Exam CCSK topic 1 question 143 discussion

SAST itself does not provide enough coverage IMHO

THe answer is "A"

Pg 113: Static Application Security Testing (SAST): On top of the normal range of tests, these should ideally incorporate checks on API calls to the cloud service. They should also look for any static embedded credentials for those API calls, which is a growing problem.

Static Application Security Testing (SAST) is On top of the normal range of tests, these should ideally incorporate checks on API calls to the cloud service. Hence, Correct answer is D.

A. Dynamic Application Security Testing (DAST) Dynamic Application Security Testing (DAST) is a type of application security testing that involves testing the application in its running state by sending various inputs and analyzing the responses. When it comes to checking API calls to the cloud service, DAST is particularly relevant. It simulates how an attacker might interact with an application and its APIs by making requests and evaluating the responses for vulnerabilities. Unit Testing (B), Functional Testing (C), and Static Application Security Testing (SAST) (D) are not specifically focused on testing API calls to cloud services, although they play important roles in broader application security practices. Option E ("All of the above") is not accurate in this context as DAST is the most relevant choice for checking API calls to cloud services among the options given.

10.1.3 Static Application Security Testing (SAST): On top of the normal range of tests, these should ideally incorporate checks on API calls to the cloud service. They should also look for any static embedded credentials for those API calls, which is a growing problem.

Static Application Security Testing (SAST): On top of the normal range of tests, these should ideally incorporate checks on API calls to the cloud service.

API calls should be tested with all the methods reported