DevSecOps Foundation Practice Exam, Exams of Technology

A foundational assessment covering the integration of security practices into DevOps pipelines. It focuses on secure coding, automated scanning, compliance-as-code, shift-left testing, threat modeling, container security, and security automation tools. Perfect for candidates aiming to embed security throughout the SDLC.

Typology: Exams

2025/2026

Available from 01/09/2026

shilpi-jain-1
DevSecOps Foundation Practice Exam
**Question 1. What does the “C” in CALMS represent?** A) Collaboration B) Culture C) Compliance D) Continuity
Answer: B
Explanation: CALMS starts with Culture.
**Question 2. Which DevOps “Way” focuses on rapid feedback?** A) First Way B) Second Way C) Third Way D) Fourth Way
Answer: B
Explanation: The Second Way emphasizes feedback loops.
**Question 3. In DevSecOps, “shifting left” means moving security to which phase?** A) Deployment B) Planning C) Development D) Monitoring
Answer: C
Explanation: Security is embedded early in development.
**Question 4. Which OWASP Top Ten category deals with broken authentication?** A) A01 B) A02 C) A03 D) A04
Answer: A
Explanation: A01 is Broken Access Control (formerly Authentication).
**Question 5. What is the primary goal of continuous compliance?** A) Automate audits B) Reduce costs C) Speed releases D) Increase features
Answer: A
Explanation: Continuous compliance automates audit checks.
**Question 6. Which metric measures the time to detect a security incident?** A) MTTR B) MTTD C) MTTC D) MTBF
Answer: B

Explanation: MTTD = Mean Time To Detect.
**Question 7. Which practice is an example of “Security as Code”?** A) Manual pen-test B) Policy as Code C) Hard-coded passwords D) Static network diagrams
Answer: B
Explanation: Policies written in version-controlled code.
**Question 8. What does SCA stand for in application security testing?** A) Static Code Analysis B) Software Composition Analysis C) Secure Container Audit D) Service Configuration Assessment
Answer: B
Explanation: SCA scans open-source components.
**Question 9. Which cloud-native platform is commonly secured with runtime policies?** A) Docker B) Kubernetes C) VMware D) Hyper-V
Answer: B
Explanation: Kubernetes uses runtime admission controls.
**Question 10. In the Three Ways, “continuous learning” is associated with which way?** A) First Way B) Second Way C) Third Way D) Fourth Way
Answer: C
Explanation: The Third Way promotes a learning culture.
**Question 11. Which of the following is a “threat agent”?** A) CI pipeline B) Insider C) Dockerfile D) Service Level Agreement
Answer: B
Explanation: Insiders can be threat agents.

Explanation: Static Application Security Testing.
**Question 18. What does “policy as code” enable?** A) Manual reviews B) Version control C) Hard-coded values D) Paper-based approvals
Answer: B
Explanation: Policies become versioned artifacts.
**Question 19. Which DevSecOps principle aligns security with business value?** A) Automation B) Culture C) Measurement D) Sharing
Answer: C
Explanation: Measurement ties security to outcomes.
**Question 20. Which role typically owns the “definition of done” for security?** A) Product Owner B) Security Engineer C) Scrum Master D) QA Analyst
Answer: B
Explanation: Security engineers define security completion criteria.
**Question 21. Which term describes a “checkbox trap”?** A) Over-automation B) Compliance without security C) Continuous delivery D) Rapid scaling
Answer: B
Explanation: Checking boxes without real security.
**Question 22. What is the main benefit of “value-stream thinking” for security?** A) Reduce documentation B) Optimize flow of work C) Increase team size D) Decrease code reviews
Answer: B
Explanation: It streamlines security through the pipeline.

**Question 23. Which of these is a “runtime” security control?** A) SAST B) Container scanning C) Host-based IDS D) Code linting
Answer: C
Explanation: IDS monitors behavior at runtime.
**Question 24. Which governance model emphasizes self-organization and consent?** A) Westrum B) LaLoux C) Holacracy D) Waterfall
Answer: C
Explanation: Holacracy uses distributed authority.
**Question 25. What does “MTTC” measure?** A) Time to change code B) Time to compile C) Time to certify D) Time to test
Answer: A
Explanation: Mean Time To Change.
**Question 26. Which of the following is NOT a typical DevSecOps stakeholder?** A) Developer B) Security Analyst C) Marketing Manager D) Operations Engineer
Answer: C
Explanation: Marketing is not directly involved in pipeline security.
**Question 27. Which tool category helps manage secrets?** A) SAST B) SCM C) Secret Management D) CI Server
Answer: C
Explanation: Secret managers store credentials securely.
**Question 28. Which of these is a “lean” practice?** A) Large batch releases B) Continuous flow C) Fixed schedules D) Manual approvals
Answer: B

**Question 34. In the CALMS framework, “Sharing” primarily refers to:** A) Open-source code B) Knowledge exchange C) License management D) Resource pooling
Answer: B
Explanation: Sharing promotes collaboration and learning.
**Question 35. Which metric helps evaluate the effectiveness of security gates?** A) Number of commits B) Gate pass rate C) Lines of code D) Sprint velocity
Answer: B
Explanation: Gate pass rate shows compliance.
**Question 36. Which of the following is a “threat intelligence” source?** A) Internal logs B) Weather forecast C) Social media trends D) Stock market data
Answer: A
Explanation: Logs provide actionable threat data.
**Question 37. Which practice reduces “technical debt” related to security?** A) Deferring fixes B) Incremental remediation C) Ignoring warnings D) Post-release patches only
Answer: B
Explanation: Incremental fixes keep debt low.
**Question 38. What is a primary characteristic of a “high-velocity” environment?** A) Long release cycles B) Slow feedback C) Frequent deployments D) Manual testing only
Answer: C
Explanation: High-velocity means many releases.
**Question 39. Which of these is a core component of “Security by Design”?** A) Retroactive patches B) Early threat modeling C) After-the-fact audits D) Post-deployment scanning
Answer: B

Explanation: Designing with threats in mind from the start.
**Question 40. Which of the following best defines “risk tolerance”?** A) Maximum budget B) Acceptable level of risk C) Number of users D) Size of the team
Answer: B
Explanation: Tolerance is what risk an organization can accept.
**Question 41. Which of these is a typical output of a “static analysis” tool?** A) Network diagram B) Vulnerability report C) Performance benchmark D) User story
Answer: B
Explanation: Static tools generate vulnerability findings.
**Question 42. Which governance model focuses on cultural safety?** A) Westrum B) LaLoux C) ITIL D) Prince
Answer: A
Explanation: Westrum classifies safety cultures.
**Question 43. What does “CI” stand for in CI/CD pipelines?** A) Continuous Integration B) Code Inspection C) Cloud Infrastructure D) Configuration Interface
Answer: A
Explanation: CI merges code continuously.
**Question 44. Which of the following is a “continuous compliance” tool category?** A) Static analysis B) Policy as Code C) Manual audit D) Spreadsheet tracking
Answer: B
Explanation: Policies as code enable continuous checks.

Explanation: Test results give immediate feedback.
**Question 51. Which of these is a primary purpose of “logging” in production?** A) Increase latency B) Provide audit trail C) Reduce storage D) Hide errors
Answer: B
Explanation: Logs create an audit trail.
**Question 52. Which of the following is an example of “continuous monitoring”?** A) Weekly manual scans B) Real-time alerting C) Annual security audit D) Manual log review
Answer: B
Explanation: Real-time alerts monitor continuously.
**Question 53. Which of these is a “lean” metric?** A) Cycle time B) Number of developers C) Lines of code D) Budget variance
Answer: A
Explanation: Cycle time measures flow efficiency.
**Question 54. Which of the following best describes “automation fatigue”?** A) Over-reliance on scripts B) Exhaustion from too many alerts C) Lack of automation D) Manual processes only
Answer: B
Explanation: Too many alerts cause fatigue.
**Question 55. Which of these is a primary benefit of a “security champions” program?** A) Reduce headcount B) Centralize all security tasks C) Embed security knowledge D) Replace security team
Answer: C
Explanation: Champions spread security expertise.

**Question 56. Which of the following is a “service mesh” security feature?** A) Load balancing B) Mutual TLS C) Database indexing D) Static IP allocation
Answer: B
Explanation: Service mesh can enforce mTLS.
**Question 57. Which of these is a key component of the “incident response” lifecycle?** A) Development sprint B) Containment C) Marketing plan D) UI redesign
Answer: B
Explanation: Containment limits damage.
**Question 58. Which of these is an example of “continuous delivery” output?** A) Manual release notes B) Automated artifact promotion C) Hand-crafted installer D) Yearly patch
Answer: B
Explanation: Artifacts are promoted automatically.
**Question 59. Which of the following is a common “threat vector” for web apps?** A) SQL injection B) Power outage C) Physical theft D) Water damage
Answer: A
Explanation: SQL injection attacks web inputs.
**Question 60. Which of these tools is typically used for SCA?** A) SonarQube B) OWASP ZAP C) Black Duck D) JUnit
Answer: C
Explanation: Black Duck scans open-source components.
**Question 61. Which of the following is a “security control” at the network layer?** A) Input validation B) Firewall C) Code review D) Unit test
Answer: B

**Question 67. Which of the following is a “feedback” loop from production to development?** A) Sprint planning B) Production alert tickets C) Design mockups D) Budget approval
Answer: B
Explanation: Alerts feed back to developers.
**Question 68. Which of these is an example of “infrastructure as code”?** A) Manual server install B) Terraform scripts C) Hand-written diagrams D) Spreadsheet inventory
Answer: B
Explanation: Terraform defines infrastructure declaratively.
**Question 69. Which of the following best describes “risk management” in DevSecOps?** A) Ignoring low-severity bugs B) Prioritizing remediation based on impact C) Fixing all issues immediately D) Outsourcing security
Answer: B
Explanation: Impact-based prioritization manages risk.
**Question 70. Which of these is a “continuous compliance” check?** A) Quarterly audit B) Real-time policy enforcement C) Annual report D) Manual checklist
Answer: B
Explanation: Real-time enforcement keeps compliance continuous.
**Question 71. Which of the following is a “security hygiene” practice for developers?** A) Storing passwords in code B) Using secret managers C) Disabling logging D) Hard-coding API keys
Answer: B
Explanation: Secret managers protect credentials.

**Question 72. Which of these is a typical “DevSecOps KPI”?** A) Number of coffee cups B) Mean Time To Detect C) Number of office plants D) Length of meetings
Answer: B
Explanation: MTTD measures detection speed.
**Question 73. Which of the following is a “continuous delivery” prerequisite?** A) Manual approvals B) Automated testing C) Paper contracts D) Fixed release dates
Answer: B
Explanation: Automated tests ensure safe releases.
**Question 74. Which of these is a “runtime” security tool for containers?** A) Dockerfile linter B) Falco C) Maven D) ESLint
Answer: B
Explanation: Falco monitors container behavior.
**Question 75. Which of the following is a “lean” principle applied to security?** A) Build big batches B) Eliminate waste C) Increase handoffs D) Delay feedback
Answer: B
Explanation: Lean seeks waste reduction.
**Question 76. Which of these is an “identity federation” benefit?** A) Centralized passwords B) Single sign-on across domains C) Manual token exchange D) Increased password rotation
Answer: B
Explanation: Federation enables SSO.
**Question 77. Which of the following is a “security metric” for code quality?** A) Lines of code B) Number of open tickets C) Vulnerabilities per KLOC D) Sprint velocity
Answer: C

**Question 83. Which of the following is a “continuous improvement” practice?** A) One-time training B) Retrospective analysis C) Fixed process D) No post-mortems
Answer: B
Explanation: Retrospectives drive improvement.
**Question 84. Which of these is a “runtime” security concern for serverless functions?** A) Function size B) Cold start latency C) Over-privileged IAM role D) Naming convention
Answer: C
Explanation: Excessive permissions affect runtime security.
**Question 85. Which of the following best describes the “DevSecOps state of mind”?** A) Security as an afterthought B) Security as a shared responsibility C) Security as a separate team D) Security as a blocker
Answer: B
Explanation: Shared responsibility is the core mindset.
**Question 86. Which of these is a “continuous compliance” reporting format?** A) PDF audit report B) Dashboard with real-time status C) Hand-written notes D) PowerPoint slide deck
Answer: B
Explanation: Dashboards provide a live compliance view.
**Question 87. Which of the following is a “risk-based” approach to patching?** A) Patch everything immediately B) Patch based on severity and exposure C) Patch only after breach D) Never patch
Answer: B
Explanation: Prioritize patches by risk.

**Question 88. Which of these is a “feedback” loop from security tools to developers?** A) Quarterly newsletter B) Automated issue creation in tracker C) Annual training session D) Manual email summary
Answer: B
Explanation: Auto-created issues give direct feedback.
**Question 89. Which of the following is a “lean” waste to eliminate in security pipelines?** A) Parallel testing B) Redundant scans C) Automated builds D) Immediate feedback
Answer: B
Explanation: Duplicate scans waste time.
**Question 90. Which of these is a “continuous delivery” principle?** A) Manual release approval B) Deploy to production only after long testing C) Automated, repeatable deployments D) Fixed release dates only
Answer: C
Explanation: Automation enables continuous delivery.
**Question 91. Which of the following is a “security automation” opportunity in IaC?** A) Manual server patching B) Scanning Terraform files for secrets C) Hand-written network diagrams D) Physical cabinet lock checks
Answer: B
Explanation: IaC scanning can be automated.
**Question 92. Which of these is a “runtime” security metric?** A) Number of code commits B) Average container runtime C) Number of security incidents in production D) Lines of documentation
Answer: C
Explanation: Incidents in production reflect runtime security.

**Question 98. Which of these is a “continuous monitoring” tool category?** A) Static analysis B) SIEM C) Spreadsheet D) Manual checklist
Answer: B
Explanation: SIEM aggregates logs for monitoring.
**Question 99. Which of the following is a “security gate” for container images?** A) Image size limit B) Vulnerability scan C) Image naming convention D) Build duration
Answer: B
Explanation: Scanning images blocks vulnerable builds.
**Question 100. Which of these is a “feedback” loop from production incidents?** A) Post-mortem documentation B) Quarterly budget review C) Marketing campaign D) Office party planning
Answer: A
Explanation: Post-mortems feed lessons back to dev.
**Question 101. Which of the following is a “lean” metric for security work?** A) Cycle time for vulnerability remediation B) Number of coffee cups consumed C) Length of meetings D) Office temperature
Answer: A
Explanation: Faster remediation reduces cycle time.
**Question 102. Which of these is a “policy as code” enforcement point?** A) Manual checklist B) Automated pull-request gate C) Hand-written policy D) Email approval flow
Answer: B
Explanation: PR gate automatically enforces policies.

**Question 103. Which of the following is a “runtime” security tool for serverless?** A) CloudTrail B) AWS Config C) Open Policy Agent (OPA) D) IAM console
Answer: C
Explanation: OPA can enforce policies at runtime.
**Question 104. Which of these is a “security outcome” metric?** A) Number of new features B) Mean Time To Respond to alerts C) Office décor D) Number of holidays taken
Answer: B
Explanation: MTTR measures response effectiveness.
**Question 105. Which of the following is a “continuous delivery” benefit?** A) Longer release cycles B) Faster feedback C) Increased manual steps D) Higher cost
Answer: B
Explanation: Faster feedback accelerates improvement.
**Question 106. Which of these is a “security automation” candidate for PR checks?** A) Code style linting B) Secret detection C) UI color palette D) Documentation spelling
Answer: B
Explanation: Secret detection can be automated.
**Question 107. Which of the following is a “feedback” loop from security scanning to developers?** A) Weekly report B) Inline code comments C) Annual meeting D) Company newsletter
Answer: B
Explanation: Inline comments give immediate guidance.