Q60.In response to an audit finding, a company’s Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company’s vulnerability management program has the following attributes:
✑ It is unauthenticated.
✑ It is at the minimum interval specified by the audit framework.
✑ It only scans well-known ports.
Which of the following would BEST increase the security posture of the vulnerability management program?
A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans.
C. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Continue unauthenticated scanning.
D. Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
Q61.A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?
A. IDS signatures
B. Data loss prevention
C. Port security
D. Sinkholing
Q62.An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?
A. SCADA
B. CAN bus
C. Modbus
D. IoT
Q63.Which of the following BEST explains the function of a managerial control?
A. To help design and implement the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To create data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
Q64.A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?
A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep -i "
D. cat < ~/Desktop/file.pdf | grep -i .exe
Q65.In web application scanning, static analysis refers to scanning:
A. the system for vulnerabilities before installing the application
B. the compiled code of the application to detect possible issues.
C. an application that is installed and active on a system.
D. an application that is installed on a system that is assigned a static IP.
Q66.An organization’s Chief Information Security Officer has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers. Which of the following is a benefit of having these communication plans?
A. They can help to prevent the inadvertent release of damaging information outside the organization
B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase.
C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected
D. They can help to keep the organization’s senior leadership informed about the status of patching during the recovery phase
Q67.An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user’s account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:
✑ Successful administrator login reporting priority - high
✑ Failed administrator login reporting priority - medium
✑ Failed temporary elevated permissions - low
✑ Successful temporary elevated permissions - non-reportable
A security analyst is reviewing server syslogs and sees the following:
Which of the following events is the HIGHEST reporting priority?
A. <100>2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 – BOM ‘sudo vi users.txt’ success
B. <100>2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 – BOM ‘sudo more /etc/passwords’ success
C. <100>2 2020-01-10T19:33:48.002Z webserver su 201 32001 – BOM ‘su’ success
D. <100>2 2020-01-10T21:53:11.002Z financeserver su 201 32001 – BOM ‘su vi syslog.conf failed for joe
Q68.Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?
A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access.
B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.
D. Execute the command #dd if=/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.
Q69.Which of the following is the BEST way to gather patch information on a specific server?
A. Event Viewer
B. Custom script
C. SCAP software
D. CI/CD
Q70.A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop:
Which of the following processes will the security analyst identify as the MOST likely indicator of system compromise given the processes running in Task Manager?
A. Chrome.exe
B. Word.exe
C. Explorer.exe
D. mstsc.exe
E. taskmgr.exe
Q71.Which of the following can detect vulnerable third-party libraries before code deployment?
A. Impact analysis
B. Dynamic analysis
C. Static analysis
D. Protocol analysis
Q72.A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow:
Which of the following controls must be in place to prevent this vulnerability?
A. Convert all integer numbers in strings to handle the memory buffer correctly.
B. Implement float numbers instead of integers to prevent integer overflows.
C. Use built-in functions from libraries to check and handle long numbers properly.
D. Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.
Q73.A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:
Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.
Q74.Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?
A. Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.
B. Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom tools for embedded devices.
C. Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices.
D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.
Q75.A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.
Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?
A. Port 22
B. Port 135
C. Port 445
D. Port 3389
Q76.A security analyst needs to identify possible threats to a complex system a client is developing. Which of the following methodologies would BEST address this task?
A. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges (STRIDE)
B. Software Assurance Maturity Model (SAMM)
C. Open Web Application Security Project (OWASP)
D. Open Source Security Information Management (OSSIM)
Q77.An organization has several systems that require specific logons. Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets. Which of the following should the analyst do to reduce the occurrence of legitimate failed logons and password resets?
A. Use SSO across all applications
B. Perform a manual privilege review
C. Adjust the current monitoring and logging rules
D. Implement multifactor authentication
Q78.A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?
A. Establish an alternate site with active replication to other regions
B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto-scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation
Q79.Which of the following incident response components can identify who is the liaison between multiple lines of business and the public?
A. Red-team analysis
B. Escalation process and procedures
C. Triage and analysis
D. Communications plan
Q80.Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network?
A. H-ISAC
B. Dental forums
C. Open threat exchange
D. Dark web chatter
Q81.As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and reputational information that suggest the company’s employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for intelligence gathering?
A. Update the whitelist.
B. Develop a malware signature.
C. Sinkhole the domains.
D. Update the blacklist.
Q82.A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below:
Which of the following should the analyst report after viewing this information?
A. A dynamic library that is needed by the executable is missing.
B. Input can be crafted to trigger an injection attack in the executable.
C. The tool caused a buffer overflow in the executable’s memory.
D. The executable attempted to execute a malicious command.
Q83.An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by public users accessing the server. The results should be written to a text file and should include the date, time, and IP address associated with any spreadsheet downloads. The web server’s log file is named webserver.log, and the report file name should be accessreport.txt. Following is a sample of the web server’s log file:
Which of the following commands should be run if an analyst only wants to include entries in which a spreadsheet was successfully downloaded?
A. more webserver.log | grep *.xls > accessreport.txt
B. more webserver.log > grep "*xls" | egrep -E 'success' > accessreport.txt
C. more webserver.log | grep -E "return=200 | xls" > accessreport.txt
D. more webserver.log | grep -A *.xls < accessreport.txt
Q84.A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task?
A. Static analysis
B. Dynamic analysis
C. Regression testing
D. User acceptance testing
Q85.After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?
A. Make a backup of the server and update the JBoss server that is running on it.
B. Contact the vendor for the legacy application and request an updated version.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
D. Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.
Q87.The management team assigned the following values to an inadvertent breach of privacy regulations during the original risk assessment:
✑ Probability = 25%
✑ Magnitude = $1,015 per record
✑ Total records = 10,000
Two breaches occurred during the fiscal year. The first compromised 35 records, and the second compromised 65 records. Which of the following is the value of the records that were compromised?
A. $10,150
B. $25,375
C. $101,500
D. $2,537,500
Q88.Which of the following is a difference between SOAR and SCAP?
A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.
Q89.A general contractor has a list of contract documents containing critical business data that are stored at a public cloud provider. The organization’s security analyst recently reviewed some of the storage containers and discovered most of the containers are not encrypted. Which of the following configurations will provide the MOST security to resolve the vulnerability?
A. Upgrading TLS 1.2 connections to TLS 1.3
B. Implementing AES-256 encryption on the containers
C. Enabling SHA-256 hashing on the containers
D. Implementing the Triple Data Encryption Algorithm at the file level
Q90.A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?
A. Apply the required patches to remediate the vulnerability
B. Escalate the incident to the senior management team for guidance
C. Disable all privileged user accounts on the network
D. Temporarily block the attacking IP address
Q91.A new variant of malware is spreading on the company network using TCP/443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?
A. Implement a sinkhole with a high entropy level.
B. Disable TCP/53 at the perimeter firewall.
C. Block TCP/443 at the edge router.
D. Configure the DNS forwarders to use recursion.
Q92.A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
Q93.A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment.
C. enables lateral movement and was reported as a proof of concept.
D. affected the organization in the past but was probably contained and eradicated.
Q94.An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?
A. Perform an assessment of the firmware to determine any malicious modifications.
B. Conduct a trade study to determine if the additional risk constitutes further action.
C. Coordinate a supply chain assessment to ensure hardware authenticity
D. Work with IT to replace the devices with the known-altered motherboards.
Q95.Which of the following BEST describes HSM?
A. A computing device that manages cryptography, decrypts traffic, and maintains library calls
B. A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
C. A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions
D. A computing device that manages algorithms, performs entropy functions, and maintains digital signatures
Hint answer: B
Q96.A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm’s largest client. Which of the following is MOST likely inhibiting the remediation efforts?
A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime
Q97.Which of the following solutions is the BEST method to prevent unauthorized use of an API?
A. HTTPS
B. Geofencing
C. Rate limiting
D. Authentication
Q98.A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in this situation?
A. Implement an IPS signature for the malware and update the deny list for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs’ subnets and second-level domains
Q99.A security analyst is researching ways to improve the security of a company’s email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?
A. An AAAA record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail
Q100.Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?
A. Deidentification
B. Hashing
C. Masking
D. Salting
Q101.A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?
A. Add client addresses to the blocklist
B. Update the DLP rules and metadata
C. Sanitize the marketing material
D. Update the insider threat procedures
Q102.A cybersecurity analyst is working with a SIEM tool and reviewing the following table:
When creating a rule in the company’s SIEM, which of the following would be the BEST approach for the analyst to use to assess the risk level of each vulnerability that is discovered by the vulnerability assessment tool?
A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level of each vulnerability
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster, and be able to display the table in a dashboard or export it as a report
C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by the vulnerability scanner data collector
D. Use the table as a new index or database for the SIEM to be able to use multisearch and then summarize the results as output
Q103.The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:
A. web servers on private networks.
B. HVAC control systems.
C. smartphones.
D. firewalls and UTM devices.
Q104.A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award. The company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract. Which of the following describes the appropriate steps that should be taken to comply with the legal notice?
A. Notify the security team of the legal hold and remove user access to the email accounts.
B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.
C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business.
D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.
Q105.Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management
Q106.An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?
A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix
Q107.An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor?
A. Gather information from providers, including data center specifications and copies of audit reports
B. Identify SLA requirements for monitoring and logging
C. Consult with the senior management team for recommendations
D. Perform a proof of concept to identify possible solutions
Q108.Which of the following is a reason to use a risk-based cybersecurity framework?
A. A risk-based approach always requires quantifying each cyber risk faced by an organization.
B. A risk-based approach better allocates an organization’s resources against cyberthreats and vulnerabilities.
C. A risk-based approach is driven by regulatory compliance and is required for most organizations.
D. A risk-based approach prioritizes vulnerability remediation by threat hunting and other qualitative-based processes.
Q109.An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Determine an annual patch cadence to ensure all patching occurs at the same time.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
Q110.An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosure of the incident to external entities should be based on:
A. the responder’s discretion.
B. the public relations policy.
C. the communication plan.
D. the senior management team’s guidance.
Q111.The help desk provided a security analyst with a screenshot of a user’s desktop:
For which of the following is aircrack-ng being used?
A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection
Q112.An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued mobile device while connected to the network. Which of the following actions would help during the forensic analysis of the mobile device? (Choose two.)
A. Resetting the phone to factory settings
B. Rebooting the phone and installing the latest security updates
C. Documenting the respective chain of custody
D. Uninstalling any potentially unwanted programs
E. Performing a memory dump of the mobile device for analysis
F. Unlocking the device by blowing the eFuse
Q113.An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization’s security team then provided guidance on how to ensure the authenticity of the motherboards it received from vendors. Which of the following would be the BEST recommendation for the security analyst to provide?
A. The organization should use a certified, trusted vendor as part of the supply chain.
B. The organization should evaluate current NDAs to ensure enforceability of legal actions.
C. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
D. The organization should ensure all motherboards are equipped with a TPM.
Q114.An analyst is reviewing the following output:
Vulnerability found: Improper neutralization of script-related HTML tag.
Which of the following was MOST likely used to discover this?
A. Reverse engineering using a debugger
B. A static analysis vulnerability scan
C. A passive vulnerability scan
D. A web application vulnerability scan
Q115.A security analyst is reviewing the network security monitoring logs listed below:
A. 10.1.1.128 sent potential malicious traffic to the web server
B. 10.1.1.128 sent malicious requests, and the alert is a false positive
C. 10.1.1.129 successfully exploited a vulnerability on the web server
D. 10.1.1.129 sent potential malicious requests to the web server
E. 10.1.1.129 sent non-malicious requests, and the alert is a false positive
F. 10.1.1.130 can potentially obtain information about the PHP version
Q116.A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. The technique is referred to as:
A. Output encoding.
B. Data protection.
C. Query parameterization.
D. Input validation.
Q117.Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?
A. Data deidentification
B. Data encryption
C. Data masking
D. Data minimization
Q118.During a routine review of service restarts, a security analyst observes the following in a server log:
Which of the following is the GREATEST security concern?
A. The daemon’s binary was changed.
B. Four consecutive days of monitoring are skipped in the log.
C. The process identifiers for the running service change.
D. The PIDs are continuously changing.
Q119.During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:
• The development team used a new software language that was not supported by the security team’s automated assessment tools.
• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.
• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.
To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)
A. Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider
Q120.During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue?
A. Reduce the session timeout threshold.
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a static code scan.