CAS-003 Question #719: Real Exam Question with Answer & Explanation
The correct answer is A: Static. Static analysis examines source code in a repository without executing it, making it the correct tool to check OWASP secure coding compliance during development.
Question
While the code is still in the development environment, a security architect is testing the code stored in the code repository to ensure the top ten OWASP secure coding practices are being followed. Which of the following code analyzers will produce the desired results?
Options
- A. Static
- B. Dynamic
- C. Fuzzer
- D. Peer review
Explanation
Static analysis examines source code in a repository without executing it, making it the correct tool to check OWASP secure coding compliance during development.
Common mistakes.
- B. Dynamic analysis requires the application to be actively running, so it cannot be applied to code sitting in a repository that has not been deployed or executed.
- C. A fuzzer sends random or malformed input to a running application to cause crashes and cannot evaluate coding practices in a non-executing code repository.
- D. Peer review relies on human inspection rather than automated tooling and lacks the systematic, consistent coverage needed to reliably verify compliance with all OWASP secure coding practices.
Concept tested. Static application security testing (SAST) for OWASP compliance
Reference. https://owasp.org/www-community/Source_Code_Analysis_Tools