The correct answer is not validating the digital signatures of downloaded components. A digital signature lets the consumer confirm both the origin of a component (it was signed with the private key of the expected publisher) and its integrity (the bytes have not changed since they were signed). Skipping that check leaves the build open to supply chain attacks in which malicious code, served from a compromised mirror or a hijacked download path, is accepted as a legitimate component.
Bypassing vulnerability scanning in the integration pipeline for approved vendors is risky because it assumes that trusted vendors never distribute vulnerable components; known vulnerabilities could then enter the application undetected. It is still less severe than never verifying that a component is authentic at all, because a scanner looks for known weaknesses in the code it is given and says nothing about whether that code came from the vendor in the first place.
Using dynamically linked libraries rather than statically compiled dependencies is an architectural choice with security trade-offs, not an inherently high-risk practice. Dynamic linking can expose an application to library search-path hijacking (loading an unintended library) and to version compatibility problems, but modern dependency management largely addresses these concerns and brings benefits such as patching a shared library once for every program that uses it.
Implementing just-in-time component fetching during production deployment means retrieving dependencies at deploy or run time instead of bundling them with the application. This introduces availability risk and a supply chain exposure if a component changes between testing and production use, but pinning exact versions and verifying digests and signatures at fetch time mitigates these risks.
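The following is an added example, not code from the original page or from any vendor tooling, showing the two checks the explanation above calls for: verifying a publisher's detached signature over a downloaded component, and comparing the component's SHA-256 digest against a value pinned at test time so a component fetched at deployment cannot silently differ from what was tested. It is written in Go using only the standard library's Ed25519 and SHA-256 packages; the component bytes, the key pair, and the names `Publish`, `VerifyComponent` and `Digest` are constructed for illustration and are assumptions rather than anything from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is a downloaded artifact together with the detached signature the
// publisher ships beside it. In a real pipeline these would be two files; here
// they are held in memory (constructed for this example).
type Component struct {
	Name      string
	Bytes     []byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("signature does not verify: wrong signer or tampered bytes")
	ErrDigestMismatch = errors.New("digest does not match the pinned value")
)

// Digest returns the lower-case hex SHA-256 of the artifact bytes; this is the
// value a lockfile would pin after the component passed testing.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish simulates the vendor side: it signs the artifact with the vendor's
// private key and returns the artifact plus its detached signature.
func Publish(name string, payload []byte, priv ed25519.PrivateKey) Component {
	return Component{Name: name, Bytes: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyComponent rejects the artifact unless (1) the detached signature over its
// bytes verifies under the trusted publisher key, which proves origin and
// integrity, and (2) its SHA-256 digest equals the value pinned at test time,
// which stops a just-in-time fetch from pulling something other than what was
// tested. Order matters: the signature check runs first so an attacker who can
// replace the artifact cannot even reach the digest comparison with unsigned bytes.
func VerifyComponent(c Component, trustedKey ed25519.PublicKey, pinnedDigest string) error {
	if !ed25519.Verify(trustedKey, c.Bytes, c.Signature) {
		return ErrBadSignature
	}
	if Digest(c.Bytes) != pinnedDigest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Vendor key pair, generated fresh for the demonstration. In practice the
	// consumer holds only the public key, obtained out of band from the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	payload := []byte("constructed artifact bytes for libexample 1.2.3") // constructed sample input
	c := Publish("libexample-1.2.3.tar.gz", payload, priv)
	pinned := Digest(payload) // recorded in the lockfile after testing

	fmt.Println("genuine component:", VerifyComponent(c, pub, pinned)) // <nil>

	// A mirror swaps one byte of the archive: the signature no longer verifies.
	tampered := c
	tampered.Bytes = append([]byte{}, payload...)
	tampered.Bytes[0] ^= 0xff
	fmt.Println("tampered bytes:   ", VerifyComponent(tampered, pub, pinned))

	// Someone re-signs the archive with their own key: the trusted key rejects it.
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := Publish(c.Name, payload, attackerPriv)
	_ = attackerPub
	fmt.Println("wrong signer:     ", VerifyComponent(resigned, pub, pinned))

	// Vendor legitimately publishes 1.2.4 under the same name after testing ended:
	// the signature is good, but the pinned digest catches the drift.
	next := Publish(c.Name, []byte("constructed artifact bytes for libexample 1.2.4"), priv)
	fmt.Println("version drift:    ", VerifyComponent(next, pub, pinned))
}
```

The digest check is deliberately separate from the signature check: a valid signature from the right vendor says the bytes are authentic, not that they are the same bytes the pipeline scanned and tested, which is the gap a just-in-time fetch opens.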
ISC2 CISSP
Software Development Security