ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

After merging a critical security patch into the main branch of a cloud-hosted application, the DevSecOps team must decide what to do next. Following a secure patch release process that balances speed with safety, which action should they take before allowing the pipeline to promote the build to production?

Tag the patched commit as a hotfix and immediately generate production images for blue-green deployment without additional checks.
Archive the patched code and wait for the next quarterly change review meeting to schedule production deployment.
Disable all automated tests to accelerate the pipeline and deploy the patched build directly to production.
Trigger the automated security and regression test suite in a staging environment and require all tests to pass before production deployment.

Report Issue

Answer Description

A secure patch release process requires validating that the patch corrects the vulnerability without introducing new defects. The preferred way to achieve this is to run automated security and functional regression tests in a staging environment that mirrors production and to configure approval gates so the deployment proceeds only if all tests pass. Skipping tests or disabling gates might reduce deployment time but increases the risk of shipping unstable or insecure code. Simply tagging the commit and pushing to production, or postponing deployment until a distant quarterly review, both violate the principle of timely yet controlled patching. Therefore, executing the automated testing and ensuring successful results prior to production deployment is the correct next step.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.