ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your team plans to integrate an open-source JSON parsing library obtained from a public mirror. To ensure the component truly originates from the legitimate project and has not been altered, which verification step provides the most reliable evidence of provenance before inclusion in your codebase?
Compare the library's detached PGP signature with the project maintainer's published public key.
Run an automated static code analyzer to identify potential vulnerabilities.
Review the project's issue tracker for recent security complaints.
Download the library exclusively over HTTPS from the mirror site.
The strongest way to confirm a component's provenance is to validate a cryptographic signature that can be tied to the official maintainer. Verifying the library's detached PGP (or other digital) signature with the maintainer's published public key proves both authenticity (it was produced by the expected source) and integrity (it has not been modified). Downloading over HTTPS only protects the transport channel, not the file's origin. Reviewing issue trackers or running static analysis helps assess code quality and vulnerabilities but does not demonstrate where the component came from. Therefore, signature verification is the most reliable evidence of trusted origin.
Category: ISC2 Certified Secure Software Lifecycle Professional (CSSLP), Secure Software Supply Chain