
CompTIA PT0-003 Exam - Topic 4 Question 29 Discussion

Actual exam question for CompTIA's PT0-003 exam
Question #: 29
Topic #: 4

[Tools and Code Analysis]

A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?

- A. VM
- B. IAST
- C. DAST
- D. SCA

Suggested Answer: D

Software Composition Analysis (SCA) is used to analyze the dependencies of an application and identify vulnerable open-source libraries.

Option A (VM - Virtual Machine): a VM is a computing environment, not a vulnerability detection tool.

Option B (IAST - Interactive Application Security Testing): IAST analyzes runtime behavior, but it does not specialize in detecting vulnerable libraries.

Option C (DAST - Dynamic Application Security Testing): DAST scans running applications for vulnerabilities, but it does not analyze open-source libraries.

Option D (SCA - Software Composition Analysis): correct.

- Identifies security flaws in dependencies.
- Used for managing supply chain risks.

Reference: CompTIA PenTest+ PT0-003 Official Guide -- Software Composition Analysis (SCA)


Contribute your Thoughts:

Leslee
16 hours ago
I think DAST is more about runtime issues, not libraries.
upvoted 0 times
Bettye
6 days ago
Definitely SCA, it scans for vulnerable libraries.
upvoted 0 times
Nicolette
11 days ago
SCA? More like "Secure Code Analysis", amirite? *wink wink*
upvoted 0 times
Tawny
16 days ago
SCA is the obvious choice here. Why even consider the other options?
upvoted 0 times
Bette
21 days ago
D) SCA for sure. Anything else and you're just playing around, am I right?
upvoted 0 times
Laticia
27 days ago
I agree, SCA is the way to go. Gotta keep those libraries secure, you know?
upvoted 0 times
Shoshana
1 month ago
D) SCA is the correct answer. It's the best tool for identifying vulnerable open-source libraries.
upvoted 0 times
Delsie
1 month ago
I think VM might be related to virtual machines, but it doesn’t seem relevant for identifying library vulnerabilities.
upvoted 0 times
Stephanie
1 month ago
I feel like I saw a practice question that mentioned IAST being useful for identifying vulnerabilities in code, but I'm not confident it applies here.
upvoted 0 times
Nancey
2 months ago
I think SCA is the right choice since it specifically focuses on identifying vulnerabilities in open-source libraries.
upvoted 0 times
Paola
2 months ago
This is a classic SCA question. I've got some experience with those tools, so I feel pretty confident I can nail this one.
upvoted 0 times
Malcolm
2 months ago
I'm a bit confused on the difference between IAST and DAST. Maybe I'll try a combination of both to cover my bases.
upvoted 0 times
Arthur
2 months ago
Agreed! SCA scans for vulnerabilities in dependencies.
upvoted 0 times
Matilda
2 months ago
I think D) SCA is the best choice. It focuses on open-source libraries.
upvoted 0 times
Wai
3 months ago
I'm not entirely sure, but I remember something about DAST being more about dynamic testing of applications rather than libraries.
upvoted 0 times
Mindy
3 months ago
Oof, I'm not super familiar with these types of security testing approaches. I'll need to review my notes and see if I can figure out the best approach.
upvoted 0 times
Shantell
3 months ago
SCA seems like the way to go here. I'll need to do a thorough scan of the app's dependencies to find any known vulnerabilities.
upvoted 0 times
Cora
3 months ago
Hmm, this one's tricky. I think I'll need to leverage some DAST tools to really dig into the web app and identify any vulnerable libraries.
upvoted 0 times
Ramonita
2 months ago
I agree, DAST tools are great for that.
upvoted 0 times