ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During onboarding of a third-party closed-source component, your organization wants an automated control that simultaneously proves the component's origin and that it has not been altered while it transits multiple pipeline stages. Which approach best satisfies this requirement?
Run an antivirus scan on the component before promoting it to each subsequent environment.
Require the supplier to attach a PGP or X.509 digital signature to the component and have every pipeline stage verify the signature against the supplier's public key.
Move the component only over HTTPS or TLS-protected links between internal repositories.
Generate a one-time SHA-256 checksum after download and store it in a team spreadsheet for later reference.
Cryptographically signing the component and verifying the signature at each stage provides proof that the binary originates from the expected supplier (authenticity) and that its bits have not changed (integrity). The supplier's private key creates the signature, and each pipeline step validates it with the corresponding public key, establishing a verifiable chain of custody. Simply recording a checksum, using TLS during transfer, or scanning with antivirus offers some protection, but none ties the artifact to a specific trusted source or detects tampering across every handoff.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a digital signature in the context of secure software components?
Open an interactive chat with Bash
Why is a checksum insufficient for proving a component's integrity and authenticity?
Open an interactive chat with Bash
What is the role of the public/private key pair in verifying software integrity?
Open an interactive chat with Bash
What is a PGP digital signature?
Open an interactive chat with Bash
What is an X.509 digital signature?
Open an interactive chat with Bash
How does a cryptographic signature ensure both authenticity and integrity?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Supply Chain
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .