The best way for a SOC to rapidly identify whether deployed applications contain specific libraries is through the use of a Software Bill of Materials (SBOM). An SBOM is a formal, machine-readable inventory of all components, including third-party and open-source libraries, used in a software product. When a new vulnerability is disclosed (such as Log4Shell in Log4j), organizations with a comprehensive SBOM can immediately search across their application landscape to determine which systems are impacted.
Other options are less effective. Maintaining SAST/DAST reports (A) only provides snapshots of vulnerabilities at the time of scanning, but does not dynamically track components across all software in production. Vendor attestations (B) improve supply chain governance but do not provide immediate visibility into internal or custom software. A GRC tool (D) helps track vendors and policies but does not show technical dependencies inside applications.
Requiring suppliers and internal developers to provide and maintain SBOMs ensures continuous visibility into dependencies. This allows the SOC to quickly query and respond to emerging vulnerabilities, reducing risk exposure and accelerating remediation timelines.

A). Supply chain attack: This type of attack involves compromising the software supply chain by injecting malicious code into legitimate software packages.
B). Cipher substitution attack: This is a cryptographic attack focused on replacing ciphertext with a different ciphertext to deduce the key. It's not relevant to the scenario.
C). Side-channel analysis: This attack involves gathering information from the physical implementation of a system (e.g., timing, power consumption) rather than exploiting the algorithm itself. It's not applicable here.
D). On-path attack (formerly man-in-the-middle): This attack involves intercepting and potentially altering communication between two parties. While important, it's not theprimary focus of the registry.
E). Pass-the-hash attack: This attack involves using a stolen hash of a user's password to authenticate without needing the actual password. It's unrelated to software package integrity.
Why A is the Correct answer:
A supply chain attack is exactly what the organization is trying to mitigate. By creating a registry of known-good software packages and their hashes, they can verify that the packages they are using are legitimate and haven't been altered.
If an attacker were to compromise a software package in the supply chain, the hash of the altered package would not match the hash in the organization's registry. This would immediately alert the organization to a potential compromise.
CASP+ Relevance: This aligns with the CASP+ exam objectives, which emphasize the importance of risk management, threat intelligence, and implementing security controls to address various attack vectors, including supply chain risks.
How the Registry Works (Elaboration based on CASP+principles):
Hashing: When a package is vetted, a cryptographic hash function (like SHA-256) is used to generate a unique "fingerprint" (the hash) of the package's contents.
Verification: Before installing or using a package, its hash is calculated and compared to the hash stored in the registry. A match confirms the package's integrity. A mismatch indicates tampering.
Incident Response: If a vulnerability is discovered in a commonly used package, the registry helps the organization quickly identify which systems are affected based on the dependency list and the stored hashes.
In conclusion, maintaining a registry of software dependencies with hashes is a crucial security control that directly addresses the threat of supply chain attacks by ensuring the integrity and authenticity of software packages. The use of hash functions for verification is a common practice in security and is emphasized in the CASP+ material.
Explanation:
Comprehensive and Detailed Step by Step
Understanding the Scenario: The question describes a proactive security measure where an organization maintains a registry of software dependencies and their corresponding hashes. This registry is used to verify the integrity of software packages.
Analyzing the Answer Choices:

The incident highlights gaps in visibility, monitoring, and log management that allowed unauthorized access to persist undetected. The most critical corrective actions are to extend log retention for all devices (B) and to ensure all devices are forwarding relevant logs to the SIEM (E). Together, these steps strengthen monitoring and incident detection capabilities by ensuring that sufficient telemetry is collected, stored, and available for correlation and investigation.
Disabling bulk user creation (A) may reduce misuse but does not directly address monitoring gaps. Daily review of the application allow list (C) is operationally impractical and does not provide the breadth of monitoring needed. Routine patching (D) is essential for security hygiene but is separate from monitoring improvements. Configuring firewall rules (F) may reduce traffic flows but does not ensure detection or visibility of unauthorized activity.

Comprehensive and Detailed Step by Step
Understanding the Scenario: Theorganization is using customer-managed encryption keys in the cloud, which is more expensive than using the cloud provider's free managed keys. The CISO needs to find a way to reduce costs without significantly weakening the security posture.
Analyzing the Answer Choices:
A . Utilize an on-premises HSM to locally manage keys: While on-premises HSMs offer strong security, they introduce additional costs and complexity (procurement, maintenance, etc.). This option is unlikely to reduce costs compared to cloud-based key management.
B . Adjust the configuration for cloud provider keys on data that is classified as public: This is the most practical and cost-effective approach. Data classified as public doesn't require the same level of protection as sensitive data. Using the cloud provider's free managed keys for public data can significantly reduce costs without compromising security, as the data is intended to be publicly accessible anyway.
Reference:
C . Begin using cloud-managed keys on all new resources deployed in the cloud: While this would reduce costs, it's a broad approach that doesn't consider the sensitivity of the data. Applying cloud-managed keys to sensitive data might not be acceptable from a security standpoint.
D . Extend the key rotation period to one year so that the cloud provider can use cached keys: Extending the key rotation period weakens security. Frequent key rotation is a security best practice to limit the impact of a potential key compromise.
Why B is the Correct answer:
Risk-Based Approach: Using cloud-provider-managed keys for public data is a reasonable risk-based decision. Public data, by definition, is not confidential.
Cost Optimization: This directly addresses the CISO's concern about cost, as cloud-provider-managed keys are often free or significantly cheaper.
Security Balance: It maintains a strong security posture for sensitive data by continuing to use customer-managed keys where appropriate, while optimizing costs for less sensitive data.
CASP+ Relevance: This approach demonstrates an understanding of risk management, data classification, and cost-benefit analysis in security decision-making, all of which are important topics in CASP+.
Elaboration on Data Classification:
Data Classification Policy: Organizations should have a clear data classification policy that defines different levels of data sensitivity (e.g., public, internal, confidential, restricted).
Security Controls Based on Classification: Security controls, including encryption key management, should be applied based on the data's classification level.
Cost-Benefit Analysis: Data classification helps organizations make informed decisions about where to invest in stronger security controls and where cost optimization is acceptable.
In conclusion, adjusting the configuration to use cloud-provider-managed keys for data classified as public is the most effective way to reduce costs while maintaining a strong security posture. It's a practical, risk-based approach that aligns with data classification principles and cost-benefit considerations, all of which are important concepts covered in the CASP+ exam objectives.

The most effective solution is Terraform (C), an Infrastructure as Code (IaC) tool that allows organizations to define and provision infrastructure resources across multiple cloud providers using a consistent configuration language. For a multicloud strategy, Terraform provides cloud-agnostic templates, ensuring that server creation, networking, and storage provisioning are automated and standardized across AWS, Azure, GCP, or other providers. This aligns with CAS-005 best practices for cloud automation and consistency.
PowerShell (A) and Bash (B) are scripting tools that can automate tasks but are typically tied to specific operating systems and lack multicloud orchestration capabilities. Ansible (D) is a strong automation tool for configuration management and application deployment, but Terraform is specifically designed to provision and manage infrastructure at scale across multicloud environments.