ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your team must integrate an untrusted data analytics plugin into a Linux-based microservices platform. The plugin needs near-native performance but must be confined so it cannot access files beyond its working directory or affect other services. Which isolation technique offers the most appropriate balance of strong operating-system-level separation and minimal performance overhead?
Execute the plugin within the same process under a language runtime sandbox (e.g., Java SecurityManager).
Place the plugin in a traditional chroot jail on the host operating system.
Run the plugin inside a container that leverages Linux namespaces and cgroups for isolation.
Run the plugin in a full hardware-assisted virtual machine with its own guest operating system.
Containers implement operating-system-level virtualization using namespaces and cgroups to restrict a process's view of the filesystem, process table, network stack, and resource consumption. Because containers share the host kernel, they avoid the heavy memory and CPU overhead of running a full guest operating system, delivering performance close to bare metal while still providing substantially stronger isolation than simple chroot jails or language runtimes. Full virtual machines give robust isolation but add significant resource and management overhead, while chroot and language-based sandboxes rely on discretionary mechanisms that are easier to bypass. Therefore, running the plugin inside a container is the best choice for secure, efficient isolation.
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)
Secure Software Implementation