An advanced-level exam simulation emphasizing real-world secure DevOps implementations. Topics include pipeline hardening, vulnerability management, governance, advanced security automation, secrets management, and security risk scoring. Scenario-based questions mirror enterprise security challenges across cloud-native platforms.
Typology: Exams
Question 1. Which of the following best describes the primary business driver for adopting DevSecOps?
A) Reducing server costs
B) Faster time-to-market for secure code
C) Increasing number of releases per day
D) Centralizing all security decisions
Answer: B
Explanation: The chief business driver is delivering functional, secure software quickly, which reduces risk and improves market competitiveness.

Question 2. In the First Way of DevSecOps, what is the most important security-related practice?
A) Automating security testing in the CI pipeline
B) Conducting quarterly security audits
C) Implementing a manual code review process
D) Isolating security teams from developers
Answer: A
Explanation: The First Way emphasizes flow; embedding automated security tests early ensures security moves with the code through the pipeline.

Question 3. Which metric directly measures how quickly a security incident is identified?
A) MTTR (Mean Time To Recover)
B) MTTC (Mean Time To Contain)
C) MTTD (Mean Time To Detect)
D) Deployment Frequency
Answer: C
Explanation: MTTD captures the interval between the occurrence of a security event and its detection.

Question 4. Which DORA metric, when correlated with security, indicates the effectiveness of rapid remediation?
A) Lead Time for Changes
B) Change Failure Rate
C) Time to Restore Service
D) Deployment Frequency
Answer: B
Explanation: A lower Change Failure Rate often reflects that security issues are being caught and fixed before they cause failures.

Question 5. Zero Trust architecture primarily enforces which principle?
A) All internal traffic is trusted by default
B) Least privilege access for every request
C) Unlimited network segmentation
D) Centralized logging only
Answer: B
Explanation: Zero Trust assumes no implicit trust and enforces least-privilege checks on every access request.

Question 6. In threat modeling, the STRIDE acronym does NOT include which element?

Explanation: NetworkPolicy objects define how pods are allowed to communicate, providing micro-segmentation.

Question 9. Which IaC scanning tool is specifically designed to detect insecure Terraform configurations?
A) SonarQube
B) Checkov
C) JUnit
D) Selenium
Answer: B
Explanation: Checkov parses Terraform (and other IaC) files to find misconfigurations such as open security groups.

Question 10. In a CI/CD pipeline, the optimal placement for a SAST scan is:
A) After the production deployment
B) During the build stage before compilation
C) In the release stage after artifact creation
D) Only on the master branch
Answer: B
Explanation: Running SAST early (during build) catches vulnerable source code before it progresses downstream.

Question 11. Which of the following best describes Software Composition Analysis (SCA)?
A) Scanning compiled binaries for memory leaks
B) Identifying known vulnerabilities in third-party libraries
C) Monitoring runtime network traffic for anomalies
D) Enforcing code style guidelines
Answer: B
Explanation: SCA tools analyze dependencies to locate vulnerable or non-compliant open-source components.

Question 12. What is the primary purpose of image signing in container registries?
A) To reduce image size
B) To verify the publisher's identity and integrity of the image
C) To encrypt the container runtime
D) To automatically update containers
Answer: B
Explanation: Signed images provide cryptographic proof that the image has not been tampered with and originates from a trusted source.

Question 13. Which security control is most appropriate for protecting secrets used by CI pipelines?
A) Storing them in plain text files in the repo
B) Using a dedicated secret management solution like HashiCorp Vault
C) Hard-coding them into source code
D) Sharing them over email
Answer: B
Explanation: Secret managers provide secure storage, rotation, and audit logging for credentials.

Answer: B
Explanation: SoD separates responsibilities (e.g., development vs. production deployment) to reduce risk of malicious or accidental misuse.

Question 17. Which AI-driven security technique can improve SAST accuracy?
A) Random code mutation
B) Machine-learning models that prioritize high-risk findings based on historical data
C) Manual code reviews only
D) Static HTML analysis
Answer: B
Explanation: ML models learn from past vulnerabilities to rank SAST alerts, reducing false positives.

Question 18. Which of the following architectures introduces the most new security considerations for DevSecOps?
A) Monolithic on-premise applications
B) Serverless functions executing in a managed cloud environment
C) Single-tier desktop applications
D) Traditional client-server with static web pages
Answer: B
Explanation: Serverless abstracts infrastructure, requiring new controls around function permissions, event data handling, and short-lived execution contexts.

Question 19. Which of the following is NOT a typical responsibility of a Security Champion within a development team?
A) Advocating secure coding practices
B) Performing regular code reviews for security issues
C) Managing the organization's financial budget
D) Facilitating security training for peers
Answer: C
Explanation: Security Champions focus on security advocacy and technical guidance, not financial management.

Question 20. When implementing "Shift-Left" testing, which stage should a DAST scan be introduced for maximum effectiveness?
A) After production release
B) During early integration testing in a staging environment that mimics production
C) Only on the developer's local machine
D) During code commit to version control
Answer: B
Explanation: DAST requires a running application; running it in a production-like staging environment catches runtime vulnerabilities early.

Question 21. Which of the following metrics would best indicate the security hygiene of IaC templates across a repository?
A) Number of commits per day
B) Ratio of IaC files with no high-severity misconfigurations detected by scanning tools
C) Average build time

Question 24. Which of the following is a core component of a DevSecOps incident response plan?
A) Manual rollback procedures without automation
B) Automated rollback of the offending change combined with ticket creation for post-mortem analysis
C) Ignoring incidents during peak traffic periods
D) Only notifying senior management after a breach
Answer: B
Explanation: Automation speeds containment, while ticketing ensures follow-up and learning.

Question 25. Which regulatory framework specifically mandates encryption of data at rest for cardholder information?
A) GDPR
B) HIPAA
C) PCI-DSS
D) SOC 2
Answer: C
Explanation: PCI-DSS requires strong encryption for stored cardholder data.

Question 26. What is the primary advantage of "Policy as Code" in a CI/CD pipeline?
A) Policies are written in natural language for easier reading
B) Policies can be version-controlled, tested, and automatically enforced during builds
C) Policies are only applied after production release
D) Policies replace all security testing tools
Answer: B
Explanation: Encoding policies as code enables automation, testing, and traceability.

Question 27. Which of the following best describes the concept of "Observability" for security?
A) Collecting only alerts from IDS
B) Providing comprehensive, correlated logs, metrics, and traces to understand security events end-to-end
C) Using a single dashboard for all teams
D) Ignoring performance data
Answer: B
Explanation: Observability combines logs, metrics, and traces to give deep insight into system behavior, including security incidents.

Question 28. In the context of the Third Way (Culture of Continual Experimentation), which practice most directly supports security learning?
A) Conducting annual security trainings only
B) Running "security canary" experiments that deliberately introduce low-risk vulnerabilities to test detection capabilities
C) Disabling all security alerts to reduce noise
D) Mandating that only senior staff can modify security settings
Answer: B
Explanation: Security canaries provide real-world feedback on detection and response, fostering a learning culture.

Answer: B
Explanation: Serverless functions are triggered by events; maliciously crafted events can exploit insecure code.

Question 32. Which of the following is a key advantage of using a "GitOps" approach for security configuration management?
A) Manual approval of every change is required
B) All configuration changes are version-controlled and applied automatically via pull requests, ensuring traceability and repeatability
C) Configurations are stored only in encrypted PDFs
D) Security policies are applied after deployment
Answer: B
Explanation: GitOps treats configuration as code, enabling auditability and automated enforcement.

Question 33. Which metric would best help a security leader demonstrate the value of automated container scanning to executives?
A) Number of containers deployed per week
B) Percentage reduction in high-severity vulnerabilities over the last quarter
C) Average CPU usage of scanning tools
D) Number of developers on the team
Answer: B
Explanation: Executives care about risk reduction; showing a decrease in critical vulnerabilities quantifies impact.

Question 34. Which of the following is NOT a recommended practice for securing data in transit?
A) Enforcing TLS 1.2 or higher for all services
B) Using self-signed certificates without validation
C) Implementing mutual TLS for service-to-service communication
D) Rotating certificates before expiration
Answer: B
Explanation: Self-signed certificates without proper validation expose the communication to man-in-the-middle attacks.

Question 35. In a CI pipeline, which stage should enforce "Least Privilege" for the build agent?
A) After artifact upload to the repository
B) During the initial provisioning of the build environment, granting only required permissions for the job
C) When the agent is decommissioned
D) Only during production deployment
Answer: B
Explanation: The build agent should start with minimal permissions needed for the job, reducing attack surface.

Question 36. Which of the following describes "Threat Intelligence" in a DevSecOps context?
A) Real-time data about emerging vulnerabilities, indicators of compromise, and attacker tactics used to proactively harden pipelines
B) Manual collection of logs after an incident

Explanation: GDPR requires detailed records of personal data handling; automating this across distributed services is challenging.

Question 39. Which of the following best illustrates "Infrastructure as Code (IaC) security testing as a gate" in a pipeline?
A) Running a manual checklist after deployment
B) Automatically scanning IaC templates with tools like Terrascan before the "Terraform apply" step, and failing the build on high-severity findings
C) Ignoring IaC vulnerabilities until a security audit
D) Deploying without any validation
Answer: B
Explanation: The gate enforces automated scanning and blocks progression when critical issues are found.

Question 40. Which of the following is a primary advantage of using "Sidecar" containers for security functions?
A) They replace the main application container entirely
B) They allow security capabilities (e.g., runtime scanning) to be added without modifying the application image
C) They increase the size of the container image dramatically
D) They remove the need for any network policies
Answer: B
Explanation: Sidecars run alongside the main container, providing security features transparently.

Question 41. Which of the following statements about "Mean Time To Contain (MTTC)" is correct?
A) It measures the time from detection to full system recovery
B) It measures the time from detection to the point where the spread of the incident is halted
C) It measures the time taken to develop a new feature
D) It measures the time between code commit and deployment
Answer: B
Explanation: MTTC captures how quickly a team can isolate and stop further impact after detection.

Question 42. Which of the following is a key consideration when securing a CI/CD pipeline that runs in a public cloud?
A) Storing credentials in environment variables without encryption
B) Using cloud-native IAM roles and short-lived tokens for pipeline resources
C) Disabling all network segmentation
D) Allowing unrestricted internet access from build agents
Answer: B
Explanation: Cloud-native IAM and temporary tokens limit exposure and follow least-privilege principles.

Question 43. Which of the following best describes "Dynamic Application Security Testing (DAST)"?
A) Analyzing source code without executing it
B) Scanning a running application for vulnerabilities such as XSS or SQLi by simulating attacks
C) Checking license compliance of third-party libraries

Question 46. Which of the following statements about "Security Gates" in a pipeline is FALSE?
A) They can be automated to fail the build on policy violations
B) They only need to be placed at the final production deployment stage
C) They provide early feedback to developers about security issues
D) They can be integrated with tools like SAST, SCA, and IaC scanners
Answer: B
Explanation: Effective security gates are placed throughout the pipeline, not just at the end, to catch issues early.

Question 47. Which of the following is a core benefit of integrating "Threat Intelligence feeds" into a SIEM?
A) Reducing the amount of log data stored
B) Enabling correlation of internal alerts with known external threat indicators, improving detection accuracy
C) Eliminating the need for any internal logging
D) Automatically fixing all vulnerabilities
Answer: B
Explanation: Threat feeds provide context that helps the SIEM prioritize and enrich alerts.

Question 48. Which of the following best describes "Continuous Risk Assessment" in a fast-moving DevSecOps environment?
A) Conducting a risk assessment once a year
B) Embedding automated risk scoring of changes (e.g., based on affected assets, vulnerability severity) into the CI pipeline and updating risk posture in near real-time
C) Ignoring risk until an incident occurs
D) Performing risk assessment only for production
Answer: B
Explanation: Continuous risk assessment evaluates each change's impact automatically, keeping risk up-to-date.

Question 49. Which of the following is the most appropriate way to protect API keys used by automated tests?
A) Hard-code them in test scripts
B) Store them in a secret manager and inject them at runtime via environment variables
C) Write them in plain text files committed to source control
D) Share them publicly on a wiki
Answer: B
Explanation: Secret managers provide secure storage, access control, and rotation capabilities.

Question 50. Which of the following is a primary reason to use "Immutable Infrastructure" in a DevSecOps pipeline?
A) Allows ad-hoc changes on running servers
B) Guarantees that any change results in a new, version-controlled artifact, reducing configuration drift and simplifying security audits
C) Eliminates the need for monitoring
D) Increases the time required for deployments
Answer: B