ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your DevSecOps team must enhance the CI/CD pipeline so that any build is automatically aborted when the project pulls in third-party libraries with known CVEs or incompatible licenses. Which type of application security tool should be placed immediately after dependency resolution to provide this control and near-real-time feedback to developers?
Software Composition Analysis (SCA) tools examine an application's dependency manifest and build artifacts to identify open-source and third-party components. They compare component versions against vulnerability databases and license policies, allowing the pipeline to fail a build when a component with a known CVE or an unapproved license is detected. Dynamic (DAST), interactive (IAST), and runtime protection (RASP) tools evaluate the running application rather than its dependencies, so they cannot prevent vulnerable or non-compliant libraries from entering the build at this early stage.
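To make the control concrete, the following is an added example (not part of the practice question) of the check an SCA gate performs on the resolved dependency set: every vulnerability record, advisory ID, license rule and dependency in it is constructed for illustration, and real tools would source them from live vulnerability and license feeds.

```python
"""Minimal SCA gate run right after dependency resolution in CI.
All vulnerability records, license rules and dependencies below are constructed."""


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed vulnerability database: package -> [(advisory id, first fixed version)].
# A dependency is affected when its version is below the fixed version.
VULN_DB = {
    "fastjsonlib": [("CVE-EXAMPLE-0001", "2.1.0")],
    "netutils": [("CVE-EXAMPLE-0002", "0.9.5"), ("CVE-EXAMPLE-0003", "1.0.0")],
}

# Constructed license policy: only these SPDX identifiers may enter the build.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def scan_dependencies(deps, vuln_db=VULN_DB, allowed=ALLOWED_LICENSES):
    """Check each resolved (name, version, license) triple; empty result = gate passes."""
    findings = []
    for name, version, license_id in deps:
        for advisory, fixed_in in vuln_db.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(f"{name}@{version}: {advisory} (fixed in {fixed_in})")
        if license_id not in allowed:
            findings.append(f"{name}@{version}: license {license_id} not approved")
    return findings


def build_should_fail(deps) -> bool:
    """Pipeline hook: True when any vulnerable or non-compliant component is present."""
    return bool(scan_dependencies(deps))


if __name__ == "__main__":
    # Constructed resolved dependency set, as a lockfile would list it.
    resolved = [
        ("fastjsonlib", "2.0.4", "Apache-2.0"),  # below 2.1.0 -> vulnerable
        ("netutils", "0.9.5", "GPL-3.0-only"),   # one CVE fixed, one not; license blocked
        ("logfmt", "3.1.0", "MIT"),              # clean
    ]
    for finding in scan_dependencies(resolved):
        print("BLOCKED:", finding)
    raise SystemExit(1 if build_should_fail(resolved) else 0)
```

Exiting non-zero is what lets the CI runner abort the build; the printed findings are the near-real-time feedback the developer sees on the failed job.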