ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your DevSecOps team is designing a CI/CD pipeline for a container-based application. To stop an adversary from inserting a malicious image between the build and production deployment stages, which control should be added as a mandatory gate before release?
Embed container registry credentials directly in pipeline environment variables
Adopt blue/green deployment to switch traffic gradually to the new release
Validate a cryptographic signature on each container image before it is pulled to the production environment
Perform static application security testing only during the coding phase
Requiring that every container image be signed during the build, and that the deployment stage verify the image's signature with a trusted public key, provides cryptographic assurance that the artifact has not been altered and comes from an authorized source. Static analysis improves code quality but does not detect post-build tampering. Storing registry credentials in clear-text environment variables introduces risk rather than mitigating it. Blue/green deployment reduces downtime and rollback risk but offers no guarantee that the image itself is authentic or untampered. Therefore, enforcing signature verification is the most effective safeguard against insertion of rogue images in the release pipeline.
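The sign-at-build, verify-at-deploy gate described above, as an added illustration that is not part of the original question: the build stage signs the image's content digest with a build key, and the release gate recomputes the digest of the image it actually pulled and checks the signature against the trusted public key. Key generation, the manifest bytes and the ImageSignature type are constructed for this example; a real pipeline would keep the private key in a signing service and pin the public key in the deploy configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ImageSignature binds a signature to the content digest it covers (constructed type).
type ImageSignature struct {
	Digest    string // "sha256:<hex>" of the image manifest
	Signature []byte
}

// digestOf computes the content digest that both signing and verification cover.
func digestOf(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignImage runs in the build stage: it signs the image digest with the build key.
func SignImage(priv ed25519.PrivateKey, manifest []byte) ImageSignature {
	d := digestOf(manifest)
	return ImageSignature{Digest: d, Signature: ed25519.Sign(priv, []byte(d))}
}

// VerifyImage is the release gate: it recomputes the digest of the pulled image
// and accepts only a signature over that digest from the trusted public key.
func VerifyImage(trusted ed25519.PublicKey, manifest []byte, sig ImageSignature) bool {
	d := digestOf(manifest)
	if d != sig.Digest {
		return false // the pulled image is not the artifact that was signed
	}
	return ed25519.Verify(trusted, []byte(d), sig.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // trusted build key pair
	manifest := []byte(`{"image":"app","tag":"1.2.3"}`) // constructed sample manifest
	sig := SignImage(priv, manifest)
	tampered := []byte(`{"image":"app","tag":"1.2.3","extra":"injected"}`)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // adversary's own key
	fmt.Println("genuine image passes gate:   ", VerifyImage(pub, manifest, sig))
	fmt.Println("tampered image passes gate:  ", VerifyImage(pub, tampered, sig))
	fmt.Println("rogue-key image passes gate: ", VerifyImage(pub, manifest, SignImage(roguePriv, manifest)))
}
```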