ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your organization automates production deployments through a Git-based CI/CD pipeline. To strengthen security, management wants to implement Segregation of Duties so that no single engineer can both introduce and release malicious code. Which practice best satisfies this requirement while keeping the pipeline largely automated?
Require that every change be merged only after a peer with no deployment privileges approves the pull request, then allow an automated service account to deploy.
Let the pipeline deploy automatically on every commit and send an email notification to the security team after deployment completes.
Hold a weekly change-control board meeting where the developer who wrote the change presents it and manually deploys to production afterward.
Grant each developer administrative access to both the repository and production so outages can be fixed quickly without approvals.
Segregation of Duties is achieved when the tasks of modifying code and releasing it are split between different principals. Requiring a peer who does not have deployment rights to review and approve each pull request establishes an independent check on code changes. Using an automated service account-restricted to deployment only-executes the release without granting that same power to the developer or reviewer, so no single individual can both change and deploy code. Granting all developers full production access violates SoD, as any one person could make and ship unvetted changes. A weekly CAB where the author also performs the deployment still concentrates control in one person at the crucial moment. Simply emailing the security team after an automatic, unapproved deployment detects issues only after they occur and does not separate duties at all.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is Segregation of Duties (SoD) important in a CI/CD pipeline?
Open an interactive chat with Bash
How does a peer review before merging strengthen security?
Open an interactive chat with Bash
What is an automated service account, and why is it used in CI/CD pipelines?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Concepts
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .