ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

In a containerized production environment, the security team notices that developers sometimes install additional packages after deployment. To stop any malicious binaries that might run inside the containers at runtime, they need a control that will immediately detect and block malware even if it was not present in the original image. Which approach best meets this requirement?

Enforce strict host-based firewall rules to limit outbound network traffic from container hosts to approved destinations
Deploy an on-access malware scanning agent inside each container runtime that uses frequently updated signatures and behavioral analysis to block suspicious executables at run time
Add container image scanning to the CI/CD pipeline to prevent pushing images that contain known vulnerabilities
Rely on static application security testing of the microservice source code before each build is triggered

Report Issue

Answer Description

An on-access (real-time) malware scanning agent placed inside each running container monitors every file execution attempt and compares it to up-to-date signature and heuristic rules. Because the scan happens at runtime, any malicious code introduced after deployment-such as through a package manager or a compromised process-is detected and blocked before it can execute. Image scanning in the CI/CD pipeline, while important, only protects against malware present at build time and cannot see changes made after the container is running. Host firewalls focus on network traffic, not executable content, and SAST finds source-code flaws before compilation rather than detecting malicious binaries delivered post-deployment. Therefore, deploying real-time anti-malware agents inside the container runtime is the most effective control for this scenario.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.