Question 10 - CompTIA SecurityX / CASP+ CAS-005 Real Exam Questions [March 2026 Update]

Q: 10

[Security Operations] An organization found a significant vulnerability associated with a commonly used package in a variety of operating systems. The organization develops a registry of software dependencies to facilitate incident response activities. As part of the registry, the organization creates hashes of packages that have been formally vetted. Which of the following attack vectors does this registry address?

Options

Discussion

Owen Feb 24, 2026 8:39 am

A. C is tempting but the registry with vetted hashes is really about stopping supply chain risk, not side channels.

Zoe I. Feb 19, 2026 1:29 am

Don't think it's B. Option C makes more sense to me here because side-channel analysis can look at how software interacts, and keeping hashes helps track changes. I saw similar advice in some official guides. Disagree?

Ravi P. Feb 20, 2026 7:17 pm

D , since on-path could be caught if the hash registry checks for transit changes.

Noah R. Feb 13, 2026 12:51 am

Makes sense to me, A. The hash registry mainly blocks supply chain attacks.

MeeraT Mar 1, 2026 8:15 am

D , because if the registry is mainly checking hashes at download time, that helps stop on-path package tampering.

Ben U. Feb 14, 2026 10:55 am

I picked D since a registry with hashes could help spot tampering while packages move over the network. If someone messes with a package in transit, the hash won’t match after download. Might be missing something on supply chain specifics but I thought on-path fit better here.

Grace Feb 13, 2026 7:28 pm

Wouldn't the hashes of vetted packages mainly help with identifying compromised or malicious dependencies? That seems like supply chain to me, since on-path (D) is more about interception during transit, not package integrity. Am I missing a scenario where another option would fit?

Jack B. Feb 23, 2026 9:25 am

SkepticalConsultant5801 Mar 2, 2026 4:09 pm

Nah, pretty sure it's A. The registry with hashes is specifically designed to detect if a compromised or altered package gets slipped in via the supply chain. C looks tempting but side-channel attacks aren't mitigated by hashed dependencies-those are more about physical or process leaks. Let me know if you see it differently.

Drew Mar 1, 2026 6:39 am

I see why you'd think C but D looks closer to me since on-path attacks mess with data in transit, and verified hashes could catch tampering. Might be missing something here.

Be respectful. No spam.

Correct Answer:

Explanation

The practice described—creating a registry of software dependencies and hashing vetted packages—is a direct countermeasure against supply chain attacks. A software supply chain attack involves compromising a third-party component, such as a library or package, which is then incorporated into the target organization's systems. By maintaining a registry (a form of Software Bill of Materials or SBOM) and using hashes for integrity checking, the organization can verify that the software components they use are the authentic, vetted versions. This helps detect unauthorized modifications and facilitates rapid incident response by quickly identifying all systems that use a compromised or vulnerable package.

Why Incorrect

B. Cipher substitution attack: This is a cryptographic attack targeting weaknesses in ciphers, which is unrelated to managing the integrity of software dependencies.

C. Side-channel analysis: This attack exploits information leaked from a system's physical implementation (e.g., power consumption), not vulnerabilities within its software components.

D. On-path attack: This attack intercepts network traffic. While it could be a vector to deliver a malicious package, the registry addresses the package's integrity, which is a supply chain concern.

E. Pass-the-hash attack: This is an authentication attack that uses a stolen credential hash to access network resources and is unrelated to software package management.

---

References

1. National Telecommunications and Information Administration (NTIA). (2021). The Minimum Elements For a Software Bill of Materials (SBOM).

Section: "What is an SBOM?" (Page 4): "A Software Bill of Materials (SBOM) is a nested inventory

a list of ingredients that make up software components... SBOMs are particularly useful in vulnerability management. When a vulnerability in a particular component is discovered

an SBOM allows an organization to easily determine if they are impacted and take action." This directly supports the scenario's use of a dependency registry for incident response.

2. National Institute of Standards and Technology (NIST). (2022). SP 800-161 Rev. 1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

Section 2.3.2

"Threats" (Page 13): This section details threats to the supply chain

including the "installation of malicious or counterfeit hardware or software." The use of hashes to verify vetted packages

as described in the question

is a direct control against this threat.

3. Parno

& Jackson

C. (2022). 6.858 Computer Systems Security

Fall 2022 Lecture 15: Web Security. MIT OpenCourseWare.

Slide 47

"Software supply chain attacks": This lecture material defines supply chain attacks as compromising upstream dependencies (e.g.

libraries) that are then used by downstream developers. The scenario's focus on a "commonly used package" aligns perfectly with this definition.

4. National Institute of Standards and Technology (NIST). (n.d.). Glossary: Pass the hash. Computer Security Resource Center.

The glossary defines pass-the-hash as a technique where an "adversary steals a hashed user credential and

without cracking it

reuses it to trick an authentication system into creating a new authenticated session on the same network." This confirms its irrelevance to the scenario.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE