Google Professional Cloud Security Engineer

Get started today

Ultimate access to all questions.

Explanation:

Option D is the correct answer because it directly addresses the requirement to generate build provenance to demonstrate software integrity against supply chain threats. SLSA (Supply Chain Levels for Software Artifacts) is a Google-endorsed framework specifically designed for securing software supply chains, and SLSA Level 3 provides strong provenance-based assurances. Using Cloud Build to generate SLSA Level 3 provenance and viewing it in the Security Insights panel aligns with Google Cloud best practices and tools. The community discussion strongly supports D with 100% consensus and upvoted comments referencing official Google documentation. Other options are less suitable: A involves external audits which may not provide automated, verifiable provenance; B uses PGP signing which lacks the comprehensive framework of SLSA; and C focuses on open-source review rather than generating formal build provenance.

Explanation:

Comments (0)

No comments yet.

Your organization develops software involved in many open-source projects and is concerned about software supply chain threats. You need to generate build provenance to demonstrate that the software has not been tampered with.

What should you do?

Exam-Like

Hire an external auditor to review and provide provenance.
Define the scope and conditions.
Get support from the Security department or representative.
Publish the attestation to your public web page.

0.0%

Review the software process.
Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.
Publish the PGP signed attestation to your public web page.

0.0%

Publish the software code on GitHub as open source.
Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.
View the build provenance in the Security insights side panel within the Google Cloud console.

Google Professional Cloud Security Engineer

Get started today

Comments (0)

Get started today

Comments (0)

Your organization develops software involved in many open-source projects and is concerned about software supply chain threats. You need to generate build provenance to demonstrate that the software has not been tampered with. What should you do?

Your organization develops software involved in many open-source projects and is concerned about software supply chain threats. You need to generate build provenance to demonstrate that the software has not been tampered with.

What should you do?