Enhance your CompTIA CASP+ exam readiness with our comprehensive quizzes. Sharpen your skills with detailed flashcards and multiple choice questions, each with hints and in-depth explanations. Prepare effectively for this challenging exam!


What assessment method provides the greatest level of assurance for a newly contracted web application processing credit cards?

  1. Penetration Testing

  2. Code Review

  3. Vulnerability Assessment

  4. Security Auditing

The correct answer is: Code Review

Code review is the assessment method that provides the greatest level of assurance for a newly contracted web application processing credit cards because of its comprehensive nature. It involves analyzing the application's source code to identify potential security vulnerabilities at the very foundation of the application. This lets security professionals examine the actual implementation of the application logic, data processing functions, and security controls directly. By focusing on the code itself, a code review can uncover risks rooted in coding practices, such as improper handling of user input, weak authentication mechanisms, and flawed encryption practices. This thorough examination can reveal vulnerabilities that are not visible through other assessment methods. For instance, penetration testing simulates an attack to exploit vulnerabilities, but it may not detect underlying issues in the code that could later lead to a breach. Similarly, vulnerability assessments often rely on scanning tools that can miss subtle, nuanced problems present in the code. Security auditing, while useful for confirming compliance with standards, usually inspects configurations and policies rather than specific coding practices. Code review therefore stands out as a critical and proactive approach to securing applications, particularly those handling sensitive information such as credit card data, because it provides assurance that the application is built securely from the ground up.