Text preview & study summary

CompTIA CASP+ SecurityX CAS-005 - All Domains Advanced Security Architecture Engineering

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A company's development team wants to integrate security into their CI/CD pipeline. A security engineer proposes running SAST and DAST tools automatically. What is the difference?

Answer choices

  • A. SAST tests applications in production; DAST tests source code

  • B. SAST (Static Application Security Testing) analyzes source code without running it; DAST (Dynamic Application Security Testing) tests the running application by sending attack payloads (Correct)

  • C. SAST is for mobile apps; DAST is for web apps

  • D. They test the same things with different tools

Explanation

SAST analyzes source code, bytecode, or binaries to find vulnerabilities (SQLi, buffer overflows, hardcoded credentials) without running the code. DAST attacks the running application (like a black-box test) to find runtime vulnerabilities (authentication flaws, injection, misconfigurations).

Question 2

A security engineer is implementing TLS for an internal API. They want to ensure that only the server's certificate is trusted (not any CA certificate), preventing man-in-the-middle attacks even with valid CA-signed certificates. What technique should be used?

Answer choices

  • A. Certificate revocation (CRL/OCSP)

  • B. Certificate pinning (Correct)

  • C. Extended Validation (EV) certificates

  • D. Mutual TLS (mTLS)

Explanation

Certificate pinning "pins" the expected certificate or public key in the application, rejecting any certificate that doesn't match — even valid CA-signed certificates. This prevents MITM attacks using fraudulently-issued or CA-compromised certificates, at the cost of more complex certificate rotation.

Question 3

An organization wants to measure the effectiveness of their security program. Which metric would BEST indicate the organization's ability to detect and respond to threats?

Answer choices

  • A. Number of security policies documented

  • B. Percentage of assets with antivirus installed

  • C. Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) tracked over time (Correct)

  • D. Number of security training completions

Explanation

MTTD and MTTR are outcome-based metrics that directly measure security program effectiveness. Decreasing MTTD shows improved detection capability; decreasing MTTR shows improved response capability. They measure actual security outcomes, not just activity metrics (policies written, training completed).

Question 4

A CISO is designing a supply chain security program after a major vendor compromise. Which control would MOST effectively reduce supply chain risk?

Answer choices

  • A. Require vendors to sign NDAs

  • B. Conduct thorough vendor security assessments (TPRM), require SOC 2/ISO 27001 attestations, implement software composition analysis (SCA) for third-party code, and monitor vendor access (Correct)

  • C. Use only domestic vendors

  • D. Limit vendor communication via email

Explanation

Supply chain security requires: TPRM (Third-Party Risk Management) assessments for vendor security posture, attestation to security standards, software SCA to detect vulnerable/malicious dependencies in vendor-supplied code, and monitoring vendor privileged access (as seen in SolarWinds attack).

Question 5

An enterprise security architect is designing a solution to ensure that privileged access to cloud infrastructure is temporary, audited, and eliminates permanent credentials. Which capability achieves this?

Answer choices

  • A. Long-lived service account credentials stored in a vault

  • B. Just-in-Time (JIT) privileged access management (PAM) with time-limited elevation and full session recording (Correct)

  • C. Shared admin accounts stored in a password manager

  • D. VPN access for all administrators

Explanation

JIT (Just-in-Time) PAM grants elevated privileges for a specific time window (e.g., 1 hour) based on approved request, records the session, and automatically revokes access afterward. This eliminates standing privileges that represent persistent risk from credential compromise.