ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
While assessing an open-source encryption library for inclusion in a regulated payment application, you review its origin and support details. Which single observation should raise the greatest concern about adopting the component from an origin-and-support standpoint, potentially outweighing other favorable factors and directing you to reject or further vet the library?
Releases are not cryptographically signed and are available only from a sole developer's personal GitHub repository.
The project has an active contributor mailing list and automated CI pipeline for pull requests.
The issue tracker lists several open security bugs with pending patches awaiting review.
The code is released under the permissive MIT open-source license.
Unsigned releases distributed only from a personal repository provide little assurance that the code you download is exactly what the developer published. Without a cryptographic signature or distribution through a trusted package registry, you cannot confirm authenticity or detect tampering, making provenance highly questionable. A permissive MIT license is common and not inherently risky, an active community and CI pipeline are positive indicators of support, and documented security bugs with patches waiting for review show engagement rather than neglect. Therefore, the lack of verifiable, signed releases from a trustworthy source is the most serious origin-and-support red flag.
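The verification step the explanation says is impossible for this library, shown as an added example that is not part of the original question: a consumer checks a downloaded artifact against a publisher-signed digest manifest using Go's standard-library Ed25519. The key pair, file name, manifest format and artifact bytes are constructed fixtures, not any real project's release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Release: what a consumer holds after downloading. Manifest holds lines of
// "<sha256 hex>  <file name>"; Sig is a detached Ed25519 signature over it.
type Release struct{ Name string; Artifact, Manifest, Sig []byte }

// VerifyRelease accepts a release only if the manifest signature verifies under
// the pinned publisher key AND the artifact digest matches the manifest entry.
// The signature is checked first: digests nobody signed prove nothing.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, r.Manifest, r.Sig) {
		return errors.New("manifest signature invalid: cannot trust listed digests")
	}
	sum := sha256.Sum256(r.Artifact)
	got := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(string(r.Manifest), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == r.Name {
			if f[0] == got {
				return nil
			}
			return fmt.Errorf("%s: digest does not match signed manifest", r.Name)
		}
	}
	return fmt.Errorf("%s: not listed in signed manifest", r.Name)
}
// SignRelease plays the publisher for the demo with a freshly generated key
// pair (constructed fixture); a real consumer pins the project's published key.
func SignRelease(name string, artifact []byte) (ed25519.PublicKey, Release) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if the OS RNG fails
	sum := sha256.Sum256(artifact)
	manifest := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
	return pub, Release{name, artifact, manifest, ed25519.Sign(priv, manifest)}
}
func main() {
	pub, rel := SignRelease("cryptolib-1.0.tar.gz", []byte("constructed release bytes"))
	fmt.Println("genuine download:", VerifyRelease(pub, rel)) // <nil>
	rel.Artifact = []byte("constructed release bytes, modified in transit")
	fmt.Println("modified download:", VerifyRelease(pub, rel)) // digest mismatch error
}
```

Without the signature, an attacker who can alter the download can also alter the manifest, which is why an unsigned checksum file alone gives no provenance.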
Secure Software Supply Chain