
Exam CAS-004 topic 1 question 547 discussion

Actual exam question from CompTIA's CAS-004
Question #: 547
Topic #: 1

During a software assurance assessment, an engineer notices the source code contains multiple instances of strcpy, which does not verify the buffer length. Which of the following solutions should be integrated into the SDLC process to reduce future risks?

  • A. Require custom IDS/IPS detection signatures for each type of insecure function found.
  • B. Perform a penetration test before moving to the next step of the SDLC.
  • C. Update the company's secure coding policy to exclude insecure functions.
  • D. Perform DAST/SAST scanning before handoff to another team.
Suggested Answer: D
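The scenario in the question, as an added example that is not part of the original page: option C's secure coding policy is written down as a banned-function list, and option D's SAST-style scan enforces it before handoff by flagging calls to those functions while ignoring mentions inside comments and string literals (the usual source of false positives). The banned list, the replacement advice and the C sample are constructed assumptions, not any real project's policy or code.

```python
import re
from dataclasses import dataclass

# Policy as data: banned C functions mapped to the allowed replacement (hypothetical list).
BANNED = {
    "strcpy": "strncpy or snprintf with an explicit destination size",
    "strcat": "strncat with remaining-space computation, or snprintf",
    "sprintf": "snprintf",
    "gets": "fgets with a sized buffer",
}
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")
# Block comments, line comments and string literals, which must not trigger findings.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    advice: str

def _blank_noise(src: str) -> str:
    # Overwrite comments/strings with spaces but keep newlines so line numbers hold.
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan_c_source(src: str) -> list[Finding]:
    """One Finding per call to a banned function, in file order."""
    findings = []
    for lineno, text in enumerate(_blank_noise(src).split("\n"), 1):
        for m in _CALL.finditer(text):
            findings.append(Finding(lineno, m.group(1), BANNED[m.group(1)]))
    return findings

def passes_policy(src: str) -> bool:
    return not scan_c_source(src)  # handoff gate: True only when no banned call remains

# Constructed sample input, not code from any real project.
SAMPLE_C = """\
#include <string.h>
/* strcpy named in a comment only */
void greet(char *out, const char *name) {
    char buf[16];
    strcpy(buf, name);              /* flagged: no length check */
    sprintf(out, "hi %s", buf);     /* flagged */
    printf("strcpy(%s)", buf);      /* inside a string literal: ignored */
    strncpy(out, buf, sizeof buf);  /* not on the banned list */
    my_strcpy(out, buf);            /* different identifier: ignored */
}
"""
```

Running `scan_c_source(SAMPLE_C)` reports only lines 5 and 6, so the gate fails the sample until those calls are replaced.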

Comments

0e4eff2
2 days, 22 hours ago
Selected Answer: C
The source code in this scenario uses insecure functions like strcpy which are known for not checking buffer sizes, leading to buffer overflow vulnerabilities. The most effective solution is to update the company’s secure coding policy to prohibit the use of insecure functions and replace them with safer alternatives, such as strncpy, which enforces buffer length checks. Integrating this change into the Software Development Life Cycle (SDLC) ensures that future code adheres to secure practices, thereby reducing the risk of vulnerabilities being introduced into production systems.
upvoted 1 times
Bright07
2 weeks, 6 days ago
Selected Answer: C
After careful consideration and review of the questions and answers, with some research, I changed my answer to C. Updating the secure coding policy to exclude insecure functions prevents the issue at the source and integrates security into the development process early, reducing future risks. Secondary recommendation: D. While not as strong as C, implementing DAST/SAST scanning can help catch any violations of the secure coding policy. However, C is the most effective long-term solution.
upvoted 3 times
grelaman
6 months, 1 week ago
Selected Answer: D
Integrating SAST/DAST tools into the CI/CD pipeline ensures that code is automatically scanned with each build or release. Developers receive real-time alerts about insecure code, allowing them to fix issues promptly. Automated scanning reduces the likelihood of insecure functions being overlooked due to human error. SAST/DAST tools often maintain logs and reports, providing an audit trail of security assessments. They enforce the secure coding policy by actively detecting violations, rather than relying solely on developers' adherence.
upvoted 4 times
Bright07
6 months, 2 weeks ago
Answer: D. Perform DAST/SAST scanning before handoff to another team. Implementing Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) can help identify insecure functions and coding practices early in the development process. This proactive approach allows teams to catch vulnerabilities before they are handed off or deployed, reducing the likelihood of security issues in the final product. While the other options may have merit, they are not as comprehensive or proactive in addressing the root cause of the issue throughout the development process.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other
