GSDC Certified DevSecOps Engineer (CDSOE) Exam, Exams of Technology

The CDSOE Exam validates technical expertise in designing and implementing secure DevOps pipelines. Topics include secure CI/CD, code scanning, container and cloud security, secrets management, vulnerability management, and incident response. Candidates demonstrate the ability to embed security controls across the software lifecycle.

Typology: Exams

2025/2026

Available from 01/23/2026

shilpi-jain-2
GSDC Certified DevSecOps Engineer (CDSOE) Exam
**Question 1.** What is the primary difference between DevOps and DevSecOps?
A) DevOps includes security testing, DevSecOps does not.
B) DevSecOps integrates security early and continuously, while DevOps treats security as an
afterthought.
C) DevOps focuses on operations only, DevSecOps focuses on development only.
D) DevSecOps eliminates the need for operations teams.
Answer: B
Explanation: DevSecOps embeds security practices throughout the software lifecycle, shifting
security left, whereas traditional DevOps often adds security later.
**Question 2.** In a “Shift Left” strategy, which activity is moved earlier in the software
development lifecycle?
A) Production monitoring
B) Incident response planning
C) Security testing and threat modeling
D) Post-deployment performance tuning
Answer: C
Explanation: “Shift Left” means performing security activities such as testing and threat
modeling earlier, during design and coding phases.
**Question 3.** Which of the following best describes the “Shift Right” approach?
A) Conducting security audits after the product is retired.
B) Performing continuous security testing in production environments.
C) Deferring all security controls to the operations team.
D) Ignoring security until a breach occurs.
Answer: B


Explanation: “Shift Right” complements “Shift Left” by adding runtime security checks, monitoring, and testing in live environments.
**Question 4.** The “Three Ways” of DevSecOps include Flow, Feedback, and Continuous Learning. Which of these focuses on reducing hand-offs and bottlenecks?
A) Flow
B) Feedback
C) Continuous Learning
D) All of the above
Answer: A
Explanation: Flow optimizes the value stream, minimizing delays and hand-offs between teams.
**Question 5.** Which cultural change is most critical for successful DevSecOps adoption?
A) Hiring only security specialists.
B) Isolating security teams from developers.
C) Promoting shared responsibility for security across all roles.
D) Eliminating all manual testing.
Answer: C
Explanation: DevSecOps thrives when development, security, and operations all own security outcomes.
**Question 6.** A “Security Champion” in a development team primarily:
A) Writes all security policies for the organization.
B) Serves as the point of contact for security questions and advocates secure coding practices.
C) Performs only penetration testing.
D) Replaces the security operations team.


B) Data retention policies with secure deletion mechanisms
C) Multi-factor authentication
D) Network segmentation
Answer: B
Explanation: GDPR’s right to be forgotten requires that personal data can be deleted securely, which is achieved via proper retention and deletion controls.
**Question 10.** A “Security User Story” for a payment API should include which of the following acceptance criteria?
A) The API must respond within 200 ms.
B) All credit-card numbers must be stored in plaintext.
C) The API must reject requests without a valid JWT and log the attempt.
D) The API must use HTTP instead of HTTPS.
Answer: C
Explanation: Acceptance criteria must enforce authentication, authorization, and audit logging, aligning with security requirements.
**Question 11.** Which principle is NOT a core tenet of Zero Trust Architecture (ZTA)?
A) Verify explicitly
B) Trust but verify
C) Assume breach
D) Least privileged access
Answer: B
Explanation: Zero Trust replaces “trust but verify” with “never trust, always verify”; “trust but verify” is contrary to ZTA.


**Question 12.** In microservices security, which pattern helps limit blast radius when a service is compromised?
A) Monolithic deployment
B) Shared database for all services
C) Service-level network segmentation and mutual TLS
D) Disabling all logging
Answer: C
Explanation: Segmentation and mutual TLS isolate services, reducing the impact of a breach.
**Question 13.** OWASP Top 10 item “Broken Access Control” primarily concerns which risk?
A) Injection of malicious SQL statements.
B) Unauthorized users gaining privileges they should not have.
C) Exposure of sensitive data over unencrypted channels.
D) Cross-site scripting attacks.
Answer: B
Explanation: Broken Access Control allows attackers to act beyond their intended permissions.
**Question 14.** Which OWASP Top 10 vulnerability is mitigated by using prepared statements or parameterized queries?
A) Security Misconfiguration
B) Insecure Deserialization
C) SQL Injection
D) Using Components with Known Vulnerabilities
Answer: C
Explanation: Prepared statements separate code from data, preventing malicious SQL from being executed.


**Question 18.** Software Composition Analysis (SCA) primarily helps organizations to:
A) Optimize CPU usage of applications.
B) Detect vulnerable open-source components and manage license compliance.
C) Perform load testing on APIs.
D) Encrypt all data in transit.
Answer: B
Explanation: SCA inventories third-party libraries, identifying known vulnerabilities and license issues.
**Question 19.** A Software Bill of Materials (SBOM) is useful because it:
A) Lists every line of source code in the application.
B) Provides a detailed inventory of all components, enabling rapid vulnerability response.
C) Encrypts all third-party libraries.
D) Replaces the need for SAST tools.
Answer: B
Explanation: An SBOM documents component versions, allowing quick identification of affected assets when a vulnerability is disclosed.
**Question 20.** Which CI tool feature is essential for securing the build server itself?
A) Unlimited parallel jobs.
B) Role-based access control (RBAC) and credential isolation.
C) Automatic version bumping.
D) Publicly exposing build logs.
Answer: B


Explanation: RBAC and credential isolation protect the build environment from unauthorized access and secret leakage.
**Question 21.** Automated secret scanning in a Git repository aims to:
A) Replace all encryption mechanisms.
B) Detect and prevent accidental commits of API keys, passwords, or certificates.
C) Automatically generate new secrets for each commit.
D) Disable branch protection rules.
Answer: B
Explanation: Secret scanning tools search for patterns that resemble credentials, preventing their exposure in source control.
**Question 22.** Dynamic Application Security Testing (DAST) differs from SAST because DAST:
A) Analyzes source code directly.
B) Tests a running application from the outside, simulating attacks.
C) Requires no network connectivity.
D) Can only be performed on mobile apps.
Answer: B
Explanation: DAST is a black-box approach that interacts with the live application to find runtime vulnerabilities.
**Question 23.** Which tool is commonly used for automated DAST in CI pipelines?
A) SonarQube
B) OWASP ZAP
C) Terraform
D) Ansible


C. Selenium
D. Grafana
Answer: B
Explanation: Checkov parses Terraform (and other IaC) files to find misconfigurations such as overly permissive security groups.
**Question 27.** Immutable infrastructure means that:
A. Servers are patched in place.
B. Once deployed, resources are never modified; changes require new deployments.
C. All configuration files are stored in a mutable database.
D. The same instance is reused for multiple releases.
Answer: B
Explanation: Immutable patterns replace resources rather than altering them, ensuring consistency and simplifying rollback.
**Question 28.** Which of the following is a key benefit of using Runtime Application Self-Protection (RASP)?
A. Prevents all vulnerabilities from being introduced during coding.
B. Monitors and blocks attacks in real time within the running application.
C. Generates SBOMs automatically.
D. Replaces the need for any static analysis.
Answer: B
Explanation: RASP instruments the application to detect and block malicious behavior at runtime.
**Question 29.** Cloud Security Posture Management (CSPM) primarily helps to:


A. Optimize cloud cost.
B. Continuously detect and remediate misconfigurations and compliance violations in cloud environments.
C. Provide end-user authentication services.
D. Encrypt data at rest.
Answer: B
Explanation: CSPM tools continuously assess cloud resources for drift and policy violations.
**Question 30.** Which AWS service can automatically detect publicly readable S3 buckets and remediate them?
A. AWS GuardDuty
B. AWS Config with a rule for S3 public access
C. Amazon CloudFront
D. AWS Lambda@Edge
Answer: B
Explanation: AWS Config can evaluate S3 bucket configurations against a rule and trigger remediation.
**Question 31.** In the context of DevSecOps, “shared responsibility model” means:
A. The cloud provider handles all security aspects.
B. Customers are solely responsible for security.
C. Both provider and customer have distinct security duties that must be coordinated.
D. Security is outsourced to a third party.
Answer: C
Explanation: Cloud providers secure the infrastructure, while customers secure what they build and configure.


Explanation: SAST may flag a potential injection even when the code already uses safe parameterization, resulting in a false positive.
**Question 35.** The OWASP Dependency-Check tool is primarily used for:
A. Scanning container images.
B. Detecting vulnerable open-source libraries in a project.
C. Performing DAST on web applications.
D. Managing IAM roles.
Answer: B
Explanation: Dependency-Check analyzes project dependencies to identify known vulnerabilities.
**Question 36.** Which compliance framework specifically mandates encryption of e-PHI both at rest and in transit?
A. PCI-DSS
B. GDPR
C. HIPAA
D. ISO 27001
Answer: C
Explanation: HIPAA’s Security Rule requires encryption of protected health information during storage and transmission.
**Question 37.** In a CI pipeline, which stage is most appropriate for executing SCA scans?
A. Code checkout
B. Build artifact creation
C. Pre-deployment testing


D. Post-deployment monitoring
Answer: C
Explanation: Running SCA during pre-deployment testing ensures vulnerable components are caught before release.
**Question 38.** Which of the following container runtime security tools provides real-time syscall monitoring and policy enforcement?
A. Trivy
B. Falco
C. Docker Compose
D. Helm
Answer: B
Explanation: Falco monitors system calls and can enforce security policies at runtime.
**Question 39.** A “policy as code” approach in DevSecOps means:
A. Writing security policies in natural language only.
B. Encoding security rules in version-controlled files that can be automatically validated.
C. Storing policies in a proprietary format.
D. Manually reviewing policies after each release.
Answer: B
Explanation: Policy as code treats security policies like code, enabling automated testing and enforcement.
**Question 40.** Which of the following is a benefit of integrating security checks into pull-request workflows?
A. Eliminates the need for any testing.


**Question 43.** Which IaC tool natively supports policy checks via Sentinel?
A. Terraform Cloud
B. CloudFormation
C. Ansible
D. Chef
Answer: A
Explanation: Terraform Cloud includes Sentinel for policy-as-code enforcement during plan and apply phases.
**Question 44.** The “defense-in-depth” strategy in DevSecOps recommends:
A. Relying on a single firewall.
B. Layering multiple security controls at network, host, application, and data levels.
C. Disabling all logging to reduce noise.
D. Using only static analysis tools.
Answer: B
Explanation: Multiple overlapping controls provide redundancy and mitigate failures of any single control.
**Question 45.** Which of the following is a recommended practice for handling third-party API keys in CI pipelines?
A. Hard-coding them in source files.
B. Storing them in environment variables encrypted by a secret manager.
C. Committing them to the repository in a .env file.
D. Exposing them in build logs.
Answer: B


Explanation: Secret managers protect keys and provide controlled access without exposing them in code.
**Question 46.** When using GitHub Actions, the secrets context is used to:
A. Store public configuration values.
B. Access encrypted secrets that are masked in logs.
C. Define workflow schedules.
D. Generate random passwords on the fly.
Answer: B
Explanation: The secrets context provides secure, masked access to encrypted values.
**Question 47.** Which of the following best describes “Infrastructure as Code” (IaC) testing?
A. Running performance benchmarks on production servers.
B. Validating syntax, policy compliance, and security of IaC templates before deployment.
C. Manually inspecting cloud console configurations.
D. Disabling version control for IaC files.
Answer: B
Explanation: IaC testing ensures the code that provisions infrastructure is correct, secure, and compliant.
**Question 48.** In the context of CI/CD, “Blue/Green deployment” helps with security by:
A. Eliminating the need for monitoring.
B. Allowing a quick rollback to a known-good environment if a security issue is discovered.
C. Deploying all changes directly to production without testing.
D. Removing all access controls during deployment.
Answer: B


C. It reduces image size.
D. It enables automatic secret injection.
Answer: B
Explanation: The latest tag is mutable; using fixed version tags ensures reproducibility and traceability.
**Question 52.** In a CI pipeline, which step should handle the generation of an SBOM?
A. Source checkout.
B. Build artifact creation.
C. Post-deployment cleanup.
D. Notification sending.
Answer: B
Explanation: The SBOM is generated from the built artifact, listing all components included.
**Question 53.** Which of the following is NOT a typical feature of a Cloud Access Security Broker (CASB)?
A. Shadow IT discovery.
B. Encryption of data in motion.
C. Directly managing on-premise firewalls.
D. Policy enforcement for SaaS applications.
Answer: C
Explanation: CASBs focus on cloud services; they do not manage on-premise network devices.
**Question 54.** Which of the following is a common indicator of a compromised container at runtime?
A. Increased CPU usage without corresponding load.


B. Successful image pull from a trusted registry.
C. No network connections opened.
D. Container image size reduced.
Answer: A
Explanation: Unexpected resource consumption can signal malicious activity inside a container.
**Question 55.** Which of the following best describes “security as code” in the context of pipelines?
A. Writing security policies in plain English only.
B. Embedding security controls (e.g., scans, gates) directly into the CI/CD workflow as automated steps.
C. Performing manual security reviews after each release.
D. Outsourcing all security tasks to a third party.
Answer: B
Explanation: Security as code automates security checks within the pipeline, treating them like any other code.
**Question 56.** Which of the following is a primary benefit of using a “policy engine” like Open Policy Agent (OPA) in CI/CD?
A. It eliminates the need for any testing.
B. It enables declarative, reusable policies that can be evaluated across multiple stages.
C. It automatically writes code for developers.
D. It disables all network traffic during builds.
Answer: B
Explanation: OPA allows centralized, version-controlled policies to be applied consistently.