
Eccouncil 312-97 Exam - Topic 7 Question 8 Discussion

Actual exam question for Eccouncil's 312-97 exam
Question #: 8
Topic #: 7

Rahul Mehta is working as a DevSecOps engineer in an IT company that develops cloud-native web applications. His organization follows a strict DevSecOps practice and wants to ensure that third-party open-source dependencies used in the application do not introduce known security vulnerabilities. Rahul decided to integrate a Software Composition Analysis (SCA) tool into the CI pipeline so that every build is automatically scanned. During one of the builds, the SCA tool detects a critical vulnerability in a transitive dependency. What should ideally happen in a mature DevSecOps pipeline when such a critical vulnerability is detected at build time?

Suggested Answer: C

In a mature DevSecOps pipeline, security controls are enforced as gates, not as informational checks. When an SCA tool detects a critical vulnerability in a dependency, direct or transitive, the correct response at the Build and Test stage is to fail the build. This keeps the vulnerable artifact from moving into later stages such as deployment or production, where remediation is more expensive and more disruptive. Allowing the build to continue, even with a notification, contradicts the shift-left principle. Ignoring transitive dependencies is equally dangerous, since many real-world vulnerabilities originate in indirect libraries that the developers never declared themselves. Failing the build forces developers to remediate immediately by upgrading, replacing, or mitigating the vulnerable dependency. In practice the gate is severity-based (critical, and usually high, findings block the build; lower severities are reported) and is paired with a documented, time-boxed exception process, so that a finding shown to be unexploitable in this code path can be waived with a recorded justification and an expiry date rather than by silently lowering the threshold. This approach reduces attack surface, enforces accountability, and ensures that only artifacts that passed the gate are released. Stopping the pipeline on detection of a critical vulnerability therefore reflects a strong DevSecOps maturity model and effective security governance.
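The gate described in the answer, as an added example rather than code from the page or from any SCA vendor: a small Python build step that reads an SCA report, blocks the build on any finding at or above a severity threshold whether the dependency is direct or transitive, and honours only exceptions that carry a justification and have not expired. The report shape, the exception-file format, the vulnerability ids and the package names are all constructed for this example and do not correspond to any real tool or advisory.

```python
"""Build-time SCA gate for a CI pipeline (illustrative, constructed example).

Policy: a finding at or above the configured severity threshold, in a direct or
a transitive dependency, fails the build unless a documented, unexpired
exception covers that exact vulnerability id. Expired exceptions do not count.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in a generic shape (not the output format of any
# particular SCA tool). "path" is the dependency chain from the direct
# dependency declared by the project down to the vulnerable package, so a path
# longer than one element means the finding sits in a transitive dependency.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "VULN-0001", "package": "example-http", "version": "1.2.0",
         "severity": "HIGH", "path": ["example-http"]},
        {"id": "VULN-0002", "package": "example-yaml", "version": "0.9.1",
         "severity": "CRITICAL",
         "path": ["example-web", "example-config", "example-yaml"]},
        {"id": "VULN-0003", "package": "example-log", "version": "2.0.0",
         "severity": "CRITICAL", "path": ["example-web", "example-log"]},
    ]
})

# Constructed exception file (hypothetical format): vulnerability id -> expiry
# date and a written justification. Exceptions are reviewed, not self-granted.
SAMPLE_EXCEPTIONS = {
    "VULN-0003": {"expires": "2099-01-01",
                  "reason": "vulnerable code path not reachable; tracked in ticket"},
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str
    path: tuple[str, ...]

    @property
    def transitive(self) -> bool:
        return len(self.path) > 1


@dataclass
class GateResult:
    blocking: list[Finding] = field(default_factory=list)  # fail the build
    waived: list[Finding] = field(default_factory=list)    # valid exception
    expired: list[Finding] = field(default_factory=list)   # exception lapsed

    @property
    def passed(self) -> bool:
        return not self.blocking


def parse_report(text: str) -> list[Finding]:
    """Parse the constructed report format into Finding objects."""
    data = json.loads(text)
    return [Finding(f["id"], f["package"], f["version"],
                    f["severity"].upper(), tuple(f["path"]))
            for f in data["findings"]]


def evaluate(findings, threshold="CRITICAL", exceptions=None, today=None) -> GateResult:
    """Apply the gate. `today` may be a date, an ISO string, or None (= now)."""
    exceptions = exceptions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    floor = SEVERITY_RANK[threshold.upper()]
    result = GateResult()
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < floor:
            continue  # below the gate threshold: report only, never block
        exc = exceptions.get(f.vuln_id)
        if exc is not None and date.fromisoformat(exc["expires"]) >= today:
            result.waived.append(f)
            continue
        if exc is not None:
            result.expired.append(f)  # lapsed waiver blocks like no waiver
        result.blocking.append(f)
    return result


def main() -> int:
    result = evaluate(parse_report(SAMPLE_REPORT), exceptions=SAMPLE_EXCEPTIONS)
    for f in result.waived:
        print(f"WAIVED   {f.vuln_id} {f.package}@{f.version}: "
              f"{SAMPLE_EXCEPTIONS[f.vuln_id]['reason']}")
    for f in result.blocking:
        kind = "transitive via " + " > ".join(f.path[:-1]) if f.transitive else "direct"
        note = " [exception expired]" if f in result.expired else ""
        print(f"BLOCKING {f.vuln_id} {f.severity} {f.package}@{f.version} ({kind}){note}")
    print("SCA gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1  # non-zero exit status fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit status is what actually stops the build; with the constructed data the transitive finding VULN-0002 blocks while VULN-0003 is waived by its unexpired exception. The expiry check is the part teams most often omit: without it, a waiver granted for a one-week upgrade window quietly becomes permanent.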


Contribute your Thoughts:

Derick
2 days ago
I remember a practice question where we discussed the importance of stopping the build for critical issues. It seems like option C makes the most sense.
upvoted 0 times
Oneida
7 days ago
I think the pipeline should fail the build if a critical vulnerability is detected, but I'm not entirely sure if that's the only option.
upvoted 0 times
