DevSecOps Certified Foundation Exam, Exams of Technology

The DevSecOps Certified Foundation Exam provides foundational knowledge in incorporating security into the DevOps pipeline. It covers principles of security automation, secure coding practices, and compliance frameworks. This certification is ideal for those new to DevSecOps, ensuring they understand how to implement security practices in the development process to enhance overall software integrity.

Typology: Exams

2024/2025

Available from 04/14/2025

nicky-jone
DevSecOps Certified Foundation Exam
1. What is the primary focus of DevSecOps?
A) Increasing deployment speed only
B) Integrating security throughout the software lifecycle
C) Outsourcing security functions
D) Limiting collaboration between teams
Answer: B
Explanation: DevSecOps embeds security practices into every phase of development and operations
rather than treating security as an afterthought.
2. Which term best describes the concept of shifting security left in the SDLC?
A) Post-deployment security
B) Late integration
C) Shift-Left
D) Reactive security
Answer: C
Explanation: The “Shift-Left” approach emphasizes integrating security early in the development process
to identify issues sooner.
3. DevSecOps is an evolution of which traditional practice?
A) ITIL
B) DevOps
C) Agile
D) Waterfall
Answer: B
Explanation: DevSecOps evolved from DevOps by adding integrated security practices throughout the
pipeline.
4. Which of the following best describes “security as code”?
A) Manual security testing
B) Embedding security controls into automated scripts and configuration files
C) Relying solely on human review for security checks
D) Using only traditional antivirus software
Answer: B
Explanation: “Security as code” refers to codifying security policies and controls, making them
automated and repeatable in pipelines.
5. What is a key business driver for adopting DevSecOps?
A) Slower release cycles
B) Increased manual testing
C) Reduced risk and improved security posture
D) Isolated IT operations
Answer: C
Explanation: Organizations adopt DevSecOps to reduce risk by ensuring security is continuously
integrated, thus improving overall security.

6. In a DevSecOps environment, which stakeholder is primarily responsible for embedding security practices into code?
A) Marketing teams
B) Developers
C) Human Resources
D) Sales representatives
Answer: B
Explanation: Developers play a key role in integrating secure coding practices and using automated security tools.
7. Which term describes the continuous feedback cycle in DevSecOps pipelines?
A) One-off audits
B) Feedback loops
C) Static evaluation
D) End-of-line reviews
Answer: B
Explanation: Continuous feedback loops ensure that security assessments and improvements are made at every stage.
8. How does DevSecOps differ from traditional security practices?
A) It relies exclusively on manual reviews
B) It delays security checks until after deployment
C) It automates security within the CI/CD pipeline
D) It does not involve developers
Answer: C
Explanation: DevSecOps integrates automated security checks into the CI/CD pipeline for early detection of vulnerabilities.
9. Which of the following is a benefit of integrating security into the CI/CD pipeline?
A) Reduced speed of delivery
B) Improved security posture with faster remediation
C) Increased manual oversight
D) Greater separation of teams
Answer: B
Explanation: Integrating security early allows for faster identification and remediation of vulnerabilities, enhancing security posture.
10. What is the role of continuous integration in DevSecOps?
A) To slow down the development process
B) To enable frequent, automated testing including security checks
C) To replace all manual testing
D) To eliminate the need for code reviews
Answer: B
Explanation: Continuous integration in DevSecOps includes automated security testing along with functional testing.

C) Security unit testing during development
D) External audits only
Answer: C
Explanation: Security unit testing integrated during development helps catch vulnerabilities early in the SDLC.

17. What is the significance of secrets management in DevSecOps?
A) It stores user data in plaintext
B) It ensures sensitive information is securely stored and accessed
C) It creates public repositories for passwords
D) It delays the deployment process
Answer: B
Explanation: Secrets management tools securely store sensitive data like passwords and API keys, ensuring they are not exposed.
18. Which cloud service is commonly used for secrets management?
A) AWS Secrets Manager
B) Google Docs
C) Dropbox
D) FTP servers
Answer: A
Explanation: AWS Secrets Manager is widely used to securely manage and rotate secrets in cloud environments.
19. What does IaC stand for in DevSecOps practices?
A) Infrastructure as Code
B) Integration and Analysis Code
C) International Application Control
D) Immediate and Continuous
Answer: A
Explanation: Infrastructure as Code (IaC) allows teams to manage and provision infrastructure through code, ensuring consistency and security.
20. Which tool is often used for IaC scanning?
A) GitLeaks
B) Checkov
C) Burp Suite
D) Fortify
Answer: B
Explanation: Checkov is a popular tool for scanning IaC templates to identify security misconfigurations.
21. What is the primary purpose of container security tools like Aqua?
A) To develop containerized applications
B) To monitor and secure container environments
C) To replace container orchestration
D) To manage source code repositories
Answer: B
Explanation: Container security tools such as Aqua provide monitoring, vulnerability scanning, and runtime protection for containerized applications.

22. Which of the following best defines “policy-as-code”?
A) Policies stored in physical files
B) Automated enforcement of policies through code
C) Verbal instructions during meetings
D) Manual policy review processes
Answer: B
Explanation: Policy-as-code involves writing security policies in code format so they can be automatically enforced throughout the pipeline.
23. What is the purpose of regulatory compliance frameworks like PCI-DSS in DevSecOps?
A) To increase deployment frequency
B) To ensure that security practices meet legal and industry standards
C) To reduce collaboration between teams
D) To delay security testing
Answer: B
Explanation: Regulatory frameworks such as PCI-DSS provide guidelines that ensure security practices are compliant with legal and industry standards.
24. Which concept describes aligning security testing with every code change in DevSecOps?
A) Batch testing
B) Continuous security
C) Annual audits
D) End-of-cycle reviews
Answer: B
Explanation: Continuous security means integrating security testing into every stage of the development process to catch issues early.
25. What does the term “artifact management” refer to in CI/CD pipelines?
A) Managing physical hardware
B) Storing and controlling build outputs and dependencies
C) Documenting meeting minutes
D) Manual code compilation
Answer: B
Explanation: Artifact management involves handling build outputs and dependencies securely to ensure they are not tampered with.
26. Which practice is crucial for secure deployment in a DevSecOps pipeline?
A) Using shared credentials
B) Automated rollback strategies
C) Disabling logging
D) Ignoring security alerts
Answer: B
Explanation: Secure deployment requires strategies such as automated rollbacks to quickly revert changes if a security issue is detected.

32. Which of the following threat modeling techniques uses a mnemonic to remember different threat types?
A) SWOT
B) STRIDE
C) DREAD
D) PESTLE
Answer: B
Explanation: STRIDE is a mnemonic that stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
33. What is the main goal of vulnerability assessment in DevSecOps?
A) To improve user interface design
B) To identify and remediate security weaknesses
C) To increase code complexity
D) To slow down deployments
Answer: B
Explanation: Vulnerability assessments aim to uncover security weaknesses so that they can be fixed before they are exploited.
34. Which of the following tools is commonly used for DAST?
A) Checkmarx
B) OWASP ZAP
C) SonarQube
D) tfsec
Answer: B
Explanation: OWASP ZAP is a widely used Dynamic Application Security Testing tool that tests applications in their running state.
35. What is the importance of automated security testing in CI/CD pipelines?
A) It delays deployments
B) It ensures security checks are consistently applied to every build
C) It replaces all human oversight
D) It increases manual interventions
Answer: B
Explanation: Automated testing helps consistently enforce security standards by integrating checks into every build cycle.
36. Which tool is typically used for SAST among the following?
A) Burp Suite
B) Fortify
C) Anchore
D) CloudSploit
Answer: B
Explanation: Fortify is a well-known Static Application Security Testing tool that analyzes source code for vulnerabilities.

37. In DevSecOps, what is meant by “blameless postmortems”?
A) Assigning blame to a single developer after an incident
B) Analyzing failures without blaming individuals to foster learning and improvement
C) Ignoring errors to avoid conflict
D) Conducting audits without documentation
Answer: B
Explanation: Blameless postmortems focus on understanding incidents and learning from them without targeting individuals, which is key for continuous improvement.
38. How do automated security tools benefit DevSecOps processes?
A) By eliminating the need for any manual testing
B) By providing rapid feedback and consistent enforcement of security policies
C) By increasing the overall cost of development
D) By isolating security teams from developers
Answer: B
Explanation: Automation ensures that security tests run quickly and consistently, enabling faster feedback and remediation.
39. Which of the following best describes “security gates” in a CI/CD pipeline?
A) Manual checkpoints that slow down deployment
B) Automated checks that must be passed before progressing to the next stage
C) Firewalls installed in production servers
D) Final manual reviews only after deployment
Answer: B
Explanation: Security gates are automated checkpoints within the pipeline that validate security standards before code can progress.
40. What is the primary goal of threat intelligence in DevSecOps?
A) To create marketing materials
B) To collect and analyze data about potential security threats
C) To replace vulnerability scanning
D) To increase manual code reviews
Answer: B
Explanation: Threat intelligence involves gathering and analyzing data on emerging threats, helping teams proactively adjust their security measures.
41. Which vulnerability scoring system is commonly used in DevSecOps?
A) DREAD
B) CVSS
C) SWOT
D) PESTLE
Answer: B
Explanation: The Common Vulnerability Scoring System (CVSS) provides standardized metrics to assess the severity of vulnerabilities.
42. What does the “continuous” in continuous integration/delivery imply?
A) Only running tests once per month

D) It eliminates the need for security tools
Answer: B
Explanation: Zero trust requires that every access request is continuously verified, which complements the continuous security approach of DevSecOps.
48. What is the significance of a Software Bill of Materials (SBOM) in DevSecOps?
A) It lists all the code comments in an application
B) It provides a detailed inventory of all components and dependencies
C) It is used solely for budgeting purposes
D) It replaces all vulnerability assessments
Answer: B
Explanation: An SBOM helps teams track and manage all software components, which is critical for identifying and mitigating supply chain vulnerabilities.
49. Which of the following is an example of an IaC scanning tool?
A) tfsec
B) Anchore
C) SonarQube
D) OWASP ZAP
Answer: A
Explanation: tfsec is designed to scan Infrastructure as Code templates to detect misconfigurations and security risks.
50. What is the primary benefit of using automated secrets detection tools like GitLeaks?
A) They publicly expose credentials
B) They help detect and prevent sensitive data from being committed to code repositories
C) They slow down the development process
D) They are used for performance testing
Answer: B
Explanation: Automated secrets detection tools scan code repositories to ensure that sensitive information isn’t inadvertently exposed.
51. Which of the following best describes “continuous improvement” in DevSecOps?
A) A one-time audit after deployment
B) A repetitive cycle of monitoring, feedback, and iterative enhancements
C) Ignoring past incidents
D) Relying on legacy systems
Answer: B
Explanation: Continuous improvement involves regularly reviewing processes and implementing changes to enhance security and efficiency.
52. What is the key difference between DevOps and DevSecOps?
A) DevOps focuses on speed while DevSecOps integrates security from the start
B) DevSecOps eliminates automation
C) DevOps has more regulatory requirements
D) DevSecOps delays releases for manual checks
Answer: A
Explanation: DevSecOps builds on DevOps by embedding security practices into every phase of development, rather than addressing security at the end.
53. Which technique is used to prioritize vulnerabilities based on risk?
A) Random sampling
B) Risk assessment and prioritization
C) Ignoring low-impact issues
D) Manual testing only
Answer: B
Explanation: Risk assessment helps teams prioritize vulnerabilities based on potential impact and likelihood, enabling more efficient remediation.
54. Which tool category does Snyk belong to?
A) SAST
B) SCA
C) DAST
D) IaC scanning
Answer: B
Explanation: Snyk is a Software Composition Analysis tool that scans open-source libraries and dependencies for known vulnerabilities.
55. How does threat intelligence improve the DevSecOps process?
A) By providing outdated vulnerability data
B) By offering insights on emerging threats and attack trends
C) By eliminating the need for continuous monitoring
D) By slowing down decision-making
Answer: B
Explanation: Threat intelligence provides current data on emerging threats, allowing teams to proactively adapt their defenses.
56. What is one of the primary goals of incorporating compliance-as-code in DevSecOps?
A) To ignore regulatory requirements
B) To automate compliance checks and reduce manual audits
C) To delay the release process
D) To rely solely on external auditors
Answer: B
Explanation: Compliance-as-code automates the enforcement of regulatory standards, ensuring continuous compliance without heavy manual intervention.
57. In a DevSecOps culture, who should be responsible for security?
A) Only the security team
B) Everyone involved in the software delivery lifecycle
C) Only management
D) External contractors only
Answer: B
Explanation: DevSecOps promotes a culture where all team members—from developers to operations—share responsibility for security.

B) To provide a documented record of security-related activities for compliance and forensic purposes
C) To replace automated testing
D) To ensure manual reviews are skipped
Answer: B
Explanation: Auditing and traceability offer a comprehensive log of security events and changes, which is essential for compliance and incident investigation.
64. Which aspect of DevSecOps is enhanced by integrating automated feedback loops?
A) Delayed issue resolution
B) Faster identification and remediation of security vulnerabilities
C) Increased manual intervention
D) Reduced automation
Answer: B
Explanation: Automated feedback loops provide immediate insights into security issues, enabling teams to respond quickly and improve overall security posture.
65. What does “shift-left” in security imply for the SDLC?
A) Testing security after deployment
B) Integrating security measures early in the development cycle
C) Ignoring early development security
D) Delaying security considerations until the end
Answer: B
Explanation: “Shift-left” means that security is incorporated at the very beginning of the software development process rather than being an afterthought.
66. Which tool is primarily used for container vulnerability scanning?
A) Checkmarx
B) Anchore
C) Fortify
D) SonarQube
Answer: B
Explanation: Anchore is a tool that specifically scans container images for vulnerabilities and configuration issues.
67. Which metric is important for assessing the speed of vulnerability remediation?
A) Code coverage percentage
B) Mean Time to Remediate (MTTR)
C) Deployment frequency
D) Number of features released
Answer: B
Explanation: MTTR measures the average time taken to resolve vulnerabilities, reflecting the efficiency of the remediation process.
68. What is the purpose of using automated scripts in pipeline automation?
A) To manually trigger tests
B) To streamline and standardize repetitive tasks, including security checks
C) To slow down deployments
D) To replace the need for any testing
Answer: B
Explanation: Automated scripts help ensure consistency and efficiency by performing routine tasks automatically, including security verifications.
69. How does DevSecOps help in reducing security risks?
A) By deferring security checks until after deployment
B) By integrating security controls into every stage of the development lifecycle
C) By focusing solely on performance
D) By ignoring code quality
Answer: B
Explanation: Continuous integration of security measures throughout the lifecycle minimizes the risk of vulnerabilities being deployed.
70. Which of the following best describes “security maturity models”?
A) Models that measure the age of the software
B) Frameworks that assess and guide the improvement of an organization’s security posture
C) Models used only in manufacturing
D) A way to evaluate team size
Answer: B
Explanation: Security maturity models help organizations gauge their current security practices and plan for progressive improvements.
71. What is one key advantage of embedding governance into DevSecOps pipelines?
A) It slows down innovation
B) It ensures consistent enforcement of security policies and regulatory requirements
C) It eliminates the need for documentation
D) It reduces developer collaboration
Answer: B
Explanation: Embedding governance helps automate policy enforcement, ensuring that security standards and regulations are consistently met.
72. Which of the following is a common challenge when integrating security into CI/CD pipelines?
A) Too much manual testing
B) Balancing speed with thorough security assessments
C) Over-reliance on manual processes
D) Excessive collaboration
Answer: B
Explanation: One common challenge is maintaining rapid development cycles while also ensuring that comprehensive security checks are performed.
73. What is the role of automated artifact signing in securing a CI/CD pipeline?
A) It encrypts source code
B) It verifies that build artifacts have not been tampered with
C) It removes all logging
D) It delays the build process
Answer: B

Explanation: Aligning security with CI/CD pipelines automates many security processes, reducing the chance for errors and speeding up overall deployment cycles.
79. Which factor is most important when selecting a DevSecOps toolchain?
A) High cost with minimal support
B) Ease of integration, automation capability, and scalability
C) Limited functionality
D) Lack of community support
Answer: B
Explanation: An effective toolchain should integrate seamlessly, support automation, and scale with the organization’s needs.
80. What is one of the challenges associated with secrets management?
A) Ensuring credentials are stored in plaintext
B) Protecting sensitive information from accidental exposure in code repositories
C) Increasing deployment times
D) Overcomplicating user interfaces
Answer: B
Explanation: Secrets management focuses on safeguarding sensitive data like API keys and passwords from being exposed in code.
81. Which DevSecOps practice helps to prevent security misconfigurations in infrastructure?
A) Manual server setups
B) Infrastructure as Code (IaC) with automated scanning
C) Ignoring configuration drift
D) Ad hoc network changes
Answer: B
Explanation: IaC combined with automated scanning ensures that infrastructure configurations remain secure and consistent.
82. What is the benefit of using blameless postmortems after a security incident?
A) To assign individual blame
B) To learn from incidents without fear of retribution, thereby improving processes
C) To ignore the root causes
D) To delay future deployments
Answer: B
Explanation: Blameless postmortems foster a culture of continuous improvement by focusing on lessons learned rather than assigning blame.
83. How does integrating regulatory audits into the DevSecOps process help organizations?
A) It complicates deployments without added benefit
B) It ensures that security practices meet compliance requirements continuously
C) It removes the need for documentation
D) It delays security updates
Answer: B
Explanation: Continuous integration of compliance checks ensures that the organization remains audit-ready and meets regulatory standards.

84. Which practice is key for building a collaborative security culture in DevSecOps?
A) Isolating security teams from developers
B) Encouraging cross-functional training and shared responsibility
C) Mandating strict hierarchies
D) Relying only on external consultants
Answer: B
Explanation: Cross-functional training and shared responsibilities help break down silos and foster a collaborative security culture.
85. What role does leadership play in a successful DevSecOps transformation?
A) They only focus on profits
B) They set the vision, allocate resources, and support cultural change
C) They avoid engaging with development teams
D) They mandate top-down control without feedback
Answer: B
Explanation: Leadership is critical in driving the change, providing direction, and supporting the necessary cultural and process adjustments.
86. How does the use of AI/ML enhance security automation in DevSecOps?
A) By slowing down security responses
B) By analyzing vast datasets to identify patterns and anomalies indicative of security threats
C) By eliminating the need for human oversight
D) By focusing solely on manual processes
Answer: B
Explanation: AI/ML can process large amounts of data quickly, flagging unusual patterns that may signal security threats.
87. Which emerging trend is focused on testing the resilience of security controls under unpredictable conditions?
A) Static security testing
B) Chaos engineering
C) Manual vulnerability scanning
D) Routine compliance audits
Answer: B
Explanation: Chaos engineering involves intentionally introducing failures to test the resilience and effectiveness of security controls.
88. What does “serverless security” primarily focus on?
A) Securing dedicated hardware only
B) Protecting functions and services in a serverless computing model
C) Managing physical servers
D) Eliminating network security
Answer: B
Explanation: Serverless security targets the unique challenges of securing functions and services when infrastructure management is abstracted.

B) Automatically identifying sensitive information embedded in code repositories
C) Ignoring potential data leaks
D) Encrypting all repository files without review
Answer: B
Explanation: Secrets detection tools scan code to find hardcoded sensitive data such as passwords and API keys, preventing data breaches.
95. What is the primary focus of secure deployment practices?
A) Skipping security validations
B) Ensuring that software is deployed with all security controls in place
C) Relying solely on post-deployment monitoring
D) Outsourcing deployment to third parties
Answer: B
Explanation: Secure deployment ensures that the software is released with all necessary security measures to protect it in production.
96. Which tool is primarily used for static analysis of source code for vulnerabilities?
A) Burp Suite
B) SonarQube
C) Anchore
D) GitLeaks
Answer: B
Explanation: SonarQube is widely used for static code analysis to detect vulnerabilities before the code is executed.
97. What is one benefit of container security in DevSecOps?
A) It slows down the development process
B) It provides isolation and reduces the attack surface for applications
C) It removes the need for network segmentation
D) It only applies to monolithic applications
Answer: B
Explanation: Container security isolates applications from each other, reducing potential attack vectors.
98. How do automated security tools contribute to feedback loops?
A) By providing delayed reports
B) By continuously testing and reporting security issues for immediate remediation
C) By eliminating the need for any feedback
D) By creating manual audit logs
Answer: B
Explanation: Automated tools generate constant feedback on security posture, enabling teams to address issues rapidly.
99. What is the significance of artifact management and signing in ensuring supply chain security?
A) It increases the risk of tampered builds
B) It verifies that software components are genuine and unaltered
C) It delays software delivery
D) It focuses solely on licensing compliance
Answer: B
Explanation: Artifact signing ensures that build outputs have not been tampered with, thereby securing the supply chain from malicious modifications.
100. Which of the following best describes the role of feedback loops in DevSecOps?
A) They are used only after a security breach
B) They provide continuous, automated feedback on security performance throughout the development cycle
C) They delay the development process
D) They replace all manual testing
Answer: B
Explanation: Continuous feedback loops enable immediate detection and correction of security issues, fostering a proactive security environment.
101. What is the main purpose of integrating security into every phase of the SDLC in DevSecOps?
A) To increase complexity
B) To detect vulnerabilities early and reduce remediation costs
C) To slow down delivery cycles
D) To limit team collaboration
Answer: B
Explanation: Early integration of security practices minimizes vulnerabilities and reduces the cost and impact of remediation later in the cycle.
102. Which of the following best describes “continuous delivery” in a DevSecOps context?
A) Manual release processes
B) Automated deployment of code changes to production with integrated security checks
C) Annual software releases
D) Delayed deployment cycles
Answer: B
Explanation: Continuous delivery automates the deployment process, ensuring that security validations are part of every release.
103. How does secure requirements gathering benefit the SDLC?
A) By eliminating security from early discussions
B) By identifying potential security issues during the planning phase
C) By focusing solely on functional requirements
D) By delaying threat modeling
Answer: B
Explanation: Secure requirements gathering helps identify security needs and constraints early, shaping design and implementation accordingly.
104. Which of the following describes the importance of threat modeling in secure architecture design?
A) It is irrelevant to security
B) It proactively identifies potential vulnerabilities and informs design decisions
C) It is only used after a breach occurs
D) It replaces automated testing