ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

While architecting over-the-air firmware updates for a field-deployed industrial IoT sensor with limited flash storage, you must ensure that no malicious code is installed and that the device can still boot if power is lost during the update. Which update design best satisfies these goals?

Download firmware over HTTPS, decrypt it on the device, and prevent any rollback to earlier versions once installation starts.
Keep two firmware partitions (A/B); the immutable bootloader verifies a digital signature on the downloaded image before activating it and reverts to the previous image if verification or booting fails.
Encrypt firmware with a single symmetric key shared by all devices and push updates via a password-protected remote shell session.
Compress the new firmware to fit the existing partition, overwrite the running image, and depend on CRC checks during flashing to detect errors.

Report Issue

Answer Description

The combination of a dual-image (A/B) layout and cryptographic signature verification by an immutable bootloader meets both requirements. The signature check guarantees authenticity and integrity, preventing execution of tampered firmware, while maintaining two separate partitions lets the device fall back to the last known-good image if the new one is incomplete or fails to boot. Merely compressing the firmware or using transport encryption (HTTPS) protects size or transit privacy but does not assure post-download authenticity, nor does it offer reliable recovery from interruption. Relying on a shared symmetric key and remote shell lacks per-device trust anchors and safe rollback, leaving devices vulnerable to compromise or bricking.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.