CAS-003 Question #644: Real Exam Question with Answer & Explanation
The correct answer is C.
Question
Options
- A. The developers should require an exact version of the open-source security products, preventing
- B. The application development team should move to an Agile development approach to identify
- C. The change logs for the third-party libraries should be reviewed for security patches, which may
- D. The application should eliminate the use of open-source libraries and products to prevent known
Explanation
Reviewing change logs of third-party open-source libraries identifies when security patches have been released, enabling developers to update dependencies to patched versions that still meet the minimum compatibility requirements. This is a Software Composition Analysis (SCA) best practice that directly reduces vulnerability exposure. Answer A (requiring exact library versions) prevents security updates from being applied, freezing the application on potentially vulnerable versions. Answer B (switching to Agile) is a process change that does not directly address third-party library vulnerabilities. Answer D (eliminating open-source libraries) is impractical and does not inherently improve security, as closed-source software also has vulnerabilities. Change log review is the targeted, practical control.