ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a security review you discover that production database credentials are embedded as environment variables inside Docker images that are pushed to a shared registry and deployed through an existing CI/CD pipeline. To align with secure storage and management practices for application secrets, which remediation is MOST appropriate?
Commit the credentials to a Git repository encrypted with AES and include the encryption key in a separate file.
Store the credentials in a secrets-management vault and have the orchestrator inject them into the container at runtime.
Obfuscate the credentials in the image by base64 encoding them before build time.
Keep the credentials in the image but restrict registry access to the production operations group only.
Baking secrets into a container image creates a persistent, widely distributed copy that anyone with pull access can retrieve. The recommended practice is to move those credentials to a dedicated secrets-management service or vault and have the orchestrator inject them into the container at runtime (for example, through Docker or Kubernetes secrets, or an external vault). This keeps the secret out of the image, allows centralized rotation, and integrates cleanly with automated pipelines. Base64 encoding does not protect the secret, placing encrypted files in source control still exposes key material, and restricting registry access reduces exposure but leaves the secret hard-coded in every image layer.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a secrets-management vault?
Open an interactive chat with Bash
How does an orchestrator inject secrets into containers at runtime?
Open an interactive chat with Bash
Why is base64 encoding not secure for storing secrets?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)