ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During component selection for a payment application, a security engineer must choose between two third-party cryptographic libraries that both satisfy functional and performance requirements. Which single evaluation factor should carry the most weight to minimize software supply-chain risk?

Highest number of GitHub stars and community forks
Availability of recent independent security audit results and a proven, timely vulnerability disclosure process
Presence of multiple commercial training courses for developers
Fastest encryption throughput in industry benchmark tests

Report Issue

Answer Description

A core SSDF recommendation is to assess the supplier's security posture, including how thoroughly the component has been evaluated and how quickly the maintainers address discovered issues. A recent independent security audit coupled with an established, responsive vulnerability disclosure process shows due diligence, active maintenance, and a commitment to timely patching-directly reducing the risk of introducing exploitable flaws. Popularity, raw performance, or availability of training can be helpful, but none provides the same assurance that the component has been rigorously reviewed for security defects and will be promptly fixed if new vulnerabilities arise.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

Why is an independent security audit important for third-party cryptographic libraries?

Open an interactive chat with Bash

What does a proven vulnerability disclosure process entail?

Open an interactive chat with Bash

Why are popularity and performance less critical than security audits for minimizing software supply-chain risks?

Open an interactive chat with Bash

What is an independent security audit, and why is it important?

Open an interactive chat with Bash

What is a vulnerability disclosure process, and how does it reduce supply chain risk?

Open an interactive chat with Bash

Why are GitHub stars and forks not reliable for assessing security risks?

Open an interactive chat with Bash

ISC2 Certified Secure Software Lifecycle Professional (CSSLP)

Secure Software Supply Chain

Your Score:

Settings & Objectives

Secure Software Concepts

Secure Software Lifecycle Management

Secure Software Requirements

Secure Software Architecture and Design

Secure Software Implementation

Secure Software Testing

Secure Software Deployment, Operations, Maintenance

Secure Software Supply Chain

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot