The CDSOE Exam validates technical expertise in designing and implementing secure DevOps pipelines. Topics include secure CI/CD, code scanning, container and cloud security, secrets management, vulnerability management, and incident response. Candidates demonstrate the ability to embed security controls across the software lifecycle.
Question 1. What is the primary difference between DevOps and DevSecOps?
A) DevOps includes security testing, DevSecOps does not.
B) DevSecOps integrates security early and continuously, while DevOps treats security as an afterthought.
C) DevOps focuses on operations only, DevSecOps focuses on development only.
D) DevSecOps eliminates the need for operations teams.
Answer: B
Explanation: DevSecOps embeds security practices throughout the software lifecycle, shifting security left, whereas traditional DevOps often adds security later.

Question 2. In a “Shift Left” strategy, which activity is moved earlier in the software development lifecycle?
A) Production monitoring
B) Incident response planning
C) Security testing and threat modeling
D) Post-deployment performance tuning
Answer: C
Explanation: “Shift Left” means performing security activities such as testing and threat modeling earlier, during the design and coding phases.

Question 3. Which of the following best describes the “Shift Right” approach?
A) Conducting security audits after the product is retired.
B) Performing continuous security testing in production environments.
C) Deferring all security controls to the operations team.
D) Ignoring security until a breach occurs.
Answer: B
Explanation: “Shift Right” complements “Shift Left” by adding runtime security checks, monitoring, and testing in live environments.

Question 4. The “Three Ways” of DevSecOps include Flow, Feedback, and Continuous Learning. Which of these focuses on reducing hand-offs and bottlenecks?
A) Flow
B) Feedback
C) Continuous Learning
D) All of the above
Answer: A
Explanation: Flow optimizes the value stream, minimizing delays and hand-offs between teams.

Question 5. Which cultural change is most critical for successful DevSecOps adoption?
A) Hiring only security specialists.
B) Isolating security teams from developers.
C) Promoting shared responsibility for security across all roles.
D) Eliminating all manual testing.
Answer: C
Explanation: DevSecOps thrives when development, security, and operations all own security outcomes.

Question 6. A “Security Champion” in a development team primarily:
A) Writes all security policies for the organization.
B) Serves as the point of contact for security questions and advocates secure coding practices.
C) Performs only penetration testing.
D) Replaces the security operations team.

B) Data retention policies with secure deletion mechanisms
C) Multi-factor authentication
D) Network segmentation
Answer: B
Explanation: GDPR’s right to be forgotten requires that personal data can be deleted securely, which is achieved via proper retention and deletion controls.

Question 10. A “Security User Story” for a payment API should include which of the following acceptance criteria?
A) The API must respond within 200 ms.
B) All credit-card numbers must be stored in plaintext.
C) The API must reject requests without a valid JWT and log the attempt.
D) The API must use HTTP instead of HTTPS.
Answer: C
Explanation: Acceptance criteria must enforce authentication, authorization, and audit logging, aligning with security requirements.

Question 11. Which principle is NOT a core tenet of Zero Trust Architecture (ZTA)?
A) Verify explicitly
B) Trust but verify
C) Assume breach
D) Least privileged access
Answer: B
Explanation: Zero Trust replaces “trust but verify” with “never trust, always verify”; “trust but verify” is contrary to ZTA.

Question 12. In microservices security, which pattern helps limit blast radius when a service is compromised?
A) Monolithic deployment
B) Shared database for all services
C) Service-level network segmentation and mutual TLS
D) Disabling all logging
Answer: C
Explanation: Segmentation and mutual TLS isolate services, reducing the impact of a breach.

Question 13. OWASP Top 10 item “Broken Access Control” primarily concerns which risk?
A) Injection of malicious SQL statements.
B) Unauthorized users gaining privileges they should not have.
C) Exposure of sensitive data over unencrypted channels.
D) Cross-site scripting attacks.
Answer: B
Explanation: Broken Access Control allows attackers to act beyond their intended permissions.

Question 14. Which OWASP Top 10 vulnerability is mitigated by using prepared statements or parameterized queries?
A) Security Misconfiguration
B) Insecure Deserialization
C) SQL Injection
D) Using Components with Known Vulnerabilities
Answer: C
Explanation: Prepared statements separate code from data, preventing malicious SQL from being executed.

Question 18. Software Composition Analysis (SCA) primarily helps organizations to:
A) Optimize CPU usage of applications.
B) Detect vulnerable open-source components and manage license compliance.
C) Perform load testing on APIs.
D) Encrypt all data in transit.
Answer: B
Explanation: SCA inventories third-party libraries, identifying known vulnerabilities and license issues.

Question 19. A Software Bill of Materials (SBOM) is useful because it:
A) Lists every line of source code in the application.
B) Provides a detailed inventory of all components, enabling rapid vulnerability response.
C) Encrypts all third-party libraries.
D) Replaces the need for SAST tools.
Answer: B
Explanation: An SBOM documents component versions, allowing quick identification of affected assets when a vulnerability is disclosed.

Question 20. Which CI tool feature is essential for securing the build server itself?
A) Unlimited parallel jobs.
B) Role-based access control (RBAC) and credential isolation.
C) Automatic version bumping.
D) Publicly exposing build logs.
Answer: B
Explanation: RBAC and credential isolation protect the build environment from unauthorized access and secret leakage.

Question 21. Automated secret scanning in a Git repository aims to:
A) Replace all encryption mechanisms.
B) Detect and prevent accidental commits of API keys, passwords, or certificates.
C) Automatically generate new secrets for each commit.
D) Disable branch protection rules.
Answer: B
Explanation: Secret scanning tools search for patterns that resemble credentials, preventing their exposure in source control.

Question 22. Dynamic Application Security Testing (DAST) differs from SAST because DAST:
A) Analyzes source code directly.
B) Tests a running application from the outside, simulating attacks.
C) Requires no network connectivity.
D) Can only be performed on mobile apps.
Answer: B
Explanation: DAST is a black-box approach that interacts with the live application to find runtime vulnerabilities.

Question 23. Which tool is commonly used for automated DAST in CI pipelines?
A) SonarQube
B) OWASP ZAP
C) Terraform
D) Ansible

C) Selenium
D) Grafana
Answer: B
Explanation: Checkov parses Terraform (and other IaC) files to find misconfigurations such as overly permissive security groups.

Question 27. Immutable infrastructure means that:
A) Servers are patched in place.
B) Once deployed, resources are never modified; changes require new deployments.
C) All configuration files are stored in a mutable database.
D) The same instance is reused for multiple releases.
Answer: B
Explanation: Immutable patterns replace resources rather than altering them, ensuring consistency and simplifying rollback.

Question 28. Which of the following is a key benefit of using Runtime Application Self-Protection (RASP)?
A) Prevents all vulnerabilities from being introduced during coding.
B) Monitors and blocks attacks in real time within the running application.
C) Generates SBOMs automatically.
D) Replaces the need for any static analysis.
Answer: B
Explanation: RASP instruments the application to detect and block malicious behavior at runtime.

Question 29. Cloud Security Posture Management (CSPM) primarily helps to:
A) Optimize cloud cost.
B) Continuously detect and remediate misconfigurations and compliance violations in cloud environments.
C) Provide end-user authentication services.
D) Encrypt data at rest.
Answer: B
Explanation: CSPM tools continuously assess cloud resources for drift and policy violations.

Question 30. Which AWS service can automatically detect publicly readable S3 buckets and remediate them?
A) AWS GuardDuty
B) AWS Config with a rule for S3 public access
C) Amazon CloudFront
D) AWS Lambda@Edge
Answer: B
Explanation: AWS Config can evaluate S3 bucket configurations against a rule and trigger remediation.

Question 31. In the context of DevSecOps, “shared responsibility model” means:
A) The cloud provider handles all security aspects.
B) Customers are solely responsible for security.
C) Both provider and customer have distinct security duties that must be coordinated.
D) Security is outsourced to a third party.
Answer: C
Explanation: Cloud providers secure the infrastructure, while customers secure what they build and configure.

Explanation: SAST may flag a potential injection even when the code already uses safe parameterization, resulting in a false positive.

Question 35. The OWASP Dependency-Check tool is primarily used for:
A) Scanning container images.
B) Detecting vulnerable open-source libraries in a project.
C) Performing DAST on web applications.
D) Managing IAM roles.
Answer: B
Explanation: Dependency-Check analyzes project dependencies to identify known vulnerabilities.

Question 36. Which compliance framework specifically mandates encryption of e-PHI both at rest and in transit?
A) PCI-DSS
B) GDPR
C) HIPAA
D) ISO 27001
Answer: C
Explanation: HIPAA’s Security Rule requires encryption of protected health information during storage and transmission.

Question 37. In a CI pipeline, which stage is most appropriate for executing SCA scans?
A) Code checkout
B) Build artifact creation
C) Pre-deployment testing
D) Post-deployment monitoring
Answer: C
Explanation: Running SCA during pre-deployment testing ensures vulnerable components are caught before release.

Question 38. Which of the following container runtime security tools provides real-time syscall monitoring and policy enforcement?
A) Trivy
B) Falco
C) Docker Compose
D) Helm
Answer: B
Explanation: Falco monitors system calls and can enforce security policies at runtime.

Question 39. A “policy as code” approach in DevSecOps means:
A) Writing security policies in natural language only.
B) Encoding security rules in version-controlled files that can be automatically validated.
C) Storing policies in a proprietary format.
D) Manually reviewing policies after each release.
Answer: B
Explanation: Policy as code treats security policies like code, enabling automated testing and enforcement.

Question 40. Which of the following is a benefit of integrating security checks into pull-request workflows?
A) Eliminates the need for any testing.

Question 43. Which IaC tool natively supports policy checks via Sentinel?
A) Terraform Cloud
B) CloudFormation
C) Ansible
D) Chef
Answer: A
Explanation: Terraform Cloud includes Sentinel for policy-as-code enforcement during the plan and apply phases.

Question 44. The “defense-in-depth” strategy in DevSecOps recommends:
A) Relying on a single firewall.
B) Layering multiple security controls at the network, host, application, and data levels.
C) Disabling all logging to reduce noise.
D) Using only static analysis tools.
Answer: B
Explanation: Multiple overlapping controls provide redundancy and mitigate the failure of any single control.

Question 45. Which of the following is a recommended practice for handling third-party API keys in CI pipelines?
A) Hard-coding them in source files.
B) Storing them in environment variables encrypted by a secret manager.
C) Committing them to the repository in a .env file.
D) Exposing them in build logs.
Answer: B
Explanation: Secret managers protect keys and provide controlled access without exposing them in code.

Question 46. When using GitHub Actions, the secrets context is used to:
A) Store public configuration values.
B) Access encrypted secrets that are masked in logs.
C) Define workflow schedules.
D) Generate random passwords on the fly.
Answer: B
Explanation: The secrets context provides secure, masked access to encrypted values.

Question 47. Which of the following best describes “Infrastructure as Code” (IaC) testing?
A) Running performance benchmarks on production servers.
B) Validating syntax, policy compliance, and security of IaC templates before deployment.
C) Manually inspecting cloud console configurations.
D) Disabling version control for IaC files.
Answer: B
Explanation: IaC testing ensures that the code which provisions infrastructure is correct, secure, and compliant.

Question 48. In the context of CI/CD, “Blue/Green deployment” helps with security by:
A) Eliminating the need for monitoring.
B) Allowing a quick rollback to a known-good environment if a security issue is discovered.
C) Deploying all changes directly to production without testing.
D) Removing all access controls during deployment.
Answer: B

C) It reduces image size.
D) It enables automatic secret injection.
Answer: B
Explanation: The latest tag is mutable; using fixed version tags ensures reproducibility and traceability.

Question 52. In a CI pipeline, which step should handle the generation of an SBOM?
A) Source checkout.
B) Build artifact creation.
C) Post-deployment cleanup.
D) Notification sending.
Answer: B
Explanation: The SBOM is generated from the built artifact, listing all components included.

Question 53. Which of the following is NOT a typical feature of a Cloud Access Security Broker (CASB)?
A) Shadow IT discovery.
B) Encryption of data in motion.
C) Directly managing on-premise firewalls.
D) Policy enforcement for SaaS applications.
Answer: C
Explanation: CASBs focus on cloud services; they do not manage on-premise network devices.

Question 54. Which of the following is a common indicator of a compromised container at runtime?
A) Increased CPU usage without corresponding load.
B) Successful image pull from a trusted registry.
C) No network connections opened.
D) Container image size reduced.
Answer: A
Explanation: Unexpected resource consumption can signal malicious activity inside a container.

Question 55. Which of the following best describes “security as code” in the context of pipelines?
A) Writing security policies in plain English only.
B) Embedding security controls (e.g., scans, gates) directly into the CI/CD workflow as automated steps.
C) Performing manual security reviews after each release.
D) Outsourcing all security tasks to a third party.
Answer: B
Explanation: Security as code automates security checks within the pipeline, treating them like any other code.

Question 56. Which of the following is a primary benefit of using a “policy engine” like Open Policy Agent (OPA) in CI/CD?
A) It eliminates the need for any testing.
B) It enables declarative, reusable policies that can be evaluated across multiple stages.
C) It automatically writes code for developers.
D) It disables all network traffic during builds.
Answer: B
Explanation: OPA allows centralized, version-controlled policies to be applied consistently.