5 exercises — practise answering Software Supply Chain Security Engineer interview questions in professional technical English.
1 / 5
The interviewer asks: "Why would you generate an SBOM, and how do you make it useful rather than a compliance checkbox?" Which answer best demonstrates Software Supply Chain Security Engineer expertise?
Option B is strongest because it defines the SBOM as a machine-readable SPDX or CycloneDX inventory that includes transitive dependencies, is generated automatically for every build from the built artefact rather than from a hand-maintained list, and is then actually consumed: for rapid CVE impact analysis when a new advisory lands, for licence policy enforcement, and for spotting dependencies nobody expected to be there. It is also signed and linked to the build's provenance, so a consumer can tell which artefact it describes. Option A treats it as a write-once audit document. Option C captures only top-level dependencies, missing the transitive dependencies where most of the risk hides. Option D dismisses automation entirely, on the misconception that staleness makes SBOMs useless, when staleness is exactly the argument for regenerating them on every build and rescanning them continuously.
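An added example (not from the original page) of the "useful rather than a checkbox" half of that answer: a CycloneDX SBOM that carries its dependency graph is parsed, every component is matched against an OSV-style advisory feed, each hit is reported together with the dependency path that pulls it in, and the component list is checked against a licence deny-list. The SBOM, the package names, the advisory ids and the licence policy are all constructed placeholders; real tooling would pull advisories from OSV or NVD and use `packaging.version` for PEP 440 comparison instead of the dotted-integer comparison used here.

```python
import json
from collections import deque
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 SBOM: an application with one direct dependency that
# pulls in a transitive one, plus a GPL-licensed tool. Names are placeholders.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "bom-ref": "pkg:pypi/app@1.0.0",
                             "name": "app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/exampleclient@2.1.0", "name": "exampleclient",
     "version": "2.1.0", "purl": "pkg:pypi/exampleclient@2.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/examplecore@0.9.4", "name": "examplecore",
     "version": "0.9.4", "purl": "pkg:pypi/examplecore@0.9.4",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/exampletool@0.3.0", "name": "exampletool",
     "version": "0.3.0", "purl": "pkg:pypi/exampletool@0.3.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/app@1.0.0", "dependsOn": ["pkg:pypi/exampleclient@2.1.0", "pkg:pypi/exampletool@0.3.0"]},
    {"ref": "pkg:pypi/exampleclient@2.1.0", "dependsOn": ["pkg:pypi/examplecore@0.9.4"]},
    {"ref": "pkg:pypi/examplecore@0.9.4", "dependsOn": []},
    {"ref": "pkg:pypi/exampletool@0.3.0", "dependsOn": []}
  ]
}'''

# Constructed advisory feed in OSV's introduced/fixed style, keyed by versionless purl.
# The ids are placeholders, not real CVE or GHSA identifiers.
ADVISORIES: Dict[str, List[dict]] = {
    "pkg:pypi/examplecore": [{"id": "EXAMPLE-ADV-0001", "introduced": "0.9.0", "fixed": "0.9.5"}],
    "pkg:pypi/exampleclient": [{"id": "EXAMPLE-ADV-0002", "introduced": "1.0.0", "fixed": "2.0.0"}],
}
DENIED_LICENCES = {"GPL-3.0-only", "AGPL-3.0-only"}   # constructed licence policy


def parse_version(v: str) -> Tuple[int, ...]:
    # Plain dotted integers only; production code should use packaging.version (PEP 440).
    return tuple(int(part) for part in v.split("."))


def load_sbom(text: str) -> dict:
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def dependency_paths(bom: dict) -> Dict[str, List[str]]:
    """Shortest path from the root component to every bom-ref (BFS over 'dependencies').
    This turns 'X is vulnerable' into 'X is pulled in by Y', which is what a fix needs."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def find_affected(bom: dict, advisories: Dict[str, List[dict]]) -> List[dict]:
    """Match every component's purl and version against the advisory ranges."""
    paths = dependency_paths(bom)
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        version = parse_version(comp["version"])
        for adv in advisories.get(purl.split("@", 1)[0], []):
            introduced = parse_version(adv["introduced"])
            fixed = parse_version(adv["fixed"]) if adv.get("fixed") else None
            if version >= introduced and (fixed is None or version < fixed):
                path = paths.get(comp["bom-ref"], [comp["bom-ref"]])
                hits.append({"id": adv["id"], "purl": purl, "fixed": adv.get("fixed"),
                             "path": path, "transitive": len(path) > 2})
    return hits


def licence_violations(bom: dict, denied: set) -> List[Tuple[str, str]]:
    return [(comp["purl"], lic["license"]["id"])
            for comp in bom.get("components", [])
            for lic in comp.get("licenses", [])
            if lic.get("license", {}).get("id") in denied]


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    for hit in find_affected(bom, ADVISORIES):
        print(f"{hit['id']}: {hit['purl']} via {' -> '.join(hit['path'])} (fixed in {hit['fixed']})")
    for purl, lic in licence_violations(bom, DENIED_LICENCES):
        print(f"licence policy: {purl} is {lic}")
```

Run against the constructed SBOM, the only hit is the transitive `examplecore` component, reported via `app -> exampleclient -> examplecore`; a top-level-only SBOM (Option C) would never have listed it. Because the SBOM is regenerated per build, the same query can be re-run the moment a new advisory appears, without rebuilding anything.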
2 / 5
The interviewer asks: "Walk me through the SLSA framework and what moving up its levels actually buys you." Which answer best demonstrates Software Supply Chain Security Engineer expertise?
Option B is strongest because it correctly frames SLSA as a set of build-integrity levels centred on verifiable provenance, with hardening requirements such as hosted, isolated builders and tamper resistance added as the levels increase; it ties the framework to real build-pipeline compromises such as SolarWinds; and it lays out a practical adoption roadmap that ends with provenance verification as a deploy gate. Option A confuses SLSA with antivirus. Option C reduces it to code-review counts. Option D claims the top level means zero vulnerabilities, the misconception that build integrity equals the absence of vulnerable code: SLSA attests how an artefact was built and from what, not that the source was free of bugs.
3 / 5
The interviewer asks: "How do Sigstore and Cosign fit into signing your artefacts, and why is keyless signing appealing?" Which answer best demonstrates Software Supply Chain Security Engineer expertise?
Option B is strongest because it accurately describes Cosign keyless signing: the signer authenticates to an OIDC provider, Fulcio issues a short-lived certificate bound to that identity, the signature and certificate are recorded in the Rekor transparency log, and verifiers match on the certificate identity and the OIDC issuer rather than on a key; it goes on to admission-controller enforcement and to signing SBOMs and attestations with the same machinery. Option A relies on a single long-lived key on the build server, exactly the key-management risk keyless avoids. Option C reduces signing to a download checksum, which proves integrity but says nothing about who produced the artefact. Option D claims keyless means no cryptography, the misconception that it trades security for speed, when it still uses certificates, signatures, and a transparency log; what changes is that the long-lived secret is replaced by an identity the verifier must explicitly pin, because accepting any Fulcio-issued certificate would authenticate nothing.
4 / 5
The interviewer asks: "What is a provenance attestation and how does it get used to make deployment decisions?" Which answer best demonstrates Software Supply Chain Security Engineer expertise?
Option B is strongest because it defines provenance as a signed in-toto/SLSA attestation recording the source commit, builder identity, build parameters, and artefact digest, then shows it enforced by a policy engine that checks repository, branch, builder, and digest before allowing a deploy; the digest check is what binds the attestation to the exact artefact being deployed rather than to some other build from the same repository. Option A reduces it to a commit message with no integrity guarantee. Option C confuses provenance with a user-facing changelog. Option D claims attestations cannot be verified or enforced, the misconception that ignores policy-engine gating, which is precisely their purpose.
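The deploy gate that exercises 2 to 4 describe, as an added example that is not from the original page or from any named project. It assumes cosign (or an equivalent verifier) has already checked the attestation signature and its Rekor entry and handed back the Fulcio certificate's identity and OIDC issuer; the code then applies the policy checks those answers list: pinned signer identity and issuer, subject digest equal to the artefact being deployed, a trusted builder at the required SLSA level, and the expected source repository and release ref. The in-toto statement, the SLSA v1 field layout, the builder ids, hostnames, workflow path and digest are constructed placeholders, and the builder-to-level table is the organisation's own assessment, not something the attestation proves by itself.

```python
import copy
import re
from typing import Dict, List, Tuple

DIGEST_HEX = "4a" * 32                           # constructed sha256 of the image to deploy
ARTEFACT_DIGEST = "sha256:" + DIGEST_HEX

# Constructed result of the signature step: the identity (certificate SAN) and the OIDC
# issuer that the verifier extracted from the Fulcio certificate.
VERIFIED_SIGNER = {
    "identity": "https://github.com/example-org/payments/.github/workflows/release.yml@refs/tags/v1.4.0",
    "issuer": "https://token.actions.githubusercontent.com",
}

# Constructed in-toto statement carrying a SLSA v1 provenance predicate.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example.com/payments", "digest": {"sha256": DIGEST_HEX}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example.com/buildtypes/container@v1",
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example-org/payments",
                           "ref": "refs/tags/v1.4.0", "commit": "c0ffee" * 6 + "c0ff"},
            },
        },
        "runDetails": {"builder": {"id": "https://builder.example.com/hosted-isolated@v2"}},
    },
}

# Builders the organisation trusts and the SLSA build level it has assessed each at.
# This is a policy input; the attestation itself does not prove a level.
TRUSTED_BUILDERS: Dict[str, int] = {
    "https://builder.example.com/hosted-isolated@v2": 3,
    "https://builder.example.com/self-hosted-runner@v1": 1,
}

POLICY = {
    "oidc_issuer": "https://token.actions.githubusercontent.com",
    # Exact repo, exact workflow file, release tags only: a fork or a feature branch fails.
    "identity_re": re.compile(
        r"^https://github\.com/example-org/payments/\.github/workflows/release\.yml@refs/tags/v\d+\.\d+\.\d+$"),
    "source_uri": "git+https://github.com/example-org/payments",
    "ref_prefix": "refs/tags/",
    "min_level": 3,
}


def evaluate(statement: dict, signer: dict, artefact_digest: str,
             policy: dict = POLICY, builders: Dict[str, int] = TRUSTED_BUILDERS) -> List[str]:
    """Return every policy violation; an empty list means the deploy may proceed."""
    problems = []
    # 1. Keyless identity matching: the expected workflow identity from the expected IdP,
    #    not "anyone holding a Fulcio certificate".
    if signer.get("issuer") != policy["oidc_issuer"]:
        problems.append(f"unexpected OIDC issuer {signer.get('issuer')!r}")
    if not policy["identity_re"].match(signer.get("identity", "")):
        problems.append(f"signer identity not allowed: {signer.get('identity')!r}")
    # 2. Statement and predicate types.
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # 3. Subject binding: the attestation must be about this exact digest, otherwise a
    #    perfectly valid attestation for some other build would be accepted.
    subjects = {"sha256:" + s["digest"]["sha256"]
                for s in statement.get("subject", []) if "sha256" in s.get("digest", {})}
    if artefact_digest not in subjects:
        problems.append(f"artefact {artefact_digest} is not a subject of this attestation")
    predicate = statement.get("predicate", {})
    # 4. Builder: only trusted builders at or above the required SLSA level.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    level = builders.get(builder_id, 0)
    if level < policy["min_level"]:
        problems.append(f"builder {builder_id!r} is SLSA level {level}, policy needs {policy['min_level']}")
    # 5. Source: the expected repository and a release ref.
    source = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("source", {})
    if source.get("uri") != policy["source_uri"]:
        problems.append(f"source {source.get('uri')!r} is not {policy['source_uri']}")
    if not str(source.get("ref", "")).startswith(policy["ref_prefix"]):
        problems.append(f"source ref {source.get('ref')!r} is not under {policy['ref_prefix']}")
    return problems


def deploy_allowed(statement: dict, signer: dict, artefact_digest: str) -> bool:
    return not evaluate(statement, signer, artefact_digest)


def altered(obj: dict, path: Tuple[str, ...], value) -> dict:
    """Deep copy with one nested field changed, for what-if checks against the policy."""
    new = copy.deepcopy(obj)
    node = new
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return new


if __name__ == "__main__":
    print("release build:", evaluate(STATEMENT, VERIFIED_SIGNER, ARTEFACT_DIGEST) or "allowed")
    weak = altered(STATEMENT, ("predicate", "runDetails", "builder", "id"),
                   "https://builder.example.com/self-hosted-runner@v1")
    print("self-hosted build:", evaluate(weak, VERIFIED_SIGNER, ARTEFACT_DIGEST))
```

The order of the checks matters less than their completeness: a signature from a fork, a mismatched digest, a downgraded builder, and a feature-branch build each produce a distinct, loggable reason, which is what an admission controller or CD pipeline should surface instead of a bare deny.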
5 / 5
The interviewer asks: "How do you defend against dependency confusion, and how does the OSSF Scorecard help your overall posture?" Which answer best demonstrates Software Supply Chain Security Engineer expertise?
Option B is strongest because it explains the attack precisely: an attacker publishes a package on a public registry under the name of an internal package, usually with a higher version number, and a resolver that merges public and private sources installs the attacker's copy. It defends with namespace scoping, resolution through a single trusted mirroring proxy so that the internal registry is the only source, version pinning with integrity hashes, and reserving the internal names on the public registries, then uses OSSF Scorecard to measure and prioritise hardening across repositories and dependencies. Option A relies on developer vigilance, which is not a control. Option C auto-upgrades to latest, which actually increases exposure because the malicious package is usually the one with the higher version. Option D wrongly assumes popular registries prevent name collisions, the misconception at the heart of dependency-confusion attacks.
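An added example, not from the original page, of turning the controls in that answer into a CI pre-flight check: it reads a pip config, a requirements file, a `package.json` and an `.npmrc`, and flags the configurations that make dependency confusion possible (a public `extra-index-url` beside the internal index, unpinned or unhashed internal requirements, internal npm names used outside the org scope, and a scope that is not routed to the internal registry). The hostnames, package names, scope and hashes are constructed placeholders; the one non-constructed fact it relies on is that pip treats `index-url` and `extra-index-url` as a single pool and installs the highest matching version from either.

```python
import json
import re
from typing import List

INTERNAL_PROXY_HOST = "artifactory.example.com"          # the one permitted resolution point
INTERNAL_PYPI = {"acme-auth", "acme-billing"}            # constructed internal package names
INTERNAL_NPM = {"auth", "billing"}                       # must ship as @acme/<name>
NPM_SCOPE = "@acme"

# Constructed pip.conf: extra-index-url is the classic misconfiguration, because pip
# searches both indexes as one pool and installs the highest version found in either.
PIP_CONF = """\
[global]
index-url = https://artifactory.example.com/api/pypi/pypi-all/simple
extra-index-url = https://pypi.org/simple
"""
FIXED_PIP_CONF = "[global]\nindex-url = https://artifactory.example.com/api/pypi/pypi-all/simple\n"

FAKE_HASH = "--hash=sha256:" + "a" * 64                  # placeholder, not a real digest
REQUIREMENTS = f"""\
requests==2.31.0 {FAKE_HASH}   # third-party, pinned and hashed
acme-auth>=1.0                 # internal, open range and no hash
acme-billing==3.2.0            # internal, pinned but unhashed
"""

PACKAGE_JSON = json.dumps({"dependencies": {
    "billing": "^3.2.0",        # internal name used unscoped, with a range
    "@acme/auth": "1.0.0",
    "express": "4.18.2",
}})
NPMRC = "registry=https://artifactory.example.com/api/npm/npm-all/\n"
FIXED_NPMRC = NPMRC + "@acme:registry=https://artifactory.example.com/api/npm/npm-internal/\n"


def check_pip_config(text: str) -> List[str]:
    problems = []
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "extra-index-url":
            problems.append(f"extra-index-url {value} is merged with the internal index; "
                            "pip takes the highest version from either")
        if key == "index-url" and INTERNAL_PROXY_HOST not in value:
            problems.append(f"index-url {value} is not the internal proxy")
    return problems


REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S*)(.*)$")


def check_requirements(text: str, internal: set) -> List[str]:
    problems = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, as pip does
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            problems.append(f"unparseable requirement {line!r}")
            continue
        name, op, _version, rest = match.groups()
        tag = "internal" if name in internal else "third-party"
        if op != "==":
            problems.append(f"{name} ({tag}): not pinned with ==")
        if not re.search(r"--hash=sha256:[0-9a-f]{64}", rest):
            problems.append(f"{name} ({tag}): no --hash, so a substituted upload would still install")
    return problems


def check_npm(package_json: str, npmrc: str, internal: set, scope: str) -> List[str]:
    problems = []
    for name, spec in json.loads(package_json).get("dependencies", {}).items():
        pkg_scope, _, base = name.partition("/") if name.startswith("@") else ("", "", name)
        if base in internal and pkg_scope != scope:
            problems.append(f"{name}: internal package not under the {scope} scope")
        if not re.fullmatch(r"\d+\.\d+\.\d+", spec):
            problems.append(f"{name}: spec {spec!r} is a range, not an exact pin")
    routed = any(line.strip().startswith(f"{scope}:registry=") and INTERNAL_PROXY_HOST in line
                 for line in npmrc.splitlines())
    if not routed:
        problems.append(f".npmrc does not route {scope} to the internal registry")
    return problems


if __name__ == "__main__":
    for finding in (check_pip_config(PIP_CONF) + check_requirements(REQUIREMENTS, INTERNAL_PYPI)
                    + check_npm(PACKAGE_JSON, NPMRC, INTERNAL_NPM, NPM_SCOPE)):
        print("FAIL:", finding)
```

For npm the lockfile's `integrity` fields play the role of pip's `--hash`, so a real pipeline would run the same hash check over `package-lock.json`; and none of this replaces reserving the internal names on the public registries, which a script like this cannot observe and which Scorecard-style measurement would track as a separate item.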