
Exam CAS-004 topic 1 question 536 discussion

Actual exam question from CompTIA's CAS-004
Question #: 536
Topic #: 1

During the development process, the team identifies major components that need to be rewritten. As a result, the company hires a security consultant to help address major process issues. Which of the following should the consultant recommend to best prevent these issues from reoccurring in the future?

  • A. Implementing a static analysis tool within the CI/CD system
  • B. Configuring a dynamic application security testing tool
  • C. Performing software composition analysis on all third-party components
  • D. Utilizing a risk-based threat modeling approach on new projects
  • E. Setting up an interactive application security testing tool
Suggested Answer: A

Comments

Bright07
2 weeks, 4 days ago
Selected Answer: A
Sorry, I changed my answer to A. Static analysis tools are designed to analyze source code or binaries for vulnerabilities without executing the program. By integrating a static analysis tool into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, the team can automatically detect issues early in the development process, before they become larger problems. This helps identify security flaws, code quality issues, or areas that need rewriting, enabling the team to address them during development rather than after the fact. Key benefits of implementing static analysis in the CI/CD pipeline:
  • Early detection of vulnerabilities or issues during the development process, allowing for immediate remediation.
  • Automation that ensures that security checks are part of the regular development cycle, preventing security and process issues from going undetected.
  • Consistency in security practices, as static analysis can be run automatically on every code commit, providing ongoing feedback to developers.
upvoted 1 times
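To make the "static analysis gate on every commit" idea concrete, here is a small added example (written for this page, not code from the comment above, from CompTIA, or from any vendor tool). It uses Python's standard-library `ast` module to parse a source file without executing it, flags a few well-known dangerous call patterns, and returns a CI exit code that fails the pipeline stage when findings exceed a threshold. The scanned module `SAMPLE_SOURCE`, the rule IDs (`PY-EVAL`, `PY-PICKLE`, `PY-SHELL`) and the `max_findings` knob are all constructed for the example; a real pipeline would run a mature SAST tool (Bandit, Semgrep, CodeQL) in exactly the same position.

```python
"""Minimal static-analysis gate for a CI/CD pipeline (added example).

Illustrative code written for this page, not a CompTIA or vendor tool.
It parses Python source with the standard-library `ast` module, so the
scanned code is never imported or executed, and reports a handful of
well-known dangerous patterns. A real pipeline runs a mature SAST tool
the same way: on every commit, failing the build above a threshold.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# Constructed sample input: a deliberately flawed module embedded so the
# example runs offline. Line numbers in findings refer to this string.
SAMPLE_SOURCE = '''\
import os
import subprocess
import pickle

def run(cmd):
    return subprocess.run(cmd, shell=True)   # shell=True with caller input

def load(blob):
    return pickle.loads(blob)                # deserialising untrusted data

def calc(expr):
    return eval(expr)                        # eval on a string

def safe(path):
    return os.path.basename(path)            # fine
'''


def _qualified_name(node: ast.AST) -> str:
    """Return 'pkg.func' for Name/Attribute call targets, else ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class DangerousCallVisitor(ast.NodeVisitor):
    """Walk the AST and collect calls that match simple, hypothetical rules."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _qualified_name(node.func)
        if name in ("eval", "exec"):
            self.findings.append(Finding("PY-EVAL", node.lineno,
                                         f"use of {name}() on runtime data"))
        elif name in ("pickle.loads", "pickle.load"):
            self.findings.append(Finding("PY-PICKLE", node.lineno,
                                         "pickle deserialisation of untrusted input"))
        elif name in ("subprocess.run", "subprocess.Popen", "subprocess.call",
                      "subprocess.check_output"):
            # Only flag the call when shell=True is passed as a literal.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    self.findings.append(Finding("PY-SHELL", node.lineno,
                                                 "subprocess call with shell=True"))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Static analysis: parse only, never import or execute the code."""
    tree = ast.parse(source)
    visitor = DangerousCallVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


def ci_gate(source: str, max_findings: int = 0) -> int:
    """Return a process exit code: 0 passes the pipeline stage, 1 fails it."""
    findings = analyze(source)
    for f in findings:
        print(f"{f.rule}: line {f.line}: {f.message}")
    return 0 if len(findings) <= max_findings else 1


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_SOURCE))
```

Run as a script it prints three findings (lines 6, 9 and 12 of the sample) and exits non-zero, which is what a CI job needs to block the merge. The design point worth noting: the checker only reads the AST, so a malicious or half-finished module cannot affect the build agent, and because it runs on every commit the feedback arrives while the code is still fresh in the developer's mind.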
grelaman
2 months ago
Selected Answer: D
The need to rewrite major components suggests fundamental issues in the design or architecture of the application. These issues are likely due to inadequate early-stage planning regarding security threats and risks. Implementing practices that identify and mitigate risks early in the development lifecycle can prevent significant rework later on. By applying threat modeling at the design phase, potential security issues can be identified before coding begins. This proactive approach reduces the likelihood of needing to rewrite major components later due to security flaws.
upvoted 1 times
Bright07
3 months, 1 week ago
Ans. D. To best prevent major process issues from reoccurring in the future, the consultant should recommend utilizing a risk-based threat modeling approach on new projects. Risk-based threat modeling helps identify potential security vulnerabilities early in the development process by assessing risks associated with the design and architecture of the application. This proactive approach allows teams to address security concerns before they manifest as major issues. While implementing a static analysis tool within the CI/CD system can catch coding issues before deployment, if the underlying processes and designs are flawed, it might not be sufficient to prevent recurrence.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other
