
212-82 · Question #153

212-82 Question #153: Real Exam Question with Answer & Explanation


Submitted by lucia.co · Mar 6, 2026 · Application Security for Cloud

Question

TechTYendz, a leading tech company, is moving towards the final stages of developing a new cloud-based web application aimed at real-time data processing for financial transactions. Given the criticality of the data and the high user volume expected, TechTYendz's security team is keen on employing rigorous application security testing techniques. The team decides to carry out a series of tests using tools that can best mimic potential real-world attacks on the application. The team's main concern is to detect vulnerabilities in the system, including those stemming from configuration errors, software bugs, and faulty APIs. The security experts have shortlisted four testing tools and techniques. Which of the following would be the MOST comprehensive method to ensure a thorough assessment of the application's security?

Options

  • A. Employing dynamic application security testing (DAST) tools that analyze running applications in
  • B. Utilizing static application security testing (SAST) tools to scan the source code for vulnerabilities.
  • C. Implementing a tool that combines both SAST and DAST features for a more holistic security
  • D. Conducting a manual penetration test focusing only on the user interface and transaction modules.

Explanation

Combining SAST and DAST (Option C) provides the most comprehensive security assessment because SAST catches vulnerabilities in the source code before runtime (such as coding errors and insecure logic), while DAST identifies issues in the running application (such as configuration errors, faulty APIs, and runtime vulnerabilities) - together they cover the full spectrum of threats described in the scenario.

Why the distractors are wrong:

  • Option A (DAST only) is limited because it only tests the running application and misses source-code-level vulnerabilities that haven't yet manifested at runtime.
  • Option B (SAST only) cannot detect runtime issues like misconfigured servers, authentication flaws exposed during execution, or API vulnerabilities that only appear when the application is live.
  • Option D (Manual penetration testing on UI/transactions only) is too narrow in scope - focusing solely on the interface misses backend vulnerabilities, configuration errors, and code-level flaws across the entire application.

Memory Tip: Think of it as "Inside + Outside = Complete" - SAST looks inside the code (static), DAST looks outside during execution (dynamic), and combining them leaves no blind spots. When a question mentions multiple vulnerability types across a critical system, always lean toward the hybrid/combined approach.

Topics

#ApplicationSecurityTesting #SAST #DAST #CloudApplicationVulnerabilities
