This foundation-level exam introduces security integration within DevOps workflows. It covers DevSecOps principles, secure SDLC, threat modeling, security automation, compliance awareness, and collaboration between development, security, and operations teams. The exam emphasizes building security as a shared responsibility.
Question 1. Which cultural shift is most essential for adopting DevSecOps in an organization?
A) Centralizing security decisions in a dedicated team
B) Treating security as an after‑release checkpoint
C) Embedding security responsibilities within every development squad
D) Outsourcing security testing to third‑party vendors
Answer: C
Explanation: DevSecOps requires “security is everyone’s responsibility,” meaning each team owns security tasks rather than relying on a siloed group.

Question 2. In the transition from Waterfall to Agile to DevOps, which phase introduces the greatest opportunity for early security integration?
A) Requirements gathering in Waterfall
B) Sprint planning in Agile
C) Continuous integration in DevOps
D) Post‑deployment monitoring in DevOps
Answer: C
Explanation: Continuous integration enables automated security checks (SAST, SCA) to be run on every code change, allowing security to be addressed early and continuously.

Question 3. The “security bottleneck” in traditional DevOps pipelines most commonly occurs during which stage?
A) Code commit
B) Build automation
C) Release approval
D) Production monitoring
Answer: C
Explanation: Traditional pipelines often place security reviews at the release gate, causing delays and creating a bottleneck.

Question 4. Which of the Three Ways of DevOps is most directly aligned with “continuous security feedback”?
A) Flow
B) Feedback
C) Continual learning
D) Automation
Answer: B
Explanation: The Feedback Way emphasizes rapid, looped information flow, which in a security context means immediate alerts from testing tools back to developers.

Question 5. A Security Champion program is primarily intended to:
A) Replace the security team with developers
B) Provide developers with security expertise and advocacy
C) Outsource security code reviews to external auditors
D) Automate all security testing without human involvement
Answer: B
Explanation: Security Champions act as liaisons, bringing security knowledge into development teams and promoting best practices.

Question 6. Moving from a “gatekeeper” to an “enabler” security model means:
A) Removing all security controls from the pipeline
B) Allowing developers to bypass security checks
C) Providing automated security tools that empower developers to fix issues early
D) Shifting all security responsibilities to operations staff
D) Continuous risk‑based governance and metrics
Answer: C
Explanation: DSOMM Level 3 marks the introduction of automated security testing embedded in CI/CD.

Question 10. The Building Security In Maturity Model (BSIMM) measures maturity based on:
A) Number of security tools purchased
B) Activities performed by organizations, grouped into domains
C) Number of security incidents reported per year
D) Percentage of code covered by unit tests
Answer: B
Explanation: BSIMM tracks observed security activities across domains such as Strategy, Deployment, and Verification.

Question 11. Which phase of the DevSecOps lifecycle is most appropriate for integrating a Software Composition Analysis (SCA) tool?
A) Plan
B) Code
C) Build
D) Deploy
Answer: C
Explanation: SCA scans dependencies during the build phase, when the full dependency graph is assembled.

Question 12. A pre‑commit hook that scans for hard‑coded API keys primarily helps to:
A) Enforce coding style guidelines
B) Prevent secret leakage into version control
C) Optimize build performance
D) Automate unit test execution
Answer: B
Explanation: Pre‑commit secret detection stops credentials from being committed, reducing the risk of exposure.

Question 13. Which of the following is a primary benefit of using IDE plugins for secure coding standards?
A) They replace the need for any later testing
B) They provide real‑time feedback to developers as code is written
C) They automatically fix all security bugs
D) They generate production‑ready Docker images
Answer: B
Explanation: IDE plugins can flag insecure patterns instantly, helping developers correct issues before commit.

Question 14. Static Application Security Testing (SAST) differs from Dynamic Application Security Testing (DAST) in that SAST:
A) Executes the application in a runtime environment
B) Analyzes compiled binaries only
C) Examines source code without executing the program
D) Requires a deployed environment to run
Answer: C
Explanation: SAST works by scanning source code or binaries statically, without running the application.
Explanation: Hard‑coded secrets in IaC are a frequent security flaw that scanning tools aim to catch.

Question 18. The principle of “Immutable Infrastructure” primarily reduces risk by:
A) Allowing on‑the‑fly patching of running servers
B) Rebuilding servers from scratch rather than modifying them in place
C) Storing configuration files in a mutable database
D) Disabling all network traffic to production servers
Answer: B
Explanation: Immutable infrastructure eliminates drift by recreating resources instead of applying incremental changes.

Question 19. Which Docker image security practice ensures that only trusted images are deployed?
A) Using the latest tag for all images
B) Signing images with Notary or similar tools and verifying signatures before deployment
C) Disabling image scanning to speed up builds
D) Allowing any developer to push images to the production registry
Answer: B
Explanation: Image signing and verification guarantee the provenance and integrity of container images.

Question 20. In Kubernetes, which component enforces fine‑grained access control for API operations?
A) ConfigMaps
B) ServiceAccounts
C) Role‑Based Access Control (RBAC)
D) Ingress Controllers
Answer: C
Explanation: RBAC defines roles and bindings that control which users or services can perform specific API actions.

Question 21. Network Policies in Kubernetes are used to:
A) Define storage class parameters
B) Restrict pod‑to‑pod communication based on selectors
C) Manage secret encryption keys
D) Automate rolling updates
Answer: B
Explanation: Network Policies allow administrators to specify allowed traffic flows between pods.

Question 22. Serverless functions introduce a unique security concern known as:
A) Container escape
B) Function‑level privilege escalation due to overly permissive IAM roles
C) Persistent host filesystem exposure
D) Unencrypted VM images
Answer: B
Explanation: Serverless functions often run with IAM roles; overly broad permissions can lead to privilege escalation.

Question 23. Cloud Security Posture Management (CSPM) tools primarily help organizations by:
A) Automating code compilation
B) Continuously evaluating cloud configurations against best‑practice benchmarks
B) Scanning, Testing, Reporting, Integration, Deployment, Evaluation
C) Secure, Trust, Resilient, Immutable, Deployable, Extensible
D) None of the above
Answer: A
Explanation: STRIDE is a classic threat modeling framework covering those six categories.

Question 27. Which stage of the DevSecOps pipeline is most suitable for executing a DAST scan?
A) Code
B) Build
C) Test (against a deployed test environment)
D) Deploy (production)
Answer: C
Explanation: DAST requires a running application, typically in a test environment after deployment.

Question 28. A “policy as code” approach in CI/CD pipelines typically stores policies in:
A) Binary executable files
B) JSON/YAML files version‑controlled alongside source code
C) Encrypted vaults only accessible at runtime
D) Physical paperwork in the security office
Answer: B
Explanation: Storing policies as code enables versioning, review, and automated enforcement.

Question 29. Which of the following is a key advantage of using Open Policy Agent (OPA) with the Rego language for security checks?
A) It only works with Kubernetes resources
B) Policies can be written in a declarative, high‑level language and evaluated at runtime
C) It automatically patches vulnerabilities without human input
D) It replaces all existing security tools
Answer: B
Explanation: OPA’s Rego language allows expressive, declarative policies that can be evaluated in many contexts.

Question 30. When performing a risk‑based prioritization of vulnerabilities, which factor is typically given the highest weight?
A) CVSS score alone
B) Exploit availability combined with asset criticality
C) Number of lines of code affected
D) Age of the vulnerability
Answer: B
Explanation: Prioritization should consider both exploitability and the importance of the affected asset.

Question 31. Which of the following best illustrates “continuous learning” within a DevSecOps culture?
A) Annual security training sessions only
B) Post‑mortem analyses of incidents shared across teams, leading to process improvements
C) Ignoring security incidents to maintain speed
D) Relying solely on automated tools without human review
Answer: B
Explanation: Continuous learning involves regular feedback loops, such as post‑mortems, to evolve practices.
Question 35. Which of the following is a primary security concern when using shared Kubernetes clusters for multiple teams?
A) Increased resource utilization
B) Cross‑namespace privilege escalation if RBAC is misconfigured
C) Faster deployment times
D) Simplified network configuration
Answer: B
Explanation: Inadequate RBAC can allow a compromised workload in one namespace to affect others.

Question 36. Which of the following best describes “runtime application self‑protection” (RASP)?
A) Scanning source code before compilation
B) Embedding security logic within the application to detect and block attacks at runtime
C) Using firewalls to block all inbound traffic
D) Encrypting source code at rest
Answer: B
Explanation: RASP adds protective controls inside the running application, detecting malicious behavior in real time.

Question 37. In a CI pipeline, which tool type would you use to detect license compliance issues in open‑source dependencies?
A) SAST scanner
B) SCA (Software Composition Analysis) tool
C) DAST scanner
D) Container runtime scanner
Answer: B
Explanation: SCA tools analyze dependency trees for known licenses and vulnerabilities.

Question 38. Which of the following is a recommended practice for securing secrets used by CI/CD pipelines?
A) Storing them in plain text files in the repository
B) Using a secret management solution (e.g., Vault, AWS Secrets Manager) and injecting at runtime
C) Hard‑coding them in build scripts
D) Disabling encryption for faster access
Answer: B
Explanation: Central secret stores provide controlled access, auditing, and automatic rotation.

Question 39. Which Kubernetes object is most appropriate for defining a set of security policies that apply to a group of pods?
A) ConfigMap
B) PodSecurityPolicy (deprecated) or its successor, PodSecurity admission standards
C) Service
D) PersistentVolumeClaim
Answer: B
Explanation: PodSecurityPolicy (or the newer PodSecurity admission) defines security constraints for pods.

Question 40. When implementing “Shift‑Left” testing, which metric is most indicative of early defect detection success?
A) Mean time to recovery (MTTR) in production
B) Percentage of security tests passed on first commit
A) Gradual deviation of actual configurations from defined security policies due to manual changes
B) Automatic scaling of resources
C) Increase in network latency over time
D) Decrease in storage capacity usage
Answer: A
Explanation: Policy drift occurs when resources are altered manually, causing them to diverge from compliance baselines.

Question 44. What is the main advantage of using a “service mesh” (e.g., Istio) for security in microservice architectures?
A) It eliminates the need for any authentication
B) It provides centralized, declarative control over traffic encryption and policy enforcement
C) It reduces the number of microservices required
D) It automatically writes application code
Answer: B
Explanation: Service meshes enable mutual TLS, traffic policies, and observability without modifying individual services.

Question 45. In the context of CI/CD, “artifact signing” primarily provides:
A) Faster download speeds
B) Assurance that a binary originated from a trusted build pipeline and has not been tampered with
C) Automatic version bumping
D) Reduced storage costs
Answer: B
Explanation: Signing creates a cryptographic proof of origin and integrity for build artifacts.

Question 46. Which of the following is a key indicator that a CI pipeline is “security‑enabled” rather than “security‑gated”?
A) Builds fail automatically when any security finding is detected, regardless of severity
B) Security tools provide actionable findings that developers can address before merge, without blocking the pipeline for low‑risk issues
C) Security checks are performed only after production release
D) The pipeline includes a manual security approval step before each commit
Answer: B
Explanation: Security‑enabled pipelines surface findings early and allow developers to fix issues without unnecessary blockages.

Question 47. Which of the following is NOT a typical component of a Security Information and Event Management (SIEM) system?
A) Log aggregation
B) Real‑time correlation and alerting
C) Automated code compilation
D) Dashboards for incident investigation
Answer: C
Explanation: SIEM focuses on log processing and analysis, not on building code.

Question 48. Which of the following best describes “defense in depth” within a DevSecOps environment?
A) Relying on a single firewall to protect all assets
B) Implementing multiple overlapping security controls at different layers (network, host, application, data)
C) Disabling all security controls to improve performance
D) Using only open‑source tools for security
D) To replace unit testing entirely
Answer: B
Explanation: Scanning catches security issues before images are stored and later deployed.

Question 52. Which of the following best illustrates “runtime hardening” of a Java application?
A) Enforcing code style guidelines during development
B) Enabling the Java Security Manager and configuring a restrictive policy file at launch
C) Using a linter to detect unused imports
D) Adding more comments to the source code
Answer: B
Explanation: The Security Manager provides runtime permission checks, hardening the application against unsafe operations.

Question 53. Which of the following is a common benefit of adopting “GitOps” practices for infrastructure management?
A) Manual configuration of servers on each deployment
B) Declarative, version‑controlled infrastructure definitions that can be automatically reconciled, improving auditability and security
C) Eliminating the need for any security testing
D) Allowing developers to bypass all change‑approval processes
Answer: B
Explanation: GitOps stores IaC in Git, enabling automated, auditable, and consistent deployments.

Question 54. Which of the following security controls is most effective at preventing “SQL injection” attacks at the code level?
A) Input validation performed only on the client side
B) Parameterized queries / prepared statements in the data access layer
C) Disabling database logging
D) Using a firewall to block all inbound traffic
Answer: B
Explanation: Parameterized queries separate code from data, eliminating injection vectors.

Question 55. Which of the following is the primary purpose of a “security champion” within an Agile squad?
A) To replace the product owner
B) To act as a liaison, promoting secure coding practices and facilitating security tool usage within the team
C) To manage the CI/CD server hardware
D) To write all unit tests for the team
Answer: B
Explanation: Security champions embed security expertise directly into development teams.

Question 56. Which of the following best describes “code signing” in the context of CI/CD?
A) Encrypting source code before committing
B) Applying a cryptographic signature to compiled binaries to verify authenticity and integrity
C) Adding comments to the code header
D) Using a code formatter to standardize style
Answer: B
Explanation: Code signing provides proof that the artifact originates from a trusted source and has not been altered.

Question 57. In a microservices architecture, which attack surface is most effectively reduced by implementing mutual TLS (mTLS) between services?