SC-100 Certification Practice Question #251

Question

You have a Microsoft 365 tenant.

You have an Azure subscription that contains Azure App Service web apps. The apps have the following characteristics:

•	The apps use third-party and open-source components.
•	The apps were developed by using C#, Python, and Java.
•	The app deployment process is managed by using Azure DevOps.
•	The source code for the apps is stored in GitHub Enterprise Cloud repositories and protected by using GitHub Advanced Security.

You need to reduce the risk of supply chain attacks during the application lifecycle.

What should you implement?

Accepted Answer

The apps use third-party and open-source components across C#, Python, and Java, with source in GitHub Enterprise Cloud protected by GitHub Advanced Security. Reducing supply-chain risk over the application lifecycle means tracking and remediating vulnerable dependencies. The Microsoft cloud security benchmark control DS-2 (software supply chain security) explicitly recommends Dependabot to track and automatically remediate vulnerable dependencies by raising pull requests. This is multi-ecosystem (unlike NuGet Audit, which is .NET-only) and dependency-focused (unlike secret scanning or Defender for Cloud Apps app governance). Suggested Answer, the unanimous Most Voted (6 votes), the 6-👍 Highly Voted comment, and MS Learn all agree on B.

More SC-100 practice questions