
CAS-002 · Question #610

CAS-002 Question #610: Real Exam Question with Answer & Explanation

The correct answer is D: Sign a NDA with a small consulting firm and use the firm to perform Grey box testing. Grey box testing by an external firm under NDA provides more thorough vulnerability coverage than black box testing, while a small firm limits the number of individuals with access to the proprietary code base, satisfying both the CEO's thoroughness and confidentiality requirements.

Question

A firm's Chief Executive Officer (CEO) is concerned that its IT staff lacks the knowledge to identify complex vulnerabilities that may exist in the payment system being internally developed. The payment system being developed will be sold to a number of organizations and is in direct competition with another leading product. The CEO highlighted, in a risk management meeting, that code base confidentiality is of utmost importance to allow the company to exceed the competition in terms of product reliability, stability and performance. The CEO also highlighted that company reputation for secure products is extremely important. Which of the following will provide the MOST thorough testing and satisfy the CEO's requirements?

Options

  • A. Use the security assurance team and development team to perform Grey box testing.
  • B. Sign a NDA with a large consulting firm and use the firm to perform Black box testing.
  • C. Use the security assurance team and development team to perform Black box testing.
  • D. Sign a NDA with a small consulting firm and use the firm to perform Grey box testing.

Explanation

Grey box testing gives the testers partial knowledge of the system (architecture, design decisions, selected internals) without handing over the entire code base, so it uncovers complex internal vulnerabilities that a black box tester, working only from the outside, is likely to miss. Engaging an external firm brings the specialist expertise the internal IT staff lacks, the NDA makes the confidentiality obligation enforceable, and choosing a small firm limits the number of individuals who ever see proprietary material. Option D therefore satisfies both the CEO's thoroughness requirement and the confidentiality requirement.

Common mistakes.

  • A. Using the internal security assurance and development team does not address the CEO's explicit concern that the IT staff lacks sufficient knowledge to identify complex vulnerabilities in the payment system.
  • B. A large consulting firm exposes the proprietary code to a larger number of personnel, significantly increasing confidentiality risk; black box testing is also less thorough than grey box and is more likely to miss complex internal vulnerabilities.
  • C. Using internal teams for black box testing fails to resolve the knowledge gap concern and provides less thorough coverage than grey box, since testers have no visibility into internal architecture or design decisions.

Concept tested. Security testing methodology selection balancing thoroughness and confidentiality

Reference. https://csrc.nist.gov/publications/detail/sp/800-115/final
