Google Cloud Professional Cloud Security Engineer — Question 104

Your organization develops software involved in many open source projects and is concerned about software supply chain threats. You need to deliver provenance for the build to demonstrate the software is untampered.

What should you do?

Answer options

• A. 1. Hire an external auditor to review and provide provenance. 2. Define the scope and conditions. 3. Get support from the Security department or representative. 4. Publish the attestation to your public web page.
• B. 1. Review the software process. 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact. 3. Publish the PGP signed attestation to your public web page.
• C. 1. Publish the software code on GitHub as open source. 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.
• D. 1. Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build. 2. View the build provenance in the Security insights side panel within the Google Cloud console.

Correct answer: D

Explanation

The correct answer, D, focuses on generating SLSA level 3 assurance, which is specifically designed to provide provenance for software artifacts and ensures that the supply chain is secure. Options A and B involve external verification and signing practices but do not directly address the need for build provenance through established frameworks, while option C emphasizes open sourcing the code without guaranteeing integrity or provenance.