開発プロセス中に、チームは書き換えが必要な主要コンポーネントを特定します。その結果、会社は主要なプロセスの問題に対処するためにセキュリティ コンサルタントを雇います。将来これらの問題が再発するのを防ぐには、コンサルタントは次のどれを推奨すべきでしょうか。
正解: A
Comprehensive and Detailed in-Depth
Problem Statement:
The development team identifiesmajor issues in codeduring the development phase, indicatingflawed or vulnerable code.
To prevent similar problems in the future, anautomated and integrated solutionis needed tocatch issues early.
Why the Correct Answer is A (Implementing a static analysis tool within the CI/CD system):
Static Application Security Testing (SAST)is used toanalyze source codefor vulnerabilitiesbefore the code is compiled.
Integrating SAST into theCI/CD pipelineensures that:
Issues are detectedearly in the development process.
Developers getimmediate feedbackon vulnerabilities or code flaws.
Security checks areautomated, reducing human error and oversight.
This proactive approach helps inearly detection of syntax errors, insecure coding practices, and vulnerabilities.
Example of CI/CD Integration:
A typicalGitLab CI/CD pipelinecould include aSAST stage:
yaml
CopyEdit
sast:
stage: test
script:
- ./sast_tool analyze src/
allow_failure: false
This setup ensures that the code is scanned for vulnerabilitiesbefore deployment.
Why the Other Options Are Incorrect:
B . Configuring a dynamic application security testing tool:
DASTanalyzes applications duringruntime.
It identifiesvulnerabilities in running applications, butcannot catch issues during development.
SAST is better forearly detectionsince it examines thesource codeitself.
C . Performing software composition analysis on all third-party components:
WhileSCAidentifies vulnerabilities inthird-party libraries, it does not addresscoding issues in the organization's own codebase.
It is useful fordependency management, not for catchingsource code flaws.
D . Utilizing a risk-based threat modeling approach on new projects:
Threat modeling helps inidentifying risks and potential attack vectors.
While useful in planning, it does not providecontinuous detectionof coding flaws.
It is morestrategicand less focused on thedevelopment pipeline.
E . Setting up an interactive application security testing tool:
IASTworks byanalyzing application behavior during testing.
It requires the application to bedeployed and running, making it less suitable forearly detection during development.
SAST remains superior forcatching flaws before deployment.
Key Benefits of SAST in CI/CD:
Early Detection:Finds issues during thecoding phase, preventing costly fixes later.
Automated Security:Scans eachcode commit, ensuring consistent checks.
Developer Friendly:Providesactionable insightsright within the development environment.
Integration Capabilities:Compatible with popular CI/CD tools likeJenkins, GitLab CI, and Azure Pipelines.
Real-World Example:
A software company integratedSAST into their CI/CD pipelineusingSonarQube.
As a result, they reduced the number ofcritical vulnerabilitiesdiscovered after deployment by60%.
Developers couldfix issues on the spot, minimizing the time and effort required to address security flaws later.
Extract from CompTIA SecurityX CAS-005 Study Guide:
TheCompTIA SecurityX CAS-005 Official Study Guideemphasizes thatintegrating security testing into the CI/CD pipelineis crucial forDevSecOps. It states thatSAST toolsare essential foridentifying vulnerabilities earlyin the development process, helping organizations adopt ashift-left security approach.
