CompTIA SecurityX CAS-004 — Questions 901-975

1000 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901
MCQmedium

During a penetration test, the tester has gained initial access to a network and now aims to move laterally to a sensitive database server. Which phase of the penetration testing lifecycle does this activity represent?

A.Exploitation
B.Post-exploitation
C.Reporting
D.Reconnaissance
AnswerB

Lateral movement takes place after initial access, in the post-exploitation phase.

Why this answer

Post-exploitation covers what the tester does once a foothold exists: privilege escalation, persistence, pivoting and lateral movement toward higher-value targets such as the database server. Exploitation is the act of gaining the initial access, reconnaissance precedes it, and reporting follows the engagement.

902
MCQhard

During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?

A.Inability to prioritize security investments.
B.Loss of customer trust.
C.Non-compliance with regulatory fines.
D.Increased likelihood of successful attacks.
AnswerC

Many regulations require periodic risk assessments; failure to conduct them can result in significant fines and penalties.

Why this answer

Option C is correct because regulatory fines can be substantial and are directly tied to compliance requirements, making it the most significant risk.

903
MCQmedium

A security analyst is conducting a threat hunt based on the hypothesis that an adversary may have used PowerShell to execute malicious scripts. Which threat hunting methodology is being employed?

A.IoC-driven hunting
B.TTP-driven hunting
C.Baseline-driven hunting
D.Hypothesis-driven hunting
AnswerD

The hunt begins with a hypothesis about specific adversary behavior.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about potential adversary behavior, then searches for evidence. The analyst is hypothesizing that PowerShell was abused.

904
MCQeasy

A security engineer is integrating API security for a RESTful service. Which mechanism is used to verify that the API request has not been tampered with and originates from a legitimate client?

A.OAuth 2.0 authorization code
B.API key in query parameter
C.JWT
D.Rate limiting
AnswerC

The JWT signature lets the server verify that the token was issued by the expected party and has not been altered.

Why this answer

A JWT carries claims plus a signature (HMAC or asymmetric) computed over its header and payload, so the server can check the integrity and authenticity of the token. Note the scope: the signature covers the token, not the surrounding request, so TLS or explicit request signing is still needed for the rest of the message. An API key in a query parameter is a bearer secret with no integrity check, rate limiting is an availability control, and the OAuth 2.0 authorization code is only an artifact used to obtain a token.

905
MCQhard

A company is designing a hybrid cloud architecture with AWS and an on-premises data center. They need to ensure that all data transmitted between environments is encrypted and that the connection is resilient. Which design should the architect choose?

A.Deploy a single MPLS connection with network-based encryption
B.Set up a single AWS Direct Connect connection and rely on the provider's encryption
C.Establish multiple redundant IPsec VPN tunnels to the VPC
D.Use an SSL VPN tunnel from the on-premises firewall to the VPC
AnswerC

Redundant IPsec tunnels provide both encryption and resilience.

Why this answer

IPsec tunnels negotiated with IKEv2 provide encryption and mutual authentication, and running several in parallel to different VPN endpoints gives failover. Direct Connect is a private circuit but is not encrypted by default, so it normally needs IPsec or MACsec layered on top, and a single Direct Connect or MPLS link is also a single point of failure. A single SSL/TLS VPN tunnel would encrypt the traffic but offers no resilience.

MPLS is a carrier service that provides traffic separation, not encryption.

906
MCQmedium

A security analyst is configuring a TPM 2.0 for a new fleet of laptops. The requirement is to ensure that only authorized operating systems can boot and that any tampering with the boot process is detected. Which TPM feature should be used?

A.Secure boot
B.Measured boot with attestation
C.Sealed storage
D.Key attestation
AnswerB

Measured boot records boot measurements in PCRs; attestation allows verification of those measurements.

Why this answer

Measured boot hashes each boot component into TPM Platform Configuration Registers (PCRs) before the component runs. The final PCR value depends on every component and on their order, so any change to the chain shows up as a different value. Remote attestation lets a verifier obtain those PCR values in a TPM-signed quote and compare them against known-good values. Secure boot blocks unsigned components but produces no record a verifier can check; sealed storage releases a secret only when the PCRs match a policy, which protects data rather than detecting tampering.

Key attestation proves that a key was generated inside the TPM; it says nothing about the boot chain.
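The PCR extend operation and the log replay an attestation verifier performs are short enough to show in full. The following Python is an added illustration, not material from the question bank: the boot components are constructed byte strings standing in for real firmware images, and the "quote" is modelled as the raw PCR value (a real TPM quote is signed by an attestation key, which is omitted here).

```python
import hashlib
from typing import List, Optional, Tuple

PCR_SIZE = 32  # SHA-256 PCR bank

Event = Tuple[str, bytes]  # (boot stage name, component image)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). One-way and order-sensitive."""
    return h(pcr + digest)


def replay_event_log(events: List[Event]) -> bytes:
    """Recompute a PCR from its event log, exactly as a remote verifier does."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all-zero at power-on
    for _stage, component in events:
        pcr = pcr_extend(pcr, h(component))
    return pcr


def first_divergent_stage(events: List[Event], golden: List[Event]) -> Optional[str]:
    """Walk both logs and report the first boot stage whose measurement differs."""
    for (stage, component), (_, good) in zip(events, golden):
        if h(component) != h(good):
            return stage
    return None


def verify_quote(quoted_pcr: bytes, events: List[Event], golden: List[Event]) -> dict:
    """Attestation check: the quoted PCR must equal the replay of the presented log,
    and that replay must equal the golden value computed from known-good components."""
    replayed = replay_event_log(events)
    return {
        "log_matches_quote": replayed == quoted_pcr,
        "matches_golden": replayed == replay_event_log(golden),
        "divergent_stage": first_divergent_stage(events, golden),
    }


# Constructed, illustrative boot chains (stand-ins for real firmware blobs).
GOLDEN_BOOT: List[Event] = [
    ("firmware", b"uefi-fw v1.2"),
    ("bootloader", b"shim+grub signed"),
    ("kernel", b"vmlinuz-6.1 signed"),
]
TAMPERED_BOOT: List[Event] = [
    ("firmware", b"uefi-fw v1.2"),
    ("bootloader", b"grub with patched verify()"),  # bootkit-style modification
    ("kernel", b"vmlinuz-6.1 signed"),
]

if __name__ == "__main__":
    print(verify_quote(replay_event_log(GOLDEN_BOOT), GOLDEN_BOOT, GOLDEN_BOOT))
    print(verify_quote(replay_event_log(TAMPERED_BOOT), TAMPERED_BOOT, GOLDEN_BOOT))
```

Two properties matter here: because extend is one-way, a compromised bootloader cannot rewrite the PCR back to the golden value, and because the verifier replays the log, a host that presents a clean log with a dirty PCR is caught as well.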

907
MCQhard

A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

A.The Deny statement allows anonymous uploads over HTTP
B.The Deny statement allows any anonymous user to upload objects to the bucket
C.The Allow statement's IP address condition uses a private IP range, which is ineffective for internet-facing buckets
D.The Allow statement permits access over insecure HTTP
AnswerC

aws:SourceIp is compared with the public source address of the request. Private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) never appear as the source of an internet request, so the condition never matches and the Allow statement grants nothing.

Why this answer

Option C is correct because the Allow statement conditions access on aws:SourceIp falling inside a private range. Private ranges are not routed on the public internet, so no request that reaches S3 from outside can satisfy the condition, and every external request falls through to the implicit deny. As written the control is ineffective: it either leaves the bucket unreachable, which tends to get "fixed" in a hurry by widening the condition, or reflects a false belief that internal clients are being admitted. Requests that arrive through a VPC gateway endpoint do not carry aws:SourceIp at all; for those, aws:VpcSourceIp or aws:SourceVpce is the correct condition key.

Exam trap

CompTIA often tests the misconception that a private IP range can restrict access to an internet-facing S3 bucket. aws:SourceIp is evaluated against the public source address S3 sees, so such a condition can never match; traffic arriving through a VPC endpoint is governed by different keys (aws:VpcSourceIp, aws:SourceVpce).

How to eliminate wrong answers

Option A is wrong because the Deny statement does not allow anonymous uploads over HTTP; it explicitly denies all anonymous access, and the vulnerability is not about HTTP vs. HTTPS but about the Allow statement's IP condition. Option B is wrong because the Deny statement explicitly blocks anonymous uploads, so it does not allow any anonymous user to upload objects; the vulnerability lies in the Allow statement, not the Deny.

Option D is wrong because the Allow statement does not permit access over insecure HTTP—it specifies HTTPS (via the aws:SecureTransport condition), and the vulnerability is the private IP range, not the protocol.
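The exhibit is not reproduced on this page, so the following is an added example (not the question's policy) of a bucket policy in the shape the explanation describes, together with a small evaluator that applies the IAM rule "explicit Deny, then Allow, else implicit Deny" for the IpAddress and Bool condition operators only. Principal and Resource matching are assumed to hold, and 203.0.113.0/24 is an assumed office egress range.

```python
import ipaddress
from typing import Any, Dict


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _condition_matches(cond: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Evaluate the subset of IAM condition operators used here. A missing key never matches."""
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(wanted))
                if hit != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(wanted)[0]).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {operator!r}")
    return True


def evaluate(policy: Dict[str, Any], action: str, ctx: Dict[str, str]) -> str:
    """IAM evaluation logic: an explicit Deny wins, then any matching Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if action not in actions and "s3:*" not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def bucket_policy(allowed_cidr: str) -> Dict[str, Any]:
    """Constructed policy: a Deny for plaintext HTTP and an Allow on GetObject gated on
    aws:SecureTransport and aws:SourceIp."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::corporate-data", "arn:aws:s3:::corporate-data/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::corporate-data/*",
             "Condition": {"Bool": {"aws:SecureTransport": "true"},
                           "IpAddress": {"aws:SourceIp": allowed_cidr}}},
        ],
    }


WEAK_POLICY = bucket_policy("10.0.0.0/8")       # private range: never seen on the internet
FIXED_POLICY = bucket_policy("203.0.113.0/24")  # assumed public egress range of the office

if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.25", "aws:SecureTransport": "true"}
    print(evaluate(WEAK_POLICY, "s3:GetObject", office))   # Deny: the condition can never match
    print(evaluate(FIXED_POLICY, "s3:GetObject", office))  # Allow
    print(evaluate(FIXED_POLICY, "s3:GetObject", {**office, "aws:SecureTransport": "false"}))  # Deny
```

The fix is not to "widen" the condition but to name the addresses S3 will actually see; for clients inside a VPC, move the check to aws:VpcSourceIp or aws:SourceVpce, because aws:SourceIp is absent on endpoint traffic and this evaluator, like IAM, treats an absent key as a non-match.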

908
MCQmedium

Refer to the exhibit. A security analyst reviews this pod specification. Which attack surface is most increased by the added capabilities?

A.The container can modify network settings
B.The container can kill other processes
C.The container can read all host files
D.The container can install new kernel modules
AnswerD

Capabilities that reach into the host kernel (CAP_SYS_MODULE, CAP_SYS_ADMIN) give a container a path to host compromise.

Why this answer

Loading a kernel module is gated by CAP_SYS_MODULE; CAP_SYS_ADMIN is the broad catch-all (mounts, namespace changes, device access) behind most documented container escapes. Either one effectively hands the container the host kernel, which is why the "restricted" Pod Security Standard requires dropping ALL capabilities and re-adding only NET_BIND_SERVICE. NET_ADMIN lets the container reconfigure interfaces and routes, which is serious but confined to networking. Adding several such capabilities together compounds the exposure.

909
MCQmedium

A security engineer is configuring a web application firewall (WAF) for an e-commerce site. The application uses JSON APIs for all transactions. Which WAF mode provides the best protection against injection attacks while minimizing false positives?

A.Anomaly detection and learning mode
B.Positive security model with strict API schema validation
C.Passive mode for monitoring only
D.Negative security model with a large rule set
AnswerB

Only allows traffic that matches expected schema, effectively preventing injections.

Why this answer

Option B (positive security model) is correct: the WAF admits only requests that match the declared API schema (allowed fields, types, lengths, patterns), so injection payloads are rejected by construction, and a maintained schema produces few false positives on legitimate JSON. Option D (negative model) blocks known attack signatures but misses novel payloads and tends to flag unusual legitimate input. Option A (learning mode) builds a baseline but is not reliably protective until that baseline is complete and tuned.

Option C (passive mode) only monitors and blocks nothing.
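To make "positive security model with schema validation" concrete, here is an added example (not from the page) of an allowlist validator for one JSON endpoint. The ORDER_SCHEMA and the request bodies are constructed; the validator implements a small subset of JSON Schema keywords by hand so it runs without third-party packages.

```python
import re
from typing import Any, Dict, List

# Constructed schema for a hypothetical POST /orders body: only these fields, types and shapes.
ORDER_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "maxLength": 16, "pattern": r"[A-Z0-9-]+"},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
        "note": {"type": "string", "maxLength": 200},
    },
}


def validate(value: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Return a list of violations; an empty list means the value is inside the allowlist."""
    errors: List[str] = []
    kind = schema["type"]
    if kind == "object":
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required field missing")
        props = schema.get("properties", {})
        for key, item in value.items():
            if key not in props:
                if schema.get("additionalProperties", True) is False:
                    errors.append(f"{path}.{key}: field not in schema")
                continue
            errors.extend(validate(item, props[key], f"{path}.{key}"))
    elif kind == "string":
        if not isinstance(value, str):
            return [f"{path}: expected string"]
        if len(value) > schema.get("maxLength", float("inf")):
            errors.append(f"{path}: longer than {schema['maxLength']}")
        pattern = schema.get("pattern")
        if pattern and not re.fullmatch(pattern, value):
            errors.append(f"{path}: does not match allowed pattern")
    elif kind == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, int) or isinstance(value, bool):
            return [f"{path}: expected integer"]
        if value < schema.get("minimum", value) or value > schema.get("maximum", value):
            errors.append(f"{path}: out of range")
    else:
        raise ValueError(f"unsupported type {kind!r}")
    return errors


def admit(body: Any) -> bool:
    """WAF-style decision: admit only bodies that validate cleanly against the schema."""
    return not validate(body, ORDER_SCHEMA)


# Constructed requests: one legitimate, three that a signature-based model may not recognise.
LEGIT = {"sku": "ABC-1234", "quantity": 2, "note": "leave at door"}
SQLI_ATTEMPT = {"sku": "ABC' OR '1'='1", "quantity": 2}
MASS_ASSIGNMENT = {"sku": "ABC-1234", "quantity": 2, "isAdmin": True}
TYPE_JUGGLING = {"sku": "ABC-1234", "quantity": "2; DROP TABLE orders"}

if __name__ == "__main__":
    for body in (LEGIT, SQLI_ATTEMPT, MASS_ASSIGNMENT, TYPE_JUGGLING):
        print(admit(body), validate(body, ORDER_SCHEMA))
```

None of the three rejected bodies needs an attack signature: the unknown field, the wrong type and the characters outside the sku pattern are all refused because they are not on the allowlist, which is the point of the positive model.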

910
MCQmedium

During a penetration test, an engineer discovers that the application uses client-side JavaScript to validate input before submission. What is the MOST significant vulnerability?

A.Server-side validation is missing
B.Cross-site scripting
C.Insecure direct object reference
D.Weak session management
AnswerA

The lack of server-side validation allows any client-side validation to be bypassed, creating a serious vulnerability.

Why this answer

Client-side validation can be easily bypassed by disabling JavaScript or sending crafted HTTP requests. Without server-side validation, attackers can submit malicious payloads, leading to injection attacks. XSS and IDOR are separate issues; weak session management is unrelated to input validation.

911
Multi-Selectmedium

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Select 2 answers
A.Require users to change passwords every 30 days.
B.Use single sign-on (SSO) for all applications.
C.Implement the principle of least privilege for all user roles.
D.Enable multi-factor authentication (MFA) for all administrative accounts.
E.Create default admin accounts for each department.
AnswersC, D

Limiting privileges reduces the attack surface and potential damage.

Why this answer

The principle of least privilege (C) ensures that users and roles are granted only the permissions necessary to perform their job functions, reducing the attack surface and limiting potential damage from compromised accounts. Enabling multi-factor authentication (D) for administrative accounts adds a critical layer of security beyond passwords, mitigating risks from credential theft or brute-force attacks. Both are foundational controls in cloud IAM frameworks like AWS IAM, Azure AD, or GCP IAM.

Exam trap

CompTIA often tests the misconception that forced periodic password changes (A) are a best practice, when NIST SP 800-63B advises against arbitrary rotation, and the assumption that SSO (B) is by itself a security control. SSO centralizes authentication and reduces password sprawl, but it also concentrates risk in one identity provider and needs safeguards such as MFA and conditional access.

912
Multi-Selecteasy

Which TWO of the following are best practices for securing a database that stores personally identifiable information (PII)? (Select TWO.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Use default admin credentials for easy access
C.Enable audit logging for all queries
D.Store all data in plaintext for performance
E.Implement role-based access control (RBAC)
AnswersA, E

Encryption protects data confidentiality even if storage media is compromised.

Why this answer

Options A and E are correct. Encrypting data at rest (A) and role-based access control (E) are the fundamental controls for PII: encryption protects the data if storage is copied or a disk is lost, and RBAC limits who can query it in the first place. Option B (default admin credentials) is insecure by definition.

Option D (plaintext storage) is likewise indefensible and prohibited by most privacy regulations. Option C (audit logging of all queries) is valuable for detection and accountability but does not itself prevent disclosure, so it is less directly focused on protecting the data than encryption and access control.

913
MCQmedium

Refer to the exhibit. This clause is a requirement of which of the following?

A.PCI DSS.
B.GDPR Article 32.
C.ISO 27001.
D.HIPAA Security Rule.
AnswerB

Article 32 of the GDPR details the security of processing, including pseudonymization, encryption, and resilience.

Why this answer

Option B is correct because the text is a direct excerpt from the GDPR, Article 32, which mandates security measures for personal data processing.

914
Drag & Dropmedium

Drag and drop the steps to configure a site-to-site IPsec VPN on a firewall into the correct order.



Why this order

IPsec VPN configuration follows a logical order: define the IKE (Phase 1) policy, then the IPsec (Phase 2) policy or transform set, create the tunnel to the peer, define and permit the interesting traffic that must be encrypted, and finally build the crypto map and apply it to the outside interface.

915
MCQmedium

A security architect is designing a secure boot process for a new line of embedded devices. The boot ROM loads the bootloader, which then loads the OS kernel. To ensure that only signed code is executed, which mechanism should the bootloader use to verify the kernel?

A.Decrypt the kernel using a symmetric key stored in the boot ROM
B.Verify a digital signature on the kernel using a public key stored in the boot ROM
C.Check that the kernel file size matches the expected value
D.Compare the kernel hash against a list of known good hashes stored in the bootloader
AnswerB

Digital signature verification ensures the kernel is from a trusted source and has not been tampered.

Why this answer

The bootloader should verify a digital signature on the kernel image with a public key anchored in the boot ROM (or OTP fuses), which cannot be changed after manufacture; this gives both integrity and authenticity. A symmetric key in ROM (A) can be extracted and then used to produce "valid" images. A size check (C) detects nothing meaningful. A hash list held in the bootloader (D) only moves the problem, because the list can be altered unless it is itself signed.

916
MCQmedium

An organization is required to comply with PCI DSS. Which of the following is a mandatory requirement for protecting cardholder data?

A.Conducting annual risk assessments
B.Using a dedicated network segment for card processing
C.Implementing multi-factor authentication for all users
D.Encrypting cardholder data at rest
AnswerD

PCI DSS Requirement 3 (3.4 in v3.2.1, 3.5.1 in v4.0) requires that stored PAN be rendered unreadable.

Why this answer

PCI DSS Requirement 3 mandates that stored PAN must be rendered unreadable via encryption, truncation, hashing, or tokenization.

917
MCQmedium

A company is evaluating a new cloud service provider. The provider offers a SOC 2 Type II report, a third-party penetration test summary, and a completed security questionnaire. However, the company's procurement team discovers that the provider uses a subcontractor for data storage. Which of the following is the BEST next step for the security team?

A.Require the provider to use only in-house resources.
B.Accept the risk because the provider has a SOC 2 report.
C.Request a right-to-audit clause covering the subcontractor.
D.Immediately terminate the contract due to subcontractor risk.
AnswerC

This allows the company to assess the fourth-party risk.

Why this answer

The presence of a subcontractor introduces fourth-party risk. The company should assess the subcontractor's security through a right-to-audit clause or request equivalent evidence, as the primary provider's controls may not cover the subcontractor.

918
MCQeasy

A company is deploying a RESTful API that handles sensitive financial data. Which of the following should be implemented to ensure data integrity during transmission?

A.TLS 1.3
B.Input validation
C.JSON Web Token (JWT) authentication
D.API rate limiting
AnswerA

TLS encrypts the session and protects integrity with authenticated encryption (AEAD in TLS 1.3), so modified records are rejected.

Why this answer

Option A is correct because TLS 1.3 provides confidentiality and integrity for data in transit. Option B (input validation) operates on application-level content after it has arrived. Option D (rate limiting) protects against abuse and denial of service.

Option C (JWT) authenticates the caller and protects the token, not the transmission.

919
MCQhard

An organization's vulnerability management team discovers a critical vulnerability in a legacy application that cannot be patched because the vendor no longer supports it. The application is essential for business operations. Which of the following compensating controls would best reduce the risk of exploitation while maintaining functionality?

A.Apply a virtual patch using a web application firewall (WAF) rule
B.Implement network segmentation and restrict access to the application
C.Disable the application until a replacement is found
D.Increase monitoring of the application without any access restrictions
AnswerB

Segmentation limits exposure and reduces risk.

Why this answer

Network segmentation with strict firewall rules isolating the legacy application limits the attack surface and prevents lateral movement from compromised hosts. This is an effective compensating control when patching is not possible.

920
MCQmedium

A financial services company is implementing a zero-trust architecture. The security architect needs to ensure that all network traffic between application tiers is inspected and logged regardless of source location. Which of the following should be implemented?

A.Implement microsegmentation using a next-generation firewall
B.Deploy a site-to-site VPN across all tiers
C.Use a single, centralized firewall for all traffic
D.Place all application servers in a DMZ
AnswerA

Microsegmentation enables fine-grained security policies between individual workloads, supporting inspection and logging.

Why this answer

Microsegmentation enforces granular security policies between workloads, allowing full inspection and logging of east-west traffic, which aligns with zero-trust principles. A VPN concentrates traffic but does not provide per-application inspection. A DMZ is perimeter-oriented.

A firewall is necessary but microsegmentation provides a more refined control.

921
Multi-Selecthard

Which TWO are required by PCI DSS for all merchants?

Select 2 answers
A.Implement network segmentation
B.Maintain a vulnerability management program
C.Store CVV codes
D.Encrypt cardholder data at rest
E.Use only tokenization
AnswersB, D

PCI DSS Requirement 3 covers protection of stored account data; Requirement 6 covers secure systems and software, including patch management.

Why this answer

Options B and D are correct. PCI DSS requires that stored cardholder data be rendered unreadable (Requirement 3) and that a vulnerability management program be maintained (Requirement 6, with scanning and testing under Requirement 11). Tokenization is one acceptable method, not a mandate; storing the CVV/CVC after authorization is prohibited under Requirement 3; network segmentation is strongly recommended to reduce scope but is not required of all merchants.

922
Multi-Selectmedium

A security engineer is hardening a Kubernetes environment. Which THREE of the following are effective controls for securing the cluster? (Select THREE.)

Select 3 answers
A.Configuring load balancers for high availability
B.Enabling Pod Security Admission (PSA) to enforce pod security standards
C.Implementing RBAC for API server access
D.Using Network Policies to isolate workloads
E.Installing antivirus on all nodes
AnswersB, C, D

PSA prevents pods from running with excessive privileges.

Why this answer

RBAC controls API access, Pod Security Standards (or admission controllers) enforce pod security, and Network Policies restrict pod communication. All three are Kubernetes-native controls for cluster hardening.

923
MCQmedium

An organization is moving to a passwordless authentication approach. They require a solution that supports hardware-based cryptographic authentication and is resistant to phishing. Which standard should they implement?

A.TOTP (Time-based One-Time Password)
B.SMS-based one-time codes
C.FIDO2/WebAuthn
D.Password manager with autofill
AnswerC

FIDO2 uses public-key cryptography and hardware authenticators, providing phishing resistance.

Why this answer

FIDO2/WebAuthn uses public-key cryptography and hardware authenticators to provide phishing-resistant, passwordless authentication. TOTP is not passwordless and can be phished.

924
MCQhard

A company is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run in the cluster. Which Kubernetes resource should be used to enforce policies on what containers can run, including image source restrictions?

A.Role-Based Access Control (RBAC)
B.Network policies
C.Seccomp profiles
D.Admission controllers
AnswerD

Admission controllers can enforce image policies, such as requiring images from a trusted registry.

Why this answer

Admission controllers intercept requests to the Kubernetes API server before object persistence, allowing policy enforcement such as ensuring images come from a trusted registry. Pod Security Policies are deprecated; Pod Security Admission or custom admission controllers are current.

925
Multi-Selecteasy

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

Select 2 answers
A.Hardware acceleration of cryptographic operations.
B.Tamper-resistant key storage.
C.Virtualization of the hardware root of trust.
D.Integration with public key infrastructure (PKI) to replace certificate authorities.
E.User authentication and authorization.
AnswersA, B

HSMs offload cryptographic processing from the main CPU.

Why this answer

Option A is correct because HSMs are dedicated hardware appliances that offload cryptographic operations from the main CPU, providing hardware acceleration for algorithms such as AES, RSA, and ECC. This acceleration matters in high-throughput environments like TLS termination or code signing, where software-based cryptography would create a bottleneck. Option B is the defining characteristic: keys are generated and used inside a tamper-resistant, typically FIPS 140-validated boundary and never leave it in plaintext, so compromise of the host that uses the HSM does not expose the key material.

Exam trap

The CAS-004 exam often tests the distinction between 'essential characteristics' and 'common but non-essential features' — the trap here is that candidates confuse optional integration capabilities (like PKI support or user authentication) with the fundamental purpose of an HSM, which is tamper-resistant key storage and cryptographic acceleration.

926
Multi-Selectmedium

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Select 3 answers
A.The ACL will block all traffic from the 192.168.1.0/24 network to 10.0.0.0/24
B.Traffic sourced from 192.168.1.100 going to the 10.0.0.0/24 network will be permitted
C.Traffic from the 10.0.0.0/24 network to 192.168.1.100 is not affected by this ACL
D.The implicit deny at the end of the ACL will block all other traffic not explicitly permitted
E.The ACL blocks SSH and RDP access to 192.168.1.100 from any source
AnswersB, C, E

An inbound ACL on GigabitEthernet0/0 evaluates only packets entering that interface; traffic that arrives on other interfaces and leaves through Gi0/0 is not inspected by it.

Why this answer

Option B is correct because the ACL, when applied inbound on GigabitEthernet0/0, evaluates traffic entering the interface. The permit statement allows traffic sourced from host 192.168.1.100 destined to the 10.0.0.0/24 network, so that specific traffic is explicitly permitted.

Exam trap

The trap here is that candidates often confuse the direction of ACL application, assuming an inbound ACL on an interface affects traffic destined to that interface's IP address, when in fact it only filters traffic entering the interface from the outside.

927
MCQeasy

A small business uses a single on-premise server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?

A.Purchase a second identical server and set up failover clustering.
B.Switch to daily differential backups and store tapes offsite.
C.Implement a RAID 1 mirroring for the server's hard drives.
D.Use a cloud-based backup service with hourly incremental backups.
AnswerD

Hourly backups meet RPO of 4 hours; cloud restore can meet RTO of 24 hours.

Why this answer

D is correct. Hourly cloud backups meet the 4-hour RPO and likely achieve 24-hour RTO. RAID protects against disk failure but not other hardware failures.

Daily backups may miss the RPO. Failover clustering is expensive and complex for a small business.

928
Multi-Selectmedium

A multinational corporation is adopting a zero trust architecture for its enterprise network. The security team is evaluating mechanisms to enforce granular access controls and segment workloads. Which TWO components are most critical for implementing a zero trust model? (Choose TWO.)

Select 2 answers
A.Secure Access Service Edge (SASE)
B.Micro-segmentation
C.Perimeter-based firewalls
D.Identity-centric access controls
E.Software-defined perimeter (SDP)
AnswersB, D

Micro-segmentation creates isolated security zones for workloads, enforcing least privilege and containing lateral movement.

Why this answer

Micro-segmentation and identity-centric access controls are foundational to zero trust. Micro-segmentation isolates workloads, while identity-centric controls grant access on the basis of user and device identity and posture rather than network location. SASE is a broader delivery framework that packages several of these functions, and SDP is one access pattern for implementing zero trust rather than a foundational component.

Perimeter firewalls contradict the zero trust principle of assuming no implicit trust.

929
MCQhard

During a threat modeling exercise for a new web application, the team identifies that the application uses JWT for authentication. Which vulnerability is most likely if the server does not properly verify the JWT signature?

A.Cross-site scripting
B.SQL injection
C.JWT tampering
D.Insecure direct object reference
AnswerC

Without signature verification, the payload of a JWT can be changed at will.

Why this answer

If signature verification is missing, an attacker can forge a JWT with arbitrary payload (e.g., admin role).
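The two JWT questions above (904 on what the signature guarantees, 929 on what goes wrong when it is not checked) share one worked example, added here and not taken from the page. It issues an HS256 token with the standard library, shows the vulnerable decoder that trusts the payload, the correct decoder that pins the algorithm and compares the MAC in constant time, and two forgeries (payload swap, alg=none) that only the vulnerable decoder accepts. DEMO_KEY is an assumed server secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

DEMO_KEY = b"constructed-demo-hmac-key"  # assumed server secret; never hardcode in real code


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: Dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_hs256(payload: Dict[str, Any], key: bytes) -> str:
    """base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> Dict[str, Any]:
    """The bug under discussion: the payload is trusted without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> Dict[str, Any]:
    """Correct handling: pin the algorithm, recompute the MAC, compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm-confusion tokens
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_rejected(token: str, key: bytes) -> bool:
    """True when the verifying decoder refuses the token (malformed, wrong alg or bad MAC)."""
    try:
        decode_verified(token, key)
    except ValueError:  # covers JSON, base64 and unpacking errors as well
        return True
    return False


# Two forgeries against a verifier that skips the signature check (constructed for illustration).
def tamper_payload(token: str, new_payload: Dict[str, Any]) -> str:
    """Swap the payload but keep the original signature segment."""
    header_b64, _old, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_json(new_payload)}.{sig_b64}"


def forge_alg_none(payload: Dict[str, Any]) -> str:
    """Claim 'none' as the algorithm with an empty signature segment."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(payload) + "."


if __name__ == "__main__":
    token = issue_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    forged = tamper_payload(token, {"sub": "alice", "role": "admin"})
    print(decode_unverified(forged)["role"], is_rejected(forged, DEMO_KEY))  # admin True
    print(is_rejected(forge_alg_none({"sub": "alice", "role": "admin"}), DEMO_KEY))  # True
```

The verifier pins the algorithm from server-side configuration rather than reading it from the token; letting the token choose its own algorithm is what turns "missing signature verification" into the alg=none and RSA/HMAC confusion attacks.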

930
MCQeasy

An organization deploys honeypots to detect attackers. Which type of deception technology is being used?

A.Honeytokens
B.Bait networks
C.Honeypots
D.Honeynets
AnswerC

Honeypots are decoy systems used for deception.

Why this answer

Honeypots are decoy systems designed to lure attackers and detect unauthorized activity.

931
MCQhard

A security analyst is investigating a potential data exfiltration incident. The analyst has collected a memory dump from the affected server. Which Volatility command should the analyst use to extract the contents of the clipboard, which may contain copied sensitive data?

A.volatility -f dump.raw clipboards
B.volatility -f dump.raw windows.clipboard
C.volatility -f dump.raw clipboard
D.volatility -f dump.raw memdump --pid 1234
AnswerC

In Volatility 2, `clipboard` is the plugin that extracts Windows clipboard contents.

Why this answer

The Volatility 2 `clipboard` plugin walks the clipboard structures of each session and prints the copied data, which can include text such as passwords or records staged for exfiltration. A real invocation also needs `--profile` set to the Windows build of the image. `memdump` dumps a single process's addressable memory, which is useful but not clipboard-specific, and the other two names are not Volatility 2 plugins.

932
Multi-Selectmedium

Which three options are best practices for writing secure scripts? (Choose three.)

Select 3 answers
A.Log all errors and warnings for debugging.
B.Use parameterized inputs to prevent injection attacks.
C.Validate all external input before processing.
D.Hardcode sensitive credentials in the script.
E.Run scripts with the least privilege necessary.
AnswersB, C, E

Parameterization separates code from data.

Why this answer

Options B, C, and E are correct. Parameterized inputs keep data out of the command or query grammar, input validation rejects malformed data before it is processed, and least privilege limits the damage a compromised or buggy script can do. Option D (hardcoded credentials) is insecure: the secret ends up in version control and on every host that has a copy of the script.

Option A is sound engineering practice, but verbose error logging is not a security control and can itself leak sensitive data into logs.
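Parameterization and server-side validation (the points of questions 910 and 932) are easiest to see side by side. The following added example, not from the page, builds a throwaway SQLite table and runs the same injection payload through a string-formatted query and a parameterized one; the table contents and the username rule are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # assumed rule: 3-32 chars, letter first


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately unsafe: the caller's text becomes part of the SQL grammar."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The value travels separately from the statement, so quotes and OR are just bytes."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Server-side allowlist check; client-side JavaScript cannot be relied on for this."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Validate first, then query with parameters; both controls, not one or the other."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology sent straight from curl, bypassing any JS check
    print(lookup_vulnerable(conn, payload))      # every row comes back
    print(lookup_parameterized(conn, payload))   # no such username: []
    print(validate_username(payload), lookup_hardened(conn, "alice"))
```

Validation and parameterization protect against different things: the regex stops junk reaching the application logic at all, while the placeholder guarantees that whatever does reach the database is treated as a value, so a future change to the allowlist cannot reopen the injection.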

933
MCQhard

During a security assessment, an analyst discovers that an HSM used for key generation is FIPS 140-2 Level 2 compliant. The organization requires a higher level of physical security to prevent tampering. Which upgrade would best address this requirement?

A.Implement a TPM 2.0 instead
B.Upgrade to FIPS 140-2 Level 4
C.Upgrade to FIPS 140-2 Level 3
D.Use a software-based key store
AnswerC

Level 3 adds tamper-evident and tamper-responsive physical mechanisms, identity-based authentication and separation of the interfaces used for critical security parameters.

Why this answer

FIPS 140-2 Level 3 requires physical mechanisms with a high probability of detecting and responding to attempts to open the module (tamper-evident coatings or seals, strong enclosures) and zeroization of plaintext keys when a cover is breached. Level 4 adds envelope-wide penetration detection and protection against voltage and temperature attacks; it is the highest level and may be more than the requirement demands, so Level 3 is the proportionate step up from Level 2.

A TPM is a different class of device (a per-platform root of trust, not a high-assurance key-management appliance), and a software key store abandons physical protection altogether.

934
Multi-Selectmedium

A penetration tester is performing reconnaissance against a target. Which TWO of the following are examples of active reconnaissance? (Select TWO.)

Select 2 answers
A.Banner grabbing
B.Social media profiling
C.Port scanning
D.WHOIS lookup
E.Searching job postings for technology details
AnswersA, C

Banner grabbing connects to services to read banners.

Why this answer

Active reconnaissance involves direct interaction with the target. Port scanning and banner grabbing are active; OSINT and WHOIS lookups are passive (no direct interaction).

935
MCQeasy

A company's internal audit found that employees often share passwords. Which policy change would BEST address this?

A.Implement multi-factor authentication
B.Increase password complexity requirements
C.Require password changes every 30 days
D.Provide security awareness training on password sharing
AnswerA

MFA provides an additional layer, making password sharing less effective for unauthorized access.

Why this answer

Option A is correct because with multi-factor authentication a shared password alone no longer grants access, which removes most of the value of sharing it. Option B is wrong: a more complex password is still a shareable password. Option C is wrong: periodic rotation does not stop users from sharing the new one.

Option D is not the best answer: training helps, but it is an administrative control that depends on behaviour, whereas MFA is a technical control that enforces the outcome.

936
Multi-Selecthard

During an incident response, a forensic examiner is collecting evidence from a compromised Windows workstation. The examiner must follow proper order of volatility to preserve potential evidence. Which THREE of the following items should be collected first, before the others? (Choose THREE.)

Select 3 answers
A.Master File Table (MFT) from the hard drive
B.Event logs from the Security log
C.List of active network connections
D.List of running processes
E.Contents of RAM (memory dump)
AnswersC, D, E

Network state can change quickly.

Why this answer

The order of volatility dictates that the most volatile data (registers, cache, memory, network connections, running processes) should be collected first. Disk data is less volatile.

937
Multi-Selecthard

Which three measures should be implemented to secure a RESTful API? (Select THREE.)

Select 3 answers
A.Use JSONP for cross-origin requests
B.Implement proper error handling that does not expose stack traces
C.Disable rate limiting to ensure availability
D.Validate all input against a strict schema
E.Use OAuth2 with scopes for authorization
AnswersB, D, E

Generic error messages prevent information leakage.

Why this answer

Options B (error handling that does not expose stack traces), D (schema validation of all input) and E (OAuth2 with scopes for authorization) are correct. Option C (disabling rate limiting) removes a control against abuse and credential stuffing. Option A (JSONP) bypasses the same-origin policy by executing a script returned by the server and has been superseded by CORS.

938
MCQmedium

A company is deploying a SASE architecture. Which component is responsible for securing web traffic and enforcing acceptable use policies at the edge?

A.Zero Trust Network Access (ZTNA)
B.Secure Web Gateway (SWG)
C.Cloud Access Security Broker (CASB)
D.SD-WAN
AnswerB

SWG is designed for web traffic filtering and policy enforcement.

Why this answer

A Secure Web Gateway (SWG) is a core SASE function that filters web traffic and enforces security policies like URL filtering and malware detection.

939
MCQhard

A security engineer is reviewing a Kubernetes deployment where the pod spec includes `securityContext: { privileged: true }`. What is the primary security concern of this configuration?

A.The container can access host resources like the filesystem
B.The container can run as root
C.The container has unrestricted network access
D.The container can modify the host's kernel
AnswerD

Privileged mode gives the container every Linux capability plus direct access to host devices and kernel interfaces.

Why this answer

A privileged container runs with all capabilities, can see and mount the host's devices under /dev, and has the runtime's default seccomp and AppArmor restrictions disabled. From there it can load kernel modules, mount the node's root filesystem or otherwise modify the host kernel, which is a full host compromise. Running as root inside a non-privileged container is far more constrained, so option D rather than B captures the primary concern.
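The pod-specification questions on this page (908 on added capabilities, 924 on admission control of images, and 939 on privileged containers) describe checks that a validating admission webhook or policy engine performs. The following added example, not from the page, implements a simplified version of those checks over parsed pod manifests; the three sample pods, the deny-list of capabilities and the trusted registry prefix are all constructed for the demonstration.

```python
from typing import Any, Dict, List

# Capabilities that reach into the host kernel or other namespaces (assumed deny-list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH"}
TRUSTED_REGISTRIES = ("registry.example.internal/",)  # assumed internal registry prefix


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return policy violations for one pod manifest (already parsed into a dict)."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume mounts {vol['hostPath'].get('path')} from the node")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{name}/{cname}: image {image!r} is not from a trusted registry")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true (all capabilities, host devices, no seccomp/AppArmor)")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot must be true")
        caps = sc.get("capabilities", {})
        for cap in sorted(set(caps.get("add", [])) & DANGEROUS_CAPS):
            findings.append(f"{name}/{cname}: adds CAP_{cap}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: does not drop ALL capabilities")
    return findings


# Constructed manifests: an otherwise-hardened pod that adds capabilities, a privileged
# agent pulling from a public registry, and a pod that satisfies every check.
NETTOOLS_POD = {
    "metadata": {"name": "nettools"},
    "spec": {"containers": [{
        "name": "tools", "image": "registry.example.internal/nettools:1.0",
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN", "SYS_ADMIN"]}}}]}}
PRIVILEGED_POD = {
    "metadata": {"name": "agent"},
    "spec": {"hostPID": True, "containers": [{
        "name": "agent", "image": "docker.io/library/busybox:latest",
        "securityContext": {"privileged": True}}]}}
HARDENED_POD = {
    "metadata": {"name": "api"},
    "spec": {"containers": [{
        "name": "api", "image": "registry.example.internal/api:2.3",
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod in (NETTOOLS_POD, PRIVILEGED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod))
```

In a cluster these rules would live in Pod Security Admission (the "restricted" profile covers the securityContext checks) or a policy engine invoked as a validating admission webhook, which is also where the image-registry rule belongs; RBAC decides who may create pods, not what those pods may contain.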

940
MCQhard

A security audit reveals that Docker containers are built with multiple unnecessary layers and utilities. Which practice reduces the attack surface of the container image?

A.Use multi-stage builds
B.Use a base image with only the required packages
C.Combine multiple RUN commands into one
D.Delete the apt cache in the Dockerfile
AnswerB

Minimizing installed packages reduces the attack surface.

Why this answer

Using a minimal base image with only the required packages cuts the number of binaries, libraries and known CVEs that ship with every container. Multi-stage builds keep compilers and build tools out of the final image, and combining RUN commands or deleting the apt cache shrinks layers, but none of those changes what the chosen base image brings in; the base image sets the floor.

941
MCQeasy

During a threat hunting exercise, a security analyst hypothesizes that adversaries may be using PowerShell to execute commands in memory. Which threat hunting methodology is being employed?

A.Signature-based hunting
B.TTP-driven hunting
C.Hypothesis-driven hunting
D.IoC-driven hunting
AnswerC

The analyst is starting with a hypothesis about PowerShell usage, which is hypothesis-driven.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about potential adversary behavior, then searches for evidence. IoC-driven uses indicators of compromise, and TTP-driven focuses on tactics, techniques, and procedures.

942
MCQeasy

A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?

A.Establishing an incident response plan
B.Performing a penetration test of the vendor's infrastructure
C.Conducting a third-party security assessment
D.Requesting monthly vulnerability reports
AnswerC

Pre-contract assessment ensures vendor meets security requirements.

Why this answer

Option C is correct because a third-party security assessment is a mandatory due diligence step before entering into a contract with a new cloud service provider. This assessment evaluates the vendor's security controls, compliance posture, and risk profile against the organization's requirements, ensuring that the vendor meets minimum security standards before any data or systems are entrusted to them. Without this pre-contract assessment, the organization would be accepting unknown risks that could lead to data breaches or compliance violations.

Exam trap

The trap here is that candidates often confuse post-contract operational activities (like incident response planning or vulnerability reporting) with pre-contract due diligence, leading them to select options that are important but not mandatory before signing a contract.

How to eliminate wrong answers

Option A is wrong because establishing an incident response plan is an operational step that should occur after the contract is signed and the service is being integrated, not before entering into the contract; it is not a prerequisite for vendor selection. Option B is wrong because performing a penetration test of the vendor's infrastructure is typically not feasible or allowed before a contract is in place, as it requires legal agreements and access permissions that do not exist pre-contract; such testing is usually conducted post-contract as part of ongoing validation. Option D is wrong because requesting monthly vulnerability reports is a post-contract monitoring activity, not a pre-contract due diligence step; the vendor may not even have such reports available before the business relationship is established.

943
MCQmedium

A multinational corporation is deploying a new application that will be accessed by employees, partners, and customers. The security architecture must support single sign-on (SSO) across different identity providers (IdPs) while maintaining strict access control based on user attributes such as role, location, and device posture. The company uses Active Directory for employees, a cloud IdP for partners, and self-registration for customers. The architect needs to design a centralized policy enforcement point that can evaluate access requests from multiple IdPs and enforce dynamic access policies before granting access to the application. Which of the following is the BEST architectural approach?

A.Deploy a SAML/WS-Federation federation server that authenticates users and then passes the identity to the application for authorization
B.Have each IdP enforce its own access policies and pass the authorization decision via SAML assertions
C.Configure a reverse proxy to authenticate users from any IdP and pass their identity to the application
D.Implement an externalized authorization management system (e.g., OAuth 2.0 with OpenID Connect) using a policy decision point (PDP) and a policy enforcement point (PEP) at the application gateway
AnswerD

This separates authentication from authorization, allows centralized attribute-based policy, and works across IdPs.

Why this answer

A Policy Enforcement Point (PEP) integrated with a Policy Decision Point (PDP) abstracts authentication from authorization, allowing a unified, attribute-based policy regardless of the IdP. Option A is wrong because a SAML/WS-Federation server handles authentication but not authorization. Option B is wrong because relying on each IdP for authorization leads to policy fragmentation. Option C is wrong because a reverse proxy alone does not provide policy decision capabilities.

944
MCQhard

A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?

A.Establish a joint governance committee
B.Align security policies and standards
C.Implement the same security tools across the enterprise
D.Conduct a joint risk assessment
AnswerA

Governance provides strategic oversight for integration.

Why this answer

Establishing a joint governance committee provides oversight and direction for the integration. Options B, C, and D are tactical steps that should follow governance.

945
Multi-Selecteasy

An organization is planning to deploy digital certificates for various use cases. Which TWO of the following certificate types are typically used for email security?

Select 2 answers
A.Client certificates
B.Code signing certificates
C.Extended validation (EV) certificates
D.S/MIME certificates
E.Domain-validated (DV) certificates
AnswersA, D

Client certificates can be used for email authentication and signing.

Why this answer

S/MIME certificates are specifically used for secure email (encryption and signing). Client certificates can also be used for email authentication (e.g., in some setups). Code signing is for software, DV/OV/EV are for websites.

946
MCQeasy

Based on the exhibit, what type of attack is indicated?

A.Brute-force attack
B.Man-in-the-middle
C.Denial of service
D.Replay attack
AnswerA

Multiple failed attempts then success is characteristic of brute-force.

Why this answer

Option A is correct because repeated failed logins followed by a success indicate a brute-force attack. Option B is wrong because a man-in-the-middle attack involves interception. Option C is wrong because a denial of service involves overwhelming resources. Option D is wrong because a replay attack involves capturing and retransmitting traffic.

947
MCQeasy

A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?

A.Account lockout policy
B.Network firewall
C.Password hashing
D.Encryption of traffic
AnswerA

Account lockout limits the number of attempts, reducing brute-force risk.

Why this answer

Account lockout policies prevent brute-force attacks by locking accounts after a number of failed attempts. Encryption, firewalls, and hashing do not directly address brute-force login attempts.

948
MCQeasy

A security analyst is reviewing a suspicious file. Which static analysis technique would the analyst use to examine the file without executing it?

A.Submit the file to VirusTotal
B.Execute the file in a debugger
C.Run the file in a sandbox
D.Use strings to extract readable text
AnswerD

Strings is a common static analysis tool.

Why this answer

Static analysis examines the file without running it. Running strings extracts readable text, which can reveal clues like IP addresses or commands.

949
Multi-Selectmedium

An organization is reviewing its supply chain risk management. Which TWO of the following are effective strategies to manage fourth-party risk?

Select 2 answers
A.Use only vendors that are SOC 2 certified
B.Reduce reliance on vendors by bringing services in-house
C.Conduct penetration tests on all fourth parties directly
D.Include a right-to-audit clause that covers subcontractors
E.Require vendors to contractually mandate security controls for their subcontractors
AnswersD, E

A right-to-audit clause that covers subcontractors ensures the ability to audit fourth parties.

Why this answer

To manage fourth-party risk, organizations can require their vendors to flow down security requirements to subcontractors and include right-to-audit clauses that extend to subcontractors.

950
MCQeasy

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A.Include security requirements in contracts and conduct periodic audits
B.Require vendors to obtain ISO 27001 certification
C.Send annual self-assessment questionnaires
D.Perform quarterly penetration tests on vendor networks
AnswerA

Legally binding and verifiable

Why this answer

Including security requirements in contracts and conducting periodic audits is the most effective method because it creates a legally binding obligation for vendors to adhere to the organization's security policies, and audits provide direct, verifiable evidence of compliance. Unlike self-assessments or certifications, audits allow the organization to actively inspect controls, configurations, and processes, ensuring ongoing adherence rather than relying on a point-in-time assertion. This approach aligns with the NIST SP 800-53 continuous monitoring framework and is a core principle of third-party risk management (TPRM) in the CAS-004 domain.

Exam trap

The CAS-004 exam often tests the misconception that a one-time certification or a technical test like a penetration test is sufficient to ensure ongoing compliance, when in reality, continuous contractual obligations and independent audits are required to enforce and verify policy adherence over time.

How to eliminate wrong answers

Option B is wrong because requiring ISO 27001 certification only proves that a vendor had a compliant Information Security Management System (ISMS) at the time of certification, but it does not guarantee ongoing compliance with the organization's specific security policies, nor does it provide a mechanism for the organization to verify current controls or address unique contractual requirements. Option C is wrong because annual self-assessment questionnaires rely on the vendor's self-reported data, which is subjective, lacks independent verification, and can easily miss critical security gaps or misconfigurations, making it unreliable for ensuring compliance. Option D is wrong because quarterly penetration tests on vendor networks only assess technical vulnerabilities at a point in time and do not evaluate the vendor's adherence to security policies, processes, or administrative controls, nor do they cover all aspects of compliance such as data handling, access management, or incident response procedures.

951
Matchingmedium

Match each port number to its associated protocol.


RDP

SSH

HTTPS

LDAP

LDAPS

Why these pairings

These are well-known port assignments for common protocols.

952
MCQeasy

Which technology is used to discover and control cloud applications, enforce security policies, and provide visibility into cloud usage?

A.Cloud Workload Protection Platform (CWPP)
B.Cloud Access Security Broker (CASB)
C.Cloud Security Posture Management (CSPM)
D.Secure Access Service Edge (SASE)
AnswerB

CASB provides visibility, compliance, data security, and threat protection for cloud services.

Why this answer

A Cloud Access Security Broker (CASB) is a security policy enforcement point that sits between cloud service consumers and providers to monitor activity and enforce policies. CSPM focuses on cloud configuration posture. CWPP protects cloud workloads.

SASE combines network and security functions.

953
MCQmedium

An organization wants to protect cryptographic keys used for TLS termination. Which hardware solution should be deployed to prevent key extraction?

A.KMS
B.TPM
C.UEFI
D.HSM
AnswerD

HSMs are purpose-built for key protection and cryptographic operations.

Why this answer

Hardware Security Modules (HSMs) are dedicated hardware that securely generate, store, and manage cryptographic keys, making them resistant to extraction even if the host is compromised.

954
MCQmedium

A security operations center (SOC) is implementing a SOAR platform to automate responses to phishing incidents. The playbook will include steps to automatically quarantine suspicious emails, delete them from user mailboxes, and block the sender's domain. Which element should the SOAR playbook incorporate to ensure the automated response does not cause unintended disruption?

A.An automatic rollback script that restores quarantined emails after 24 hours if no user complaint
B.Integration with threat intelligence to verify the sender domain reputation score before blocking
C.A confirmation step that prompts the analyst to approve the quarantine and deletion actions
D.A manual approval step before executing any automated response
AnswerC

Having the analyst approve destructive actions like deletion reduces the risk of removing legitimate emails.

Why this answer

Automated actions can have negative consequences if not validated. Incorporating user confirmation before destructive actions reduces risk, especially in cases of false positives.

955
MCQeasy

In a cloud shared responsibility model, which of the following is typically the customer's responsibility for IaaS?

A.Hypervisor security
B.Guest OS patch management
C.Hardware maintenance
D.Physical security of data centers
AnswerB

The customer is responsible for securing the guest OS and applications.

Why this answer

In IaaS, the customer manages the guest OS, applications, and data, while the cloud provider secures the physical hosts and hypervisor.

956
Multi-Selectmedium

A company is implementing a defense-in-depth strategy for its web application. Which THREE security controls should be included in the architecture? (Choose three.)

Select 3 answers
A.Web application firewall (WAF)
B.Load balancer with SSL termination
C.Runtime application self-protection (RASP)
D.Single sign-on (SSO)
E.Network segmentation
AnswersA, C, E

WAF inspects HTTP traffic for attacks like SQL injection.

Why this answer

Defense-in-depth uses multiple layers. WAF filters malicious traffic, network segmentation limits lateral movement, and RASP protects the application at runtime.

957
Multi-Selecthard

A global company must comply with data residency regulations that require customer data to stay within specific geographic boundaries. The company uses a multi-cloud architecture. Which THREE strategies should the architect implement to ensure compliance?

Select 3 answers
A.Using cloud provider's region-specific services and data centers
B.Encrypting all data at rest and in transit
C.Implementing strict identity and access management (IAM) policies
D.Configuring data classification tags to identify regulated data
E.Deploying data loss prevention (DLP) policies to block cross-border data transfers
AnswersA, D, E

Choosing specific regions ensures data is stored and processed within the desired geography.

Why this answer

To meet data residency requirements, data must be stored and processed locally. Encryption alone does not prevent data from leaving the region. Private links keep traffic within the cloud provider's network but do not guarantee data stays in region.

Access controls do not prevent data movement. Data classification helps identify regulated data. Cloud provider's region-specific services ensure data remains in that region.

958
MCQmedium

Refer to the exhibit. Which security issue does this S3 bucket policy present?

A.The bucket allows anonymous GET operations from any IP
B.The bucket policy is too restrictive
C.The bucket allows anonymous PUT operations from any source
D.The bucket is not encrypted
AnswerC

The second statement permits any principal to put objects without an IP condition.

Why this answer

Option C is correct because the second statement allows anonymous PUT without any IP restriction, meaning anyone can upload objects to the bucket. Option A is incorrect because the GET action is restricted to the specified IP range. Options B and D are not indicated by the policy.

959
Multi-Selecthard

An organization is automating cloud security group management across AWS, Azure, and GCP. Which TWO approaches provide centralized, auditable control? (Select TWO.)

Select 2 answers
A.Leverage infrastructure as code tools (e.g., Terraform) to define and enforce security group rules.
B.Require manual approval for every security group change through a ticketing system.
C.Disable logging on security group changes to reduce performance impact.
D.Use cloud provider CLI commands (e.g., AWS CLI, Azure CLI) in scripts to update security groups.
E.Store service account credentials directly in automation scripts for simplicity.
AnswersA, D

IaC provides a single source of truth and automates enforcement across multiple clouds.

Why this answer

IaC (A) enforces security baselines as code, and cloud provider CLI scripts (D) can automate changes. Manual approval for every change (B) defeats automation, disabling logging (C) is prohibited, and storing credentials in scripts (E) is insecure.

960
Multi-Selectmedium

A security operations team is implementing deception technology to detect lateral movement. Which TWO of the following are examples of deception technologies? (Select TWO.)

Select 2 answers
A.Honeytoken
B.Intrusion prevention system
C.Endpoint detection and response (EDR)
D.Security information and event management (SIEM)
E.Honeypot
AnswersA, E

Honeytokens are deceptive tokens like fake credentials.

Why this answer

Honeypots are decoy systems, and honeytokens are fake credentials or data used to trigger alerts when accessed.

961
Multi-Selecteasy

A compliance officer is preparing for an audit and needs to collect evidence. Which TWO of the following are considered acceptable forms of audit evidence? (Select TWO.)

Select 2 answers
A.Screenshots of unofficial reports
B.Verbal statements from employees
C.Written security policies
D.Assumptions about system configurations
E.System access logs
AnswersC, E

Policies demonstrate what is required.

Why this answer

Audit evidence includes system logs (factual records) and policy documentation (proof of requirements).

962
Multi-Selecthard

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)

Select 2 answers
A.Use try-except blocks to handle exceptions gracefully
B.Use os.system() to run shell commands for resource management
C.Hardcode API tokens as fallback if environment variables are missing
D.Validate that required environment variables exist before proceeding
E.Log the API tokens for troubleshooting purposes
AnswersA, D

Why this answer

Option A is correct because using try-except blocks in Python allows the script to catch and handle exceptions (e.g., missing environment variables, API call failures) gracefully without crashing. This is a fundamental secure coding practice that prevents unhandled errors from exposing sensitive information or causing unpredictable behavior in automated compliance checks. Option D is correct because validating that the required environment variables exist before proceeding lets the script fail early with a clear error instead of running with missing or empty API tokens.

Exam trap

The CAS-004 exam often tests the misconception that hardcoding fallback values or logging sensitive data is acceptable for troubleshooting, but the trap here is that both practices directly violate secure coding principles by exposing secrets, while os.system() is a known anti-pattern for command execution in Python.

Why the other options are wrong

B

os.system is vulnerable to injection; prefer subprocess with parameterized commands.

C

Hardcoding tokens is insecure and defeats the purpose of using environment variables.

E

Logging credentials exposes them in logs, which is a security risk.

963
MCQhard

During a penetration test, the tester successfully gains initial access to a web server and wants to move laterally to a database server. The web server uses a service account that has local admin rights on the database server. What is the most effective technique for lateral movement in this scenario?

A.Exploit a SQL injection vulnerability in the database server
B.Brute-force the database server administrator password
C.Use a keylogger to capture credentials on the web server
D.Pass-the-Hash
AnswerD

The service account's hash can be used to authenticate to the database server.

Why this answer

Pass-the-Hash uses NTLM hashes to authenticate without the plaintext password, effective when the same account hash is reused across systems.

964
MCQmedium

An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?

A.Conduct on-site audits of all vendors.
B.Include security requirements in contracts and rely on legal remedies.
C.Require vendors to complete a self-assessment questionnaire.
D.Implement a continuous monitoring program using automated tools.
AnswerD

Continuous monitoring provides ongoing visibility into vendor security and reduces manual effort.

Why this answer

Option D is correct because continuous monitoring offers real-time visibility and is scalable for a large vendor base, aligning with best practices for third-party risk management.

965
MCQeasy

Which of the following is a primary purpose of using code signing for application deployment?

A.To encrypt the application code
B.To verify the integrity and authenticity of the code
C.To prevent reverse engineering
D.To speed up application deployment
AnswerB

Why this answer

Code signing uses a digital signature (typically RSA or ECDSA) to bind the publisher's identity to the code. The primary purpose is to verify both the integrity (the code has not been tampered with) and the authenticity (the code comes from a trusted source) before deployment. This is achieved by hashing the code and signing the hash with the publisher's private key; the recipient verifies the signature using the publisher's public certificate.

Exam trap

The CAS-004 exam often tests the misconception that code signing provides encryption or obfuscation, when in fact it only provides integrity and authenticity verification without hiding the code content.

Why the other options are wrong

A

Encryption is for confidentiality; code signing does not encrypt the code.

C

Code signing does not prevent reverse engineering; obfuscation or other techniques are used for that.

D

Code signing adds overhead, not speed.

966
MCQhard

Given the exhibit, what is the MOST likely scenario?

A.A misconfigured application is sending malformed data to a server.
B.An external attacker is scanning the internal network.
C.An internal host is compromised and attacking an external web server.
D.A web vulnerability scanner is performing authorized tests.
AnswerC

The host adapts to the firewall rules and launches a SQL injection attack.

Why this answer

Option C is correct. The internal host 10.0.1.100 initially tried to connect to port 80 (HTTP) but was denied, then used port 443 (HTTPS), which was allowed, and then performed SQL injection against the web server. This suggests the host is compromised and is attacking an external server over HTTPS to bypass the firewall rules. Option A is wrong because the traffic is outbound, not inbound, and malformed application data would not look like deliberate SQL injection. Option B is wrong because the traffic originates from an internal host, and the pattern is deliberate. Option D is wrong because an authorized scanner would not need to probe for an allowed port before attacking.

967
MCQeasy

A company requires a cryptographic hash function for integrity verification of large files. The solution must be resistant to length extension attacks and provide high performance. Which of the following is the best choice?

A.BLAKE3
B.SHA-256
C.SHA-3
D.MD5
AnswerC

SHA-3 is resistant to length extension attacks and is a NIST standard.

Why this answer

SHA-3 is not vulnerable to length extension attacks and offers good performance. SHA-256 is vulnerable to length extension. BLAKE3 is fast but less standardized.

MD5 is broken and insecure.

968
MCQmedium

A company is conducting a third-party risk assessment for a SaaS provider. The provider has provided a SOC 2 Type II report, penetration test results, and a completed security questionnaire. Which of these provides the most independent and comprehensive view of the provider's control environment over time?

A.Penetration test report
B.Security questionnaire
C.Vendor's marketing materials
D.SOC 2 Type II report
AnswerD

Provides independent assurance over controls over time.

Why this answer

A SOC 2 Type II report is an independent auditor's opinion on controls over a period, making it the most comprehensive.

969
Multi-Selecteasy

A security architect is designing a secure remote access solution for contractors who need temporary access to a few internal applications. Which THREE of the following are best practices for controlling contractor access? (Select THREE.)

Select 3 answers
A.Allow contractors to use a shared account for simplicity
B.Implement just-in-time (JIT) temporary privilege elevation
C.Create time-limited accounts that expire automatically
D.Provide full network-level VPN access
E.Use a VPN with application-level access control
AnswersB, C, E

JIT provides access only when needed, reducing the risk of unused standing privileges.

Why this answer

Time-limited accounts enforce temporary access, application-level VPNs restrict access to specific applications, and just-in-time (JIT) privileges reduce standing access. Full VPN access provides too much network access, shared accounts lack accountability, and permanent accounts are against least privilege.

970
Multi-Selecthard

A company is implementing a hardware security module (HSM) to protect cryptographic keys. The security architect must ensure the solution meets FIPS 140-2 Level 3 requirements. Which TWO of the following features are required for Level 3?

Select 2 answers
A.Role-based authentication only
B.Tamper-evident coatings and seals
C.Identity-based authentication for operators
D.Ability to export keys in plaintext
E.Tamper resistance with automatic zeroization
AnswersB, C

Level 3 requires tamper evidence.

Why this answer

FIPS 140-2 Level 3 requires tamper-evident coatings or seals and identity-based authentication, along with physical security. Tamper resistance with zeroization is more Level 4. Role-based authentication is Level 3 but identity-based is more specific.

Plaintext key export is disallowed at Level 3.

971
MCQhard

A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?

A.Deploying VLANs to separate cardholder data from other traffic
B.Implementing microsegmentation with software-defined networking
C.Using network access control (NAC) to enforce endpoint compliance
D.Placing all systems that process cardholder data in a DMZ
AnswerB

Microsegmentation enables fine-grained, dynamic isolation and aligns with zero trust.

Why this answer

Microsegmentation with software-defined networking (SDN) enables granular, identity-aware isolation of workloads at the virtual network layer, which directly supports zero trust's 'never trust, always verify' principle by restricting lateral movement. For PCI DSS scope reduction, microsegmentation allows the organization to create a logical, auditable boundary around cardholder data environment (CDE) assets without relying on physical network topology, thereby reducing the scope of PCI DSS compliance assessments. This approach is superior because it provides dynamic, policy-driven segmentation that can adapt to regulatory changes while maintaining strict least-privilege access.

Exam trap

CompTIA often tests the misconception that VLANs are sufficient for security segmentation, but the trap here is that VLANs lack the identity-aware, dynamic policy enforcement and east-west traffic control required by zero trust, and they do not provide the auditable, scope-reducing isolation that PCI DSS demands.

How to eliminate wrong answers

Option A is wrong because VLANs operate at Layer 2 and provide only coarse, static segmentation that can be bypassed via VLAN hopping attacks (e.g., double tagging per IEEE 802.1Q) and do not enforce identity-based access controls required by zero trust. Option C is wrong because NAC (e.g., 802.1X) focuses on pre-admission endpoint compliance and posture assessment, not on isolating workloads or reducing PCI DSS scope; it does not provide the granular east-west traffic control needed for zero trust segmentation. Option D is wrong because placing all CDE systems in a DMZ violates the principle of least privilege by exposing them to untrusted networks, increases attack surface, and does not achieve scope reduction—PCI DSS requires isolation of CDE from untrusted networks, not exposure.

972
MCQhard

An organization is implementing a secure software development lifecycle. Which of the following practices BEST ensures that security requirements are addressed early in the development process?

A.Security training for developers
B.Code analysis after development
C.Threat modeling during design phase
D.Penetration testing before release
AnswerC

Threat modeling identifies threats early, allowing mitigation in design.

Why this answer

Threat modeling during the design phase identifies potential security issues before development, shifting security left. Penetration testing and code analysis are later activities, and training is important but does not directly address requirements early.

973
MCQmedium

Refer to the exhibit. A security analyst notices that users from the internet can reach the web server at 10.0.1.100 on port 443, but they cannot reach it on port 8443. What is the most likely cause?

A.The ACL only permits traffic from specific source IPs
B.The firewall rule order is incorrect
C.The web server is not listening on port 8443
D.The firewall is blocking all traffic on port 8443
AnswerC

If the server is not configured for port 8443, it will not respond.

Why this answer

The firewall ACL permits both ports, so the firewall is not the issue. The most likely cause is that the web server is not listening on port 8443. Option A is incorrect because the ACL permits any source. Option B is incorrect because the ACL order is fine. Option D is incorrect because the ACL permits port 8443.

974
MCQmedium

A security architect is implementing an API gateway to protect microservices. Which security capability is uniquely provided by an API gateway compared to a traditional web application firewall (WAF)?

A.TLS termination
B.SQL injection prevention
C.Cross-site scripting (XSS) filtering
D.Rate limiting per API consumer
AnswerD

API gateways can throttle requests per API key or user.

Why this answer

An API gateway can enforce rate limiting and authentication (e.g., OAuth) at the API level, while a WAF typically focuses on HTTP-layer attacks like SQLi.

975
MCQmedium

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?

A.Use stored procedures exclusively
B.Escape all user input with a database-specific escaping function
C.Implement parameterized queries / prepared statements
D.Use an ORM (Object-Relational Mapping) framework
AnswerC

Why this answer

Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver automatically escapes the input values, ensuring they are treated as data, not executable code. This directly prevents SQL injection because the query structure is fixed before user input is bound.

Exam trap

The CAS-004 exam often tests the misconception that stored procedures or ORMs are inherently safe, but the trap is that both can still be vulnerable if they allow dynamic SQL construction or raw query execution without parameterization.

Why the other options are wrong

A

Stored procedures can still be vulnerable if dynamic SQL is used within them.

B

Escaping is error-prone and not as reliable as parameterized queries.

D

ORMs can reduce risk but may still generate dynamic SQL if not used carefully.
