Latest Update: Jun 22 2026
Correct Answer: A
A is correct: Static application security testing (SAST) analyzes source code or compiled code during development to identify security vulnerabilities such as injection flaws, insecure functions, and improper input validation before the software is deployed. When integrated into the SDLC and CI/CD pipelines, SAST tools can automatically detect insecure coding patterns and prevent vulnerable code from progressing through the build process. Because the gap analysis revealed missing security controls in the SDLC leading to vulnerable releases, implementing SAST directly addresses the root problem by identifying vulnerabilities early and preventing insecure code from reaching production.
B is incorrect: Regression testing verifies that new code changes do not break existing functionality. It ensures previously working features continue to operate correctly after updates or bug fixes. While regression testing is an important quality assurance practice, it focuses on functional behavior rather than identifying security vulnerabilities. Therefore, it would not effectively prevent insecure code from being deployed to production.
C is incorrect: Code signing provides assurance that software originates from a trusted developer and that the code has not been modified after signing. It ensures authenticity and integrity of distributed software packages. However, code signing does not analyze or detect vulnerabilities in the software itself. Vulnerable code can still be signed and distributed if no security testing occurs earlier in the development process.
D is incorrect: Sandboxing isolates applications or processes in a controlled environment to limit their ability to affect other systems. Sandboxing can help analyze suspicious applications or reduce the impact of potentially malicious software. However, it does not address the root issue of insecure code being introduced during development. The goal in this scenario is to prevent vulnerabilities from being deployed, which requires security testing earlier in the SDLC.
Correct Answer: C
A is incorrect: Defining the risk assessment methodology involves establishing the framework and process used to evaluate risks, including scoring models, likelihood calculations, and impact assessments. While this methodology may support vendor risk management activities, the vendor risk registry itself is not responsible for defining how risks are assessed. Instead, it serves as a repository for recording risks identified through the established methodology.
B is incorrect: Studying a variety of risks and reviewing the threat landscape is typically performed through threat intelligence analysis, risk assessments, and security monitoring activities. Although information about vendor risks may contribute to this broader understanding, the primary purpose of a vendor risk registry is not threat landscape analysis but documentation and tracking of identified vendor-related risks.
C is correct: A vendor risk registry serves as a centralized record of risks associated with third-party vendors and service providers. It documents identified risks, mitigation strategies, risk owners, and remediation status. Maintaining this registry ensures the organization consistently tracks vendor-related risks and maintains an inventory of those risks for governance, compliance, and ongoing risk management activities. CASP+ materials emphasize maintaining risk registers or registries as part of formal risk management programs to track identified risks and mitigation efforts.
D is incorrect: Ensuring that all assets have low residual risk is an objective of risk management processes rather than the function of a vendor risk registry itself. The registry records and tracks risks, but it does not guarantee that residual risk levels are minimized. Risk reduction depends on implementing mitigation strategies and controls rather than simply documenting the risks.
Select all that apply
Correct Answers: D, E
A is incorrect: Code signing ensures that compiled code or software packages have not been altered and verifies the authenticity of the developer who produced them. While this protects the integrity and origin of software artifacts, it does not enforce coding standards or prevent configuration drift during development. Code signing typically occurs later in the release pipeline and does not directly validate source code formatting or enforce configuration consistency.
B is incorrect: Fuzzers are testing tools that send random or malformed inputs to applications in order to identify crashes or vulnerabilities such as buffer overflows or input handling flaws. Although fuzzing is valuable for identifying runtime vulnerabilities, it does not address configuration drift or enforce coding standards. Therefore, fuzzing does not directly meet the objectives described in the CI/CD requirements.
C is incorrect: Dynamic code analysis (DAST) evaluates running applications by interacting with them during execution to identify security vulnerabilities. While this helps detect issues in deployed or staging environments, it does not enforce coding standards or prevent configuration drift in source code repositories. Dynamic analysis focuses on runtime behavior rather than maintaining code quality or configuration consistency during development.
D is correct: Manual approval processes introduce governance controls within a CI/CD pipeline to ensure that code changes, configuration updates, or releases are reviewed and approved before being merged or deployed. This can help prevent configuration drift by ensuring that all changes follow documented procedures and are validated before entering production environments. CASP+ materials emphasize change management and approval workflows as mechanisms to control configuration changes and maintain system integrity.
E is correct: Linters analyze source code to enforce coding standards, formatting rules, and best practices automatically during development or CI/CD builds. They help ensure developers follow predefined coding conventions and reduce the risk of inconsistent or insecure code patterns. Linters directly address the requirement to enforce coding standards within automated pipelines.
F is incorrect: Regression testing ensures that previously functioning features continue to work after code changes are introduced. Although regression testing helps maintain functional stability across software updates, it does not prevent configuration drift or enforce coding style or standards. Its purpose is validating functionality rather than maintaining coding discipline or configuration governance.
Correct Answer: A
A is correct: User and Entity Behavior Analytics (UEBA) uses machine learning and behavioral analytics to analyze logs, authentication events, and system activity to detect anomalous behavior associated with users or systems. UEBA platforms aggregate and correlate data from multiple log sources to establish behavioral baselines and quickly identify suspicious activity tied to specific accounts or entities. In the scenario, the security team had to manually analyze many logs to attribute malicious activity to employees. Implementing UEBA would automate correlation and behavioral analysis, significantly streamlining the process of identifying suspicious user activity in future investigations.
B is incorrect: A Hardware Security Module (HSM) is a specialized device used to securely generate, store, and manage cryptographic keys. HSMs are typically used for certificate authorities, encryption key management, and secure cryptographic operations. While HSMs enhance cryptographic security, they do not analyze logs or correlate user activity across systems, so they would not help streamline forensic log analysis.
C is incorrect: A Host-based Intrusion Prevention System (HIPS) monitors and protects individual hosts by detecting and preventing malicious activity on that system. HIPS focuses on endpoint protection by blocking suspicious behavior such as unauthorized system calls or file modifications. However, it does not aggregate logs from multiple systems or provide large-scale behavioral analytics needed to identify patterns across multiple employees or systems during incident investigations.
D is incorrect: Extended Detection and Response (XDR) integrates telemetry from multiple security tools such as endpoints, networks, and cloud systems to improve threat detection and response. While XDR can provide cross-platform threat correlation, its primary focus is threat detection and response across security tools rather than analyzing behavioral patterns specifically tied to users and entities. The scenario emphasizes correlating activities to specific employees, which aligns more directly with UEBA capabilities.
E is incorrect: Operations security (OPSEC) training educates personnel about protecting sensitive information and preventing inadvertent disclosure of operational details. While useful for improving employee awareness and reducing insider risk, training would not help automate or streamline the analysis of logs following a breach investigation. The problem described relates to inefficient log correlation rather than a lack of employee awareness.
Correct Answer: B
A is incorrect: ITIL (Information Technology Infrastructure Library) is a framework focused on IT service management (ITSM). It provides guidance for service lifecycle management, incident management, change management, and operational processes. While useful for managing IT services and operational workflows, ITIL does not provide a taxonomy of attacker behaviors or adversary techniques used during cyber intrusions. Therefore, it does not support threat attribution or technique mapping in security investigations.
B is correct: MITRE ATT&CK is a globally recognized knowledge base that documents adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks. Security teams use the framework to map observed attacker behaviors—such as privilege escalation, lateral movement, or command execution—to known techniques, helping analysts understand attacker methodologies and potentially attribute activity to threat groups. CASP security operations guidance highlights the use of threat intelligence frameworks like MITRE ATT&CK to classify attacker behavior and improve investigation, detection engineering, and threat hunting.
C is incorrect: COBIT (Control Objectives for Information and Related Technologies) is a governance and management framework for enterprise IT. It focuses on aligning IT processes with business goals, risk management, and compliance. While valuable for governance and control frameworks, COBIT does not provide a detailed taxonomy of adversary techniques or operational threat intelligence for investigations.
D is incorrect: PCI DSS (Payment Card Industry Data Security Standard) is a compliance framework designed to protect payment card data within organizations that process, store, or transmit cardholder information. It defines security requirements such as encryption, access controls, and monitoring, but it does not provide threat intelligence mappings or adversary technique classifications used for investigative attribution.
Correct Answer: D
A is incorrect: Proxies act as intermediaries between clients and external services, often providing capabilities such as content filtering, caching, and traffic inspection. While proxies can generate logs about web requests and responses, they typically monitor only traffic passing through the proxy itself. They do not collect or aggregate telemetry from diverse sources such as endpoints, cloud workloads, and network infrastructure devices across an enterprise environment. Therefore, a proxy does not fulfill the requirement for centralized telemetry collection and analysis.
B is incorrect: Firewalls enforce network access control by allowing or blocking traffic based on defined policies such as IP addresses, ports, and protocols. Firewalls also generate logs that can help detect suspicious network activity. However, they primarily monitor network traffic at specific network boundaries and do not provide a platform for aggregating telemetry from multiple security domains such as endpoints, cloud workloads, and infrastructure devices. As a result, a firewall alone does not meet the requirement for centralized security analysis.
C is incorrect: Routers direct network traffic between different networks based on routing tables and protocols. While routers may generate operational logs related to routing events or connectivity issues, they are not designed to collect, correlate, and analyze security telemetry from multiple systems across an enterprise. Since the requirement involves centralized analysis of telemetry from endpoints, networks, and cloud workloads, routers do not provide the necessary capability.
D is correct: Security Information and Event Management (SIEM) platforms are designed specifically to collect, aggregate, and analyze security telemetry from multiple sources across an organization. SIEM systems ingest logs and event data from endpoints, cloud services, applications, and network devices, normalize the data, and apply correlation rules and analytics to detect suspicious activity. This centralized visibility enables SOC teams to monitor enterprise-wide security events and respond to potential threats more effectively. Security operations guidance identifies SIEM as the primary solution for centralized log collection and cross-domain security analysis.
Correct Answer: A
A is correct: A Privacy Impact Assessment (PIA) evaluates how a system collects, processes, stores, and shares personal data, and identifies potential privacy risks or regulatory compliance issues. PIAs are designed to assess data protection concerns and recommend mitigation measures to ensure the system adheres to privacy laws and organizational policies. For a new system handling personal data, a PIA is the most appropriate method to identify privacy risks before deployment.
B is incorrect: A wireless vulnerability scan evaluates the security of wireless networks, such as encryption strength, rogue access points, or misconfigured settings. While important for network security, it does not assess how personal data is processed, stored, or shared, and therefore does not address privacy risk.
C is incorrect: Static route analysis examines network routing tables to verify paths and network reachability. Although useful for network troubleshooting and security configuration review, static route analysis does not evaluate data processing or privacy implications of a system.
D is incorrect: A penetration retest (or retesting) simulates attacks against a system to verify vulnerabilities have been remediated. While it helps identify security weaknesses, it does not specifically assess privacy risks or the handling of personal data. Therefore, it is not the most suitable assessment for privacy compliance.
Correct Answer: D
A is incorrect: Implementing a change management plan ensures that systems are updated in a controlled manner and that configuration or software changes are documented and approved. Change management supports operational stability and reduces configuration-related risks. However, it does not address the foundational requirement of determining what systems or processes must be protected in a disaster recovery strategy. Before implementing operational controls such as change management within a recovery environment, the organization must first determine which business functions are critical and what technology resources support them. Therefore, change management is useful later in the recovery planning process but not the first step.
B is incorrect: Hiring additional on-call staff could help during an incident by providing personnel to respond to outages or execute recovery procedures. However, staffing decisions should occur only after the organization understands the scope of the disaster recovery plan, the systems involved, and the operational requirements for restoring services. Without first identifying the critical processes and associated technology dependencies, the organization cannot determine what skill sets or staffing levels are required. As a result, this option does not represent the initial planning activity for a disaster recovery strategy.
C is incorrect: Designing a warm site is a valid disaster recovery strategy that provides a partially prepared recovery environment with hardware and connectivity available for rapid activation. However, selecting a recovery site strategy—such as cold, warm, or hot sites—must occur after the organization determines the critical business processes, recovery objectives, and infrastructure requirements. Without first identifying what systems must be restored and how quickly they must be available, the organization cannot appropriately design or size a warm site. Therefore, designing the recovery site is a later architectural decision rather than the first planning step.
D is correct: Identifying critical business processes and determining associated software and hardware requirements is the correct first step because disaster recovery planning begins with understanding what business functions are essential to the organization’s operations. This process is typically part of a business impact analysis (BIA), which identifies critical processes, system dependencies, and required recovery objectives. Once these processes and supporting systems are identified, the organization can determine backup requirements, recovery time objectives, recovery point objectives, infrastructure needs, and appropriate recovery sites. Because the scenario requires data to be backed up and available immediately during a disaster, identifying the critical processes and their supporting technology is necessary before any recovery architecture or staffing decisions can be made.
Correct Answer: C
A is incorrect: Web application firewalls (WAFs) protect running web applications by filtering and inspecting HTTP requests for malicious patterns such as injection attacks or cross-site scripting attempts. WAFs operate at runtime and are designed to block attacks targeting deployed applications. They do not analyze application dependencies or identify vulnerabilities within open-source libraries used during development. Since the requirement is to detect vulnerabilities in dependencies before the application is built and deployed, a WAF does not address the objective.
B is incorrect: Dynamic application security testing (DAST) analyzes running applications by sending requests and observing responses to identify vulnerabilities such as injection flaws or authentication issues. DAST tools operate during runtime testing stages and focus on vulnerabilities present in the application’s behavior. However, they do not specifically analyze third-party libraries or open-source dependencies used during the build process. Because the scenario focuses on identifying vulnerable dependencies prior to deployment, DAST is not the most appropriate solution.
C is correct: Software composition analysis (SCA) is the correct answer because it specifically evaluates open-source libraries and third-party dependencies included in an application. SCA tools analyze dependency manifests and package repositories to identify known vulnerabilities, outdated components, and licensing risks before the application is built or deployed. By integrating into CI/CD pipelines, SCA helps development teams detect insecure or compromised libraries early in the software supply chain and prevent vulnerable components from entering production environments.
D is incorrect: Static application security testing (SAST) analyzes application source code to identify vulnerabilities such as insecure coding practices, logic flaws, or improper input validation. While SAST is valuable for identifying issues within the code written by developers, it does not primarily focus on identifying vulnerabilities in external open-source libraries or dependencies. Since the requirement specifically involves detecting vulnerabilities in open-source components before deployment, SAST does not provide the most targeted solution.
Correct Answer: A
A is correct: Security Information and Event Management (SIEM) platforms aggregate logs and security telemetry from multiple systems, cloud services, and applications into a centralized platform for analysis and monitoring. In environments with many platforms and vendors, SIEM provides the internal security team with unified visibility by collecting event logs, correlating security events, and generating alerts for suspicious activity. This capability allows analysts to monitor activity across heterogeneous environments, including cloud workloads, identity services, and network infrastructure. CASP+ guidance highlights SIEM as a core enterprise capability for centralized security monitoring, log correlation, and detection across diverse systems.
B is incorrect: Cloud Security Posture Management (CSPM) focuses primarily on identifying misconfigurations and compliance issues within cloud infrastructure. While it provides visibility into configuration and security posture across cloud resources, it does not provide the same centralized event monitoring and real-time security analytics that SIEM solutions deliver. Therefore, CSPM alone would not fully satisfy the requirement for broad operational security visibility across multiple platforms.
C is incorrect: SNMPv2 monitoring and log aggregation can collect some operational metrics and logs from devices and services. However, SNMPv2 is primarily used for network management and lacks robust security features and advanced correlation capabilities. It does not provide the centralized analytics, threat detection, and security-focused event correlation that a SIEM platform offers in enterprise environments.
D is incorrect: Managed Detection and Response (MDR) services provide outsourced monitoring and incident response capabilities through a third-party provider. While MDR can enhance threat detection and response, it does not ensure that the internal security team maintains direct visibility into all platforms. The scenario specifically requires the internal team to have centralized visibility, making MDR less aligned with the objective.
