ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your organization is selecting an open-source encryption library to embed in a closed-source SaaS offering that will be distributed to customers. Which license feature would most endanger your ability to keep the company's proprietary code confidential once the service is delivered?
The library carries the MIT License, obligating only preservation of the original copyright notice.
The library is licensed under GNU GPLv3, requiring any derivative software to be released under the same license.
The library uses the Apache License 2.0, which includes a patent grant to recipients.
The library is under the GNU LGPL, permitting dynamic linking without disclosure of proprietary source code.
The GNU General Public License v3 is a strong copyleft license. If a GPL-licensed component is incorporated into a larger program and that program is distributed to customers, the entire derivative work must be released under the GPL. This obligation would force the organization to provide its proprietary source code, conflicting with the goal of keeping it confidential.
By contrast, the MIT License is permissive, generally requiring only that copyright and license notices be retained, so it does not compel source-code disclosure. The Apache License 2.0 does include a patent grant and notice requirements, but it also allows proprietary derivatives. The GNU Lesser GPL (LGPL) is less restrictive than GPL; it allows dynamic linking without obligating the release of the entire application's source code, provided modifications to the library itself are shared. Therefore, the GPLv3 reciprocal requirement presents the greatest legal risk to proprietary code.
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Supply Chain