Your organization develops software involved in many open source projects and is concerned about software...

Google Professional-Cloud-Security-Engineer Question Answer

Your organization develops software involved in many open source projects and is concerned about software supply chain threats You need to deliver provenance for the build to demonstrate the software is untampered.

What should you do?

• 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.

• 2. View the build provenance in the Security insights side panel within the Google Cloud console.

• 1. Review the software process.

• 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.

• 3. Publish the PGP signed attestation to your public web page.

• 1, Publish the software code on GitHub as open source.

• 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

• 1. Hire an external auditor to review and provide provenance

• 2. Define the scope and conditions.

• 3. Get support from the Security department or representative.

• 4. Publish the attestation to your public web page.