ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A DevOps engineer must decide whether to integrate a newly discovered third-party JavaScript library into a client-facing web application. Which single action will give the engineer the strongest assurance that the file truly comes from the intended publisher and has not been altered in transit before it is added to the build?
Read the README file and check the number of stars and forks in the library's public repository to assess community trust.
Verify the library's digital signature and independently match its cryptographic hash against the hash published by the supplier.
Confirm the release tag coincides with high activity in the project's public issue tracker before download.
Download the library from a reputable content delivery network and test its functionality in a staging environment.
Validating the publisher's digital signature on the library and independently calculating the file's cryptographic hash and comparing it to the hash value published by the vendor addresses two complementary concerns. The signature confirms the code's provenance by proving it was produced with the supplier's private key, while the hash comparison ensures the object's integrity by detecting any modification after signing. Community popularity signals, functional tests, or repository activity can provide useful information, but none give cryptographic proof of origin and integrity. Likewise, merely downloading from a widely used CDN does not prevent a tampered or spoofed file from being retrieved if the distribution point is compromised.
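The two checks described in the explanation, written out as an added example (this is not code from the exam page or from ISC2). The library bytes are a constructed stand-in, and the signature step assumes the supplier publishes Ed25519 signatures that are checked with the third-party `cryptography` package; the hash step needs only the standard library and also emits the Subresource Integrity value a client-facing page would pin in its script tag.

```python
import base64
import hashlib
import hmac
from typing import Callable

# Constructed sample: stands in for the downloaded third-party JavaScript library.
SAMPLE_LIBRARY = b"export function greet(name) { return 'hello ' + name; }\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes, the form suppliers usually publish."""
    return hashlib.sha256(data).hexdigest()


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def hash_matches(data: bytes, published_hex: str) -> bool:
    """Integrity check: recompute the hash and compare in constant time.

    published_hex must come from a channel independent of the download
    (vendor site over TLS, signed release notes), otherwise a tampered
    distribution point can serve a matching hash alongside the tampered file.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def verify_ed25519(public_key_raw: bytes, signature: bytes, data: bytes) -> bool:
    """Provenance check (assumption: supplier signs releases with Ed25519).

    Requires the 'cryptography' package; the public key must be obtained
    out of band and pinned, not fetched from the same place as the file.
    """
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

    try:
        Ed25519PublicKey.from_public_bytes(public_key_raw).verify(signature, data)
        return True
    except InvalidSignature:
        return False


def admit_dependency(
    data: bytes, published_hex: str, signature_ok: Callable[[bytes], bool]
) -> dict:
    """Fail closed: the artifact enters the build only if both checks pass.

    signature_ok is the provenance verifier, e.g.
    lambda d: verify_ed25519(pinned_key, downloaded_sig, d).
    """
    provenance = signature_ok(data)
    integrity = hash_matches(data, published_hex)
    admit = provenance and integrity
    return {
        "provenance": provenance,
        "integrity": integrity,
        "admit": admit,
        # Only pin an SRI value for bytes that passed both checks.
        "sri": sri_integrity(data) if admit else None,
    }


if __name__ == "__main__":
    # Constructed "published" hash: in practice it is read from the vendor's page.
    published = sha256_hex(SAMPLE_LIBRARY)
    print(admit_dependency(SAMPLE_LIBRARY, published, lambda d: True))
    print(admit_dependency(SAMPLE_LIBRARY + b"// injected\n", published, lambda d: True))
```

The gate reports both results separately so a build log shows which property failed: a bad signature with a good hash means the bytes match what was published but were not signed by the expected key (or the key is wrong), while a good signature with a bad hash means the published hash and the signed release have diverged, which also warrants stopping the build.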
Secure Software Supply Chain