Exam Professional Cloud Architect topic 1 question 166 discussion

B&E Code signing only verifies the author. In other words it only check who you are, but not what have you done

I think answer is D & E.

B. Source Code Security Analyzers: Integrating source code security analyzers into the CI/CD pipeline helps identify vulnerabilities in the codebase early in the development cycle. This ensures that security errors are caught and addressed before they make it into production. E. Vulnerability Security Scanner: Running a vulnerability scanner as part of the CI/CD pipeline identifies weaknesses in dependencies, configurations, and deployed artifacts. This provides an additional layer of security by detecting risks that might not be evident in the source code alone.

The question clearly states that "primary business objective are release speed and agility". To achieve this, you should have good unit tests in place (C). For this reason I think BC is a more balanced choice.

BD, D because it enables only validated trusted images to be deployed.

SAST & DAST ( @aAbdelhamid: our EA Work hahahahaha )

Option D does not directly address the primary concern of reducing the chance of security errors being accidentally introduced. Here’s why: Focus on Integrity: Code signing and using a trusted binary repository primarily ensure that the code and binaries have not been tampered with and are from a trusted source. While this is important for security, it doesn’t specifically target the detection and prevention of security vulnerabilities within the code itself. Indirect Impact on Security Errors: While code signing can help prevent the introduction of malicious code, it doesn’t directly scan for or identify security vulnerabilities that might be accidentally introduced by developers.

why the other options aren't as ideal: A. Ensure every code check-in is peer reviewed by a security SME: Manual reviews can become a bottleneck in agile environments and are less scalable than automated tools. C. Ensure you have stubs to unit test all interfaces between components: Good practice, but primarily focuses on functional rather than security testing. D. Enable code signing and a trusted binary repository...: Integrity checks are essential but don't directly prevent the introduction of the security errors themselves.

Cyber Sec professional here. Question asks to reduce chance of security errors accidentally introduced. This means to integrate Static Application Security Tests (SAST) and Dynamic Application Security Tests (DAST) as part of CI/CD pipeline. Hence B and E are the right match. D is to ensure only trusted code is deployed to production, not reduce 'security error accidentally introduced'.

I guess A and C are both time consuming and labor intensive. Also, aren't C stubs supposed to be used for unit tests? What remains is BDE. B is source code inspection. Doing D ensures that the repository is not contaminated. E's vulnerability scan detects whether there are any CVEs. I think all of them are correct. If you had to choose two, what would it be? Isn't it really slow if you do B and E?

https://cloud.google.com/blog/products/devops-sre/devsecops-and-cicd-using-google-cloud-built-in-services

The thing that makes me think D makes sense is that it ensures that only images that have passed though the configured CI/CD pipeline (with vulnerability checks) will be able to be deployed. This is better explained here: https://cloud.google.com/blog/products/containers-kubernetes/guard-against-security-vulnerabilities-with-container-registry-vulnerability-scanning

https://cloud.google.com/blog/products/containers-kubernetes/guard-against-security-vulnerabilities-with-container-registry-vulnerability-scanning

Code signing only verifies the author not content

DE https://cloud.google.com/blog/products/containers-kubernetes/guard-against-security-vulnerabilities-with-container-registry-vulnerability-scanning

trusted binary repository option seems a static thing. For a release if we haven not used any new packages, trusted binary repository would not add any extra value. So B&E which will are needed for every checking/release.

B and E is the answer for me also.