ISC2 Certified Cloud Security Professional (CCSP) Practice Question

During a secure DevOps review for a cloud-native application, you discover that the CI/CD pipeline downloads base container images and open-source libraries directly from public repositories at build time. The CISO requires the team to "use verified secure software." Which control will provide the MOST direct assurance that a malicious or tampered component cannot be introduced during the build process?

Mandate that developers run a static application security testing (SAST) scan on source code before each commit is merged.
Deploy a cloud-based web application firewall (WAF) in front of the microservice APIs.
Enable seccomp and AppArmor profiles on all production containers to restrict system calls at runtime.
Implement repository allow-listing and enforce cryptographic signature verification (for example, Cosign or Notary v2) for every image and package fetched during the build.

Report Issue

Answer Description

Requiring that every external component be cryptographically signed and that the build system verify those signatures (for example, with Cosign or Notary v2) ensures the provenance and integrity of each image or package before it is added to an artifact. This directly addresses supply-chain risks by blocking unsigned or altered content. Enabling runtime hardening tools such as seccomp/AppArmor improves container confinement but does not validate the software's origin. Static application security testing scans source code written by developers, not third-party binaries pulled at build time. A web application firewall mitigates inbound attacks against the running service, not the risk of poisoned build inputs.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.