabletop exercise is a discussion-based training activity used to simulate hypothetical incidents and test an organization’s preparedness and response procedures. Participants walk through scenarios to evaluate decision-making and coordination before a real incident occurs. In this case, the incident has already happened, and the stakeholders are reviewing real findings rather than participating in a simulated scenario. Therefore, this option does not describe the step in the process.
Correct Answer: B
A is incorrect: An OCSP responder is used to check the revocation status of digital certificates in real time. It allows clients to verify whether a certificate has been revoked before its expiration date by contacting the certificate authority’s OCSP service. While OCSP improves certificate revocation validation and enhances trust verification during TLS connections, it does not manage certificate expiration or renewal processes. Therefore, implementing an OCSP responder would not prevent certificates from expiring and causing recurring service interruptions.
B is correct: Life-cycle management involves systematically managing digital certificates throughout their entire life cycle, including issuance, deployment, monitoring, renewal, and revocation. Implementing certificate life-cycle management allows organizations to track certificate expiration dates and automate renewal processes before certificates expire. This reduces the risk of service disruptions caused by expired certificates and ensures consistent certificate governance across multiple systems and websites. Because the problem described involves repeated certificate expiration events, proper certificate life-cycle management is the most effective approach to prevent recurrence.
C is incorrect: Wildcard certificates allow a single certificate to secure multiple subdomains within the same domain (for example, *.example.com). While wildcard certificates can simplify certificate deployment and reduce the number of certificates that must be managed, they still have expiration dates and require renewal. If certificate management processes are weak, wildcard certificates can also expire and cause similar disruptions. Therefore, using wildcard certificates alone would not prevent the recurring issue described.
D is incorrect: Certificate pinning is a security technique used by applications to associate a specific public key or certificate with a server to prevent man-in-the-middle attacks. This mechanism ensures that clients only trust specific certificates when connecting to a service. However, certificate pinning does not address certificate expiration or automate renewal processes. In fact, if certificates expire and change without proper updates to pinned keys, pinning could cause additional connectivity issues. Therefore, certificate pinning does not solve the problem described in the scenario.
Correct Answer: B
A is incorrect: Dual responsibility (also called dual control) requires two authorized individuals to complete a sensitive operation. This control is commonly used for high-risk actions such as cryptographic key management or financial approvals. While it helps reduce fraud by requiring two parties to perform a task, it does not inherently define role-based permissions across a system nor broadly ensure that a single individual cannot accumulate excessive authority across functions. Therefore, it does not fully satisfy all of the requirements described.
B is correct: Separation of duties (SoD) divides critical tasks and privileges among multiple roles so that no single individual can complete an entire sensitive process independently. This control directly prevents fraud by ensuring that one person cannot both initiate and approve actions. It also aligns with role-based access control by assigning permissions according to defined roles, and it prevents any single entity from having complete control over a process. Because it satisfies all the stated requirements—role-based permission assignment, fraud prevention from a single person, and eliminating full access control by one entity—separation of duties is the most appropriate control.
C is incorrect: Need to know limits access to information strictly to individuals who require it to perform their job functions. This principle focuses on restricting information disclosure rather than dividing operational responsibilities. Although it supports confidentiality and reduces unnecessary access, it does not directly address the requirement of preventing a single person from performing all steps in a process.
D is incorrect: Least privilege ensures users receive only the minimum level of access required to perform their duties. This control reduces the attack surface and limits potential damage from compromised accounts. However, least privilege alone does not guarantee that responsibilities are divided across multiple individuals to prevent fraud or complete control by a single entity. Therefore, it does not fully meet all the requirements outlined in the scenario.
Select all that apply
Correct Answers: A, C, F
A is correct: Least privilege. Zero trust architectures require that access to resources be granted strictly on a least-privilege basis. Rather than assuming users or systems are trustworthy based on network location or static roles, zero trust enforces granular access permissions that limit users and services to only the resources necessary for their tasks. Implementing least privilege reduces the attack surface and limits the impact of compromised accounts or insider threats. It is a fundamental principle of zero trust security models.
B is incorrect: VPN. Virtual private networks provide encrypted tunnels that allow remote users to connect to internal networks as though they were on the corporate LAN. Traditional VPNs implicitly trust users once they authenticate and connect to the network, which contradicts the zero trust model. Zero trust architectures move away from network-level trust boundaries and instead rely on identity, device posture, and contextual verification for every access request. Therefore, VPNs are not a core requirement for implementing zero trust.
C is correct: Policy automation. Zero trust environments rely heavily on automated policy enforcement to evaluate access requests dynamically. Policy automation allows security systems to apply access decisions based on attributes such as user identity, device health, location, and behavioral context. Automated policies ensure consistent enforcement and enable real-time responses to changing risk conditions. Without automated policy evaluation and enforcement, it would be difficult to implement the dynamic and granular access controls required in a zero trust architecture.
D is incorrect: PKI. Public key infrastructure provides mechanisms for issuing and managing digital certificates used for authentication, encryption, and digital signatures. While PKI can support identity verification and secure communications within zero trust environments, it is not one of the core architectural principles required to replace trusted zones and one-time authentication. PKI may be used as a supporting technology but is not itself a defining component required to achieve the zero trust model described in the scenario.
E is incorrect: Firewall. Firewalls enforce network traffic filtering based on defined rules and are commonly used to create security perimeters or trusted network zones. However, the scenario explicitly states that the organization intends to remove trusted zones, which is a key shift in zero trust architecture. Although firewalls may still exist within network infrastructure, they are not the primary control used to enforce identity-based access decisions in a zero trust model. Therefore, a firewall alone does not achieve the objectives described.
F is correct: Continuous validation. Zero trust architectures require continuous verification of user identity, device health, and access context rather than relying on one-time authentication. Continuous validation ensures that every access request is evaluated in real time and that trust is never assumed based on prior authentication events. By constantly validating user and device attributes, organizations can detect anomalies, revoke access when risk conditions change, and maintain strict access control across the environment.
Correct Answer: C
A is incorrect: Paying the ransom does not address the underlying issue related to the recovery point objective requirement. The scenario indicates that backups occur every 48 hours, while the defined RPO is 24 hours. This means the current backup schedule does not meet the organization's disaster recovery policy. Additionally, relying on ransom payments is not considered a reliable or recommended security practice, as there is no guarantee that attackers will provide a working decryption key or that the data will be fully restored.
B is incorrect: Leaving the backup schedule unchanged would continue to violate the recovery point objective because the organization would still risk losing up to 48 hours of data in a disaster scenario. Making the file share read-only may reduce the likelihood of unauthorized modifications, but it does not solve the backup frequency problem or ensure the RPO requirement is met. The scenario specifically highlights the mismatch between the required RPO and the current backup interval.
C is correct: A recovery point objective of 24 hours means the organization must ensure that no more than 24 hours of data loss occurs in a disaster event. Since the most recent backup occurred 48 hours earlier, the organization exceeded its acceptable data loss threshold. Increasing the frequency of backups ensures that backup intervals align with or fall below the required RPO. In addition, creating SIEM alerts for indicators of compromise improves early detection of ransomware activity, allowing security teams to respond before large-scale encryption occurs. This recommendation addresses both compliance with the RPO requirement and improved detection capabilities.
D is incorrect: Decreasing the frequency of backups would worsen the problem by increasing potential data loss beyond the already noncompliant 48-hour backup interval. Furthermore, paying the ransom still fails to address the recovery objective or improve resilience against future attacks. Disaster recovery strategies emphasize improving backup strategies and detection capabilities rather than relying on attacker cooperation.
