Back to the course
Test yourself

Software supply chain security

Final exam · 54 questions · answers explained as you pick
Threat landscape & mindset
9 questions
01The "software supply chain" refers to…
Incorrect — dependencies are one link; the chain is broader.
Correct — source, deps, build, registry, deploy — all attack surface.
Incorrect — that is delivery, not the build supply chain.
Incorrect — the cluster is the end, not the whole chain.
02Attackers target the supply chain because…
Correct — leverage: a poisoned dependency or build ships inside trusted artifacts.
Incorrect — these attacks are often sophisticated; leverage is the driver.
Incorrect — production is usually the hardened part — the chain is softer.
Incorrect — they can be detected; the appeal is reach.
03Supply-chain security asks a different question than vuln scanning:…
Incorrect — performance is unrelated.
Incorrect — that is exactly what vuln scanning asks.
Correct — trust and provenance, not just known flaws.
Incorrect — size is a hardening concern, not the trust question.
04The SolarWinds / Codecov pattern subverts…
Incorrect — no — the artifact was compromised before it ran.
Correct — reviewing source is not enough if the build is subverted.
Incorrect — not the mechanism of these attacks.
Incorrect — the compromise was upstream, in the build/CI.
05Dependency confusion exploits…
Correct — publish public "acme-auth" 99.0.0 and builds pull the attacker’s.
Incorrect — not how confusion works.
Incorrect — it abuses resolution order, not MITM.
Incorrect — that is a different attack.
06The "clean-source illusion" is that…
Incorrect — the point is the opposite risk.
Incorrect — it misses build/dep/account compromises.
Correct — why you must verify deps, build, and artifact independently of source review.
Incorrect — the code genuinely looked fine; the change was elsewhere.
07DevSecOps means…
Incorrect — that is the model DevSecOps replaces.
Correct — embedded, not bolted on.
Incorrect — the opposite.
Incorrect — one tool is not the practice.
08"Shift left" means…
Correct — secret/SAST at commit, scans at build, verify at deploy.
Incorrect — nothing to do with geography.
Incorrect — that is shifting right — the opposite.
Incorrect — unrelated.
09The failure mode of DevSecOps controls is…
Incorrect — fast is good; friction is the problem.
Correct — the most secure pipeline is the one the team keeps running.
Incorrect — false positives are the friction, not their absence.
Incorrect — automation (unskippable) is the goal.
9 questions · explanations appear as you answer
Securing source & dependencies
9 questions
01The foundation of source security is…
Correct — the reviewed-source assumption everything else depends on.
Incorrect — visibility is unrelated to integrity.
Incorrect — that removes the checks, not adds them.
Incorrect — unrelated to source integrity.
02Signed commits protect against…
Incorrect — unrelated to build speed.
Correct — the author field is just text; signing proves identity.
Incorrect — that is dependency scanning.
Incorrect — unrelated.
03The highest-value files to require code-owner review for are…
Incorrect — low risk.
Incorrect — important, but not the highest-value target.
Correct — they control how everything is built and shipped.
Incorrect — not security-critical.
04A lockfile (package-lock.json, go.sum) provides…
Correct — every build resolves to identical, verified bytes.
Incorrect — it is about build reproducibility, not runtime.
Incorrect — it records hashes; it does not encrypt.
Incorrect — that is a scan report.
05In CI you should install dependencies with…
Incorrect — it can update the lockfile and resolve new versions, defeating the pin.
Correct — strictly from the lockfile, fails on drift.
Incorrect — then nothing is pinned.
Incorrect — integrity, not speed, decides here.
06You should pin the container base image by…
Incorrect — that is exactly the mutable reference to avoid.
Incorrect — a name resolves to a mutable tag.
Correct — immutable bytes; a re-pushed base cannot slip in.
Incorrect — not an image identifier.
07Two defenses against dependency confusion are…
Correct — a public name cannot collide; the resolver never reaches public for @acme/*.
Incorrect — version length is irrelevant.
Incorrect — does not stop resolution hijacking.
Incorrect — that weakens integrity.
08Pinning dependencies creates a tension resolved by…
Incorrect — frozen versions rot into known-vulnerable ones.
Correct — stay pinned and current at once.
Incorrect — that reintroduces the drift risk.
Incorrect — drift makes the eventual update a scary migration.
09A security-driven dependency update should be…
Incorrect — too slow — the exploit window is days.
Incorrect — a CVE fix is not optional.
Correct — the disclosure-to-exploitation window is small.
Incorrect — deferring a security patch is the risk.
9 questions · explanations appear as you answer
Build integrity & SLSA
9 questions
01SLSA is a framework that answers…
Incorrect — that is scanning; SLSA is about build integrity.
Correct — a ladder of guarantees about the build process and provenance.
Incorrect — unrelated to speed.
Incorrect — not what SLSA defines.
02SLSA Level 2 requires that provenance is…
Correct — not something a developer could hand-forge.
Incorrect — that would be forgeable — below L2.
Incorrect — L1 already requires provenance to exist.
Incorrect — not how provenance works.
03The key idea at higher SLSA levels is that…
Incorrect — unrelated to speed.
Incorrect — the opposite — that would let a malicious build lie.
Correct — so a compromised build cannot forge its own origin.
Incorrect — higher levels need stronger, non-falsifiable provenance.
04A hermetic build is one that…
Correct — it cannot fetch an attacker-controllable input mid-build.
Incorrect — that is the anti-pattern hermeticity forbids.
Incorrect — location is not the definition.
Incorrect — unrelated.
05A reproducible build means…
Incorrect — reproducible is about output, not speed.
Correct — independent builders matching = strong tamper evidence.
Incorrect — re-running is not the same as identical output.
Incorrect — caching is unrelated to determinism.
06The most common break in build integrity is…
Incorrect — stage count is not a security issue.
Incorrect — speed is not integrity.
Correct — vendor and pin inputs; build with no network.
Incorrect — containers are fine; the fetch is the problem.
07A trusted builder is characterized by being…
Correct — shrinks what a compromised build can reach and forge.
Incorrect — that is an untrustworthy builder.
Incorrect — manual is not the trust property.
Incorrect — speed is not trust.
08Even perfect SLSA provenance is worthless unless…
Incorrect — storage is not the point; verification is.
Correct — unverified provenance changes nothing.
Incorrect — publicity is not verification.
Incorrect — provenance is signed, not encrypted.
09Building a critical artifact on a shared, privileged runner makes it effectively…
Incorrect — the opposite — the builder is not isolated.
Incorrect — isolation is unrelated to reproducibility, and it is missing.
Correct — builder isolation is the foundation the framework needs.
Incorrect — a shared privileged runner is not hermetic.
9 questions · explanations appear as you answer
Sign, attest & inventory
9 questions
01Sigstore’s three pieces are…
Correct — together they enable keyless signing.
Incorrect — those are scanning/SBOM tools, not Sigstore.
Incorrect — those are policy engines.
Incorrect — those are delivery tools.
02Keyless signing removes the risk of…
Incorrect — unrelated.
Correct — the ephemeral key lives minutes; trust is in identity + Rekor.
Incorrect — that is scanning.
Incorrect — unrelated to signing.
03Rekor (the transparency log) lets you…
Incorrect — it logs, it does not encrypt.
Incorrect — that is a registry.
Correct — like certificate transparency for artifacts.
Incorrect — not its function.
04An SBOM is…
Correct — the ingredients label; SPDX or CycloneDX.
Incorrect — that is signing/attestation.
Incorrect — unrelated.
Incorrect — that is Kubernetes YAML.
05An SBOM only delivers value when it is…
Incorrect — deleting it removes the value.
Correct — the whole point is fast fleet-wide lookup.
Incorrect — a log nobody queries is a checkbox.
Incorrect — secrecy is not the issue; queryability is.
06The SBOM "zero-day drill" is…
Incorrect — not the point of an SBOM.
Incorrect — the value is operational, not just audit.
Correct — Log4Shell triage: minutes with SBOMs, days without.
Incorrect — signing helps trust; the drill is the query.
07An attestation is…
Correct — provenance, SBOM, scan result — evidence you can verify.
Incorrect — an attestation carries a claim (predicate), not only a signature.
Incorrect — no — it is a statement about one.
Incorrect — unrelated.
08SLSA provenance is best described as the artifact’s…
Incorrect — that is a scan, not provenance.
Correct — machine-verifiable record of how it was made.
Incorrect — unrelated.
Incorrect — unrelated.
09Attestations should be bound to the ___ and generated by the ___.
Incorrect — a tag is mutable; the developer/build could forge it.
Incorrect — not the trust-establishing binding.
Correct — cannot be transplanted, and the build cannot forge favorable claims.
Incorrect — not how provenance is anchored.
9 questions · explanations appear as you answer
Verify & enforce
9 questions
01The step that turns the whole chain from documentation into enforcement is…
Correct — unsigned/unattested = unscheduled.
Incorrect — that produces evidence; it does not enforce.
Incorrect — signing is evidence; verification enforces.
Incorrect — a doc is not enforcement.
02A meaningful admission policy verifies…
Incorrect — a signature-only check lets an attacker sign their own image.
Correct — each skipped assertion is a hole.
Incorrect — irrelevant to trust.
Incorrect — not a trust property.
03You should roll out a verification policy by…
Incorrect — that blocks everything and gets rolled back.
Incorrect — Audit only warns; it never enforces.
Correct — staged rollout sticks.
Incorrect — exemptions must be explicit and narrow, not a blanket skip.
04Policy-as-code (Kyverno/OPA) lets you…
Correct — not a wiki page — the cluster mechanically enforces them.
Incorrect — that is a scanner.
Incorrect — that is Cosign.
Incorrect — unrelated.
05Policy-as-code should run…
Incorrect — you also want shift-left feedback in CI.
Correct — CI is the guardrail; admission is the wall.
Incorrect — CI can be bypassed; admission is the backstop.
Incorrect — it is core enforcement.
06Signature verification and an allowed-registries policy…
Incorrect — they close different holes.
Incorrect — no — one checks the signer, one checks the source.
Correct — an attacker only needs the assertion you left out.
Incorrect — they complement each other.
07Restricting pulls to your own registry closes the gap where…
Correct — registry restriction plus identity verification covers it.
Incorrect — unrelated to size.
Incorrect — unrelated.
Incorrect — not the gap.
08A private registry as a pull-through cache helps because…
Incorrect — the opposite of the intent.
Correct — an upstream outage or poisoned public image does not reach you unfiltered.
Incorrect — signing is still required.
Incorrect — unrelated to runtime.
09If workloads can pull from any registry, then…
Incorrect — it widens your attack surface significantly.
Incorrect — an attacker-signed image from their registry still passes a signature-only check.
Correct — a typosquatted/backdoored public image is one manifest edit from prod.
Incorrect — not the concern.
9 questions · explanations appear as you answer
Operate DevSecOps
9 questions
01An artifact you signed as clean can become vulnerable later because…
Correct — so you rescan running images continuously.
Incorrect — that is not why it becomes vulnerable.
Incorrect — a digest is immutable.
Incorrect — the point is it was clean at build, then a CVE dropped.
02Continuous rescanning of running images uses…
Incorrect — unnecessary — scan the stored SBOM against fresh CVE data.
Correct — answers "are we exposed?" without rebuilding.
Incorrect — not scalable for CVE tracking.
Incorrect — logs are not a scannable inventory.
03VEX (Vulnerability Exploitability eXchange) is for…
Incorrect — that is Cosign.
Incorrect — that is Syft.
Correct — cuts alert-fatigue so real findings survive.
Incorrect — unrelated.
04The operational loop closes when a finding…
Correct — alerts without action are noise.
Incorrect — that is not operating security.
Incorrect — suppression needs an auditable VEX reason.
Incorrect — broadcast is not remediation.
05A supply-chain incident differs from a normal one because you must…
Incorrect — the blast radius follows the chain outward.
Correct — scope by "which artifacts + deploys touched it".
Incorrect — those are exactly what you must trace.
Incorrect — you must scope and contain immediately.
06In a supply-chain incident, your best forensic trail is…
Incorrect — they do not tell you what was built with the bad component.
Incorrect — guessing is what SBOMs/provenance replace.
Correct — scoping becomes a series of queries, not a blind hunt.
Incorrect — irrelevant.
07Eradicating a supply-chain compromise means…
Correct — do not patch the poisoned artifact; assume broad credential exposure.
Incorrect — the entry path and exposure remain.
Incorrect — that reruns the compromised artifact.
Incorrect — a build breach may have exposed many; rotate broadly.
08On the maturity roadmap, you start with…
Incorrect — those are the leading stage, not the start.
Correct — cheap foundational controls that stop the most common attacks.
Incorrect — valuable, but it builds on the base.
Incorrect — all-or-nothing is the trap; adopt incrementally.
09"Good" DevSecOps looks like…
Incorrect — a doc is not enforcement.
Incorrect — point-in-time is not continuous security.
Correct — you cannot deploy unsigned; a CVE is a query, not a crisis.
Incorrect — speed alone is not the security goal.
9 questions · explanations appear as you answer