GSDC Certified DevSecOps Practitioner (CDSOP) Exam

This exam focuses on applied DevSecOps execution and operations. It covers toolchain integration, security automation, compliance monitoring, continuous risk assessment, and cross-team collaboration. Candidates demonstrate readiness to operationalize DevSecOps in real-world enterprise environments.

Typology: Exams (2025/2026)
Available from 01/23/2026
Uploaded by shilpi-jain-2

**Question 1.** Which principle best describes the “Shift Left” philosophy in DevSecOps?
A) Deploying security patches after production release
B) Integrating security testing early in the development lifecycle
C) Moving security responsibilities to the operations team only
D) Deferring compliance audits to the end of the project
Answer: B
Explanation: “Shift Left” means incorporating security checks as early as possible—during
design, coding, and unit testing—to catch defects before they propagate downstream.
**Question 2.** The Rugged Manifesto primarily emphasizes which of the following?
A) Maximizing speed at the expense of security
B) Building resilient systems through continuous learning and adaptation
C) Isolating security teams from developers
D) Using only proprietary security tools
Answer: B
Explanation: The Rugged Manifesto advocates for resilient, adaptable systems that learn from
failures, aligning security with reliability and continuous improvement.
**Question 3.** In the Three Ways of DevSecOps, which way focuses on “feedback loops”?
A) The First Way – Flow of work from left to right
B) The Second Way – Amplify feedback loops
C) The Third Way – Culture of continual experimentation
D) None of the above

Answer: B
Explanation: The Second Way emphasizes creating rapid, tight feedback loops so that problems are detected and corrected early.
**Question 4.** Which cultural shift is essential for moving from a “Security Silo” to a shared responsibility model?
A) Assigning all security tasks to a single “gatekeeper” role
B) Embedding security champions within development squads
C) Removing all security controls from the CI pipeline
D) Outsourcing security to an external vendor only
Answer: B
Explanation: Security champions act as liaisons, fostering collaboration and shared responsibility across teams.
**Question 5.** GRC integration in automated workflows primarily helps with which outcome?
A) Eliminating the need for any manual security review
B) Ensuring continuous compliance and risk visibility
C) Replacing all governance policies with AI decisions
D) Automating only network configuration
Answer: B
Explanation: Integrating Governance, Risk, and Compliance (GRC) into automated workflows automates evidence collection and policy enforcement, maintaining continuous compliance.
**Question 6.** Which tool is commonly used for Policy as Code (PaC) enforcement?

Answer: B
Explanation: Security as Code (SaC) treats security controls like any other code: stored in version control, reviewed, and applied automatically.
**Question 9.** Which of the following is a “user story” format for a security requirement?
A) As a developer, I want to push code without any checks.
B) As a security auditor, I need all logs encrypted at rest.
C) As a user, I want the UI to be colorful.
D) As an operations engineer, I want to ignore alerts.
Answer: B
Explanation: Security user stories capture needs from a stakeholder perspective, such as audit log encryption.
**Question 10.** What is the primary purpose of a pre‑commit hook that runs Gitleaks?
A) To format code according to style guides
B) To detect hard‑coded secrets before code is committed
C) To compile the application
D) To deploy the code to production
Answer: B
Explanation: Gitleaks scans for secrets (API keys, passwords) in the codebase, preventing accidental leakage.
**Question 11.** Which SAST tool is known for providing both static analysis and open‑source vulnerability detection?

A) Burp Suite
B) Snyk
C) Trivy
D) Falco
Answer: B
Explanation: Snyk offers static code analysis and scans for vulnerable open‑source dependencies.
**Question 12.** Software Composition Analysis (SCA) primarily helps with which risk?
A) Misconfigured DNS records
B) Vulnerable third‑party libraries and license compliance
C) Weak password policies
D) Unpatched operating systems
Answer: B
Explanation: SCA identifies known vulnerabilities and licensing issues in open‑source components.
**Question 13.** Dynamic Application Security Testing (DAST) differs from SAST because DAST:
A) Analyzes source code without executing it
B) Scans a running application to find runtime vulnerabilities
C) Only works on compiled binaries
D) Requires access to the source repository
Answer: B

B) Falco
C) Terraform
D) SonarQube
Answer: B
Explanation: Falco watches system calls in containers to detect anomalous behavior in real time.
**Question 17.** In Kubernetes, which resource defines network traffic rules between pods?
A) ConfigMap
B) NetworkPolicy
C) PersistentVolume
D) ServiceAccount
Answer: B
Explanation: NetworkPolicy objects specify allowed ingress and egress traffic for selected pods.
**Question 18.** What does RBAC stand for in Kubernetes security?
A) Remote Binary Access Control
B) Role‑Based Access Control
C) Resource‑Based Authorization Cipher
D) Runtime Blocked Access Cache
Answer: B
Explanation: RBAC assigns permissions to users or service accounts based on roles, limiting what actions they can perform.

**Question 19.** Which Kubernetes object enforces the Pod Security Standards (PSS) at the cluster level?
A) PodSecurityPolicy (deprecated)
B) AdmissionController
C) PodSecurityAdmission (PSA)
D) HorizontalPodAutoscaler
Answer: C
Explanation: The Pod Security Admission controller (built in and enabled by default since Kubernetes 1.25, the release that also removed PodSecurityPolicy) applies the PSS profiles (privileged, baseline, restricted) to pods; the level is selected per namespace through the pod-security.kubernetes.io/enforce, audit and warn labels.
**Question 20.** A common attack surface unique to serverless functions is:
A) Insecure container base images
B) Over‑privileged execution roles
C) Unpatched kernel modules
D) Physical hardware tampering
Answer: B
Explanation: Serverless functions run under an execution (IAM) role; granting that role more permissions than the function needs expands the attack surface of every event it handles.
**Question 21.** Which of the following is an example of an “interactive” security test that combines SAST and DAST?
A) Static analysis only
B) Fuzz testing

Explanation: Auto‑fix scripts automate the update of vulnerable base images to a patched version and rebuild the artifact.
**Question 24.** Which of the following best illustrates “security as code” in a CI pipeline?
A) Manually approving each deployment via email
B) Storing firewall rules in a version‑controlled JSON file and applying them via automation
C) Running a security audit only once a year
D) Disabling all security scanning to speed up builds
Answer: B
Explanation: Codifying security controls (e.g., firewall rules) enables versioning, review, and automated enforcement.
**Question 25.** What is the primary advantage of using Open Policy Agent (OPA) with the Rego language?
A) It provides a graphical UI for policy editing
B) Policies can be evaluated locally or as a sidecar in any environment
C) It replaces all existing CI tools automatically
D) It only works with Kubernetes
Answer: B
Explanation: OPA’s lightweight engine can be embedded anywhere (as a library, a sidecar, or a standalone server), allowing consistent policy decisions across CI, IaC, and runtime.
**Question 26.** Which compliance framework focuses on protecting credit‑card data?
A) HIPAA

B) PCI‑DSS
C) GDPR
D) SOX
Answer: B
Explanation: PCI‑DSS (Payment Card Industry Data Security Standard) specifies security requirements for handling cardholder data.
**Question 27.** In a DevSecOps pipeline, at which stage should secret scanning be performed to minimize risk?
A) Only during production deployment
B) At the pre‑commit stage and again in CI after merge
C) After the application is live for a month
D) Never, secrets are managed manually
Answer: B
Explanation: Early detection (pre‑commit) prevents secrets from entering the repository; a second scan in CI catches any that slip through (a developer can skip or misconfigure a local hook, and a diff-only hook never looks at secrets that were already committed).
**Question 28.** Which of the following is a “policy violation” that OPA could enforce in a Kubernetes cluster?
A) Deploying pods with privileged containers
B) Using a specific programming language
C) Running unit tests on local machines
D) Writing documentation in Markdown
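The two-stage scan that Question 10 and Question 27 describe, as an added example (this is not Gitleaks' code, only the shape of what a pre-commit hook and a CI scan each do): the pre-commit stage scans only the lines a commit adds, taken from the staged diff, while the CI stage scans whole files, so a secret that was committed earlier or slipped past a developer's hook is still reported. RULES is a small hypothetical rule set (the AWS and GitHub token formats follow their publicly documented prefixes), and the diff and file below are constructed sample input; the AWS key in them is the documented example key, not a live credential.

```python
"""Two-stage secret scanning: staged diff at pre-commit, whole files in CI.

Added example for Q10 and Q27; not the code of Gitleaks or any other tool.
RULES is a hypothetical rule set; STAGED_DIFF and MERGED_FILE are constructed input.
"""
import math
import re
from dataclasses import dataclass

RULES = [
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")),
    ("github-pat", re.compile(r"ghp_[A-Za-z0-9]{36}")),
    # last group captures the assigned value, e.g. password = "..."
    ("generic-secret-assignment",
     re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
ALLOW_MARKER = "gitleaks:allow"   # the inline opt-out comment Gitleaks honours


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    redacted: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and placeholders score low."""
    if not s:
        return 0.0
    freqs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in freqs)


def redact(secret: str) -> str:
    """Never echo the full secret into hook output or CI logs."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_lines(entries):
    """entries: (path, line_no, text). A rule's last group, if any, is the secret."""
    findings = []
    for path, line_no, text in entries:
        if ALLOW_MARKER in text:
            continue
        for name, rx in RULES:
            for m in rx.finditer(text):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(name, path, line_no, redact(secret),
                                        round(shannon_entropy(secret), 2)))
    return findings


def scan_diff(diff_text: str):
    """Pre-commit stage: only lines the commit adds, numbered as in the new file."""
    path, new_line, entries = "", 0, []
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1))   # "+c" in "@@ -a,b +c,d @@"
        elif raw.startswith("+"):
            entries.append((path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1          # unchanged context counts, but is not scanned here
        # removed ("-") lines belong to the old file and do not advance new_line
    return scan_lines(entries)


def scan_blob(path: str, content: str):
    """CI stage: the entire file, so secrets already in the tree are reported too."""
    return scan_lines([(path, n, t) for n, t in enumerate(content.splitlines(), 1)])


# Constructed staged diff: a key that was committed earlier sits in context, the commit
# adds an AWS key and a password, and an allow-listed test token.
STAGED_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
 LEGACY_API_KEY = "sk_live_0000000000000000"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+TEST_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # gitleaks:allow
 DB_HOST = os.environ.get("DB_HOST")
"""

# The same file as it exists after merge, which is what the CI stage sees.
MERGED_FILE = """\
import os
LEGACY_API_KEY = "sk_live_0000000000000000"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2hunter2"
TEST_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # gitleaks:allow
DB_HOST = os.environ.get("DB_HOST")
"""

if __name__ == "__main__":
    for stage, found in (("pre-commit", scan_diff(STAGED_DIFF)),
                         ("ci", scan_blob("config.py", MERGED_FILE))):
        for f in found:
            print(f"[{stage}] {f.path}:{f.line} {f.rule} {f.redacted} entropy={f.entropy}")
```

Running it shows why the second stage exists: the pre-commit scan reports the two secrets this commit adds (lines 3 and 4), while the CI scan of the merged file also reports the pre-existing key on line 2, which a diff-only hook never examines. The allow marker keeps the obviously fake test token out of both reports.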

B) Terraform
C) Pulumi
D) CloudFormation itself
Answer: D
Explanation: AWS CloudFormation is the native declarative IaC service for provisioning AWS resources.
**Question 32.** When using Sentinel with HashiCorp Terraform, what does a policy typically evaluate?
A) The runtime performance of containers
B) The configuration plan before resources are provisioned
C) The source code style of Python scripts
D) Network latency between microservices
Answer: B
Explanation: Sentinel policies run against the Terraform plan to ensure compliance before changes are applied.
**Question 33.** Which of the following is a recommended practice for managing secrets in CI/CD pipelines?
A) Hard‑coding them in source code
B) Storing them in plain text files within the repository
C) Using a secret management solution like HashiCorp Vault and injecting at runtime
D) Sending them via email to developers

Answer: C
Explanation: Central secret stores provide controlled access, audit trails, and dynamic secrets, reducing exposure risk.
**Question 34.** Which of the following is an example of “defense in depth” in a containerized environment?
A) Relying solely on host‑based firewall rules
B) Using image scanning, runtime monitoring, network policies, and pod‑level security contexts together
C) Disabling all logging to improve performance
D) Allowing any container to run as root
Answer: B
Explanation: Combining multiple layers of protection (scanning, runtime, network, pod security) creates a robust defense.
**Question 35.** Which of the following statements about “immutable infrastructure” is true?
A) Servers are patched in place frequently
B) Once an artifact is built, it never changes; updates are deployed via new instances
C) Configuration files are edited directly on running VMs
D) All changes are made manually through the console
Answer: B
Explanation: Immutable infrastructure treats servers as replaceable; updates are delivered by redeploying new, versioned images.

D) Disabling version control
Answer: B
Explanation: Automated evidence generation ensures that compliance artifacts are captured continuously, simplifying audits.
**Question 39.** Which of the following is NOT a typical responsibility of a security champion within a development team?
A) Conducting peer code reviews for security issues
B) Maintaining the CI/CD pipeline’s build speed
C) Providing security training to teammates
D) Acting as a liaison between security and development
Answer: B
Explanation: While champions may be aware of pipeline performance, their primary focus is security advocacy, not build optimization.
**Question 40.** In the context of IaC, “drift detection” is the process of:
A) Monitoring CPU usage of containers
B) Comparing the live infrastructure state against the declared code to find inconsistencies
C) Measuring the time taken for a deployment
D) Tracking the number of pull requests merged per week
Answer: B
Explanation: Drift detection identifies mismatches between provisioned resources and the source IaC definitions.
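Drift detection as Question 40 defines it, as an added example that is not the code of Terraform, driftctl or any other tool: DECLARED stands in for what the IaC definitions say should exist and LIVE for what the cloud API reports. Both are constructed sample data with hypothetical resource names and attributes (a real run would load them from state or plan output and from provider APIs), and SECURITY_ATTRS is an assumed list of the attributes whose drift should fail a pipeline rather than merely be logged.

```python
"""Drift detection: declared IaC state versus the live environment.

Added example for Q40; not the code of Terraform, driftctl or any other tool.
DECLARED/LIVE are constructed sample data; SECURITY_ATTRS is a hypothetical list.
"""
import json
from dataclasses import dataclass

# Attributes whose drift is a security finding rather than housekeeping (assumed list).
SECURITY_ATTRS = {"encrypted", "ingress", "public", "versioning"}


@dataclass
class Drift:
    resource: str
    kind: str               # "missing" (declared, not live), "unmanaged" (live, not declared), "changed"
    attribute: str = ""     # dotted path, for kind == "changed"
    declared: object = None
    live: object = None

    @property
    def security_relevant(self) -> bool:
        return self.kind == "changed" and self.attribute.split(".")[0] in SECURITY_ATTRS


def flatten(value, prefix=""):
    """Turn nested dicts into {'a.b.c': leaf}; lists stay leaves and are compared whole."""
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            out.update(flatten(child, f"{prefix}.{key}" if prefix else key))
        return out
    return {prefix: value}


def normalize(value):
    """Order-insensitive form, so a reordered rule list is not reported as drift."""
    if isinstance(value, list):
        return sorted(json.dumps(item, sort_keys=True) for item in value)
    return value


def detect_drift(declared, live):
    """Compare two {resource_id: attributes} maps and list every inconsistency."""
    drifts = []
    for rid in sorted(set(declared) | set(live)):
        if rid not in live:
            drifts.append(Drift(rid, "missing"))
        elif rid not in declared:
            drifts.append(Drift(rid, "unmanaged"))
        else:
            want, have = flatten(declared[rid]), flatten(live[rid])
            for attr in sorted(set(want) | set(have)):
                if normalize(want.get(attr)) != normalize(have.get(attr)):
                    drifts.append(Drift(rid, "changed", attr, want.get(attr), have.get(attr)))
    return drifts


def gate_exit_code(drifts):
    """CI gate: fail the pipeline on security-relevant drift, only report the rest."""
    return 1 if any(d.security_relevant for d in drifts) else 0


# Constructed: what the IaC declares.
DECLARED = {
    "aws_s3_bucket.audit_logs": {
        "encrypted": True, "versioning": True, "public": False,
        "tags": {"owner": "secops"},
    },
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}],
    },
    "aws_iam_role.deploy": {"max_session_duration": 3600},
}

# Constructed: what the cloud API reports after some console changes.
LIVE = {
    "aws_s3_bucket.audit_logs": {
        "encrypted": True, "versioning": False, "public": False,   # versioning switched off by hand
        "tags": {"owner": "secops"},
    },
    "aws_security_group.web": {
        "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}],  # SSH opened to the world
    },
    "aws_security_group.debug": {"ingress": [{"port": 8080, "cidr": "0.0.0.0/0"}]},  # created outside IaC
    # aws_iam_role.deploy is gone: deleted outside IaC
}

if __name__ == "__main__":
    found = detect_drift(DECLARED, LIVE)
    for d in found:
        flag = "SECURITY" if d.security_relevant else "info"
        print(f"[{flag}] {d.resource} {d.kind} {d.attribute} declared={d.declared!r} live={d.live!r}")
    raise SystemExit(gate_exit_code(found))
```

The comparison flattens nested attributes so the report names the exact field that changed, and it sorts list-valued attributes before comparing them so that a security-group rule list returned in a different order by the API is not a false positive. The exit code is what a scheduled pipeline job would use to page someone when versioning is disabled on the audit bucket or SSH is opened to 0.0.0.0/0, while an unmanaged resource or a deleted role is reported for review.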

**Question 41.** Which of the following is a recommended way to secure secrets used by serverless functions?
A) Embedding them directly in the function code
B) Storing them in environment variables without encryption
C) Retrieving them at runtime from a managed secret store like AWS Secrets Manager
D) Hard‑coding them in a Dockerfile
Answer: C
Explanation: Managed secret stores provide encryption, rotation, and fine‑grained access control for serverless workloads.
**Question 42.** Which OWASP Top 10 category does the vulnerability “SQL Injection” belong to?
A) Broken Access Control
B) Injection
C) Security Misconfiguration
D) Sensitive Data Exposure
Answer: B
Explanation: SQL Injection is a classic example of the “Injection” category (A03:2021) in the OWASP Top 10.
**Question 43.** Which of the following is an advantage of using a “policy as code” approach over traditional manual policy enforcement?
A) Policies can be versioned, reviewed, and tested automatically
B) Policies become immutable and cannot be changed

**Question 46.** Which of the following best describes “continuous monitoring” in a cloud‑native environment?
A) Performing a manual audit once per quarter
B) Real‑time collection and analysis of security telemetry from services and workloads
C) Running a single vulnerability scan after each release
D) Disabling logging to improve performance
Answer: B
Explanation: Continuous monitoring gathers logs, metrics, and events continuously to detect anomalies and compliance gaps.
**Question 47.** Which of the following is a key consideration when selecting a container image registry for security?
A) The size of the logo on the registry website
B) Support for image signing and vulnerability scanning integration
C) The number of featured blog posts
D) Ability to host static HTML pages
Answer: B
Explanation: Secure registries support signing (e.g., Notary, Cosign) and integrate scanning to ensure only trusted images are used.
**Question 48.** In a Kubernetes environment, which component is responsible for enforcing admission control policies?
A) kube‑scheduler
B) kube‑apiserver

C) kube‑controller‑manager
D) kube‑proxy
Answer: B
Explanation: The API server runs admission controllers that can accept or reject resource creation requests based on policies. Built‑in controllers such as Pod Security Admission run in‑process; external policy engines such as OPA Gatekeeper plug in through validating (and mutating) admission webhooks.
**Question 49.** Which of the following is a primary benefit of “shift‑left” security testing for developers?
A) Reducing the number of code reviews required
B) Receiving faster feedback on security defects, enabling quicker remediation
C) Eliminating the need for any production testing
D) Allowing developers to skip unit testing
Answer: B
Explanation: Early security feedback shortens the remediation cycle and reduces the cost of fixing defects later.
**Question 50.** Which of the following is an example of a “security user story” in Agile development?
A) As a developer, I want to push code without any checks.
B) As a compliance officer, I need audit logs retained for 7 years.
C) As a UI designer, I need a dark theme for the app.
D) As a tester, I want to run performance benchmarks only.
Answer: B
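The admission decision that Questions 19, 28 and 48 describe, as an added example that is not the code of Pod Security Admission, OPA/Gatekeeper or Kubernetes itself: the API server hands the object being created to admission controllers, and admit() plays that role for a Pod. It reads the namespace's pod-security.kubernetes.io/enforce label the way Pod Security Admission does, and implements a subset of the baseline and restricted profiles (host namespaces, hostPath, privileged, capabilities, allowPrivilegeEscalation, runAsNonRoot, seccomp). The two pod manifests are constructed sample input, and the cluster is assumed to have no cluster‑wide default level, so an unlabelled namespace enforces nothing. The same rules are what a Rego policy for OPA would express for Question 28.

```python
"""Pod Security Standards checks as a minimal admission-style evaluator.

Added example for Q19, Q28 and Q48; not the code of Pod Security Admission,
OPA/Gatekeeper or Kubernetes. PRIVILEGED_POD and HARDENED_POD are constructed input.
"""
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"   # real PSA namespace label
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}

# Capabilities the PSS baseline profile lets a container add; restricted allows one.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
RESTRICTED_ALLOWED_CAPS = {"NET_BIND_SERVICE"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def baseline_violations(pod):
    """Subset of the baseline profile: block the well-known host escapes."""
    spec = pod.get("spec", {})
    out = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            out.append(f"spec.{flag} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"volume {vol.get('name')} uses hostPath")
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f"container {c['name']} is privileged")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - BASELINE_ALLOWED_CAPS
        if extra:
            out.append(f"container {c['name']} adds capabilities {sorted(extra)}")
    return out


def restricted_violations(pod):
    """Subset of the restricted profile: hardening that must be set explicitly."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    out = []
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"container {name} must set allowPrivilegeEscalation=false")
        # a container-level runAsNonRoot overrides the pod-level value
        run_as_non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if run_as_non_root is not True:
            out.append(f"container {name} must run as non-root")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            out.append(f"container {name} must drop ALL capabilities")
        if set(caps.get("add", [])) - RESTRICTED_ALLOWED_CAPS:
            out.append(f"container {name} may only add NET_BIND_SERVICE")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"container {name} needs a RuntimeDefault or Localhost seccomp profile")
    return out


def admit(pod, namespace_labels):
    """Return (allowed, reasons), as an admission controller would for this pod."""
    level = namespace_labels.get(ENFORCE_LABEL, "privileged")  # unlabelled: nothing enforced
    if level not in LEVELS:
        return False, [f"unknown enforce level {level!r}"]
    reasons = []
    if LEVELS[level] >= LEVELS["baseline"]:
        reasons += baseline_violations(pod)
    if LEVELS[level] >= LEVELS["restricted"]:
        reasons += restricted_violations(pod)
    return not reasons, reasons


# Constructed: a debug pod of the kind Q28 says policy should reject.
PRIVILEGED_POD = {
    "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}

# Constructed: a pod hardened to the restricted profile.
HARDENED_POD = {
    "metadata": {"name": "api"},
    "spec": {"securityContext": {"runAsNonRoot": True,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "api", "image": "registry.example/api:1.2.3",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}

if __name__ == "__main__":
    for pod in (PRIVILEGED_POD, HARDENED_POD):
        for level in ("privileged", "baseline", "restricted"):
            ok, why = admit(pod, {ENFORCE_LABEL: level})
            print(pod["metadata"]["name"], level, "ALLOW" if ok else "DENY", why)
```

The debug pod is admitted into an unlabelled namespace, rejected at baseline for its two host escapes, and rejected at restricted with four further reasons because the restricted profile requires the hardening fields to be set explicitly rather than merely not set to a dangerous value. The hardened pod passes at every level because its pod‑level securityContext supplies runAsNonRoot and the seccomp profile that the container itself does not set.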