1. What is a software supply chain attack?
A) A technique used to optimize software development pipelines
B) A method of bypassing firewalls using third-party applications
C) An attack that targets software updates, dependencies, or repositories
D) A way to improve CI/CD efficiency
✅ Answer: C) An attack that targets software updates, dependencies, or repositories
💡 Explanation: A software supply chain attack occurs when attackers compromise software dependencies, third-party libraries, or update mechanisms to introduce malicious code into applications used by end users.
2. Which of the following is a common type of software supply chain attack?
A) Credential stuffing
B) Dependency confusion
C) Session hijacking
D) SQL injection
✅ Answer: B) Dependency confusion
💡 Explanation: Dependency confusion occurs when attackers upload malicious packages with higher version numbers to public repositories, tricking package managers into downloading them instead of legitimate dependencies.
3. How can developers prevent dependency confusion attacks?
A) Always use the latest version of dependencies from public repositories
B) Rely solely on default settings of package managers
C) Use namespace-based scoping and private registries
D) Disable automatic updates of dependencies
✅ Answer: C) Use namespace-based scoping and private registries
💡 Explanation: Namespace-based scoping ensures that packages are fetched from trusted sources, and private registries prevent unauthorized packages from being injected into the software supply chain.
4. What is the primary risk of using unverified third-party dependencies?
A) Performance degradation
B) Increased software licensing costs
C) Introduction of malicious code or vulnerabilities
D) Slower development cycles
✅ Answer: C) Introduction of malicious code or vulnerabilities
💡 Explanation: Attackers often exploit third-party dependencies by injecting malicious code, backdoors, or security vulnerabilities, which can then propagate throughout the software ecosystem.
5. Which security measure helps detect tampering in open-source dependencies?
A) Code minification
B) Software Bill of Materials (SBOM)
C) Load balancing
D) Web application firewall (WAF)
✅ Answer: B) Software Bill of Materials (SBOM)
💡 Explanation: An SBOM is a structured list of all software components, including dependencies, making it easier to identify vulnerabilities, malicious packages, and tampering in the software supply chain.
6. What is a common technique attackers use to inject malicious code into popular open-source libraries?
A) Reverse engineering
B) Watering hole attacks
C) Typosquatting
D) Heap spraying
✅ Answer: C) Typosquatting
💡 Explanation: Typosquatting occurs when attackers create malicious packages with names similar to legitimate dependencies (e.g., “lodas” instead of “lodash”), tricking developers into installing them.
7. Which tool is commonly used to scan for vulnerabilities in software dependencies?
A) Wireshark
B) Burp Suite
C) Dependabot
D) Nmap
✅ Answer: C) Dependabot
💡 Explanation: Dependabot (by GitHub) automatically scans for vulnerabilities in dependencies and suggests updates to fix them, helping to secure the software supply chain.
8. How can developers ensure they are using secure dependencies?
A) Use hash verification to validate package integrity
B) Avoid updating dependencies frequently
C) Only use closed-source software
D) Disable package manager security warnings
✅ Answer: A) Use hash verification to validate package integrity
💡 Explanation: Hash verification ensures that a downloaded package matches its expected cryptographic checksum, preventing attackers from injecting malicious versions.
9. Which of the following is an example of a maliciously injected dependency?
A) Log4Shell in Log4j
B) Cross-site scripting (XSS) in React
C) SQL injection in Django
D) Buffer overflow in C++ applications
✅ Answer: A) Log4Shell in Log4j
💡 Explanation: The Log4Shell vulnerability in Log4j was an example of how a widely used dependency could be exploited, leading to remote code execution (RCE) attacks.
10. What is the best practice when managing third-party dependencies?
A) Allow all dependencies without review
B) Use least privilege access for package installation
C) Always update to the latest version without testing
D) Rely solely on developer-recommended dependencies
✅ Answer: B) Use least privilege access for package installation
💡 Explanation: Granting limited privileges to package managers reduces the risk of malicious dependencies compromising an entire system.
11. What is the purpose of digital signatures in software package distribution?
A) Improve software performance
B) Authenticate and verify package integrity
C) Compress files for faster downloads
D) Enhance user experience
✅ Answer: B) Authenticate and verify package integrity
💡 Explanation: Digital signatures verify that software packages come from trusted sources and haven’t been altered.
12. Which programming language’s package manager has been affected by dependency attacks in the past?
A) JavaScript (npm)
B) Python (pip)
C) Ruby (RubyGems)
D) All of the above
✅ Answer: D) All of the above
💡 Explanation: npm, pip, and RubyGems have all been targeted by dependency attacks, supply chain compromises, and typosquatting exploits.
13. Which repository best practices can help prevent supply chain attacks?
A) Enable two-factor authentication (2FA) for contributors
B) Allow anyone to publish packages freely
C) Remove all access controls for efficiency
D) Disable dependency updates
✅ Answer: A) Enable two-factor authentication (2FA) for contributors
💡 Explanation: 2FA for repository maintainers helps prevent unauthorized access and package tampering.
14. What role does Software Composition Analysis (SCA) play in supply chain security?
A) It identifies and tracks open-source components used in software
B) It improves software execution speed
C) It helps compress dependency files
D) It ensures backward compatibility
✅ Answer: A) It identifies and tracks open-source components used in software
💡 Explanation: SCA tools analyze software components, detect vulnerabilities, and track dependencies in the software supply chain.
15. What is the best way to secure CI/CD pipelines from supply chain attacks?
A) Allow unrestricted access to deployment environments
B) Implement code signing and automated security checks
C) Use hardcoded credentials for deployment
D) Disable security monitoring
✅ Answer: B) Implement code signing and automated security checks
💡 Explanation: Code signing and automated security checks ensure only trusted code is deployed.
16. What is the primary function of an artifact repository in a secure software supply chain?
A) Storing and managing software artifacts securely
B) Encrypting source code before deployment
C) Automatically fixing security vulnerabilities in dependencies
D) Preventing software piracy
✅ Answer: A) Storing and managing software artifacts securely
💡 Explanation: Artifact repositories (like JFrog Artifactory or Nexus) securely store and manage software components, ensuring verified dependencies are used in builds.
17. What is a “malicious dependency injection” attack?
A) An attack where an attacker injects a malicious third-party dependency into a project
B) A denial-of-service attack on package managers
C) An attack that manipulates authentication tokens
D) A phishing attack targeting software developers
✅ Answer: A) An attack where an attacker injects a malicious third-party dependency into a project
💡 Explanation: Attackers upload modified versions of dependencies to trick developers into unknowingly including malicious code in their software.
18. What is the most effective way to prevent typosquatting attacks?
A) Only use dependencies from popular repositories
B) Manually check package names before installation
C) Use a private package registry and strict dependency policies
D) Always install the latest version of dependencies
✅ Answer: C) Use a private package registry and strict dependency policies
💡 Explanation: Private registries help developers avoid installing malicious lookalike (typosquatted) packages from public repositories.
19. Why is verifying package signatures important before installation?
A) It checks for syntax errors in the package
B) It ensures the package is installed faster
C) It verifies the authenticity and integrity of the package
D) It allows automatic dependency updates
✅ Answer: C) It verifies the authenticity and integrity of the package
💡 Explanation: Package signatures (PGP, SHA hashes, etc.) confirm that a package is untampered and comes from a trusted source.
20. What is the main goal of supply chain security in DevSecOps?
A) To integrate security at every stage of development
B) To automate software development processes
C) To minimize the need for manual testing
D) To improve software execution speed
✅ Answer: A) To integrate security at every stage of development
💡 Explanation: DevSecOps ensures that security is embedded throughout the development pipeline, including supply chain security.
21. What is the risk of using outdated dependencies in a project?
A) Increased software development costs
B) Performance degradation
C) Potential exploitation of known vulnerabilities
D) Slower code compilation
✅ Answer: C) Potential exploitation of known vulnerabilities
💡 Explanation: Attackers exploit known vulnerabilities in outdated dependencies, which could lead to security breaches.
22. How does a “dependency chain attack” work?
A) It disrupts the connection between dependencies
B) It exploits multiple dependencies by injecting malware into one
C) It causes performance issues in package managers
D) It forces a software update rollback
✅ Answer: B) It exploits multiple dependencies by injecting malware into one
💡 Explanation: If an attacker compromises a package, all dependent projects inherit the malicious code, making the attack widespread.
23. Which of the following helps protect against malicious package updates?
A) Allowing auto-updates for all dependencies
B) Using deterministic builds and dependency locking
C) Relying on package maintainers for security patches
D) Avoiding the use of open-source dependencies
✅ Answer: B) Using deterministic builds and dependency locking
💡 Explanation: Dependency locking (e.g., package-lock.json, Pipfile.lock) ensures only approved versions are installed, preventing unintended updates.
24. What is a real-world example of a supply chain attack?
A) WannaCry ransomware
B) SolarWinds Orion attack
C) SQL injection in WordPress
D) Cross-site scripting in Twitter
✅ Answer: B) SolarWinds Orion attack
💡 Explanation: The SolarWinds attack was a sophisticated supply chain attack where a compromised update led to breaches in major organizations.
25. Which of the following is a key principle of Zero Trust security in supply chains?
A) Trust all internal software components
B) Never trust, always verify
C) Use a single security checkpoint
D) Allow unrestricted package installations
✅ Answer: B) Never trust, always verify
💡 Explanation: Zero Trust ensures that every component, even internal dependencies, is verified before use.
26. What does “least privilege” mean in software supply chain security?
A) Granting only necessary access rights
B) Providing developers with full admin privileges
C) Allowing unrestricted access to all dependencies
D) Using a single shared account for all deployments
✅ Answer: A) Granting only necessary access rights
💡 Explanation: Least privilege minimizes risk by restricting access to only what’s needed, reducing attack surfaces.
27. Which organization provides official guidelines for securing the software supply chain?
A) NIST
B) FIFA
C) WHO
D) Facebook
✅ Answer: A) NIST
💡 Explanation: The National Institute of Standards and Technology (NIST) offers guidelines on securing software supply chains.
28. What is the purpose of hashing software dependencies?
A) To improve package download speed
B) To verify package integrity
C) To reduce software licensing costs
D) To encrypt package contents
✅ Answer: B) To verify package integrity
💡 Explanation: Hashing (SHA-256, etc.) ensures that dependencies haven’t been tampered with during transit.
29. Which security framework helps prevent software supply chain attacks?
A) MITRE ATT&CK
B) OWASP Top 10
C) CIS Controls
D) All of the above
✅ Answer: D) All of the above
💡 Explanation: MITRE ATT&CK, OWASP Top 10, and CIS Controls provide guidance on preventing supply chain attacks.
30. What is the risk of not auditing third-party dependencies?
A) Dependency conflicts
B) Increased file size
C) Inclusion of vulnerabilities and backdoors
D) Slower debugging process
✅ Answer: C) Inclusion of vulnerabilities and backdoors
💡 Explanation: Unchecked third-party dependencies might contain security flaws or intentional backdoors.
31. What does SBOM stand for?
A) Software-Based Operation Management
B) Secure Binary Operations Model
C) Software Bill of Materials
D) Systematic Bug Output Management
✅ Answer: C) Software Bill of Materials
💡 Explanation: An SBOM is a structured list of all software components and dependencies, essential for supply chain security.
32. Which security principle ensures that only authorized dependencies are used in a project?
A) Role-Based Access Control (RBAC)
B) Software Bill of Materials (SBOM)
C) Allowlisting
D) Data Encryption
✅ Answer: C) Allowlisting
💡 Explanation: Allowlisting ensures that only pre-approved (trusted) dependencies are installed, reducing the risk of using compromised or malicious libraries.
33. Which command is used to verify installed Python dependencies against a secure requirements file?
A) pip install -U
B) pip install --require-hashes -r requirements.txt
C) npm audit
D) brew install --secure
✅ Answer: B) pip install --require-hashes -r requirements.txt
💡 Explanation: The --require-hashes flag ensures that dependencies match known secure cryptographic hashes, preventing unauthorized modifications.
34. What is an example of a compromised open-source dependency causing a large-scale security breach?
A) Pegasus Spyware
B) Log4Shell (Log4j vulnerability)
C) Shellshock
D) POODLE attack
✅ Answer: B) Log4Shell (Log4j vulnerability)
💡 Explanation: The Log4Shell exploit in Log4j affected millions of applications, proving how dangerous an insecure dependency can be.
35. Which package manager security feature checks for known vulnerabilities in dependencies?
A) npm audit
B) pip install --secure
C) git commit --scan
D) chmod 777
✅ Answer: A) npm audit
💡 Explanation: npm audit scans JavaScript dependencies for known security vulnerabilities and suggests fixes.
36. What is a secure alternative to public repositories for managing software dependencies?
A) Using direct GitHub downloads
B) Implementing private package registries
C) Copying dependencies manually
D) Avoiding dependencies altogether
✅ Answer: B) Implementing private package registries
💡 Explanation: Private registries (e.g., JFrog Artifactory, AWS CodeArtifact, GitHub Packages) reduce exposure to publicly compromised dependencies.
37. Which security measure prevents unauthorized modifications to software artifacts?
A) Digital Signatures
B) Minification
C) Dynamic Linking
D) DNS Spoofing
✅ Answer: A) Digital Signatures
💡 Explanation: Digitally signing software artifacts ensures authenticity and integrity, preventing tampering during distribution.
38. Why is “immutable infrastructure” beneficial in software supply chain security?
A) It prevents developers from writing insecure code
B) It ensures that deployed artifacts cannot be modified after release
C) It speeds up software development cycles
D) It reduces the need for security updates
✅ Answer: B) It ensures that deployed artifacts cannot be modified after release
💡 Explanation: Immutable infrastructure prevents post-deployment tampering, reducing the risk of supply chain attacks.
39. How can organizations verify the integrity of third-party software?
A) By using checksum and hash validation
B) By reading user reviews online
C) By installing from multiple sources
D) By testing the software only once
✅ Answer: A) By using checksum and hash validation
💡 Explanation: Cryptographic hash verification (SHA-256, PGP signatures) ensures that downloaded software is genuine and untampered.
40. Which of the following is a major risk when using CI/CD pipelines without security controls?
A) Faster deployments
B) Unauthorized code injection
C) Increased server uptime
D) Reduced software complexity
✅ Answer: B) Unauthorized code injection
💡 Explanation: Unsecured CI/CD pipelines are vulnerable to code injection, where attackers modify or introduce malicious code during deployment.
41. How can organizations enforce dependency version control?
A) Using dependency locking files (e.g., package-lock.json, Pipfile.lock)
B) Allowing automatic dependency updates
C) Ignoring outdated dependencies
D) Disabling version constraints
✅ Answer: A) Using dependency locking files (e.g., package-lock.json, Pipfile.lock)
💡 Explanation: Dependency locking files ensure that only verified dependency versions are used across different environments.
42. What is “artifact poisoning” in software supply chain security?
A) A process to remove vulnerabilities from dependencies
B) Injecting malicious code into prebuilt software artifacts
C) A technique for making malware undetectable
D) Encrypting dependencies for secure distribution
✅ Answer: B) Injecting malicious code into prebuilt software artifacts
💡 Explanation: Artifact poisoning occurs when attackers inject malicious payloads into software artifacts, compromising entire CI/CD pipelines.
43. What security risk is associated with unsigned third-party software packages?
A) Performance issues
B) Inability to verify authenticity
C) Increased file size
D) Compatibility problems
✅ Answer: B) Inability to verify authenticity
💡 Explanation: Unsigned software packages lack cryptographic proof of their authenticity, making them susceptible to tampering.
44. Why should software supply chains implement multi-factor authentication (MFA)?
A) To reduce dependency vulnerabilities
B) To prevent unauthorized access to repositories
C) To improve software development speed
D) To avoid the need for passwords
✅ Answer: B) To prevent unauthorized access to repositories
💡 Explanation: MFA adds an extra layer of security, making it harder for attackers to compromise developer accounts and repositories.
45. What is a secure practice for managing open-source dependencies?
A) Trusting only well-known libraries without verification
B) Monitoring dependencies for new security advisories
C) Avoiding dependency updates
D) Using trial-and-error to check for security flaws
✅ Answer: B) Monitoring dependencies for new security advisories
💡 Explanation: Continuous monitoring for security advisories (e.g., CVE reports, OWASP alerts) helps developers patch vulnerabilities quickly.
46. How can organizations prevent malicious dependency updates?
A) Using automated dependency approval processes
B) Allowing all updates without verification
C) Manually testing every update
D) Avoiding dependency versioning
✅ Answer: A) Using automated dependency approval processes
💡 Explanation: Automated approval processes (e.g., CI/CD pipeline security checks) ensure only verified updates are allowed.
47. What security risk arises from excessive use of third-party dependencies?
A) Increased development costs
B) Greater attack surface for supply chain exploits
C) Higher software execution speeds
D) Better user experience
✅ Answer: B) Greater attack surface for supply chain exploits
💡 Explanation: The more third-party dependencies a project uses, the greater the risk of an attack through compromised libraries.
48. What role does “package pinning” play in secure software development?
A) It ensures software packages are updated automatically
B) It locks dependency versions to prevent unverified updates
C) It removes unnecessary dependencies
D) It improves package installation speed
✅ Answer: B) It locks dependency versions to prevent unverified updates
💡 Explanation: Package pinning ensures that only specific, tested versions of dependencies are used, preventing accidental upgrades to vulnerable versions.
49. What does “Secure by Design” mean in software supply chain security?
A) Security is added at the final stage of development
B) Security is integrated throughout the entire development lifecycle
C) Security measures are optional
D) Only external software is made secure
✅ Answer: B) Security is integrated throughout the entire development lifecycle
💡 Explanation: Secure by Design means that security is built into the software development process from the start.
50. What should organizations do when a supply chain attack is detected?
A) Continue using the compromised software
B) Patch affected dependencies and notify users
C) Ignore the issue if no immediate damage is seen
D) Permanently shut down all affected systems
✅ Answer: B) Patch affected dependencies and notify users
💡 Explanation: Immediate patching and alerting users helps prevent further exploitation and limits the damage of a supply chain attack.
51. Which security framework provides best practices for securing software supply chains?
A) MITRE ATT&CK
B) NIST Cybersecurity Framework
C) CIS Controls
D) All of the above
✅ Answer: D) All of the above
💡 Explanation: MITRE ATT&CK, NIST, and CIS Controls provide guidance on securing software supply chains, including detecting, preventing, and mitigating attacks.
52. What is a major risk of using code from unverified GitHub repositories?
A) It may not be optimized for performance
B) It could contain malicious backdoors
C) It may increase software licensing fees
D) It may not support all programming languages
✅ Answer: B) It could contain malicious backdoors
💡 Explanation: Unverified GitHub repositories can host malicious or compromised code, allowing attackers to inject backdoors into software.
53. Which tool is commonly used for static analysis of third-party dependencies?
A) Metasploit
B) OWASP Dependency-Check
C) Nessus
D) Wireshark
✅ Answer: B) OWASP Dependency-Check
💡 Explanation: OWASP Dependency-Check scans project dependencies for known vulnerabilities by checking against databases like the NVD (National Vulnerability Database).
54. What is the main function of an automated security scanner in CI/CD pipelines?
A) To detect and patch security vulnerabilities in real time
B) To increase build speed
C) To remove outdated dependencies automatically
D) To monitor network traffic
✅ Answer: A) To detect and patch security vulnerabilities in real time
💡 Explanation: Automated CI/CD security scanners (e.g., Snyk, SonarQube, Dependabot) help detect vulnerabilities before deployment.
55. What is the risk of using hardcoded API keys in open-source software?
A) Slower application response times
B) Potential credential leaks and unauthorized access
C) Increased software licensing costs
D) Reduced application functionality
✅ Answer: B) Potential credential leaks and unauthorized access
💡 Explanation: Hardcoded API keys in open-source projects can be exposed publicly, leading to unauthorized access to sensitive services.
56. What is a “shadow dependency”?
A) A dependency that is explicitly defined in the project’s package manager
B) A hidden dependency that is installed indirectly through another package
C) A backup version of a dependency
D) A redundant dependency
✅ Answer: B) A hidden dependency that is installed indirectly through another package
💡 Explanation: Shadow dependencies are indirectly included dependencies, making them harder to track and secure.
57. How does “Runtime Application Self-Protection (RASP)” help in securing software?
A) It detects and blocks attacks in real-time during software execution
B) It speeds up application runtime
C) It prevents dependency conflicts
D) It removes unused dependencies
✅ Answer: A) It detects and blocks attacks in real-time during software execution
💡 Explanation: RASP continuously monitors applications at runtime, detecting and blocking threats in real time.
58. What is the recommended way to handle deprecated dependencies?
A) Keep using them until an attack occurs
B) Patch them manually without vendor updates
C) Regularly audit and replace them with secure alternatives
D) Remove them only if they cause errors
✅ Answer: C) Regularly audit and replace them with secure alternatives
💡 Explanation: Deprecated dependencies no longer receive security updates, making them vulnerable. Regular audits ensure their timely replacement.
59. What is an “insider threat” in the context of software supply chain security?
A) A cyberattack from a foreign country
B) A malicious or negligent insider (employee, contractor, etc.)
C) A third-party vendor causing software vulnerabilities
D) A software bug introduced unintentionally
✅ Answer: B) A malicious or negligent insider (employee, contractor, etc.)
💡 Explanation: Insider threats occur when employees, contractors, or trusted insiders intentionally or unintentionally compromise security.
60. What does “secure artifact signing” achieve?
A) Encrypts all software dependencies
B) Ensures that only verified and trusted artifacts are used
C) Automatically updates dependencies
D) Enhances software performance
✅ Answer: B) Ensures that only verified and trusted artifacts are used
💡 Explanation: Secure artifact signing uses cryptographic signatures to verify the authenticity and integrity of software packages.
61. How does “least privilege access” help prevent software supply chain attacks?
A) It restricts permissions, limiting potential attack vectors
B) It allows developers to install any dependency
C) It speeds up software development
D) It prevents software updates
✅ Answer: A) It restricts permissions, limiting potential attack vectors
💡 Explanation: Least privilege access ensures that users and processes only have the permissions they need, reducing attack surfaces.
62. What is the primary purpose of a software inventory in supply chain security?
A) To list all developers working on a project
B) To track and monitor all software components, including dependencies
C) To manage CI/CD pipelines
D) To store backup copies of software
✅ Answer: B) To track and monitor all software components, including dependencies
💡 Explanation: Software inventories (SBOMs) help organizations identify all software components used, making it easier to detect vulnerabilities.
63. Why is it risky to use default credentials for software deployment?
A) They may be easily guessed or leaked
B) They make debugging easier
C) They improve software performance
D) They reduce dependency size
✅ Answer: A) They may be easily guessed or leaked
💡 Explanation: Default credentials are a major security risk because they are often widely known or easily brute-forced.
64. What type of attack involves inserting malicious code into a trusted software update?
A) Phishing attack
B) Supply chain attack
C) Social engineering attack
D) Drive-by download
✅ Answer: B) Supply chain attack
💡 Explanation: Supply chain attacks often involve compromising legitimate software updates to spread malware.
65. How can an organization detect malicious code in dependencies before deployment?
A) By performing static code analysis
B) By waiting for users to report security issues
C) By only using dependencies from major repositories
D) By manually inspecting all dependencies
✅ Answer: A) By performing static code analysis
💡 Explanation: Static analysis tools (e.g., SonarQube, Snyk) detect malicious code and vulnerabilities before deployment.
66. What is an “air-gapped” environment?
A) A network that is physically isolated from external connections
B) A cloud-based security solution
C) A software update mechanism
D) A form of encrypted communication
✅ Answer: A) A network that is physically isolated from external connections
💡 Explanation: Air-gapped environments prevent external threats from reaching critical systems, enhancing supply chain security.
67. Which package management practice minimizes exposure to supply chain attacks?
A) Using verified package registries and dependency locking
B) Downloading packages directly from developers’ websites
C) Updating dependencies without checking for vulnerabilities
D) Installing multiple versions of the same package
✅ Answer: A) Using verified package registries and dependency locking
💡 Explanation: Verified registries and dependency locking prevent the use of compromised or unauthorized dependencies.
68. What is the risk of using an open-source package with an inactive maintainer?
A) The package may contain proprietary code
B) The package may have unpatched vulnerabilities
C) It will always cause performance issues
D) It automatically becomes a security risk
✅ Answer: B) The package may have unpatched vulnerabilities
💡 Explanation: Open-source packages with inactive maintainers may have security vulnerabilities that are never patched, making them easy targets for attackers.
69. Which technique helps prevent malware injection in third-party dependencies?
A) Downloading dependencies manually
B) Using content trust and package signing
C) Avoiding all third-party dependencies
D) Keeping software dependencies undocumented
✅ Answer: B) Using content trust and package signing
💡 Explanation: Package signing (e.g., PGP, SHA-256 hashes) ensures that downloaded packages haven’t been tampered with.
70. What is a major risk of using automated dependency resolution in package managers?
A) Dependencies may be upgraded to compromised versions
B) It improves security by enforcing the latest versions
C) It prevents dependency conflicts
D) It always chooses the most secure version available
✅ Answer: A) Dependencies may be upgraded to compromised versions
💡 Explanation: Automatic dependency resolution may unknowingly install a compromised or vulnerable version of a package.
71. How can developers protect software against dependency confusion attacks?
A) Using namespace-scoped private package registries
B) Always installing the latest package versions
C) Using deprecated dependencies
D) Manually inspecting every dependency’s source code
✅ Answer: A) Using namespace-scoped private package registries
💡 Explanation: Namespace-scoped registries prevent attackers from tricking package managers into pulling malicious lookalike packages.
72. What is a “dead dependency”?
A) A package that is rarely updated but still secure
B) A dependency that has been deprecated and no longer maintained
C) A dependency that is explicitly required in the codebase
D) A package with zero security vulnerabilities
✅ Answer: B) A dependency that has been deprecated and no longer maintained
💡 Explanation: Dead dependencies pose security risks because they no longer receive updates or patches, making them potential attack vectors.
73. Which security practice minimizes the risk of “zombie dependencies”?
A) Ignoring dependency update notifications
B) Regularly auditing and removing unused dependencies
C) Keeping all dependencies on the latest beta versions
D) Disabling security scanning tools
✅ Answer: B) Regularly auditing and removing unused dependencies
💡 Explanation: Zombie dependencies are outdated or unused packages that increase security risks. Regular audits help identify and remove them.
74. How can a software supply chain attack be executed through “dependency shadowing”?
A) By publishing a malicious package with a similar name to an existing dependency
B) By encrypting software dependencies
C) By restricting dependency access controls
D) By updating dependencies to their latest versions
✅ Answer: A) By publishing a malicious package with a similar name to an existing dependency
💡 Explanation: Dependency shadowing is a supply chain attack where attackers upload malicious packages with names similar to trusted dependencies.
75. What is an effective way to monitor for compromised dependencies?
A) Using automated security scanners like Snyk or Dependabot
B) Trusting all dependencies from major open-source communities
C) Allowing any developer to install dependencies without review
D) Using only closed-source software
✅ Answer: A) Using automated security scanners like Snyk or Dependabot
💡 Explanation: Automated dependency scanners regularly check for vulnerabilities and recommend updates, helping prevent supply chain attacks.
76. Why is it important to track indirect dependencies in software projects?
A) Indirect dependencies never contain vulnerabilities
B) Attackers can inject malicious code through transitive dependencies
C) Direct dependencies are more important than indirect ones
D) They don’t affect the security of an application
✅ Answer: B) Attackers can inject malicious code through transitive dependencies
💡 Explanation: Transitive (indirect) dependencies are automatically included by other packages, and attackers can exploit them to insert malicious code.
77. Which attack occurs when an attacker gains control of a legitimate package maintainer’s account?
A) SQL injection
B) Package hijacking
C) Clickjacking
D) Brute force attack
✅ Answer: B) Package hijacking
💡 Explanation: Package hijacking occurs when an attacker takes control of a package maintainer’s account and injects malicious updates.
78. How does a “supply chain poisoning” attack work?
A) By injecting malicious code into legitimate dependencies or software updates
B) By encrypting all source code in the supply chain
C) By attacking the end-user instead of the supply chain
D) By disabling security monitoring in the supply chain
✅ Answer: A) By injecting malicious code into legitimate dependencies or software updates
💡 Explanation: Supply chain poisoning involves injecting malicious payloads into trusted software dependencies, leading to widespread infections.
79. Which security principle ensures that only verified and approved dependencies are used in a project?
A) Dependency allowlisting
B) Dependency blacklisting
C) Open-source software adoption
D) Using the latest software versions without verification
✅ Answer: A) Dependency allowlisting
💡 Explanation: Allowlisting only trusted dependencies prevents developers from accidentally installing malicious or compromised packages.
80. What is the role of “secure coding practices” in preventing supply chain attacks?
A) They reduce the likelihood of introducing vulnerabilities through dependencies
B) They ensure software runs faster
C) They eliminate the need for security testing
D) They replace security patches
✅ Answer: A) They reduce the likelihood of introducing vulnerabilities through dependencies
💡 Explanation: Secure coding practices help identify and mitigate risks from software supply chain attacks, reducing dependency vulnerabilities.
81. What is a “rogue developer attack” in software supply chains?
A) When an attacker gains access to the build server
B) When a developer intentionally injects malicious code into a project
C) When a developer unintentionally commits vulnerable code
D) When a developer is locked out of their account
✅ Answer: B) When a developer intentionally injects malicious code into a project
💡 Explanation: A rogue developer may introduce malicious code into a software project, either as an insider threat or due to a compromised developer account.
82. What is “certificate pinning” in securing software updates?
A) A method to cache software updates for faster installation
B) A security mechanism that enforces trusted certificates for software updates
C) A process for automatically renewing SSL certificates
D) A technique to hide software dependencies
✅ Answer: B) A security mechanism that enforces trusted certificates for software updates
💡 Explanation: Certificate pinning ensures that only specific, trusted certificates are used to verify software updates, preventing man-in-the-middle (MITM) attacks.
83. How does “vendor risk assessment” improve software supply chain security?
A) It forces vendors to release all source code
B) It evaluates vendors for security compliance and potential risks
C) It ensures all vendors use the same programming language
D) It prevents developers from using any third-party software
✅ Answer: B) It evaluates vendors for security compliance and potential risks
💡 Explanation: Vendor risk assessments help identify security vulnerabilities in third-party vendors, reducing the risk of supply chain attacks.
84. What is a “package injection attack”?
A) An attack where an attacker injects malicious code into a trusted software package
B) A method to speed up dependency resolution
C) A technique for optimizing software packaging
D) A way to remove unused dependencies
✅ Answer: A) An attack where an attacker injects malicious code into a trusted software package
💡 Explanation: Package injection attacks occur when attackers modify legitimate software packages to include malicious code, often targeting open-source repositories.
85. How can organizations detect unauthorized changes in dependencies?
A) By using checksum verification and digital signatures
B) By checking user reviews online
C) By manually inspecting package metadata
D) By using outdated software intentionally
✅ Answer: A) By using checksum verification and digital signatures
💡 Explanation: Cryptographic checksums (SHA-256, PGP signatures) ensure that dependencies haven’t been altered or tampered with.
86. What is a “build system compromise” in the software supply chain?
A) An attack where the build environment is compromised to insert malicious code
B) A process to enhance build efficiency
C) A technique to speed up software compilation
D) A vulnerability that only affects cloud-based software
✅ Answer: A) An attack where the build environment is compromised to insert malicious code
💡 Explanation: Attackers may compromise CI/CD pipelines to inject malicious code into software builds before distribution.
87. Why is role-based access control (RBAC) important in software supply chain security?
A) It prevents developers from writing insecure code
B) It ensures least privilege access to critical software components
C) It speeds up dependency resolution
D) It removes unnecessary software dependencies
✅ Answer: B) It ensures least privilege access to critical software components
💡 Explanation: RBAC enforces least privilege principles, ensuring that only authorized users can modify software dependencies and repositories.
88. What is “end-to-end encryption” in the context of securing software updates?
A) Encrypting source code before deployment
B) Encrypting software update files during transmission
C) A way to minimize software execution time
D) A technique to compress software updates
✅ Answer: B) Encrypting software update files during transmission
💡 Explanation: End-to-end encryption (E2EE) ensures that software updates remain protected from tampering during transmission.
89. How can organizations detect if an open-source library has been compromised?
A) By monitoring vulnerability databases (e.g., CVE, NVD)
B) By trusting all major open-source repositories
C) By disabling security scanners
D) By only using older versions of dependencies
✅ Answer: A) By monitoring vulnerability databases (e.g., CVE, NVD)
💡 Explanation: Regularly checking vulnerability databases helps organizations identify security flaws in open-source libraries.
90. What is the primary benefit of using a Software Bill of Materials (SBOM)?
A) It speeds up software compilation
B) It provides visibility into all components in a software system
C) It enhances user experience
D) It removes the need for security patches
✅ Answer: B) It provides visibility into all components in a software system
💡 Explanation: SBOM lists all software components, making it easier to track dependencies and detect security vulnerabilities.
91. What is a “dependency chain vulnerability”?
A) A vulnerability that only exists in direct dependencies
B) A vulnerability introduced through indirect or transitive dependencies
C) A vulnerability affecting package managers
D) A technique for updating dependencies faster
✅ Answer: B) A vulnerability introduced through indirect or transitive dependencies
💡 Explanation: Dependency chain vulnerabilities occur when a package indirectly includes a vulnerable or malicious dependency, often unnoticed by developers.
92. How can organizations protect against “watering hole attacks” in software supply chains?
A) By installing all updates automatically
B) By monitoring trusted software repositories for compromise
C) By avoiding open-source software
D) By disabling network access for developers
✅ Answer: B) By monitoring trusted software repositories for compromise
💡 Explanation: Watering hole attacks target trusted sources, such as software repositories, to distribute malware to unsuspecting users.
93. Why is verifying third-party dependencies critical in secure development?
A) They always contain security flaws
B) They may introduce malicious code or vulnerabilities
C) They slow down software performance
D) They cannot be trusted under any circumstances
✅ Answer: B) They may introduce malicious code or vulnerabilities
💡 Explanation: Third-party dependencies can introduce security risks if not verified, making it essential to audit and monitor them.
94. What is a “vulnerability disclosure program” (VDP) in software security?
A) A way to hide software vulnerabilities
B) A program allowing researchers to report security flaws responsibly
C) A feature of package managers
D) A security mechanism used for software encryption
✅ Answer: B) A program allowing researchers to report security flaws responsibly
💡 Explanation: VDPs encourage security researchers to report vulnerabilities ethically, helping organizations fix issues before exploitation.
95. Which of the following ensures secure software distribution?
A) Code signing and digital signatures
B) Open-source software licensing
C) Using only enterprise software
D) Automatic software updates without verification
✅ Answer: A) Code signing and digital signatures
💡 Explanation: Digital signatures and code signing verify that software has not been tampered with during distribution.
96. What is the impact of a “man-in-the-middle attack” on software supply chains?
A) It improves dependency security
B) It allows attackers to intercept and modify software updates
C) It speeds up software installation
D) It only affects cloud services
✅ Answer: B) It allows attackers to intercept and modify software updates
💡 Explanation: MITM attacks can allow attackers to alter software updates and inject malicious code into a software supply chain.
97. How does “access control” help prevent supply chain attacks?
A) By ensuring only authorized users can modify dependencies
B) By restricting internet access
C) By slowing down software updates
D) By preventing users from installing any software
✅ Answer: A) By ensuring only authorized users can modify dependencies
💡 Explanation: Strict access control policies limit who can publish, update, or modify dependencies, preventing unauthorized changes.
98. What is an “N-day vulnerability”?
A) A vulnerability with a known patch, but still exploited
B) A vulnerability that affects only new software
C) A vulnerability that no longer exists
D) A coding error that slows down software
✅ Answer: A) A vulnerability with a known patch, but still exploited
💡 Explanation: N-day vulnerabilities are publicly known but not yet patched in many systems, making them attractive to attackers.
99. How does “immutable infrastructure” enhance software supply chain security?
A) By preventing unauthorized modifications after deployment
B) By allowing faster software updates
C) By reducing software licensing costs
D) By making debugging easier
✅ Answer: A) By preventing unauthorized modifications after deployment
💡 Explanation: Immutable infrastructure ensures that once software is deployed, it cannot be altered, reducing supply chain attack risks.
100. What is the role of a “security champion” in DevSecOps?
A) A developer who advocates for security best practices in the development team
B) A penetration tester who hacks software
C) A security officer who only works on compliance
D) A software engineer who does not focus on security
✅ Answer: A) A developer who advocates for security best practices in the development team
💡 Explanation: A security champion ensures that security is prioritized throughout the software development lifecycle.
101. What is the primary purpose of “content trust” in package managers?
A) To improve package installation speed
B) To verify the authenticity and integrity of software packages
C) To ensure that dependencies are always up to date
D) To reduce software dependency size
✅ Answer: B) To verify the authenticity and integrity of software packages
💡 Explanation: Content trust ensures that software packages come from trusted sources and haven’t been tampered with, preventing supply chain attacks.
102. How can developers ensure the security of open-source dependencies?
A) By using automated dependency scanning tools
B) By relying on package maintainers for security updates
C) By manually checking the source code of every package
D) By always using the latest available versions
✅ Answer: A) By using automated dependency scanning tools
💡 Explanation: Tools like Snyk, OWASP Dependency-Check, and GitHub Dependabot help detect vulnerabilities in open-source dependencies.
103. What is a “backdoored dependency”?
A) A dependency that contains hidden malicious code
B) A dependency that has reached its end-of-life
C) A package that has been optimized for performance
D) A dependency that has been deprecated
✅ Answer: A) A dependency that contains hidden malicious code
💡 Explanation: Backdoored dependencies include hidden malicious code, allowing attackers to execute unauthorized actions within software.
104. What is “Artifact Attestation” in secure software supply chains?
A) A process for verifying the authenticity of software artifacts
B) A method for generating secure encryption keys
C) A technique for increasing software execution speed
D) A tool for tracking software licensing
✅ Answer: A) A process for verifying the authenticity of software artifacts
💡 Explanation: Artifact attestation ensures that software artifacts (e.g., builds, binaries) are securely signed and verified, preventing tampering.
105. Why is “continuous dependency monitoring” critical in software security?
A) It allows automatic updates for all software components
B) It helps detect vulnerabilities in dependencies over time
C) It improves software execution speed
D) It eliminates the need for software testing
✅ Answer: B) It helps detect vulnerabilities in dependencies over time
💡 Explanation: Continuous monitoring helps identify new vulnerabilities in existing dependencies, reducing supply chain attack risks.
106. What is a “malicious package takeover”?
A) When an attacker gains control of a legitimate package and injects malware
B) When a package is accidentally deleted from a repository
C) When a package manager updates a dependency incorrectly
D) When developers remove an outdated package
✅ Answer: A) When an attacker gains control of a legitimate package and injects malware
💡 Explanation: Attackers can take over legitimate package maintainers’ accounts, push malicious updates, and compromise thousands of systems.
107. What does “Immutable Builds” mean in securing CI/CD pipelines?
A) Builds that cannot be modified after creation
B) Builds that execute twice for security verification
C) Builds that run faster than mutable builds
D) Builds that require manual approval for execution
✅ Answer: A) Builds that cannot be modified after creation
💡 Explanation: Immutable builds prevent post-build tampering, ensuring that the software remains secure from build to deployment.
108. Why should organizations enforce multi-factor authentication (MFA) for package repository accounts?
A) To slow down unauthorized access attempts
B) To prevent account takeovers and unauthorized package modifications
C) To allow multiple users to share an account securely
D) To reduce the time required for software deployment
✅ Answer: B) To prevent account takeovers and unauthorized package modifications
💡 Explanation: MFA adds an extra layer of security, making it significantly harder for attackers to compromise developer accounts and manipulate repositories.
109. How does “digital supply chain risk management” help organizations?
A) By identifying, assessing, and mitigating risks associated with software dependencies
B) By automatically updating dependencies without security checks
C) By allowing software to be deployed faster
D) By reducing software testing requirements
✅ Answer: A) By identifying, assessing, and mitigating risks associated with software dependencies
💡 Explanation: Digital supply chain risk management helps organizations proactively detect and mitigate security risks in third-party dependencies.
110. What is the best way to ensure the security of software artifacts?
A) By enabling cryptographic signing and verification for all artifacts
B) By storing them in cloud-based repositories without access control
C) By allowing developers to modify artifacts after deployment
D) By removing all metadata from artifacts
✅ Answer: A) By enabling cryptographic signing and verification for all artifacts
💡 Explanation: Cryptographic signing ensures that software artifacts are authentic and untampered, preventing supply chain attacks.
111. What is a “dependency lockfile,” and why is it important for security?
A) A file that locks unauthorized users out of the dependency list
B) A file that ensures the same package versions are installed across environments
C) A file that encrypts dependencies before installation
D) A file that speeds up software execution
✅ Answer: B) A file that ensures the same package versions are installed across environments
💡 Explanation: Dependency lockfiles (e.g., package-lock.json, Pipfile.lock) prevent package managers from installing unintended versions, reducing the risk of dependency hijacking or unexpected vulnerabilities.
112. What is a “Secure Software Development Lifecycle (SSDLC)”?
A) A framework that integrates security practices into every phase of software development
B) A method for accelerating software delivery
C) A way to reduce the size of software dependencies
D) A process to ensure software is always open source
✅ Answer: A) A framework that integrates security practices into every phase of software development
💡 Explanation: SSDLC ensures that security is embedded throughout planning, development, testing, deployment, and maintenance, reducing the risk of software supply chain attacks.
113. How does “attack surface reduction” improve supply chain security?
A) It minimizes the number of components that can be targeted by attackers
B) It prevents unauthorized software updates
C) It speeds up software installation
D) It reduces the size of application logs
✅ Answer: A) It minimizes the number of components that can be targeted by attackers
💡 Explanation: Reducing the attack surface by removing unused dependencies, limiting access, and enforcing security controls makes it harder for attackers to exploit vulnerabilities.
114. Why is “zero trust architecture” important in securing software supply chains?
A) It assumes no entity is automatically trusted, enforcing continuous verification
B) It allows developers to disable authentication for faster access
C) It guarantees that software is completely free from vulnerabilities
D) It eliminates the need for dependency security audits
✅ Answer: A) It assumes no entity is automatically trusted, enforcing continuous verification
💡 Explanation: Zero trust principles ensure that all components, users, and dependencies are continuously verified, reducing the risk of unauthorized access and supply chain attacks.
115. What is “software provenance,” and why is it important in supply chain security?
A) The process of tracking the origin and history of software components
B) A method of improving software performance
C) A technique for encrypting open-source software
D) A way to increase software licensing costs
✅ Answer: A) The process of tracking the origin and history of software components
💡 Explanation: Software provenance ensures that organizations know where software components come from, who developed them, and whether they have been tampered with, helping to prevent supply chain attacks.
116. What is a “reproducible build,” and how does it enhance security?
A) A build process that ensures identical output when using the same source code
B) A method of compressing build artifacts
C) A feature of software licensing
D) A technique for obfuscating security logs
✅ Answer: A) A build process that ensures identical output when using the same source code
💡 Explanation: Reproducible builds prevent malicious build-time modifications by ensuring that compiled software is identical across different environments, increasing trust in the build process.
117. Why is “privileged access management (PAM)” important in securing software repositories?
A) It restricts who can modify and publish software artifacts
B) It speeds up dependency resolution
C) It reduces network traffic
D) It allows all developers to have administrative access
✅ Answer: A) It restricts who can modify and publish software artifacts
💡 Explanation: PAM ensures that only authorized individuals have access to critical software repositories, reducing the risk of insider threats and unauthorized modifications.
118. How does “container image signing” enhance security in the software supply chain?
A) It verifies that container images have not been tampered with
B) It speeds up container execution
C) It improves container networking
D) It ensures containers do not contain vulnerabilities
✅ Answer: A) It verifies that container images have not been tampered with
💡 Explanation: Container image signing (e.g., using Notary, Sigstore, or Cosign) ensures that container images come from trusted sources and haven’t been modified by attackers.
119. What is “secure boot” in the context of software supply chains?
A) A security feature that ensures only trusted software runs on a system
B) A process for accelerating software startup
C) A method for encrypting software packages
D) A way to disable software updates
✅ Answer: A) A security feature that ensures only trusted software runs on a system
💡 Explanation: Secure boot ensures that only digitally signed and verified software components are loaded during system startup, preventing tampered software from executing.
120. What is the role of “vulnerability intelligence feeds” in supply chain security?
A) They provide real-time alerts on new vulnerabilities affecting software dependencies
B) They increase the complexity of software deployment
C) They eliminate the need for dependency management
D) They reduce software testing requirements
✅ Answer: A) They provide real-time alerts on new vulnerabilities affecting software dependencies
💡 Explanation: Vulnerability intelligence feeds (e.g., CVE databases, NVD, GitHub Security Alerts) help organizations stay informed about emerging security threats and patches.
121. What is the main benefit of using “package mirroring” in software supply chains?
A) It reduces reliance on external package repositories and increases security
B) It improves the graphical user interface of software
C) It speeds up dependency resolution without security benefits
D) It allows software to run without dependencies
✅ Answer: A) It reduces reliance on external package repositories and increases security
💡 Explanation: Package mirroring helps prevent supply chain attacks by hosting a local copy of trusted dependencies, reducing the risk of using compromised external sources.
122. What is “binary transparency,” and why is it important in securing software supply chains?
A) A technique that ensures software binaries are verified against their source code
B) A method for compressing software binaries
C) A feature used only for debugging applications
D) A way to improve software execution speed
✅ Answer: A) A technique that ensures software binaries are verified against their source code
💡 Explanation: Binary transparency helps ensure that software binaries match their expected source code, preventing malicious modifications.
123. What is an “exploit chain” in the context of software supply chain attacks?
A) A series of vulnerabilities that attackers exploit together to gain control
B) A way to speed up software compilation
C) A technique to improve dependency resolution
D) A method to distribute open-source software
✅ Answer: A) A series of vulnerabilities that attackers exploit together to gain control
💡 Explanation: Exploit chains allow attackers to combine multiple vulnerabilities in dependencies or build systems to escalate their attack.
124. Why is “source composition analysis (SCA)” important in securing software supply chains?
A) It identifies and tracks open-source components and vulnerabilities
B) It increases the performance of software
C) It reduces software licensing costs
D) It removes unused code from software packages
✅ Answer: A) It identifies and tracks open-source components and vulnerabilities
💡 Explanation: SCA tools (e.g., OWASP Dependency-Check, Snyk) help detect security flaws, outdated packages, and compliance issues in third-party dependencies.
125. What is a “trusted execution environment (TEE)” in software security?
A) A secure area of a system that ensures safe execution of critical applications
B) A feature that increases system performance
C) A cloud-based security mechanism
D) A software licensing tool
✅ Answer: A) A secure area of a system that ensures safe execution of critical applications
💡 Explanation: TEE isolates and protects sensitive operations, preventing malware or attackers from tampering with critical software functions.
126. How does “automated threat modeling” help secure software supply chains?
A) It identifies and mitigates risks in software dependencies before deployment
B) It speeds up software execution
C) It removes all dependencies from the software
D) It ensures that all software is open source
✅ Answer: A) It identifies and mitigates risks in software dependencies before deployment
💡 Explanation: Threat modeling tools (e.g., Microsoft Threat Modeling Tool, OWASP Threat Dragon) help identify risks and suggest mitigations in software supply chains.
127. Why is “ephemeral build environments” a security best practice?
A) It ensures that each build starts from a clean, uncompromised state
B) It speeds up software updates
C) It allows developers to bypass authentication
D) It increases software execution speed
✅ Answer: A) It ensures that each build starts from a clean, uncompromised state
💡 Explanation: Ephemeral (temporary) build environments prevent persistent threats from affecting the software build process, reducing the risk of supply chain attacks.
128. What is “Just-in-Time (JIT) access control,” and how does it improve software security?
A) It grants access to critical systems only when needed and revokes it immediately after
B) It improves the performance of security logs
C) It removes vulnerabilities from outdated dependencies
D) It allows unrestricted access to all developers
✅ Answer: A) It grants access to critical systems only when needed and revokes it immediately after
💡 Explanation: JIT access control minimizes attack exposure by limiting access to sensitive systems, ensuring that privileges are granted only when necessary.
129. How does “dependency obsolescence tracking” improve software security?
A) It alerts developers when dependencies are outdated or no longer maintained
B) It speeds up software updates
C) It allows developers to bypass security checks
D) It removes all software dependencies automatically
✅ Answer: A) It alerts developers when dependencies are outdated or no longer maintained
💡 Explanation: Tracking obsolete dependencies ensures that vulnerable and unmaintained components are replaced with secure alternatives, reducing the risk of supply chain attacks.
130. What is the role of “continuous integration/continuous deployment (CI/CD) security checks” in software supply chain protection?
A) They automate security scans and enforce security policies in the build pipeline
B) They improve network performance
C) They allow software to be deployed without authentication
D) They increase dependency update frequency
✅ Answer: A) They automate security scans and enforce security policies in the build pipeline
💡 Explanation: CI/CD security checks (e.g., static analysis, artifact signing, dependency scanning) help detect vulnerabilities before software is deployed, preventing supply chain attacks.
131. What is “repository access control,” and how does it help prevent supply chain attacks?
A) A method to limit who can publish, modify, or download software packages
B) A way to increase software download speeds
C) A feature that automatically updates dependencies
D) A technique to encrypt all software files
✅ Answer: A) A method to limit who can publish, modify, or download software packages
💡 Explanation: Restricting repository access prevents unauthorized changes to software artifacts, reducing the risk of malicious package injection.
132. Why is “time-based access control” a good security practice for developers working with sensitive dependencies?
A) It ensures developers have access only for a limited time, reducing exposure to attacks
B) It speeds up dependency resolution
C) It increases the availability of software repositories
D) It removes the need for authentication in software supply chains
✅ Answer: A) It ensures developers have access only for a limited time, reducing exposure to attacks
💡 Explanation: Time-based access control (e.g., Just-in-Time (JIT) access) minimizes the window of opportunity for attackers to exploit compromised credentials.
133. What is “software chain of custody,” and why is it important?
A) A record of all software components and changes throughout its lifecycle
B) A method for encrypting software dependencies
C) A way to speed up software execution
D) A tool for improving software licensing
✅ Answer: A) A record of all software components and changes throughout its lifecycle
💡 Explanation: Maintaining a chain of custody ensures software integrity, tracking all modifications, contributors, and dependencies to detect unauthorized changes.
134. How does “threat intelligence sharing” enhance supply chain security?
A) It allows organizations to share information on emerging supply chain threats
B) It increases software execution speed
C) It removes vulnerabilities automatically
D) It prevents all forms of cyberattacks
✅ Answer: A) It allows organizations to share information on emerging supply chain threats
💡 Explanation: Sharing threat intelligence with cybersecurity communities (e.g., ISACs, CVE databases) helps organizations identify and mitigate supply chain risks early.
135. What is “Artifact Lifecycle Management” in secure software development?
A) A process to track and secure software artifacts from creation to deployment
B) A technique to speed up software compilation
C) A method for storing outdated dependencies
D) A tool for managing software licenses
✅ Answer: A) A process to track and secure software artifacts from creation to deployment
💡 Explanation: Artifact Lifecycle Management ensures that software builds are properly versioned, secured, and verified to prevent supply chain attacks.
136. What is “exploit prevention” in the context of software supply chain security?
A) Techniques to proactively block software vulnerabilities from being exploited
B) A way to speed up software installation
C) A method to improve UI/UX design
D) A process to increase software licensing fees
β Answer: A) Techniques to proactively block software vulnerabilities from being exploited
π‘ Explanation: Exploit prevention techniques (e.g., sandboxing, memory protection, access controls) reduce the risk of supply chain vulnerabilities being weaponized.
137. How do “transparency logs” help improve software supply chain security?
A) They record all actions taken on a software package to detect unauthorized modifications
B) They help encrypt software updates
C) They prevent dependency conflicts
D) They reduce software execution time
β Answer: A) They record all actions taken on a software package to detect unauthorized modifications
π‘ Explanation: Transparency logs (e.g., Sigstore's Rekor, or Google's Binary Transparency) are append-only, tamper-evident records of signatures and attestations. Because entries cannot be silently removed or altered, a consumer can check that an artifact's signature was publicly logged before trusting it; a signature that is missing from the log, or a log whose history has been rewritten, is itself evidence of compromise.
138. What is the importance of “multi-layered security” in software supply chains?
A) It combines multiple security controls to protect software at different stages
B) It speeds up software execution
C) It prevents all cyberattacks automatically
D) It removes the need for security updates
β Answer: A) It combines multiple security controls to protect software at different stages
π‘ Explanation: Multi-layered security involves secure coding, dependency scanning, access control, monitoring, and response mechanisms to protect the software supply chain.
139. What is the best way to prevent “dependency substitution attacks”?
A) Using cryptographic signing and namespace scoping for dependencies
B) Manually checking every package update
C) Only using dependencies from the largest repositories
D) Avoiding all third-party dependencies
β Answer: A) Using cryptographic signing and namespace scoping for dependencies
π‘ Explanation: Cryptographic signatures and namespace scoping ensure that only trusted dependencies are used, preventing attackers from injecting substituted malicious versions.
140. Why should software organizations implement “least privilege access” in CI/CD pipelines?
A) To limit the risk of unauthorized changes to software dependencies
B) To speed up deployment
C) To allow all developers unrestricted access to repositories
D) To eliminate the need for authentication in software pipelines
β Answer: A) To limit the risk of unauthorized changes to software dependencies
π‘ Explanation: Least privilege access ensures that users and processes only have the permissions necessary to perform their tasks, reducing the risk of malicious or accidental modifications to software dependencies.
141. What is “Secure Software Attestation” in the context of software supply chains?
A) A process that proves software components are genuine and untampered
B) A method of improving software execution speed
C) A technique for reducing software size
D) A process for encrypting network traffic
β Answer: A) A process that proves software components are genuine and untampered
π‘ Explanation: Secure software attestation verifies that software components and dependencies are from trusted sources and have not been altered.
142. How does “Continuous Threat Modeling” enhance software supply chain security?
A) It regularly assesses potential risks in the development pipeline
B) It allows software developers to work without security constraints
C) It speeds up software deployment
D) It removes the need for dependency verification
β Answer: A) It regularly assesses potential risks in the development pipeline
π‘ Explanation: Continuous threat modeling ensures that new threats are constantly evaluated and mitigated, preventing supply chain vulnerabilities.
143. What is the function of a “repository integrity check” in package management?
A) To verify that all software packages in a repository are authentic and untampered
B) To improve repository search speeds
C) To allow automatic package installation without verification
D) To remove old versions of software packages
β Answer: A) To verify that all software packages in a repository are authentic and untampered
π‘ Explanation: Repository integrity checks ensure that malicious or unauthorized changes to software packages are detected and prevented.
144. Why is “just-in-time (JIT) privilege escalation” considered risky in software development?
A) Attackers could exploit JIT privileges to gain temporary elevated access
B) It prevents developers from using necessary tools
C) It slows down software development
D) It forces unnecessary security updates
β Answer: A) Attackers could exploit JIT privileges to gain temporary elevated access
π‘ Explanation: JIT access itself reduces standing privilege (see the earlier question on time-based access), but the elevation path becomes a target. If grants can be self-approved, are scoped too broadly, or stay active longer than the task needs, an attacker who has compromised a developer identity can request the same temporary elevation. JIT should be paired with MFA, an independent approver, narrow scopes, short windows, and a log of every grant.
145. What is the best way to prevent “malicious dependency updates” in CI/CD pipelines?
A) By implementing automated dependency verification and version locking
B) By trusting all package maintainers
C) By only using dependencies from public repositories
D) By allowing all developers to update dependencies freely
β Answer: A) By implementing automated dependency verification and version locking
π‘ Explanation: Automated dependency verification tools ensure that only secure and verified versions of dependencies are used in the CI/CD pipeline.
146. What is the main security risk associated with “dependency sprawl”?
A) More dependencies increase the attack surface for supply chain attacks
B) It slows down software execution
C) It makes debugging more difficult
D) It increases software licensing costs
β Answer: A) More dependencies increase the attack surface for supply chain attacks
π‘ Explanation: Dependency sprawl occurs when software relies on too many third-party components, increasing the risk of supply chain vulnerabilities.
147. How can organizations detect unauthorized changes in build artifacts?
A) By using cryptographic hashing and artifact integrity monitoring
B) By manually inspecting every file
C) By only using closed-source software
D) By avoiding software updates
β Answer: A) By using cryptographic hashing and artifact integrity monitoring
π‘ Explanation: Cryptographic hashes (e.g., SHA-256) and artifact monitoring tools can detect unauthorized modifications in software builds.
148. What is “Rollback Protection” in software update security?
A) A security feature that prevents reverting to vulnerable software versions
B) A method for increasing software execution speed
C) A way to automate software installation
D) A feature that removes outdated dependencies
β Answer: A) A security feature that prevents reverting to vulnerable software versions
π‘ Explanation: Rollback protection ensures that attackers cannot force a system to downgrade to an older, vulnerable version of software.
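The check behind rollback protection is small but easy to get wrong: a downgrade must be refused even when the offered package carries a valid publisher signature, because a signature proves origin, not freshness. The following Go program is an added example written for this page, not code from any real updater. It assumes a simple MAJOR.MINOR.PATCH version format and a persisted `UpdateState` that records both the installed version and a publisher-supplied minimum (the way TUF-style signed metadata carries a version floor); both are illustrative assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a MAJOR.MINOR.PATCH triple (assumed format for this example).
type Version [3]int

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) }

// ParseVersion parses "1.2.3" (an optional leading "v" is tolerated) and
// rejects anything that does not have exactly three non-negative components,
// so a malformed version string can never compare as "newer".
func ParseVersion(s string) (Version, error) {
	var v Version
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("bad version %q: want MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q: component %q", s, p)
		}
		v[i] = n
	}
	return v, nil
}

// Less reports whether v is strictly older than w (numeric, not lexical,
// so 1.9.9 is older than 1.10.0).
func (v Version) Less(w Version) bool {
	for i := 0; i < 3; i++ {
		if v[i] != w[i] {
			return v[i] < w[i]
		}
	}
	return false
}

// UpdateState is the client's persisted state: the version it is running and
// the lowest version the publisher still considers acceptable. Both must be
// stored where an attacker who controls the update channel cannot edit them.
type UpdateState struct {
	Installed  Version
	MinAllowed Version
}

// CheckUpdate decides whether an offered version may be installed. Signature
// verification is assumed to have happened already; this check refuses an
// older build regardless of how well it is signed.
func (s UpdateState) CheckUpdate(offered string) (Version, error) {
	v, err := ParseVersion(offered)
	if err != nil {
		return v, err
	}
	if v.Less(s.Installed) {
		return v, fmt.Errorf("rollback refused: %s is older than installed %s", offered, s.Installed)
	}
	if v.Less(s.MinAllowed) {
		return v, fmt.Errorf("rollback refused: %s is below publisher minimum %s", offered, s.MinAllowed)
	}
	return v, nil
}

func main() {
	state := UpdateState{Installed: Version{2, 4, 1}, MinAllowed: Version{2, 3, 0}}
	for _, offered := range []string{"2.5.0", "2.4.1", "2.4.0", "2.2.9", "2.9"} {
		if _, err := state.CheckUpdate(offered); err != nil {
			fmt.Println("REFUSE", offered+":", err)
		} else {
			fmt.Println("ACCEPT", offered)
		}
	}
}
```

Re-installing the currently installed version is allowed (it is not a downgrade), while anything older than either the installed version or the publisher's floor is refused; the second rule lets a publisher retire a version that is still newer than what some clients run.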
149. What is the primary goal of a “Supply Chain Risk Management (SCRM)” strategy?
A) To identify, assess, and mitigate security risks in software supply chains
B) To improve the speed of software updates
C) To reduce the cost of software development
D) To remove all third-party dependencies
β Answer: A) To identify, assess, and mitigate security risks in software supply chains
π‘ Explanation: SCRM ensures that organizations proactively monitor and address supply chain security threats.
150. How can “container scanning” improve supply chain security?
A) It identifies vulnerabilities in containerized applications and dependencies
B) It removes the need for security testing
C) It speeds up container deployment
D) It reduces software licensing costs
β Answer: A) It identifies vulnerabilities in containerized applications and dependencies
π‘ Explanation: Container scanning tools (e.g., Trivy, Clair, Anchore) analyze container images for vulnerabilities in dependencies before deployment.
151. What is a “dependency attack vector” in a software supply chain?
A) A method attackers use to exploit weaknesses in third-party dependencies
B) A technique to improve software licensing
C) A way to speed up dependency installation
D) A feature used only in proprietary software
β Answer: A) A method attackers use to exploit weaknesses in third-party dependencies
π‘ Explanation: Dependency attack vectors include techniques like dependency confusion, typosquatting, and package hijacking, where attackers exploit software supply chain vulnerabilities.
152. How can “Code Integrity Verification” prevent supply chain attacks?
A) By ensuring that software code has not been tampered with before execution
B) By increasing the software execution speed
C) By allowing software to update automatically
D) By reducing software size
β Answer: A) By ensuring that software code has not been tampered with before execution
π‘ Explanation: Code Integrity Verification uses cryptographic signatures and hashing to ensure that software has not been altered by malicious actors.
153. What is the role of “trusted signing keys” in secure software distribution?
A) They verify the authenticity of software packages before installation
B) They improve software performance
C) They allow software to run faster on cloud platforms
D) They eliminate the need for dependency management
β Answer: A) They verify the authenticity of software packages before installation
π‘ Explanation: Trusted signing keys ensure that software updates and dependencies are from legitimate sources, preventing malicious tampering.
154. What is a major risk of “open-source package dependencies”?
A) Attackers can inject malicious code into widely used open-source packages
B) They always contain security vulnerabilities
C) They slow down software development
D) They cannot be used in commercial applications
β Answer: A) Attackers can inject malicious code into widely used open-source packages
π‘ Explanation: Malicious actors can target open-source projects to insert backdoors, trojans, or other exploits into widely used libraries.
155. How does “Immutable Infrastructure” protect software supply chains?
A) By ensuring deployed infrastructure cannot be changed after deployment
B) By making software updates faster
C) By reducing dependency management complexity
D) By allowing automatic software rollback
β Answer: A) By ensuring deployed infrastructure cannot be changed after deployment
π‘ Explanation: Immutable Infrastructure prevents unauthorized modifications after deployment, reducing the risk of supply chain compromise.
156. What is the purpose of “API Access Controls” in supply chain security?
A) To restrict who can access and modify API-driven services
B) To improve the speed of API requests
C) To remove the need for authentication
D) To allow unrestricted data flow between applications
β Answer: A) To restrict who can access and modify API-driven services
π‘ Explanation: API Access Controls enforce strict permissions and authentication to prevent unauthorized changes to software dependencies.
157. What is “Reputation-Based Security” in the context of software dependencies?
A) A method that checks the reputation of software components before installation
B) A technique for improving software performance
C) A way to measure the number of users using a dependency
D) A process to make software licensing more transparent
β Answer: A) A method that checks the reputation of software components before installation
π‘ Explanation: Reputation-Based Security uses threat intelligence and trust scores to determine whether a software component is safe to use.
158. What is a “Transparent Software Supply Chain”?
A) A supply chain that records all changes to software components for security audits
B) A software delivery method that eliminates security threats
C) A way to ensure software is always updated automatically
D) A method for increasing the size of software dependencies
β Answer: A) A supply chain that records all changes to software components for security audits
π‘ Explanation: A Transparent Software Supply Chain tracks modifications, builds, and software lineage to detect and prevent supply chain attacks.
159. What is a “secure enclave” in software security?
A) A protected execution environment that isolates sensitive processes
B) A tool that speeds up software compilation
C) A way to encrypt software source code
D) A feature used only in hardware security
β Answer: A) A protected execution environment that isolates sensitive processes
π‘ Explanation: Secure enclaves (e.g., Intel SGX, ARM TrustZone) protect critical computations from malware and unauthorized access.
160. How does “Dependency Conflict Resolution” contribute to software security?
A) By ensuring only secure versions of dependencies are used in a project
B) By removing all dependencies
C) By allowing developers to override security policies
D) By making software execution faster
β Answer: A) By ensuring only secure versions of dependencies are used in a project
π‘ Explanation: Conflict resolution selects a single version of each package that satisfies every constraint in the dependency tree. That matters for security because a build that silently carries two copies of a library can keep the vulnerable copy in use after an upgrade; resolving to one pinned, current version makes patches take effect everywhere and keeps the lockfile reviewable.
161. What is “Automated Dependency Management,” and how does it improve security?
A) A process that automatically updates dependencies while checking for security vulnerabilities
B) A way to increase software execution speed
C) A method that disables old software dependencies
D) A feature that allows developers to install dependencies without verification
β Answer: A) A process that automatically updates dependencies while checking for security vulnerabilities
π‘ Explanation: Automated dependency management (e.g., Dependabot, Renovate) ensures that vulnerabilities in third-party dependencies are quickly identified and patched.
162. How does “Software Composition Analysis (SCA)” contribute to software security?
A) By identifying and analyzing open-source components for vulnerabilities
B) By removing outdated software automatically
C) By increasing software licensing costs
D) By making software execution faster
β Answer: A) By identifying and analyzing open-source components for vulnerabilities
π‘ Explanation: SCA tools (e.g., Black Duck, Snyk, OWASP Dependency-Check) scan software dependencies for known vulnerabilities, reducing supply chain risks.
163. What is “Continuous Compliance Monitoring” in software supply chains?
A) A process that ensures software components follow security and regulatory standards
B) A tool that increases software compilation speed
C) A method that prevents software from running on certain systems
D) A technique that reduces software size
β Answer: A) A process that ensures software components follow security and regulatory standards
π‘ Explanation: Continuous compliance monitoring ensures that software dependencies and build processes keep meeting security policies and external requirements, such as GDPR, NIST SP 800-53 and the NIST Secure Software Development Framework (SSDF), and ISO/IEC 27001, rather than being checked only at audit time.
164. How can organizations prevent “unintended dependency inclusion” in software projects?
A) By enforcing dependency allowlisting and regularly auditing software packages
B) By allowing developers to install any dependency they need
C) By only using dependencies from public repositories
D) By disabling security checks in package managers
β Answer: A) By enforcing dependency allowlisting and regularly auditing software packages
π‘ Explanation: Unintended dependency inclusion can introduce security risks; allowlisting ensures that only approved, verified dependencies are used.
165. Why is “Patch Lag” a significant risk in software supply chains?
A) It leaves software exposed to known vulnerabilities for extended periods
B) It prevents developers from using open-source libraries
C) It improves software execution speed
D) It increases the size of dependency files
β Answer: A) It leaves software exposed to known vulnerabilities for extended periods
π‘ Explanation: Patch lag occurs when organizations delay updating software dependencies, making them vulnerable to exploits targeting known security flaws.
166. What is “Infrastructure as Code (IaC) Security,” and why is it important?
A) A practice that secures automated infrastructure deployments from vulnerabilities
B) A technique to reduce software build times
C) A method for improving software licensing
D) A way to speed up software downloads
β Answer: A) A practice that secures automated infrastructure deployments from vulnerabilities
π‘ Explanation: IaC security ensures that configuration files and automated infrastructure deployments (e.g., Terraform, Ansible, Kubernetes) are hardened against attacks.
167. How does “Least Functionality” improve security in software supply chains?
A) By ensuring software components include only essential features to reduce attack surfaces
B) By allowing all developers to modify software without restrictions
C) By speeding up software execution
D) By making all software components open source
β Answer: A) By ensuring software components include only essential features to reduce attack surfaces
π‘ Explanation: Least Functionality reduces security risks by limiting software features to only those required, minimizing potential attack vectors.
168. What is the role of “Content Security Policy (CSP)” in software supply chain security?
A) It prevents malicious scripts from executing by enforcing security policies in web applications
B) It speeds up website performance
C) It removes vulnerabilities from outdated dependencies automatically
D) It encrypts software source code
β Answer: A) It prevents malicious scripts from executing by enforcing security policies in web applications
π‘ Explanation: CSP mitigates supply chain risks in web applications by restricting which scripts, styles, and resources can be loaded, preventing malicious code execution.
169. What is “Automated Threat Intelligence Feeds” in the context of software security?
A) A system that provides real-time security updates on emerging threats affecting software dependencies
B) A tool that speeds up software installation
C) A way to increase software licensing costs
D) A technique for improving dependency management
β Answer: A) A system that provides real-time security updates on emerging threats affecting software dependencies
π‘ Explanation: Automated threat intelligence feeds (e.g., CVE databases, threat sharing communities) help organizations quickly respond to new supply chain vulnerabilities.
170. How does “Secure Shell (SSH) Key Management” help prevent supply chain attacks?
A) It ensures that only authorized users can securely access software repositories
B) It increases software performance
C) It removes the need for password authentication
D) It allows developers to modify dependencies freely
β Answer: A) It ensures that only authorized users can securely access software repositories
π‘ Explanation: SSH key management secures access to software repositories and infrastructure, preventing unauthorized modifications to critical software components.
171. How does “Runtime Application Self-Protection (RASP)” enhance software supply chain security?
A) By detecting and blocking attacks in real-time within running applications
B) By improving software licensing
C) By reducing software execution time
D) By automating software development
β Answer: A) By detecting and blocking attacks in real-time within running applications
π‘ Explanation: RASP is a security mechanism that monitors applications at runtime, detecting and preventing supply chain exploitation in real-time.
172. What is the primary risk of using third-party CI/CD integrations in a software pipeline?
A) They can introduce unauthorized access or code execution risks
B) They increase software licensing costs
C) They slow down the deployment process
D) They limit the number of dependencies a project can use
β Answer: A) They can introduce unauthorized access or code execution risks
π‘ Explanation: Unsecured third-party CI/CD tools may be exploited to modify code, inject malicious dependencies, or steal credentials.
173. How does “signed commits” in Git improve supply chain security?
A) They ensure that code commits are verified and come from authorized developers
B) They reduce software deployment time
C) They allow software to run on multiple operating systems
D) They make the software open source
β Answer: A) They ensure that code commits are verified and come from authorized developers
π‘ Explanation: Signed commits attach a cryptographic signature (GPG, SSH, or S/MIME) to each commit so reviewers and tooling can verify who authored it. A signature proves possession of a key, not a person's identity, so the key must be bound to a verified account and the repository should reject unsigned or untrusted-key commits on protected branches; otherwise a stolen push credential can still inject unsigned code.
174. What is the purpose of “code provenance tracking” in software security?
A) To trace the origin of software components and ensure they come from trusted sources
B) To make software deployment faster
C) To encrypt software dependencies
D) To improve application performance
β Answer: A) To trace the origin of software components and ensure they come from trusted sources
π‘ Explanation: Code provenance tracking ensures transparency and accountability in the software supply chain, helping detect tampered or malicious code.
175. How can organizations secure their “software artifact repositories”?
A) By enforcing access controls, signing artifacts, and enabling audit logs
B) By allowing all developers unrestricted access
C) By disabling versioning for artifacts
D) By using only free-tier repositories
β Answer: A) By enforcing access controls, signing artifacts, and enabling audit logs
π‘ Explanation: Secure artifact repositories prevent unauthorized modifications and ensure that only verified software artifacts are used.
176. What is a “Build-Time Attack” in software supply chain security?
A) A cyberattack that targets the software build process to inject malicious code
B) A method of accelerating software compilation
C) A way to optimize software execution time
D) A technique used only for testing software
β Answer: A) A cyberattack that targets the software build process to inject malicious code
π‘ Explanation: Build-time attacks compromise the CI/CD pipeline to insert malicious payloads into software before it is released.
177. How does “Access Token Expiry Enforcement” improve software supply chain security?
A) By automatically revoking old or unused access tokens to prevent unauthorized access
B) By speeding up authentication processes
C) By reducing the size of software dependencies
D) By allowing developers to bypass authentication
β Answer: A) By automatically revoking old or unused access tokens to prevent unauthorized access
π‘ Explanation: Access token expiry policies ensure that stale or leaked authentication tokens cannot be reused by attackers.
178. Why is “End-to-End Encryption (E2EE)” important in secure software distribution?
A) It prevents attackers from intercepting software updates or data in transit
B) It increases software performance
C) It reduces software licensing fees
D) It eliminates the need for access controls
β Answer: A) It prevents attackers from intercepting software updates or data in transit
π‘ Explanation: Encrypting updates in transit (in practice, TLS between the client and the update server) prevents an on-path attacker from reading or altering the download, defeating man-in-the-middle (MITM) attacks. Transport encryption does not prove who published the update, so it must be combined with package signing: a compromised mirror or CDN can serve malicious files over a perfectly valid TLS connection.
179. How does “Container Image Scanning” help mitigate supply chain risks?
A) By analyzing container images for vulnerabilities before deployment
B) By reducing software execution time
C) By removing the need for access controls
D) By allowing all dependencies to be installed automatically
β Answer: A) By analyzing container images for vulnerabilities before deployment
π‘ Explanation: Container image scanning ensures that malicious or vulnerable components are not included in deployed containerized applications.
180. What is a “Security Gate” in a CI/CD pipeline?
A) A security control that blocks deployments if security policies are violated
B) A method for increasing software speed
C) A tool that only developers can use
D) A way to automate software licensing
β Answer: A) A security control that blocks deployments if security policies are violated
π‘ Explanation: Security gates in CI/CD pipelines enforce security checks before allowing software to be built, tested, or deployed, preventing vulnerabilities from reaching production.
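A security gate is only as good as the policy it evaluates and the clarity of its verdict. The Go program below is an added example, written for this page rather than taken from any CI system, showing one way to encode such a policy: the gate fails closed, reports every reason for blocking rather than the first one, and treats findings with an available fix differently from those without. The `ScanFinding` shape, the `EXAMPLE-ADV-*` identifiers, and the thresholds are constructed for illustration; a real pipeline would map its scanner's output (container scan, SCA, SAST) into this form.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanFinding is one scanner result in a tool-neutral form.
type ScanFinding struct {
	ID       string // advisory identifier as reported by the scanner (constructed here)
	Severity string // CRITICAL, HIGH, MEDIUM or LOW (case-insensitive)
	Fixed    bool   // a fixed version is available
}

// ArtifactReport is everything the gate knows about a candidate build.
type ArtifactReport struct {
	Signed   bool
	HasSBOM  bool
	Findings []ScanFinding
}

// GatePolicy is the organization's threshold for letting a build through.
type GatePolicy struct {
	RequireSignature bool
	RequireSBOM      bool
	BlockSeverities  map[string]bool // severities that count as blocking
	MaxUnfixedHigh   int             // blocking findings with no fix that may be carried
}

// Evaluate returns whether the artifact may proceed and every reason it was
// blocked. Collecting all reasons makes the build log actionable in one pass
// instead of revealing the next failure only after the first is fixed.
func (p GatePolicy) Evaluate(r ArtifactReport) (bool, []string) {
	var reasons []string
	if p.RequireSignature && !r.Signed {
		reasons = append(reasons, "artifact is not signed")
	}
	if p.RequireSBOM && !r.HasSBOM {
		reasons = append(reasons, "no SBOM attached")
	}
	unfixed := 0
	for _, f := range r.Findings {
		sev := strings.ToUpper(f.Severity)
		if !p.BlockSeverities[sev] {
			continue
		}
		if f.Fixed {
			// A fix exists, so there is no excuse to ship: always block.
			reasons = append(reasons, fmt.Sprintf("%s %s has a fix available; upgrade before deploy", sev, f.ID))
		} else {
			unfixed++
		}
	}
	if unfixed > p.MaxUnfixedHigh {
		reasons = append(reasons, fmt.Sprintf("%d unfixed blocking finding(s) exceed limit of %d", unfixed, p.MaxUnfixedHigh))
	}
	return len(reasons) == 0, reasons
}

func main() {
	policy := GatePolicy{
		RequireSignature: true,
		RequireSBOM:      true,
		BlockSeverities:  map[string]bool{"CRITICAL": true, "HIGH": true},
		MaxUnfixedHigh:   0,
	}
	// Constructed scanner output for a hypothetical container image.
	report := ArtifactReport{
		Signed:  true,
		HasSBOM: false,
		Findings: []ScanFinding{
			{ID: "EXAMPLE-ADV-7", Severity: "high", Fixed: true},
			{ID: "EXAMPLE-ADV-8", Severity: "medium", Fixed: false},
			{ID: "EXAMPLE-ADV-9", Severity: "critical", Fixed: false},
		},
	}
	ok, reasons := policy.Evaluate(report)
	fmt.Println("deploy allowed:", ok)
	for _, r := range reasons {
		fmt.Println(" -", r)
	}
}
```

With the sample report the gate blocks for three independent reasons (missing SBOM, a HIGH finding with a fix available, and one unfixed CRITICAL over the limit of zero); the MEDIUM finding is recorded but does not block under this policy.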
181. What is “Code Dependency Graph Analysis” in software security?
A) A technique that maps dependencies and detects security vulnerabilities in software packages
B) A way to improve software execution speed
C) A method for encrypting software repositories
D) A feature used only in closed-source software
β Answer: A) A technique that maps dependencies and detects security vulnerabilities in software packages
π‘ Explanation: Code dependency graph analysis visualizes the relationships between software components to identify security risks in direct and transitive dependencies.
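The three preceding questions on dependency sprawl, unintended dependency inclusion, and dependency graph analysis describe the same underlying operation: walk the transitive closure of a project's dependencies and flag what should not be there. The Go program below is an added example for this page, not code from any package manager. It assumes a dependency graph that has already been extracted from a lockfile into the `Graph` map, an allowlist of approved packages, and a known-vulnerable set keyed by package name; the package names and the `EXAMPLE-ADV-1` advisory identifier are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Graph maps a package to the packages it depends on directly.
type Graph map[string][]string

// Finding is one policy violation reached from the root, with the dependency
// path that pulled the package in, so the responsible direct dependency is obvious.
type Finding struct {
	Package string
	Reason  string
	Path    []string
}

// Analyze walks the transitive closure from root (breadth-first, so the
// shortest path is reported) and flags every package that is absent from the
// allowlist or present in the known-vulnerable set. Direct and transitive
// dependencies are treated alike: a vulnerable package five levels deep is
// still linked into the build. It also returns the number of distinct
// packages reached, a simple sprawl metric.
func Analyze(g Graph, root string, allow map[string]bool, vulnerable map[string]string) ([]Finding, int) {
	type item struct {
		pkg  string
		path []string
	}
	var findings []Finding
	visited := map[string]bool{root: true}
	queue := []item{{root, []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		deps := append([]string(nil), g[cur.pkg]...)
		sort.Strings(deps) // deterministic report order
		for _, d := range deps {
			if visited[d] { // already reached, or a cycle: do not revisit
				continue
			}
			visited[d] = true
			path := append(append([]string(nil), cur.path...), d)
			if !allow[d] {
				findings = append(findings, Finding{d, "not on allowlist", path})
			}
			if id, bad := vulnerable[d]; bad {
				findings = append(findings, Finding{d, "known vulnerability " + id, path})
			}
			queue = append(queue, item{d, path})
		}
	}
	return findings, len(visited) - 1
}

func main() {
	// Constructed dependency graph for a hypothetical service; the
	// ansi-colors -> log-lib edge is a cycle, to show the walk terminates.
	g := Graph{
		"app":           {"web-framework", "json-lib"},
		"web-framework": {"http-utils", "log-lib"},
		"log-lib":       {"ansi-colors"},
		"ansi-colors":   {"log-lib"},
	}
	allow := map[string]bool{"web-framework": true, "json-lib": true, "http-utils": true, "log-lib": true}
	vulnerable := map[string]string{"log-lib": "EXAMPLE-ADV-1 (constructed advisory id)"}

	findings, reached := Analyze(g, "app", allow, vulnerable)
	fmt.Printf("%d packages reachable from app\n", reached)
	for _, f := range findings {
		fmt.Printf("%-12s %-45s via %s\n", f.Package, f.Reason, strings.Join(f.Path, " -> "))
	}
}
```

On the sample graph the walk reaches five packages and produces two findings: `log-lib` is reachable only through `web-framework` and carries the constructed advisory, and `ansi-colors` was never approved but arrives as a transitive dependency of `log-lib`. Reporting the path is what turns a finding into an owner and an action.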
182. Why should organizations use “least privilege” principles for CI/CD pipeline access?
A) To reduce the risk of unauthorized modifications and insider threats
B) To allow developers unrestricted access to modify dependencies
C) To speed up software builds
D) To eliminate the need for authentication
β Answer: A) To reduce the risk of unauthorized modifications and insider threats
π‘ Explanation: Applying least privilege access controls ensures that only authorized users have access to critical build and deployment processes, reducing attack vectors.
183. What is “Third-Party Risk Management” (TPRM) in software supply chains?
A) A framework for assessing and mitigating risks associated with external vendors and dependencies
B) A technique to speed up software compilation
C) A tool that prevents open-source software usage
D) A process that removes the need for security testing
β Answer: A) A framework for assessing and mitigating risks associated with external vendors and dependencies
π‘ Explanation: TPRM helps organizations evaluate and manage risks posed by third-party suppliers, software, and dependencies in the software supply chain.
184. How does “Multi-Factor Authentication (MFA)” improve software repository security?
A) By preventing unauthorized access to code repositories and developer accounts
B) By increasing software download speeds
C) By reducing software licensing costs
D) By allowing developers to bypass authentication
β Answer: A) By preventing unauthorized access to code repositories and developer accounts
π‘ Explanation: MFA adds an extra security layer, ensuring that only authorized developers can access and modify software repositories.
185. What is “Digital Software Signatures,” and why are they important in supply chain security?
A) A cryptographic method that verifies software authenticity and prevents tampering
B) A way to speed up software execution
C) A tool that removes outdated software dependencies
D) A process to improve software performance
β Answer: A) A cryptographic method that verifies software authenticity and prevents tampering
π‘ Explanation: Digital software signatures ensure that software is authentic, unmodified, and from a trusted source, reducing supply chain attacks.
186. What is “Hash Verification” in software package security?
A) A process that ensures downloaded software matches its expected cryptographic hash
B) A method to increase software performance
C) A technique for minimizing software licensing costs
D) A way to speed up software downloads
β Answer: A) A process that ensures downloaded software matches its expected cryptographic hash
π‘ Explanation: Hash verification (e.g., SHA-256) ensures that a software package has not been altered during download or deployment. The expected hash must come from a source the attacker cannot also modify, such as a lockfile in version control or a signed manifest; a hash published beside the download on the same server only detects accidental corruption, since whoever replaced the file can replace the hash.
187. How does “Static Application Security Testing (SAST)” protect against supply chain attacks?
A) By analyzing source code for vulnerabilities before software is compiled
B) By encrypting all software dependencies
C) By allowing only closed-source software
D) By reducing the number of required dependencies
β Answer: A) By analyzing source code for vulnerabilities before software is compiled
π‘ Explanation: SAST tools (e.g., SonarQube, Checkmarx) detect vulnerabilities early in the software development lifecycle, preventing supply chain risks.
188. What is “Dynamic Application Security Testing (DAST)” in supply chain security?
A) A security testing method that analyzes running applications for vulnerabilities
B) A way to increase software execution speed
C) A method for compressing software updates
D) A tool for managing software licenses
β Answer: A) A security testing method that analyzes running applications for vulnerabilities
π‘ Explanation: DAST tools (e.g., OWASP ZAP, Burp Suite) detect vulnerabilities in real-time by scanning running applications for security flaws.
189. How does “Configuration Drift Detection” improve supply chain security?
A) By identifying unauthorized or unexpected changes in infrastructure and software settings
B) By increasing software download speeds
C) By improving graphical user interfaces
D) By eliminating the need for version control
β Answer: A) By identifying unauthorized or unexpected changes in infrastructure and software settings
π‘ Explanation: Configuration drift detection ensures that software and infrastructure remain compliant with security policies, preventing misconfigurations from leading to security vulnerabilities.
190. Why is “Secure Code Review” critical for preventing supply chain attacks?
A) It identifies vulnerabilities in software before it reaches production
B) It speeds up software execution
C) It eliminates the need for dependency tracking
D) It makes software updates faster
β Answer: A) It identifies vulnerabilities in software before it reaches production
π‘ Explanation: Manual and automated secure code reviews help detect security flaws, backdoors, and supply chain threats before software is deployed.
191. How does “Dependency Pinning” improve software supply chain security?
A) By locking dependencies to specific, verified versions to prevent unauthorized updates
B) By reducing software execution time
C) By increasing software licensing fees
D) By removing all dependencies from the software
β Answer: A) By locking dependencies to specific, verified versions to prevent unauthorized updates
π‘ Explanation: Dependency pinning records exact versions (and ideally artifact hashes) in a lockfile so every build resolves the same reviewed packages. Pinning the version alone still trusts the registry to serve the same bytes for that version; pinning the hash as well catches a republished or tampered artifact. Pinned dependencies still need scheduled updates, otherwise pinning turns into patch lag.
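The questions on artifact integrity monitoring, hash verification, and dependency pinning above come down to one check: the bytes that were fetched must hash to the digest that was recorded when the dependency was reviewed. The Go program below is an added example written for this page, not the code of pip, npm or any other package manager. Its `Lockfile` and `Artifact` types, the `example-lib` package, and the archive bytes are constructed for illustration; in real use the digest would be copied from a lockfile committed to version control.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PinnedDep is one lockfile entry: a dependency pinned to an exact version
// and to the SHA-256 of the artifact that version resolved to when reviewed.
type PinnedDep struct {
	Name    string
	Version string
	SHA256  string // lowercase hex digest recorded at review time
}

// Artifact is what the package manager actually fetched from the registry.
type Artifact struct {
	Name    string
	Version string
	Data    []byte
}

// Lockfile maps "name@version" to its pinned entry.
type Lockfile map[string]PinnedDep

func lockKey(name, version string) string { return name + "@" + version }

// NewLockfile builds the pinned set from reviewed entries.
func NewLockfile(deps ...PinnedDep) Lockfile {
	l := Lockfile{}
	for _, d := range deps {
		l[lockKey(d.Name, d.Version)] = d
	}
	return l
}

// Digest returns the hex SHA-256 of an artifact's bytes.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Verify checks a fetched artifact against the lockfile and fails closed:
// an artifact that is not pinned at all, arrives at an unpinned version, or
// whose bytes do not hash to the pinned digest is rejected. Matching the
// version string alone would accept a republished or tampered archive.
func (l Lockfile) Verify(a Artifact) error {
	pin, ok := l[lockKey(a.Name, a.Version)]
	if !ok {
		return fmt.Errorf("%s@%s: not in lockfile (unpinned package or unexpected version)", a.Name, a.Version)
	}
	if got := Digest(a.Data); got != pin.SHA256 {
		return fmt.Errorf("%s@%s: digest mismatch: pinned %s, fetched %s", a.Name, a.Version, pin.SHA256, got)
	}
	return nil
}

// reviewedArchive stands in for the bytes of a package archive that was
// reviewed and whose digest was written into the lockfile (constructed data).
var reviewedArchive = []byte("example-lib 1.4.2: module.exports = function pad(s, n) { /* ... */ }")

func main() {
	// Review time: the digest of the reviewed bytes goes into the lockfile.
	lock := NewLockfile(PinnedDep{Name: "example-lib", Version: "1.4.2", SHA256: Digest(reviewedArchive)})

	// Build time: the reviewed bytes, a tampered archive republished under the
	// same version string, and a newer version nobody has reviewed yet.
	tampered := append(append([]byte(nil), reviewedArchive...), "; require('child_process')"...)
	fetched := []Artifact{
		{"example-lib", "1.4.2", reviewedArchive},
		{"example-lib", "1.4.2", tampered},
		{"example-lib", "1.4.3", []byte("example-lib 1.4.3: (unreviewed)")},
	}
	for _, a := range fetched {
		if err := lock.Verify(a); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Printf("OK: %s@%s\n", a.Name, a.Version)
		}
	}
}
```

Only the first artifact is accepted. The second shows why version pinning without a hash is insufficient: same name, same version, different bytes. The third shows the lockfile also acting as an allowlist, refusing a version that was never reviewed rather than quietly floating forward.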
192. What is “Secure Software Distribution,” and why is it important?
A) A process that ensures software updates come from trusted sources and are untampered
B) A method for making software install faster
C) A way to increase software licensing costs
D) A feature used only in proprietary software
β Answer: A) A process that ensures software updates come from trusted sources and are untampered
π‘ Explanation: Secure software distribution uses cryptographic signing, package verification, and secure update mechanisms to prevent supply chain compromises.
193. How does “Identity and Access Management (IAM)” improve software supply chain security?
A) By ensuring only authorized users can modify software components and dependencies
B) By increasing software performance
C) By preventing software from using third-party components
D) By encrypting software dependencies
β Answer: A) By ensuring only authorized users can modify software components and dependencies
π‘ Explanation: IAM enforces strict access controls, ensuring that only authorized developers and processes can make changes to critical software components.
194. What is a “Build Provenance Record” in secure software development?
A) A record that tracks the origin and integrity of software builds
B) A method to speed up software execution
C) A tool that increases software licensing costs
D) A process that prevents open-source software usage
β Answer: A) A record that tracks the origin and integrity of software builds
π‘ Explanation: Build provenance records store information about who built the software, what dependencies were used, and how it was compiled, ensuring trust and security.
195. How does “Role-Based Access Control (RBAC)” enhance repository security?
A) By limiting repository actions based on user roles to prevent unauthorized modifications
B) By making software run faster
C) By increasing software licensing fees
D) By allowing all users to have administrator access
✅ Answer: A) By limiting repository actions based on user roles to prevent unauthorized modifications
💡 Explanation: RBAC restricts access so that only authorized users can make changes, reducing the risk of accidental or malicious modifications.
196. What is “Trusted Platform Module (TPM)” in software security?
A) A hardware-based security module that helps protect encryption keys and system integrity
B) A method to increase software execution speed
C) A way to disable security features in software
D) A software component that manages licensing
✅ Answer: A) A hardware-based security module that helps protect encryption keys and system integrity
💡 Explanation: TPM chips store cryptographic keys and enforce hardware-based security policies, preventing unauthorized software modifications.
197. What is the purpose of “Package Signature Verification” in software supply chains?
A) To ensure that software packages come from trusted sources and have not been tampered with
B) To increase the speed of software installations
C) To improve software UI design
D) To make software licensing more restrictive
✅ Answer: A) To ensure that software packages come from trusted sources and have not been tampered with
💡 Explanation: Package signature verification uses cryptographic signing to prevent malicious or unauthorized software modifications.
198. How does “Immutable Infrastructure” contribute to securing the software supply chain?
A) By ensuring that deployed environments cannot be altered after creation
B) By removing all dependencies from software
C) By allowing unrestricted software modifications
D) By eliminating the need for software updates
✅ Answer: A) By ensuring that deployed environments cannot be altered after creation
💡 Explanation: Immutable infrastructure ensures that once software is deployed, it cannot be changed, reducing the risk of supply chain attacks.
199. What is “Certificate Transparency,” and how does it improve security?
A) A system that logs issued SSL/TLS certificates to detect unauthorized certificate use
B) A way to improve software performance
C) A method to speed up dependency resolution
D) A way to remove security headers from applications
✅ Answer: A) A system that logs issued SSL/TLS certificates to detect unauthorized certificate use
💡 Explanation: Certificate Transparency (CT) ensures that all SSL/TLS certificates issued are publicly recorded, preventing certificate misuse or fraud.
200. Why is “End-to-End Software Validation” necessary in supply chain security?
A) It ensures that software components remain secure throughout the entire lifecycle
B) It speeds up software compilation
C) It eliminates the need for security audits
D) It reduces software licensing costs
✅ Answer: A) It ensures that software components remain secure throughout the entire lifecycle
💡 Explanation: End-to-end validation ensures that software is securely developed, tested, and distributed, preventing tampering and vulnerabilities.
201. What is “Artifact Trust Enforcement” in CI/CD pipelines?
A) A mechanism that requires all software artifacts to be signed and verified before deployment
B) A process to reduce software build times
C) A way to increase software execution speed
D) A method to remove all software dependencies
✅ Answer: A) A mechanism that requires all software artifacts to be signed and verified before deployment
💡 Explanation: Artifact trust enforcement ensures that only trusted, verified software components are used, preventing supply chain tampering.
202. How does “Package Repository Mirroring” improve software security?
A) By hosting local copies of trusted software packages to reduce reliance on external repositories
B) By removing all software dependencies
C) By reducing software licensing costs
D) By speeding up dependency installation
✅ Answer: A) By hosting local copies of trusted software packages to reduce reliance on external repositories
💡 Explanation: Repository mirroring prevents attacks on public package managers by ensuring that software is retrieved from secure, local sources.
203. What is “Security Policy as Code” in DevSecOps?
A) A practice that automates security policies through code-based enforcement
B) A method to speed up CI/CD pipelines
C) A way to eliminate dependency updates
D) A process that prevents open-source software usage
✅ Answer: A) A practice that automates security policies through code-based enforcement
💡 Explanation: Security Policy as Code (SPaC) integrates security rules into infrastructure and CI/CD workflows, ensuring consistent enforcement.
204. How does “Time-Based One-Time Passwords (TOTP)” improve authentication security?
A) By generating temporary, unique codes for authentication to reduce the risk of credential theft
B) By speeding up software deployment
C) By reducing software build sizes
D) By eliminating the need for authentication
✅ Answer: A) By generating temporary, unique codes for authentication to reduce the risk of credential theft
💡 Explanation: TOTP-based authentication (e.g., Google Authenticator, Authy) provides extra security against credential theft and phishing.
205. What is “Tamper-Evident Logging,” and how does it enhance security?
A) A logging mechanism that detects and alerts on unauthorized modifications
B) A tool that increases software execution speed
C) A way to automate dependency installation
D) A method to remove outdated dependencies
✅ Answer: A) A logging mechanism that detects and alerts on unauthorized modifications
💡 Explanation: Tamper-evident logging ensures that log entries cannot be altered without detection, improving incident response and security visibility.