Exam SY0-601 topic 1 question 530 discussion

Enforcing the use of a controlled and trusted source of container images is the best solution to prevent incidents like the one described. When using containerized applications, it is crucial to ensure that the container images come from trusted sources, such as a private container registry, where the images are scanned for vulnerabilities and controlled by the organization. This way, the risk of downloading images with zero-day vulnerabilities or other malicious code from public registries is minimized.

For those choosing B, how does a zero-day attack have a known signature??

this is such a weird question . just because you get it from a trusted source doesnt mean it wont have zero day vulnerabilities. it says prevent , that wont prevent because you wont know, the point of a zero day attack is that nobody knows until it happens ?

I personally think A-C won’t help against a zero day. D. At least it is segmented more from the network & less likely for threat actors to leverage any vulnerabilities they can find.

I am voting for option A.

You want to prevent this from happening again not minimize the risk. You cant protect against zero-day vulnerabilities so the only way is to install IPS to detect and prevent against malicious code.

For whomever selected C....two hyphenated words "zero-day". Answer is A.

Normally, I would select A as the answer, however, the mention of "Zero-Day" means that any trusted source would not have a defense against the vulnerability! C wouldn't really work, either, since, as above it's a "Zero-Day" problem - how can you define a scan for something you have no info on? D won;t work, either. If you have an IPS solution that works with heuristics and/or AI, you can detect Zero Day attacks and prevent them.

Those for A should bear in mind that not all applications from trusted sources are necessarily vulnerability-free. While obtaining applications from reputable or trusted sources can reduce the risk of encountering malicious software or intentionally harmful applications, it does not guarantee that the applications themselves are free from vulnerabilities.

A. Enforce the use of a controlled trusted source of container images.

Going with A here

A zero-day vulnerability can not be detected by a vulnerability scan. C is not correct. I choose A.

chatgpt: C. Define a vulnerability scan to assess container images before being introduced into the environment. By implementing a vulnerability scanning process for container images, the organization can identify and assess any potential security vulnerabilities or weaknesses before deploying them into the environment. This allows for proactive detection and mitigation of known vulnerabilities, reducing the risk of introducing a zero-day vulnerability or other security issues. Enforcing the use of a controlled trusted source of container images (option A) is also important to ensure the integrity and security of the images, but it may not be sufficient on its own to prevent zero-day vulnerabilities. Deploying an IPS solution (option B) capable of detecting signatures of attacks targeting containers can provide additional security measures, but it may not be effective against zero-day vulnerabilities. Creating a dedicated VPC (option D) can enhance isolation and segmentation but does not directly address the issue of vulnerability detection in container images.

a verified trusted source has already been reviewed/assessed and has had a vulnerability scan. Going with A

Should be C