PT0-001 Question #99: Real Exam Question with Answer & Explanation

The correct answer is C: Decompile the application.

Question

A company contracted a firm specializing in penetration testing to assess the security of a core business application. The company provided the firm with a copy of the Java bytecode. Which of the following steps must the firm take before it can run a static code analyzer?

Options

  • A. Run the application through a dynamic code analyzer.
  • B. Employ a fuzzing utility.
  • C. Decompile the application.
  • D. Check memory allocations.

Explanation

Static code analyzers work by examining human-readable source code, not compiled binaries or bytecode. Java bytecode (.class files, usually packaged in .jar files) is the compiled intermediate representation that the JVM executes; it is not directly analyzable by most static analysis tools. To use a static code analyzer, the firm must first decompile the bytecode back into Java source code using a tool such as CFR, Procyon, or JD-GUI. Only then can a static analyzer parse and inspect the code for vulnerabilities. Dynamic analysis, fuzzing, and memory inspection are runtime techniques and are not prerequisites for static analysis.
