Exam Details

  • Exam Code
    :CAS-003
  • Exam Name
    :CompTIA Advanced Security Practitioner (CASP+)
  • Certification
    :CompTIA Certifications
  • Vendor
    :CompTIA
  • Total Questions
    :791 Q&As
  • Last Updated
    :Jan 22, 2024

CompTIA CompTIA Certifications CAS-003 Questions & Answers

  • Question 301:

    An enterprise is trying to secure a specific web-based application by forcing the use of multifactor authentication. Currently, the enterprise cannot change the application's sign-in page to include an extra field. However, the web-based application supports SAML. Which of the following would BEST secure the application?

    A. Using an SSO application that supports mutlifactor authentication

    B. Enabling the web application to support LDAP integration

    C. Forcing higher-complexity passwords and frequent changes

    D. Deploying Shibboleth to all web-based applications in the enterprise

  • Question 302:

    A software development company lost customers recently because of a large number of software issues. These issues were related to integrity and availability defects, including buffer overflows, pointer deferences, and others. Which of the following should the company implement to improve code quality? (Select two).

    A. Development environment access controls

    B. Continuous integration

    C. Code comments and documentation

    D. Static analysis tools

    E. Application containerization

    F. Code obfuscation

  • Question 303:

    A developer emails the following output to a security administrator for review:

    Which of the following tools might the security administrator use to perform further security assessment of this issue?

    A. Port scanner

    B. Vulnerability scanner

    C. Fuzzer

    D. HTTP interceptor

  • Question 304:

    An infrastructure team within an energy organization is at the end of a procurement process and has selected a vendor's SaaS platform to deliver services. As part of the legal negotiation, there are a number of outstanding risks, including:

    1.

    There are clauses that confirm a data retention period in line with what is in the energy organization's security policy.

    2.

    The data will be hosted and managed outside of the energy organization's geographical location.

    The number of users accessing the system will be small, and no sensitive data will be hosted in the SaaS platform. Which of the following should the project's security consultant recommend as the NEXT step?

    A. Develop a security exemption, as the solution does not meet the security policies of the energy organization.

    B. Require a solution owner within the energy organization to accept the identified risks and consequences.

    C. Mititgate the risks by asking the vendor to accept the in-country privacy principles and modify the retention period.

    D. Review the procurement process to determine the lessons learned in relation to discovering risks toward the end of the process.

  • Question 305:

    An organization wants to allow its employees to receive corporate email on their own smartphones. A security analyst is reviewing the following information contained within the file system of an employee's smartphone:

    1.

    FamilyPix.jpg

    2.

    Taxreturn.tax

    3.

    paystub.pdf

    4.

    employeesinfo.xls

    5.

    SoccerSchedule.doc

    6.

    RecruitmentPlan.xls

    Based on the above findings, which of the following should the organization implement to prevent further exposure? (Select two).

    A. Remote wiping

    B. Side loading

    C. VPN

    D. Containerization

    E. Rooting

    F. Geofencing

    G. Jailbreaking

  • Question 306:

    While conducting online research about a company to prepare for an upcoming penetration test, a security analyst discovers detailed financial information on an investor website the company did not make public. The analyst shares this information with the Chief Financial Officer (CFO), who confirms the information is accurate, as it was recently discussed at a board of directors meeting. Many of the details are verbatim discussion comments captured by the board secretary for purposes of transcription on a mobile device. Which of the following would MOST likely prevent a similar breach in the future?

    A. Remote wipe

    B. FDE

    C. Geolocation

    D. eFuse

    E. VPN

  • Question 307:

    A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements:

    1.

    Mandatory access control must be enforced by the OS.

    2.

    Devices must only use the mobile carrier data transport.

    Which of the following controls should the security administrator implement? (Select three).

    A. Enable DLP

    B. Enable SEAndroid

    C. Enable EDR

    D. Enable secure boot

    E. Enable remote wipe

    F. Disable Bluetooth

    G. Disable 802.11

    H. Disable geotagging

  • Question 308:

    An online bank has contracted with a consultant to perform a security assessment of the bank's web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site. Which of the following is a concern for the consultant, and how can it be mitigated?

    A. XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this.

    B. The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue.

    C. The HTTP traffic is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server.

    D. A successful MITM attack Could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.

  • Question 309:

    A company's Chief Operating Officer (COO) is concerned about the potential for competitors to infer proprietary information gathered from employees' social media accounts.

    Which of the following methods should the company use to gauge its social media threat level without targeting individual employees?

    A. Utilize insider threat consultants to provide expertise.

    B. Require that employees divulge social media accounts.

    C. Leverage Big Data analytical algorithms.

    D. Perform social engineering tests to evaluate employee awareness.

  • Question 310:

    A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats.

    Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques?

    A. Attend hacking conventions.

    B. Research methods while using Tor.

    C. Interview current red team members.

    D. Attend web-based training.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CompTIA exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CAS-003 exam preparations and CompTIA certification application, do not hesitate to visit our Vcedump.com to find your solutions here.