CAS-005 Exam Dumps : CompTIA SecurityX Certification Exam

A. Implementing allow lists: Allow lists (whitelisting) restrict network communication to only authorized devices and applications, significantly reducing the attack surface by ensuring that only pre-approved traffic is permitted.

F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure, encrypted tunnel for data transmission between the OT systems and the vendor, protecting the data from interception and tampering during transit.

Other options:

B. Monitoring network behavior: While useful for detecting anomalies, it does not proactively reduce the risk of compromise or sabotage.

C. Encrypting data at rest: Important for protecting data stored on devices, but does not address network communication risks.

D. Performing boot integrity checks: Ensures the integrity of the system at startup but does not protect ongoing network communications.

E. Executing daily health checks: Useful for maintaining system health but does not directly reduce the risk of network-based compromise or sabotage.

The best answer is A. Linting . The listed problems are classic source-code quality and static-analysis findings : out-of-bounds array indexing, null dereferences, unsafe type use, unreachable code, and non-portable constructs. A linter is designed to inspect code before execution and flag these classes of issues early in the development workflow. In the official CompTIA SecurityX CAS-005 objectives, Security Engineering includes “Automation: scripting… workflow automation” and broader secure engineering practices. Using a linter fits that model because it is an automated developer-side control that improves code quality before peer review and release.

Why the other options are not correct:

B. SBoM documents software components and dependencies; it does not primarily detect unreachable code or null dereferences in custom source code. C. DAST tests a running application from the outside and is not the best tool for finding these code-level static issues before peer review. D. Branch protection is a repository control for workflow governance, not a code-analysis mechanism. E. Software composition analysis focuses mainly on third-party libraries, dependency risk, licensing, and known vulnerabilities in components, not on first-party code defects like array bounds and unreachable code.

The presence of an unauthorized server (29mail.mycrosoft.info) sending emails on behalf of the company indicates a potential spoofing or phishing attempt. To mitigate this:

Remove the unnecessary servers from the SPF record (Option C): The Sender Policy Framework (SPF) specifies which mail servers are authorized to send emails on behalf of a domain. Removing unauthorized or unnecessary servers from the SPF record helps prevent spoofed emails from passing SPF checks.

Change the SPF record to enforce the hard fail parameter (Option D): Setting the SPF policy to a hard fail (-all) ensures that emails from unauthorized servers are rejected, enhancing email security.

Implementing these changes strengthens the domain ' s email authentication mechanisms, reducing the risk of successful phishing or spoofing attacks.