Exam AZ-400 topic 4 question 30 discussion

IMO this is the correct answer (it should be Yes). I've already explained in the previous answer why Continuous Integration is wrong, and that Whitesource Bolt is not necessarily part of CI. However, Whitesource Bolt *IS* an automated security testing solution (which is added to the build pipeline). This answer is more specific, and more correct, than the CI answer.

Automated security testing focuses on identifying security vulnerabilities (e.g., code injection risks, unpatched libraries, or misconfigurations). While it is a critical part of a secure development lifecycle, it does not directly address licensing violations or prohibited libraries, which are related to compliance and legal issues.

Answer is B. Licensing violation is not a code security issue. It is a legal issue. The "solution: You implement automated security testing." is for code testing & not legalities.

WhiteSource, Mend Bolt supports automated security testing when integrated into a CI pipeline.

B is correct

Automated Security Testing: Set up automated security testing in your CI/CD pipeline. Use tools like WhiteSource Bolt or Snyk to scan your codebase for vulnerabilities, security risks, and licensing issues. Configure Licensing Compliance Checks: Ensure that your automated tests also verify licensing compliance. Address any licensing violations or prohibited libraries promptly.

A. Here is an example: https://www.synopsys.com/software-integrity/software-composition-analysis-tools/black-duck-sca.html

answer is A

In my opinion licensing violation is not mandatory part of the security test

The answer is B, security testing can be implemented and it still won't check the issue of prohibited libraries or licensing issues

B - No. Implementing automated security testing does not specifically address the issues of licensing violations and prohibited libraries. While automated security testing is important for identifying vulnerabilities and security issues in code, it is not focused on issues related to licenses and libraries.

B - No. Implementing automated security testing does not specifically address the issues of licensing violations and prohibited libraries. While automated security testing is important for identifying vulnerabilities and security issues in code, it is not focused on issues related to licenses and libraries.

licencing issues isn't security scanning.... "finding and fixing open source vulnerabilities" using mend bolt, yes that would likely come under security scanning.

GPT4 Yes, implementing automated security testing with the right tools could meet the goal, but only partially. Automated security testing can help identify security vulnerabilities in your software, but on its own, it may not be fully equipped to identify licensing violations or usage of prohibited libraries.

No, this does not meet the goal. Automated security testing can help identify some security issues in the code, such as vulnerabilities, misconfigurations, or malicious code. However, automated security testing cannot detect licensing violations or prohibited libraries, which are related to the legal and compliance aspects of using open-source software. To identify these issues, you need to use a tool that can scan the open-source components and their licenses in your application, such as WhiteSource Bolt.

From ChatGPT: Implementing automated security testing can help to address the identified issues of licensing violations and prohibited libraries. Automated security testing involves running automated tests that check for security vulnerabilities, such as those related to licensing or the use of prohibited libraries, in the code. By implementing this practice, the company can detect security issues early in the development process, allowing them to be addressed before the code is deployed to production. Implementing continuous integration alone does not directly address the identified issues of licensing violations and prohibited libraries. Continuous integration is a software development practice that involves automatically building, testing, and integrating code changes into a shared repository multiple times a day. This practice can help detect issues early in the development process and ensure that code changes do not break the application.

"Licensing violations" is nothing to do with security, and "Prohibited libraries" is debateable, could be security if it is prohibitied due to vulnerability, or could be prohibited due to company policy. The CI option from a previous question makes far more sense.