CompTIA SecurityX (CAS-005) · Domain 3 · 31% of exam

Security Engineering

Drill 20 practice questions focused entirely on Security Engineering for the CompTIA CAS-005 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A DevSecOps team uses Ansible to orchestrate configuration of thousands of Linux hosts. During a security review, an engineer discovers that database passwords and API tokens are stored in cleartext within playbook group_vars files committed to the shared Git repository, and that playbooks run under a single privileged service account with unrestricted SSH access to all managed nodes. Which combination of changes MOST effectively hardens the automation platform against secret exposure and blast-radius escalation?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company must migrate encryption for a regulated SaaS workload to a public cloud provider. Compliance requires that the organization retain sole control over the origin of the key material and be able to demonstrate to auditors that the cloud provider never generated the master key. The team wants to use the provider's managed KMS for performance but must satisfy this key-provenance requirement. Which approach best meets the requirement?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company is preparing for post-quantum cryptography migration. Leadership asks the security engineering team to first understand where and how cryptography is used across thousands of applications, libraries, and hardware devices before selecting replacement algorithms. Which action best positions the organization to prioritize migration and achieve crypto-agility?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company experienced a production outage when a TLS certificate on a customer-facing API gateway expired without warning. The certificate was manually issued 12 months earlier by an internal CA, and the responsible engineer had left the company. The security architect is tasked with preventing recurrence across hundreds of internal and public-facing certificates. Which approach BEST addresses the root cause while supporting long-term operational resilience?

Reviewed for accuracy · Report an issue
Question 5 of 20

A DevSecOps team discovers that a compromised open-source package was pulled during a recent CI build, injecting a malicious script into the resulting container image before it was pushed to the production registry. The pipeline currently pulls dependencies directly from public repositories at build time and signs images only after they reach the registry. Which combination of controls would MOST effectively prevent this class of build-integrity compromise going forward?

Reviewed for accuracy · Report an issue
Question 6 of 20

A DevSecOps team is hardening its Kubernetes workloads. During a security review, an analyst finds that production containers run as root, mount the host Docker socket for logging sidecars, and allow shell access via kubectl exec for troubleshooting. The team wants to reduce the container attack surface while keeping the ability to investigate incidents. Which combination of controls BEST hardens these containers without eliminating incident investigation capability?

Reviewed for accuracy · Report an issue
Question 7 of 20

A DevSecOps team runs a Kubernetes platform where developers can push arbitrary images to the cluster's namespaces. Recent incident review found a workload running an unsigned image pulled from an untrusted public registry that contained a cryptominer. The team already signs internal images using Cosign and stores public keys in a trusted store. Which control most directly prevents unsigned or untrusted images from being deployed to the cluster going forward?

Reviewed for accuracy · Report an issue
Question 8 of 20

A DevSecOps engineer is hardening a containerized microservice deployment on Kubernetes. During a review, the security team discovers that database passwords and API keys are being passed to containers as plaintext environment variables defined directly in the Deployment manifest, which is stored in a Git repository. The team wants to eliminate secret exposure both at rest in source control and at runtime within the container. Which approach BEST addresses both concerns?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company operates a private PKI with an offline root CA. To enable trust for a newly acquired subsidiary that already deployed thousands of endpoints trusting a different existing root, the security engineer must allow certificates issued by the company's intermediate CA to validate on the subsidiary's endpoints WITHOUT redeploying a new root to those endpoints or replacing existing leaf certificates. Which approach best achieves this?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security engineer is standardizing how TLS certificates are requested for a fleet of application servers. Compliance requires that private keys never leave the host on which they will be used and cannot be exported or copied, even by an administrator. The engineer must define the certificate enrollment workflow. Which approach best satisfies this requirement while producing a valid certificate signing request (CSR)?

Reviewed for accuracy · Report an issue
Question 11 of 20

A DevSecOps team is integrating automated security testing into a CI/CD pipeline for a customer-facing web application. Leadership wants defects caught as early as possible to reduce remediation cost, but also insists that runtime vulnerabilities involving authentication flows and server misconfiguration be detected before production release. The team must select where to place Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST). Which pipeline design best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security engineer is hardening a fleet of Windows workstations used by financial analysts. Incident data shows repeated infections from malicious macro-enabled documents and unsigned PowerShell scripts downloaded from the internet. Leadership wants to block execution of untrusted code without preventing analysts from running their approved line-of-business applications and internally developed automation scripts. Which control set most directly and durably meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security engineer is hardening a fleet of Windows workstations that run an EDR agent. During a recent incident, an attacker who gained local administrator rights was able to stop the EDR service, delete its logs, and load an unsigned kernel driver to disable telemetry before exfiltrating data. The engineer must implement controls that prevent a privileged local attacker from neutralizing endpoint protection in a similar way. Which combination of controls BEST addresses the root cause?

Reviewed for accuracy · Report an issue
Question 14 of 20

A software vendor distributes signed installers to millions of customers. During an audit, security discovers the code-signing private key is stored on a build server's disk and reused across all releases for the past three years. A recent near-miss showed an attacker with build-server access could have exfiltrated the key and signed malware trusted by every customer. The team must redesign the signing process to minimize the blast radius of a key compromise while preserving the ability to validate previously released software. Which approach BEST meets these goals?

Reviewed for accuracy · Report an issue
Question 15 of 20

A security architect is preparing a cryptographic inventory ahead of the organization's post-quantum migration. Leadership asks which currently deployed algorithms require the least urgent action because they remain adequately secure against quantum attacks with modest parameter adjustments, versus those that are fundamentally broken by a cryptographically relevant quantum computer. Which recommendation is technically correct?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security engineer is designing a mobile field-inspection application that must store a per-device private key used to sign inspection records. The organization requires that the private key never be exportable, that key operations be gated by biometric user presence, and that the backend be able to cryptographically verify the key was generated and is stored inside the device's hardware security module rather than in software. Which approach best satisfies all of these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company is deploying a new hardware security module (HSM) to generate and protect the root signing key for its internal code-signing PKI. The security architect must ensure that no single administrator can export, back up, or use the key material unilaterally, while still allowing recovery if some custodians are unavailable. Which control should the architect require during the key ceremony?

Reviewed for accuracy · Report an issue
Question 18 of 20

A manufacturer is hardening a fleet of industrial IoT sensors that push telemetry to a cloud platform. Threat modeling identifies persistent malware surviving reboots and unauthorized firmware modifications as the highest risks. The devices have constrained TPMs, limited compute, and must remain in the field for a decade with over-the-air (OTA) updates. Which control combination BEST addresses the identified risks while remaining feasible on the constrained hardware?

Reviewed for accuracy · Report an issue
Question 19 of 20

A DevSecOps engineer is hardening a production Kubernetes cluster after an audit found that several application pods run with privileged security contexts, mount the host filesystem, and use the default service account with cluster-wide RBAC bindings. The applications are standard stateless web APIs that do not require host-level access. The engineer must reduce the container breakout and lateral movement risk with the least disruption to legitimate workloads. Which combination of controls MOST directly addresses the identified weaknesses?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company is deploying an internal LLM-based assistant that uses a tool/function-calling framework, allowing the model to invoke backend APIs (ticketing, HR lookups, database queries) on behalf of employees. Security testing shows that a crafted prompt can coax the model into chaining tool calls to retrieve data the requesting user is not authorized to see. Which control most directly reduces the impact of this attack?

Reviewed for accuracy · Report an issue

More CAS-005 practice

Keep going with the other CompTIA SecurityX (CAS-005) domains, or take a full timed mock exam.

← Back to CAS-005 overview