Question 7 - Microsoft Cybersecurity SC-100 Real Exam Questions [Jan 2026 Update]

Q: 7

Your company is developing a new Azure App Service web app. You are providing design assistance to verify the security of the web app. You need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection. What should you include in the recommendation?

Options

Correct Answer:

Explanation

Dynamic Application Security Testing (DAST) is a "black-box" security testing methodology that analyzes a web application from the outside while it is running. DAST tools simulate attacks against an application to identify vulnerabilities without needing access to the source code. This method is highly effective for detecting runtime vulnerabilities such as cross-site scripting (XSS), SQL injection, and insecure server configurations (e.g., HTTP header issues), which directly matches the requirements of the question. DAST assesses the application from an attacker's perspective, making it the ideal choice for this scenario.

Why Incorrect

A. interactive application security testing (IAST): IAST analyzes the application from within while it runs, often using agents. While effective, DAST is the more direct and standard black-box approach for testing the specified external vulnerabilities.

B. static application security testing (SAST): SAST analyzes the application's source code without executing it. It cannot detect runtime vulnerabilities or insecure server configurations, which are only present in a running application.

C. runtime application self-protection (RASP): RASP is a security technology that protects an application in real-time by detecting and blocking attacks. It is a protection mechanism, not a testing tool for identifying vulnerabilities.

References

1. Microsoft Cloud Adoption Framework

"Security in the DevOps (DevSecOps)": This document describes different application security testing methods. It states

"Dynamic Application Security Testing (DAST) analyzes running web applications and services for security vulnerabilities. DAST tools interact with the application like a malicious user would... Common vulnerabilities found by DAST tools include cross-site scripting

and SQL injection." This directly supports the use of DAST for the specified vulnerabilities.

Source: Microsoft Docs

Cloud Adoption Framework > Strategy > Define a security strategy > Security in the DevOps (DevSecOps).

2. Microsoft Security Development Lifecycle (SDL)

"Practice #10: Perform Dynamic Analysis Security Testing": The SDL

a foundational Microsoft security process

explicitly recommends DAST. It describes DAST as a method that "finds security vulnerabilities in a running web application by presenting it with a series of malicious inputs."

Source: Microsoft Security Development Lifecycle > SDL Practices > Verification > Practice #10: Perform Dynamic Analysis Security Testing.

3. OWASP

"DAST": The Open Web Application Security Project (OWASP)

a widely respected authority

defines DAST as a process of testing an application from the outside. It notes

"DAST is a black-box security testing methodology in which an application is tested from the outside."

Source: owasp.org

search for "DAST".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE