This foundational guide introduces DevSecOps concepts, emphasizing the integration of security into DevOps workflows. Topics include secure development lifecycle, threat modeling, vulnerability management, automation, and security culture. Designed for beginners, it balances theory with practical security use cases. Exam-focused content and review questions ensure candidates are fully prepared for the DevSecOps Certified Foundation exam.
Typology: Exams
Question 1. Which of the following best describes the primary purpose of the CALMS framework in DevSecOps?
A) To define a set of security tools for static analysis
B) To outline a cultural and process model that integrates security with DevOps principles
C) To mandate a specific cloud provider for deployment
D) To replace the Scrum framework in agile teams
Answer: B
Explanation: CALMS (Culture, Automation, Lean, Measurement, Sharing) provides a holistic model for embedding security into DevOps by focusing on cultural change, automation, lean thinking, metrics, and knowledge sharing.

Question 2. In the context of the Three Ways, which way directly addresses the need for rapid detection of security vulnerabilities?
A) First Way – Flow
B) Second Way – Feedback
C) Third Way – Continual Learning
D) None of the above
Answer: B
Explanation: The Second Way emphasizes feedback loops, enabling early detection of security issues and quick corrective actions throughout the pipeline.

Question 3. Which statement correctly differentiates a threat from a vulnerability?
A) A threat is a weakness in code; a vulnerability is an actor attempting exploitation.
B) A threat is a potential attacker; a vulnerability is a flaw that can be exploited.
C) A threat and a vulnerability are interchangeable terms.
D) A threat is always external, while a vulnerability is always internal.
Answer: B
Explanation: A threat refers to a potential adversary or event that could cause harm, whereas a vulnerability is a specific weakness that the threat could exploit.

Question 4. Which of the following is considered an attack surface in modern cloud-native applications?
A) The developer’s IDE settings
B) API endpoints exposed to the internet
C) The physical security of the data center
D) The organization’s HR policies
Answer: B
Explanation: API endpoints are common entry points for attackers, especially in microservice architectures, making them a critical attack surface.

Question 5. What is the main advantage of using data science techniques in security operations?
A) Replacing all human analysts with AI
B) Predicting and detecting threats proactively rather than reactively
C) Eliminating the need for encryption
D) Reducing the number of security tools required
Answer: B
Explanation: Data science enables pattern recognition and anomaly detection, allowing organizations to anticipate attacks before they materialize.

Question 6. Which concept best illustrates “Security as Code”?
A) Writing security policies in plain English and storing them in a wiki

Question 9. Which role is most likely to own the responsibility for implementing automated security testing in the CI pipeline?
A) Chief Financial Officer (CFO)
B) Site Reliability Engineer (SRE)
C) Marketing Manager
D) Human Resources (HR) Specialist
Answer: B
Explanation: SREs focus on reliability and operational excellence, which includes integrating automated security checks into CI/CD.

Question 10. What key shift does the “DevSecOps State of Mind” promote?
A) From security as a final gate to security as an enabler throughout development
B) From continuous delivery to annual releases
C) From cloud adoption to on-premise only
D) From automated testing to manual code reviews only
Answer: A
Explanation: The mindset encourages embedding security early and continuously, making it a facilitator rather than a bottleneck.

Question 11. Which of the following best describes “continuous compliance”?
A) Performing a compliance audit once a year
B) Automating compliance checks at every stage of the pipeline to ensure ongoing adherence
C) Ignoring compliance requirements during fast releases
D) Delegating compliance to a single team after release
Answer: B
Explanation: Continuous compliance integrates policy checks into CI/CD, providing real-time assurance that controls are met.

Question 12. When securing Infrastructure as Code (IaC), which practice is most effective?
A) Storing IaC files in an unsecured shared drive
B) Scanning IaC templates with policy-as-code tools before applying them
C) Manually reviewing each line of code after deployment
D) Using proprietary, undocumented scripting languages
Answer: B
Explanation: Policy-as-code tools (e.g., Checkov, Terrascan) automatically validate IaC against security best practices before provisioning resources.

Question 13. Which testing type analyzes the binary or source code without executing it?
A) SAST (Static Application Security Testing)
B) DAST (Dynamic Application Security Testing)
C) IAST (Interactive Application Security Testing)
D) Penetration Testing
Answer: A
Explanation: SAST examines code statically to find vulnerabilities such as injection flaws before runtime.

Question 14. In a CI/CD pipeline, where is Software Composition Analysis (SCA) most appropriately placed?
A) After production deployment

Question 17. Which metric would best indicate the effectiveness of “shift-left” security practices?
A) Number of features released per quarter
B) Percentage of security defects found in production
C) Average time developers spend in meetings
D) Total cost of cloud infrastructure
Answer: B
Explanation: A lower percentage of security defects discovered in production demonstrates that security testing earlier in the lifecycle is effective.

Question 18. In the context of DevSecOps, what does “lean” primarily aim to eliminate?
A) All automation
B) Non-value-adding activities such as redundant manual security checks
C) Security policies
D) Documentation of incidents
Answer: B
Explanation: Lean focuses on removing waste, which includes unnecessary manual steps that slow down delivery without improving security.

Question 19. Which of the following is a common “break-the-build” condition for a security gate?
A) Presence of any low-severity vulnerability
B) Presence of at least one critical or high-severity vulnerability in the codebase
C) Absence of unit tests
D) Use of any open-source library
Answer: B
Explanation: Critical or high-severity findings are typically set as gating thresholds to prevent insecure code from advancing.

Question 20. Which stakeholder is most directly impacted by a breach of customer data due to insecure API design?
A) Finance department
B) Customer Success team
C) End-users/customers
D) Facility management
Answer: C
Explanation: Insecure APIs that expose customer data directly affect the privacy and safety of the end-users.

Question 21. What is the primary purpose of “measurement” in the CALMS framework?
A) To increase the number of meetings
B) To collect data that drives continuous improvement of security practices
C) To replace all manual testing with automated scripts
D) To enforce strict hierarchical reporting structures
Answer: B
Explanation: Measurement provides visibility into performance and security posture, enabling data-driven decisions.

Question 22. Which practice helps break down silos between development and security teams?
A) Assigning security tasks only to a separate “red team”
B) Conducting joint threat-modeling workshops early in the project lifecycle

Question 25. Which of the following is a typical outcome of integrating security scanning into pull-request (PR) workflows?
A) Developers receive immediate feedback on security issues before merging
B) Security scans are only performed after the code reaches production
C) The PR process becomes slower without any security benefit
D) All code must be rewritten in a new language
Answer: A
Explanation: Embedding scans in PRs enables early detection, allowing developers to remediate issues before code is merged.

Question 26. In container security, which of the following is a recommended best practice?
A) Running containers as root whenever possible
B) Using minimal base images and scanning them for known vulnerabilities
C) Ignoring image signatures
D) Allowing unrestricted network access from containers
Answer: B
Explanation: Minimal images reduce the attack surface, and scanning ensures known vulnerabilities are not introduced.

Question 27. Which cloud-native security control helps enforce least-privilege access for workloads?
A) IAM role-based access control (RBAC) tied to service identities
B) Unlimited admin access for all services
C) Disabling encryption at rest
D) Allowing all inbound traffic by default
Answer: A
Explanation: RBAC with scoped identities ensures workloads only have permissions they truly need.

Question 28. What is the main reason for automating compliance checks in the pipeline rather than performing them manually after release?
A) To increase the workload of auditors
B) To detect non-compliance early, reducing rework and risk exposure
C) To eliminate the need for security altogether
D) To slow down the deployment process intentionally
Answer: B
Explanation: Early detection of compliance gaps prevents costly remediation later and keeps the product continuously compliant.

Question 29. Which of the following best illustrates “feedback” in the Second Way as applied to security?
A) Continuous deployment without any testing
B) Automated alerts from a SAST tool that feed back into the developer’s IDE
C) Ignoring all security findings until a post-mortem meeting
D) Conducting a quarterly security review only
Answer: B
Explanation: Real-time alerts that return to developers provide the feedback loop needed for rapid correction.

Question 30. Which of these statements aligns with the “First Way – Flow” principle in a secure pipeline?
A) Delay security testing until after production release
B) Ensure that security checks are integrated early to maintain smooth, continuous flow of code

Question 33. In a DevSecOps pipeline, which stage is the most appropriate for running a secret-scanning tool?
A) After deployment to production
B) During the build stage, before artefact creation
C) During the planning meeting
D) At the end of the sprint retrospective
Answer: B
Explanation: Scanning for hard-coded secrets during build ensures they are removed before the artefact is packaged.

Question 34. Which of the following is an example of “continuous monitoring” in a cloud environment?
A) Running a nightly backup job only
B) Using a cloud-native security posture management (CSPM) service that evaluates configurations in real time
C) Manually checking firewall rules once a month
D) Disabling logging to reduce costs
Answer: B
Explanation: CSPM provides ongoing, automated assessment of cloud resources, aligning with continuous monitoring goals.

Question 35. What is the primary advantage of using policy-as-code tools like Open Policy Agent (OPA) in DevSecOps?
A) They replace all developers with AI
B) Policies become version-controlled, testable, and automatically enforced during CI/CD
C) They eliminate the need for any security testing
D) They only work for on-premise environments
Answer: B
Explanation: Policy-as-code enables automated, repeatable enforcement of security rules integrated into pipelines.

Question 36. Which of the following best describes “risk reduction” as a DevSecOps outcome?
A) Eliminating all possible threats
B) Lowering the probability or impact of security incidents through proactive controls
C) Ignoring low-severity findings to speed up delivery
D) Outsourcing security to a third party without oversight
Answer: B
Explanation: Risk reduction focuses on decreasing either the likelihood or the damage of potential incidents.

Question 37. Which of the following is a key characteristic of “continuous compliance” tools?
A) They generate compliance reports only at year-end
B) They integrate with CI pipelines to provide real-time compliance status
C) They require manual data entry for each control
D) They operate only after the application is live in production
Answer: B
Explanation: Continuous compliance tools embed checks into CI/CD, delivering immediate visibility into compliance posture.

Explanation: Automation and early feedback reduce the need for costly rework, thus enhancing delivery speed.

Question 41. What is the main purpose of a “security champion” within a development team?
A) To approve all budgets for security tools
B) To act as a liaison, promoting security best practices and facilitating knowledge sharing
C) To enforce strict gatekeeping that slows down releases
D) To write all production code alone
Answer: B
Explanation: Security champions embed security expertise in the team, fostering a security-first culture.

Question 42. Which of the following is an example of “lean waste” in a security process?
A) Automated linting of code
B) Repeating the same manual vulnerability scan after every commit without incremental changes
C) Using version control for IaC files
D) Conducting a one-time security training session
Answer: B
Explanation: Redundant manual scans that add no new value constitute waste in a lean system.

Question 43. In a DevSecOps pipeline, which tool category is primarily responsible for detecting open-source license compliance issues?
A) SAST
B) SCA (Software Composition Analysis)
C) DAST
D) IAST
Answer: B
Explanation: SCA scans dependencies for known licenses and associated compliance obligations.

Question 44. Which of the following is a direct benefit of integrating security metrics into a dashboard shared across teams?
A) Hiding security issues from management
B) Providing transparency, aligning goals, and enabling data-driven improvements
C) Replacing the need for any security testing
D) Reducing the number of developers needed on a project
Answer: B
Explanation: Shared dashboards promote visibility, fostering collaboration and continuous improvement.

Question 45. Which of the following is a common reason for “false positives” in static code analysis?
A) Overly permissive rule sets that flag benign patterns as vulnerabilities
B) Running the tool on compiled binaries only
C) Using only dynamic testing techniques
D) Disabling all security plugins
Answer: A
Explanation: Aggressive rule configurations can misinterpret safe code as risky, leading to false alerts.

Answer: A
Explanation: In IaaS, the provider secures the underlying infrastructure while the customer secures the OS, applications, and data, yielding the highest shared responsibility.

Question 49. In the context of CI/CD, what is a “pipeline as code” approach?
A) Writing pipeline definitions in a version-controlled file (e.g., YAML) that can be reviewed and audited
B) Manually configuring each pipeline step through a UI only
C) Hard-coding credentials into the pipeline scripts
D) Using paper-based checklists for each build
Answer: A
Explanation: Defining pipelines as code enables versioning, peer review, and reproducibility.

Question 50. Which of the following is a primary reason to perform “runtime application self-protection” (RASP) testing?
A) To replace all static analysis tools
B) To detect and block attacks in real time while the application is executing
C) To generate UI mockups for stakeholders
D) To measure server uptime only
Answer: B
Explanation: RASP instruments the application to monitor and intervene against attacks during execution.

Question 51. What is the most effective way to manage secrets (API keys, passwords) in a CI/CD pipeline?
A) Storing them in plain-text files within the repository
B) Using a dedicated secret management solution that injects them at runtime
C) Hard-coding them into source code
D) Sharing them via email among developers
Answer: B
Explanation: Secret managers provide secure storage, rotation, and controlled access, reducing exposure risk.

Question 52. Which of the following describes “continuous threat modeling”?
A) Performing a one-time analysis at project kickoff
B) Updating threat models iteratively as the architecture evolves and new features are added
C) Ignoring threat modeling after the first release
D) Conducting threat modeling only after a breach occurs
Answer: B
Explanation: Continuous threat modeling ensures the security view stays current with changes in the system.

Question 53. Which of the following is a key advantage of using “GitOps” for infrastructure management from a security perspective?
A) It eliminates the need for any security testing
B) All infrastructure changes are versioned, reviewed, and auditable through pull requests
C) It requires manual deployment of every change
D) It stores credentials directly in the Git repository
Answer: B