Security 7
Quiz • University • Hard

Created by Joe Smith

50 questions

1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A systems administrator deployed a monitoring solution that does not require installation on the endpoints that the solution is monitoring. Which of the following is described in this scenario?

Agentless solution

Client-based solution

Open port

File-based solution

Answer explanation

Agentless monitoring does not require the installation of software on the target device. It uses standard protocols to collect information, making it less intrusive and less resource intensive.

2.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A security analyst is reviewing the source code of an application in order to identify misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review?

Dynamic

Static

Gap

Impact

Answer explanation

Static analysis refers to reviewing the source code of an application without executing it, in order to identify misconfigurations, vulnerabilities, and potential security flaws. This is the type of analysis the security analyst is performing by examining the code directly. Dynamic analysis (A) involves analyzing the application while it is running, to detect vulnerabilities that only appear during execution. Gap analysis (C) identifies discrepancies between current security measures and desired standards, but is not focused on source code review. Impact analysis (D) assesses the potential consequences of identified vulnerabilities but is not the process of reviewing source code directly.

3.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following agreement types is used to limit external discussions?

BPA

NDA

SLA

MSA

Answer explanation

A. BPA: Business Process Automation

B. NDA: Non-Disclosure Agreement

C. SLA: Service Level Agreement

D. MSA: Master Service Agreement

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A security analyst is evaluating a SaaS application that the human resources department would like to implement. The analyst requests a SOC 2 report from the SaaS vendor. Which of the following processes is the analyst most likely conducting?

Internal audit

Penetration testing

Attestation

Due diligence

Answer explanation

D. Due diligence

In this context, due diligence refers to the process of evaluating the security, compliance, and risk associated with a third-party vendor or service, such as a SaaS application. Requesting a SOC 2 report is a common part of the due diligence process to assess the vendor's controls related to security, availability, processing integrity, confidentiality, and privacy. Internal audit (A) refers to an organization's internal review of its own processes, not an external vendor. Penetration testing (B) involves actively testing for vulnerabilities by simulating attacks, which is not applicable here. Attestation (C) refers to a third-party audit or certification, such as the SOC 2 report itself, but the analyst is conducting due diligence by requesting the report.

5.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following is used to conceal credit card information in a database log file?

Tokenization

Masking

Hashing

Obfuscation

Answer explanation

B. Masking

Masking is used to conceal sensitive information, such as credit card numbers, by replacing or hiding parts of the data. In the context of database log files, masking ensures that sensitive information is not exposed while maintaining the usability of the data for other purposes. Tokenization (A) replaces sensitive data with a token that can only be mapped back to the original data using a secure system, but it is not typically used for log file entries. Hashing (C) converts data into a fixed-length hash, but it's a one-way function, making it unsuitable if the original data needs to be retrieved. Obfuscation (D) refers to making data less understandable but is less structured and secure than masking for specific data like credit card numbers.

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An organization recently started hosting a new service that customers access through a web portal. A security engineer needs to add a new solution to the existing security devices to protect this new service. Which of the following is the engineer most likely to deploy?

Layer 4 firewall

NGFW

WAF

UTM

Answer explanation

C. WAF (Web Application Firewall)

A Web Application Firewall (WAF) is specifically designed to protect web applications by filtering, monitoring, and blocking HTTP/S traffic to and from a web service. Since the organization is hosting a new service through a web portal, a WAF would be the most appropriate solution to protect against common web-based attacks like SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. Layer 4 firewall (A) provides protection at the transport layer, which is too low-level to specifically protect web applications. NGFW (Next-Generation Firewall) (B) adds application-level filtering and protection, but is generally broader in scope, not specifically tailored to web applications. UTM (Unified Threat Management) (D) is a multi-functional security device but doesn't provide the specialized web application protection that a WAF offers. Thus, WAF is the most suitable solution for protecting a web service accessed via a portal.

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following topics would most likely be included within an organization's SDLC?

Service-level agreements

Information security policy

Penetration testing methodology

Branch protection requirements

Answer explanation

D. Branch protection requirements

Branch protection requirements are related to the version control and development process within the SDLC, ensuring that code changes are reviewed, tested, and approved before being merged into main branches. This helps maintain code quality and security throughout the development process. Penetration testing is usually conducted as part of the testing phase or after deployment to identify vulnerabilities and security weaknesses. It is a separate process from the core stages of the SDLC but is an important aspect of ensuring the security and robustness of the application once development is completed.
