The correct answer is the potential for repository infrastructures to be compromised to distribute malicious code. Public repositories have been targets of supply chain attacks where attackers compromise repository infrastructure or developer accounts to distribute malicious versions of popular packages. These attacks can affect all downstream applications that use the compromised components.
The risk of embedding components with deliberately obfuscated vulnerabilities is a legitimate concern but is less common than repository compromise. This refers to code that appears legitimate but contains intentionally hidden flaws that are difficult to detect through normal code review or testing. While this does happen, large-scale attacks through repository compromise affect more users.
The lack of formal security assurance processes for contributed code is a systemic issue with many open-source projects. Without rigorous security review requirements, vulnerabilities may be introduced accidentally. While this is a real concern, it typically leads to unintentional vulnerabilities rather than the deliberate malicious code injection that occurs in repository compromises.
The potential for dependency confusion attacks targeting internal packages is a specific type of supply chain attack in which attackers exploit package naming conflicts between public and private repositories, so that a build pulls a public package with the same name as an internal one. While important to address, this attack vector is more limited in scope than the broader risk of repository infrastructure compromise, which can affect all users of a package.
ISC2 CISSP
Software Development Security