A startup software company recently updated its development strategy to incorporate the Software Development Life Cycle, including revamping the quality assurance and release processes for gold builds. Which of the following would most likely be developed FIRST as part of the overall strategy?
A. Security requirements
B. Code signing
C. Application vetting
D. Secure coding standards
During a phishing exercise, a few privileged users ranked high on the failure list. The enterprise would like to ensure that privileged users have an extra security-monitoring control in place. Which of the following is the MOST likely solution?
A. A WAF to protect web traffic
B. User and entity behavior analytics
C. Requirements to change the local password
D. A gap analysis
A security consultant is designing an infrastructure security solution for a client company that has provided the following requirements:
1. Access to critical web services at the edge must be redundant and highly available.
2. Secure access services must be resilient to a proprietary zero-day vulnerability in a single component.
3. Automated transition of secure access solutions must be able to be triggered by defined events or manually by security operations staff.
Which of the following solutions BEST meets these requirements?
A. Implementation of multiple IPSec VPN solutions with diverse endpoint configurations enabling user optionality in the selection of a remote access provider.
B. Remote access services deployed using vendor-diverse redundancy with event response driven by playbooks.
C. Two separate secure access solutions orchestrated by SOAR with components provided by the same vendor for compatibility.
D. Reverse TLS proxy configuration using OpenVPN/OpenSSL with scripted failover functionality that connects critical web services out to endpoint computers.
A security architect recommends replacing the company's monolithic software application with a containerized solution. Historically, secrets have been stored in the application's configuration files. Which of the following changes should the security architect make in the new system?
A. Use a secrets management tool.
B. Save secrets in key escrow.
C. Store the secrets inside the Dockerfiles.
D. Run all Dockerfiles in a randomized namespace.
Law enforcement officials informed an organization that an investigation has begun. Which of the following is the FIRST step the organization should take?
A. Initiate a legal hold.
B. Refer to the retention policy.
C. Perform e-discovery.
D. Review the subpoena.
A company wants to refactor a monolithic application to take advantage of cloud native services and service microsegmentation to secure sensitive application components. Which of the following should the company implement to ensure the architecture is portable?
A. Virtualized emulators
B. Type 2 hypervisors
C. Orchestration
D. Containerization
An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother's maiden name. When all of these are entered correctly, a new password is emailed to the user. Which of the following should concern the analyst the MOST?
A. The security answers may be determined via online reconnaissance.
B. The password is too long, which may encourage users to write the password down.
C. The password should include a special character.
D. The minimum password length is too short.
A software company decides to study and implement some new security features in the software it develops in the C++ language. The developers are trying to find a way to prevent a malicious process from accessing another process's execution area. Which of the following techniques should the developers use?
A. Enable NX.
B. Move to Java.
C. Execute SAST.
D. Implement memory encryption.
An analyst received a list of IOCs from a government agency. The attack has the following characteristics:
1. The attack starts with bulk phishing.
2. If a user clicks on the link, a dropper is downloaded to the computer.
3. Each of the malware samples has unique hashes tied to the user.
The analyst needs to identify whether existing endpoint controls are effective. Which of the following risk mitigation techniques should the analyst use?
A. Update the incident response plan.
B. Blocklist the executable.
C. Deploy a honeypot onto the laptops.
D. Detonate in a sandbox.
In a cloud environment, the provider offers relief to an organization's teams by sharing in many of the operational duties. In a shared responsibility model, which of the following responsibilities belongs to the provider in a PaaS implementation?
A. Application-specific data assets
B. Application user access management
C. Application-specific logic and code
D. Application/platform software
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only CompTIA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CAS-004 exam preparation and CompTIA certification application, do not hesitate to visit Vcedump.com to find your solutions here.