ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

Your organization receives a third-party microservice as a container image, which must move from the vendor's registry to your staging registry and then to production. To maintain an auditable chain of custody for the image during each hand-off, which control provides the strongest assurance?

Import the image only after receiving the vendor's most recent vulnerability scan report.
Store the image in an internal private registry that is protected by network firewalls.
Require every repository to validate a vendor-issued digital signature and record the image's cryptographic hash and handler identity at each transfer.
Move the image only over SFTP with user passwords rotated on a quarterly schedule.

Report Issue

Answer Description

The most effective way to enforce an end-to-end chain of custody is to use cryptographic mechanisms that prove both origin and integrity at every transfer point and to record who handled the artifact. Requiring each repository to validate a vendor-supplied digital signature while logging the verified hash and the identity of the individual or process that performed the transfer establishes immutable evidence that the component is authentic, unaltered, and traceable through its entire lifecycle. Secure transport methods such as SFTP, network segmentation, or requesting a vulnerability report improve security but do not by themselves create a verifiable custody trail. Without verified signatures and logged hash values, tampering between hops could go undetected, and the organization would lack defensible records of custody.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.