ISC2 CISSP Practice Question

The correct answer is scanning container images for vulnerabilities and misconfigurations. Container images often include operating system components, libraries, and application dependencies that may contain security vulnerabilities. Regular scanning as part of the CI/CD pipeline is a foundational 'shift-left' security practice that helps identify and remediate these issues before containers are deployed to production.

Implementing Mandatory Access Control restricts what processes running inside containers can do but is typically more complex to implement and maintain in fast-paced development environments. It is better suited for hardening production systems.

Deploying runtime container behavioral monitoring with anomaly detection is a sophisticated security measure that helps detect suspicious activities during container execution. However, this is a detective control rather than a preventive one and is more appropriate for production environments where understanding active threats is critical.

Enforcing cryptographic verification of container image integrity and provenance ensures containers haven't been tampered with and come from trusted sources. While important for supply chain security, this control verifies the authenticity of containers rather than identifying inherent vulnerabilities or misconfigurations that might exist in properly signed container images.