Security Engineering
Supply Chain Security
9 practice questions. Free questions open a full answer guide; the rest unlock with Pro.
- What is a software bill of materials, and how does having one change your response when a critical CVE drops in a widely used library?
- Signing your container images proves who built them but not how. Walk me through how you'd establish verifiable build provenance for your artifacts and what an attacker can still do if you only sign and don't attest provenance.Go Pro
- How does a dependency confusion attack work, and what's the most durable way to prevent it across your build systems?Go Pro
- What is a dependency confusion or typosquatting attack on a package registry, and what's a basic defense you'd put in place?Go Pro
- Why would a team cryptographically sign its build artifacts, and what does verifying that signature before deployment actually protect against?Go Pro
- Sigstore lets you sign artifacts with no long-lived keys and writes every signature to a public transparency log. Walk me through how keyless signing actually works and what the transparency log buys you that a private key in a vault doesn't.Go Pro
- Your org mandates an SBOM for every service, and now you have thousands of them sitting in a bucket. Why is generating SBOMs the easy part, and how do you make them actually reduce risk?Go Pro
- What is a Software Bill of Materials (SBOM), and why would a team generate one for every build?Go Pro
- What does build provenance give you that a signed container image alone doesn't, and how does a framework like SLSA use it?Go Pro
Want questions matched to your role? Paste a job title, job description, or CV for a personalized set, or go Pro to unlock the full bank.