A penetration tester downloads a JAR file that is used in an organization’s production environment. The tester evaluates the contents of the JAR file to identify potentially vulnerable components that can be targeted for exploit.
Which of the following describes the tester’s activities?
A . SAST
B . SBOM
C . ICS
D . SCA
Answer: D
Explanation:
The tester is unpacking a compiled artifact (a JAR) that the organization actually deploys to production and inventorying the third-party and open-source libraries bundled inside it, so that components with known vulnerabilities can be singled out for attack. That activity is Software Composition Analysis (SCA).
Why SCA fits:
Definition: SCA identifies the third-party and open-source components in a software artifact (from metadata such as Maven coordinates in META-INF/maven/*/pom.properties, manifest entries, or file hashes), matches them against vulnerability databases such as the NVD, and checks license compliance.
Purpose: To detect and manage the risk introduced by components the organization did not write itself, which is where a tester looks for an already-public, easily weaponized weakness.
Comparison with the other options:
SAST (A): Static Application Security Testing analyzes an application’s own source code (or bytecode) for flaws without executing it. It does not catalog which libraries are bundled or look up their known CVEs, which is what the tester is doing here.
SBOM (B): A Software Bill of Materials is the inventory of components that SCA produces or consumes. It is an artifact, not the analysis itself.
ICS (C): Industrial Control Systems is an operational-technology domain and has nothing to do with examining a software artifact.
Because the tester is examining a JAR to enumerate its components and find vulnerable ones, the activity is SCA, making D the correct answer.
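To make the distinction between the SBOM (the inventory) and SCA (the analysis) concrete, here is an added worked example; it is not part of the original question or explanation. It treats the JAR as the ZIP archive it is, reads the Maven pom.properties files that libraries ship under META-INF/maven/, builds the component inventory, and matches it against a small advisory table. The sample JAR is constructed in memory so the script runs offline; the advisory table is an embedded stand-in for what a real SCA tool would pull from the NVD, OSV, or GitHub Advisories, and its two entries reflect the published affected ranges for CVE-2021-44228 (log4j-core, fixed in 2.15.0) and CVE-2022-42889 (commons-text, fixed in 1.10.0).

```python
"""
Software Composition Analysis (SCA) of a JAR: list the third-party components
bundled in the artifact, then match them against known advisories.

A JAR is a ZIP archive. Maven-built libraries carry
META-INF/maven/<groupId>/<artifactId>/pom.properties with exact coordinates,
and a fat/shaded JAR carries one such file per bundled dependency.
"""
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group_id: str
    artifact_id: str
    version: str


# Stand-in advisory table (real tools query NVD/OSV/GHSA). Each row:
# (groupId, artifactId, first affected version, first fixed version, CVE).
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0", "CVE-2021-44228"),
    ("org.apache.commons", "commons-text", "1.5", "1.10.0", "CVE-2022-42889"),
]


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def version_key(version: str) -> tuple:
    """Sort key for dotted versions: numeric segments compare as ints, others as text.
    Simplified relative to Maven's ComparableVersion, but adequate for these ranges."""
    return tuple((0, int(seg)) if seg.isdigit() else (1, seg)
                 for seg in re.split(r"[.\-]", version))


def inventory(jar_bytes: bytes) -> list:
    """Build the component inventory (the SBOM input) from Maven metadata in the JAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append(Component(props["groupId"], props["artifactId"], props["version"]))
    return sorted(found, key=lambda c: (c.group_id, c.artifact_id, c.version))


def match_advisories(components: list) -> list:
    """The SCA step proper: flag components whose version falls in an affected range."""
    hits = []
    for c in components:
        for group, artifact, introduced, fixed, cve in ADVISORIES:
            if (c.group_id, c.artifact_id) == (group, artifact) and \
                    version_key(introduced) <= version_key(c.version) < version_key(fixed):
                hits.append((c, cve, fixed))
    return hits


def scan(jar_bytes: bytes) -> tuple:
    """Return (inventory, advisory hits) for a JAR."""
    comps = inventory(jar_bytes)
    return comps, match_advisories(comps)


def build_sample_jar() -> bytes:
    """Constructed fat JAR: the app's own (placeholder) class plus two bundled libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: com.example.App\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "#Generated by Maven\nversion=2.14.1\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("META-INF/maven/com.google.code.gson/gson/pom.properties",
                    "version=2.10.1\ngroupId=com.google.code.gson\nartifactId=gson\n")
    return buf.getvalue()


if __name__ == "__main__":
    comps, hits = scan(build_sample_jar())
    print("Components (SBOM):")
    for c in comps:
        print(f"  {c.group_id}:{c.artifact_id}:{c.version}")
    print("Advisory matches (SCA):")
    for c, cve, fixed in hits:
        print(f"  {c.artifact_id} {c.version} -> {cve} (fixed in {fixed})")
```

The inventory() output is what an SBOM records; match_advisories() is the analysis that turns that list into targets, which is why option B describes the input and option D describes the tester's activity. Real artifacts also bundle libraries without pom.properties (shaded or relocated classes), so production SCA tools additionally fingerprint class files and archive hashes.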