A lead security architect at a financial services company is reviewing the firm's new DevSecOps strategy. The strategy encourages developers to leverage open-source components from public repositories to accelerate development. While this approach has benefits, the architect is tasked with identifying the most significant, high-impact security threat to prioritize for mitigation. Which of the following represents the PRIMARY security concern the architect should highlight to leadership regarding the use of these public code repositories?
The potential for dependency confusion attacks targeting internal packages
The risk of embedding components with deliberately obfuscated vulnerabilities
The lack of formal security assurance processes for contributed code
The potential for repository infrastructures to be compromised to distribute malicious code
The correct answer is the potential for repository infrastructures to be compromised to distribute malicious code. Public repositories have been targets of supply chain attacks where attackers compromise repository infrastructure or developer accounts to distribute malicious versions of popular packages. These attacks can affect all downstream applications that use the compromised components.
The risk of embedding components with deliberately obfuscated vulnerabilities refers to code that appears legitimate but contains intentionally hidden flaws that are difficult to detect. It is a legitimate concern, but it is a technique used within a larger attack rather than the primary threat itself.
The lack of formal security assurance processes for contributed code is a systemic issue with many open-source projects. Without rigorous security review requirements, vulnerabilities may be introduced accidentally. While this is a real concern, it typically leads to unintentional vulnerabilities rather than the deliberate malicious code injection that occurs in repository compromises.
The potential for dependency confusion attacks targeting internal packages is a specific type of supply chain attack where attackers exploit package naming conflicts between public and private repositories. While important to address, this attack vector is more limited in scope than the broader risk of repository infrastructure compromise, which can affect all users of a package.
ISC2 CISSP
Software Development Security