ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
While hardening its CI/CD pipeline, a DevSecOps team decides to add a runtime control that can detect and block cross-site scripting attempts as they arrive from external clients. Which mechanism directly fulfills this requirement?
Sign each container image and verify the signature prior to deployment.
Perform software composition analysis to identify vulnerable third-party libraries before packaging.
Run static application security testing on the codebase during the build phase.
Deploy a cloud-based Web Application Firewall in front of the application to filter HTTP requests in real time.
A web application firewall (WAF) operates in real time between users and the application, inspecting each HTTP request and response. Because it can recognize malicious payloads such as cross-site scripting or SQL injection and block or sanitize them before they reach application code, it provides the desired runtime protection.
Static application security testing (SAST) analyzes source code or binaries during the build phase, not at runtime. Software composition analysis (SCA) inventories third-party components for known vulnerabilities but does not intercept live traffic. Container image signing verifies integrity before deployment; it has no visibility into or control over active HTTP sessions. Therefore, deploying a WAF is the only option that meets the requirement.