Text preview & study summary
CompTIA CASP+ SecurityX CAS-005 - All Domains Advanced Security Architecture Engineering
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A company's development team wants to integrate security into their CI/CD pipeline. A security engineer proposes running SAST and DAST tools automatically. What is the difference?
Explanation
SAST analyzes source code, bytecode, or binaries to find vulnerabilities (SQLi, buffer overflows, hardcoded credentials) without running the code. DAST attacks the running application (like a black-box test) to find runtime vulnerabilities (authentication flaws, injection, misconfigurations).
Question 2
A security engineer is implementing TLS for an internal API. They want to ensure that only the server's certificate is trusted (not any CA certificate), preventing man-in-the-middle attacks even with valid CA-signed certificates. What technique should be used?
Explanation
Certificate pinning "pins" the expected certificate or public key in the application, rejecting any certificate that doesn't match — even valid CA-signed certificates. This prevents MITM attacks using fraudulently-issued or CA-compromised certificates, at the cost of more complex certificate rotation.
Question 3
An organization wants to measure the effectiveness of their security program. Which metric would BEST indicate the organization's ability to detect and respond to threats?
Explanation
MTTD and MTTR are outcome-based metrics that directly measure security program effectiveness. Decreasing MTTD shows improved detection capability; decreasing MTTR shows improved response capability. They measure actual security outcomes, not just activity metrics (policies written, training completed).
Question 4
A CISO is designing a supply chain security program after a major vendor compromise. Which control would MOST effectively reduce supply chain risk?
Explanation
Supply chain security requires: TPRM (Third-Party Risk Management) assessments for vendor security posture, attestation to security standards, software SCA to detect vulnerable/malicious dependencies in vendor-supplied code, and monitoring vendor privileged access (as seen in SolarWinds attack).
Question 5
An enterprise security architect is designing a solution to ensure that privileged access to cloud infrastructure is temporary, audited, and eliminates permanent credentials. Which capability achieves this?
Explanation
JIT (Just-in-Time) PAM grants elevated privileges for a specific time window (e.g., 1 hour) based on approved request, records the session, and automatically revokes access afterward. This eliminates standing privileges that represent persistent risk from credential compromise.
