ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your development team is designing a peer-to-peer (P2P) software-distribution feature that lets workstations obtain updates from any reachable peer, including devices outside the enterprise. Because some peers may be malicious, what is the most effective architectural control to ensure that a workstation installs only legitimate, untampered update packages received through the P2P network?
Have peers authenticate to each other with a shared secret exchanged at session setup.
Digitally sign every update with the vendor's private key and require signature verification before installation.
Restrict each node to a small, fixed number of simultaneous peer connections.
Distribute a cryptographic checksum generated by the first peer that offers the file and compare it after download.
In a P2P environment, participating nodes are not centrally vetted, so update packages can be modified or forged in transit. The most reliable way to guarantee both integrity and authenticity is to have the software vendor sign each release with its private signing key and require every peer to verify that detached or embedded digital signature before accepting and installing the code. A per-session shared secret does not protect against content tampering once a peer is compromised. Checksums supplied by another peer can be forged alongside the package itself, providing no independent trust anchor. Limiting the number of peer connections may reduce exposure but does nothing to verify the correctness of the code obtained. Therefore, mandatory verification of vendor-issued digital signatures on every update is the strongest and most direct mitigation.
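The contrast drawn in the explanation, as an added Go example that is not part of the original question: a package altered by a peer still matches the checksum that same peer supplies, but fails verification against the vendor public key pinned on the workstation. Ed25519, the `Offer` type and the function names are assumptions chosen for illustration, and the package bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Offer is what a peer hands over: package, peer-computed checksum, detached signature.
type Offer struct {
	Package      []byte
	PeerChecksum [32]byte
	VendorSig    []byte
}

var ErrBadSignature = errors.New("vendor signature verification failed")

// ChecksumOK is the weak check: it only compares against a value from the untrusted peer.
func ChecksumOK(o Offer) bool {
	sum := sha256.Sum256(o.Package)
	return bytes.Equal(sum[:], o.PeerChecksum[:])
}

// VerifyUpdate is the install gate: it trusts only the pinned vendor public key.
func VerifyUpdate(pinned ed25519.PublicKey, o Offer) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, o.Package, o.VendorSig) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds constructed data: a genuine release and a tampered copy with a matching checksum.
func Demo() (genuine, tampered Offer, pinned ed25519.PublicKey) {
	pinned, vendorPriv, _ := ed25519.GenerateKey(nil) // vendor side, at release time
	pkg := []byte("update-1.2.3 payload (constructed sample)")
	sig := ed25519.Sign(vendorPriv, pkg)
	genuine = Offer{pkg, sha256.Sum256(pkg), sig}
	bad := append([]byte("modified by peer: "), pkg...)
	tampered = Offer{bad, sha256.Sum256(bad), sig} // peer recomputed the checksum
	return
}

func main() {
	g, t, pk := Demo()
	fmt.Println("genuine :", ChecksumOK(g), VerifyUpdate(pk, g))
	fmt.Println("tampered:", ChecksumOK(t), VerifyUpdate(pk, t))
}
```

The private key appears here only to produce the sample signature; in a deployment it stays with the vendor and the workstation ships with the public key alone.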