ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
You are designing a CI/CD pipeline for a microservice that relies heavily on open-source libraries. To reduce the risk of releasing vulnerable code, you must detect flaws in third-party components as early as possible, catch coding mistakes before merge, and validate the application's behavior in the QA environment. Which sequencing of automated security tests best fulfills these requirements?
Execute SAST only after the application is in production, then run DAST on the source repository, followed by SCA post-release.
Run SCA during dependency resolution in the build stage, trigger SAST on every code commit, and execute DAST against the deployed QA build.
Perform only SAST during builds and rely on a final round of manual penetration testing before go-live to uncover component and runtime issues.
Run DAST during the build job, perform SCA after deployment to QA, and keep SAST for monitoring in production.
Running Software Composition Analysis (SCA) while the build resolves dependencies flags open-source components with known vulnerabilities (and licence conflicts) as soon as the locked dependency tree is known, so a bad library is rejected before any artifact is built from it instead of being discovered after release. Static Application Security Testing (SAST) inspects source code and needs no running application, so it belongs on every commit or merge request, where each finding maps to the change that introduced it and can be fixed before merge. Dynamic Application Security Testing (DAST) probes a running application through its exposed interfaces, so it needs a deployed target; the QA build is the earliest representative deployment, where it can surface runtime issues such as authentication, session-management and input-handling flaws that static analysis cannot see. The other sequences each fail at least one requirement: running SAST in production or DAST against a source repository puts each tool where it has nothing it can analyse, deferring SCA to post-release or post-QA lets vulnerable components travel deep into the pipeline before anyone looks at them, and relying on a single manual penetration test before go-live omits the automated component and runtime checks the requirements call for and gives developers no early feedback. One caveat a practitioner should keep in mind: new CVEs are published against components that were clean when merged, so SCA should also run on a schedule against the released dependency manifest, not only at build time.
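The correct sequencing expressed as a GitLab CI pipeline, as an added example that is not part of the original question or its explanation. The question names no tools; the choices here (npm audit and CycloneDX for SCA, Semgrep for SAST, the OWASP ZAP baseline scan for DAST), the `./deploy.sh` script and the QA URL are assumptions for illustration.

```yaml
# Added example: SCA at dependency resolution, SAST on every commit/merge request,
# DAST against the deployed QA build. Tool choices are assumptions, not mandated
# by the question; swap in whatever your organisation has standardised on.
stages:
  - build       # dependencies are resolved here, so SCA runs here
  - test        # SAST runs here, on every push and merge request
  - deploy-qa   # produces the running target that DAST needs
  - dast        # DAST runs here, against the QA deployment

variables:
  QA_URL: "https://qa.example.internal"   # assumed QA endpoint for DAST

sca:
  stage: build
  image: node:20
  script:
    # Install exactly the locked tree; skipping install scripts keeps a
    # malicious package from executing code during the build itself.
    - npm ci --ignore-scripts
    # Fail the build on known HIGH/CRITICAL vulnerabilities in resolved packages.
    - npm audit --audit-level=high
    # Keep an SBOM with the artifact so later CVEs can be matched to this build.
    - npx @cyclonedx/cyclonedx-npm --output-file sbom.json
  artifacts:
    paths:
      - sbom.json

sast:
  stage: test
  image: semgrep/semgrep
  script:
    # Scan the source tree; --error makes findings fail the job so they are
    # fixed before merge. --config auto fetches rules from the Semgrep registry.
    - semgrep scan --config auto --error
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH

deploy-qa:
  stage: deploy-qa
  script:
    - ./deploy.sh qa          # assumed deployment script for the QA environment
  environment:
    name: qa
    url: $QA_URL
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

dast:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    # Needs a running target: scan the QA deployment. The baseline scan exits
    # non-zero when any rule fails or warns; tune thresholds with a -c rules file.
    - zap-baseline.py -t "$QA_URL"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The `rules` blocks are what enforce the sequencing the question asks about: SCA and SAST run on every push and merge request, while the QA deployment and the DAST job only run once a change has reached the default branch, because DAST has nothing to test until that deployment exists. A scheduled pipeline that re-runs the `sca` job against the stored SBOM would cover CVEs published after the build, which this per-commit layout alone does not.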