ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

A development organization is realigning its pipeline with the NIST Secure Software Development Framework (SSDF). Which action most directly satisfies the SSDF practice to confirm the integrity and provenance of external code before it is incorporated into a build?

Establish a public vulnerability disclosure and bug-bounty program for the product.
Mandate multifactor authentication for all developer workstations accessing the build server.
Require suppliers to provide a signed Software Bill of Materials and validate component hashes during intake.
Run penetration tests against the production environment after every release.

Report Issue

Answer Description

The SSDF recommends that organizations verify the authenticity and integrity of all third-party components prior to use, typically by requiring a supplier-generated Software Bill of Materials (SBOM) and validating each file's cryptographic hash or digital signature during intake. This ensures the code is exactly what the trusted supplier produced. Penetration testing after deployment, enforcing multifactor authentication on developer workstations, and operating a vulnerability disclosure or bug-bounty program are valuable security activities, but they do not fulfill the specific SSDF requirement to prove component integrity and provenance before compilation.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What is a Software Bill of Materials (SBOM)?

Open an interactive chat with Bash

How are file hashes used to validate component integrity?

Open an interactive chat with Bash

Why doesn’t penetration testing or multifactor authentication address SSDF’s requirement for code integrity?

Open an interactive chat with Bash

What is a Software Bill of Materials (SBOM) and why is it important?

Open an interactive chat with Bash

How do cryptographic hashes ensure the integrity of software components?

Open an interactive chat with Bash

Why is it necessary to validate external code before incorporation into a build process?

Open an interactive chat with Bash

ISC2 Certified Secure Software Lifecycle Professional (CSSLP)

Secure Software Supply Chain

Your Score:

Settings & Objectives

Secure Software Concepts

Secure Software Lifecycle Management

Secure Software Requirements

Secure Software Architecture and Design

Secure Software Implementation

Secure Software Testing

Secure Software Deployment, Operations, Maintenance

Secure Software Supply Chain

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot