nerdexam
Isaca

AAISM · Question #27

An AI research team is developing a natural language processing model that relies on several open-source libraries. Which of the following is the team's BEST course of action to ensure the integrity o

The correct answer is B. Scan the packages and libraries for malware prior to installation. Scanning packages and libraries for malware prior to installation is a direct supply chain security control that verifies software integrity before it enters the environment. Open-source packages are a known attack vector-malicious actors can inject malware into popular libraries

AI Security Design and Implementation

Question

An AI research team is developing a natural language processing model that relies on several open-source libraries. Which of the following is the team's BEST course of action to ensure the integrity of the software packages used?

Options

  • AMaintain a list of frequently used libraries to ensure consistent application in projects
  • BScan the packages and libraries for malware prior to installation
  • CUse the latest version of all libraries from public repositories
  • DRetrain the model regularly to handle package and library updates

How the community answered

(40 responses)
  • A
    5% (2)
  • B
    78% (31)
  • C
    3% (1)
  • D
    15% (6)

Explanation

Scanning packages and libraries for malware prior to installation is a direct supply chain security control that verifies software integrity before it enters the environment. Open-source packages are a known attack vector-malicious actors can inject malware into popular libraries (a 'typosquatting' or 'dependency confusion' attack). Maintaining a list of frequently used libraries (A) improves consistency but does not validate that those libraries are free from compromise. Using the latest version from public repositories (C) could actually introduce newly injected malicious code if the repository has been compromised. Retraining the model (D) addresses model performance but has no effect on the integrity of the underlying software packages.

Topics

#Supply Chain Security#Open-source Security#Software Integrity#Malware Scanning

Community Discussion

No community discussion yet for this question.

Full AAISM Practice