ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization plans to deploy a customer-facing microservice in its public cloud environment. The development team wants to base the container image on a third-party open-source image downloaded from a public registry. Before granting production approval, the cloud security professional must perform a vendor assessment focused on supply-chain risk. Which action offers the highest level of assurance that the image is free of undocumented or malicious components?
A. Review the vendor's marketing datasheet to confirm that they claim secure development practices.
B. Match the image's cryptographic digest to a signed SBOM entry and reproduce the build from the vetted source code in a controlled pipeline.
C. Approve the image if it has over one million downloads and a high user rating in the registry.
D. Pull the image, execute functional smoke tests in a sandbox, and promote it if the tests pass.
Explanation: The most reliable way to detect hidden or malicious additions in a third-party container image is to verify that the binary exactly matches a signed, documented build that can be reproduced from vetted source code. Matching the image's cryptographic digest to the manifest contained in an authenticated software bill of materials (SBOM) confirms integrity and provenance, while performing a reproducible build in a controlled pipeline and comparing the resulting digest validates that no code was inserted between source and artifact. Running functional tests or relying on popularity metrics provides far less assurance, because neither reveals what the image actually contains, and marketing literature offers virtually none.
Cloud Application Security