This exam focuses on applied DevSecOps execution and operations. It covers toolchain integration, security automation, compliance monitoring, continuous risk assessment, and cross-team collaboration. Candidates demonstrate readiness to operationalize DevSecOps in real-world enterprise environments.
Typology: Exams
Question 1. Which principle best describes the “Shift Left” philosophy in DevSecOps?
A) Deploying security patches after production release
B) Integrating security testing early in the development lifecycle
C) Moving security responsibilities to the operations team only
D) Deferring compliance audits to the end of the project
Answer: B
Explanation: “Shift Left” means incorporating security checks as early as possible—during design, coding, and unit testing—to catch defects before they propagate downstream.

Question 2. The Rugged Manifesto primarily emphasizes which of the following?
A) Maximizing speed at the expense of security
B) Building resilient systems through continuous learning and adaptation
C) Isolating security teams from developers
D) Using only proprietary security tools
Answer: B
Explanation: The Rugged Manifesto advocates for resilient, adaptable systems that learn from failures, aligning security with reliability and continuous improvement.

Question 3. In the Three Ways of DevSecOps, which way focuses on “feedback loops”?
A) The First Way – Flow of work from left to right
B) The Second Way – Amplify feedback loops
C) The Third Way – Culture of continual experimentation
D) None of the above
Answer: B
Explanation: The Second Way emphasizes creating rapid, tight feedback loops so that problems are detected and corrected early.

Question 4. Which cultural shift is essential for moving from a “Security Silo” to a shared responsibility model?
A) Assigning all security tasks to a single “gatekeeper” role
B) Embedding security champions within development squads
C) Removing all security controls from the CI pipeline
D) Outsourcing security to an external vendor only
Answer: B
Explanation: Security champions act as liaisons, fostering collaboration and shared responsibility across teams.

Question 5. GRC integration in automated workflows primarily helps with which outcome?
A) Eliminating the need for any manual security review
B) Ensuring continuous compliance and risk visibility
C) Replacing all governance policies with AI decisions
D) Automating only network configuration
Answer: B
Explanation: Integrating Governance, Risk, and Compliance automates evidence collection and policy enforcement, maintaining continuous compliance.

Question 6. Which tool is commonly used for Policy as Code (PaC) enforcement?

Answer: B
Explanation: SaC treats security controls like any other code, stored in VCS, reviewed, and applied automatically.

Question 9. Which of the following is a “user story” format for a security requirement?
A) As a developer, I want to push code without any checks.
B) As a security auditor, I need all logs encrypted at rest.
C) As a user, I want the UI to be colorful.
D) As an operations engineer, I want to ignore alerts.
Answer: B
Explanation: Security user stories capture needs from a stakeholder perspective, such as audit log encryption.

Question 10. What is the primary purpose of a pre‑commit hook that runs Gitleaks?
A) To format code according to style guides
B) To detect hard‑coded secrets before code is committed
C) To compile the application
D) To deploy the code to production
Answer: B
Explanation: Gitleaks scans for secrets (API keys, passwords) in the codebase, preventing accidental leakage.

Question 11. Which SAST tool is known for providing both static analysis and open‑source vulnerability detection?
A) Burp Suite
B) Snyk
C) Trivy
D) Falco
Answer: B
Explanation: Snyk offers static code analysis and scans for vulnerable open‑source dependencies.

Question 12. Software Composition Analysis (SCA) primarily helps with which risk?
A) Misconfigured DNS records
B) Vulnerable third‑party libraries and license compliance
C) Weak password policies
D) Unpatched operating systems
Answer: B
Explanation: SCA identifies known vulnerabilities and licensing issues in open‑source components.

Question 13. Dynamic Application Security Testing (DAST) differs from SAST because DAST:
A) Analyzes source code without executing it
B) Scans a running application to find runtime vulnerabilities
C) Only works on compiled binaries
D) Requires access to the source repository
Answer: B

B) Falco
C) Terraform
D) SonarQube
Answer: B
Explanation: Falco watches system calls in containers to detect anomalous behavior in real time.

Question 17. In Kubernetes, which resource defines network traffic rules between pods?
A) ConfigMap
B) NetworkPolicy
C) PersistentVolume
D) ServiceAccount
Answer: B
Explanation: NetworkPolicy objects specify allowed ingress and egress traffic for selected pods.

Question 18. What does RBAC stand for in Kubernetes security?
A) Remote Binary Access Control
B) Role‑Based Access Control
C) Resource‑Based Authorization Cipher
D) Runtime Blocked Access Cache
Answer: B
Explanation: RBAC assigns permissions to users or service accounts based on roles, limiting what actions they can perform.

Question 19. Which Kubernetes object enforces the Pod Security Standards (PSS) at the cluster level?
A) PodSecurityPolicy (deprecated)
B) AdmissionController
C) PodSecurityAdmission (PSA)
D) HorizontalPodAutoscaler
Answer: C
Explanation: The PodSecurityAdmission controller applies PSS policies (restricted, baseline, privileged) to pods.

Question 20. A common attack surface unique to serverless functions is:
A) Insecure container base images
B) Over‑privileged execution roles
C) Unpatched kernel modules
D) Physical hardware tampering
Answer: B
Explanation: Serverless functions often run with IAM roles; granting excessive permissions expands the attack surface.

Question 21. Which of the following is an example of an “interactive” security test that combines SAST and DAST?
A) Static analysis only
B) Fuzz testing

Explanation: Auto‑fix scripts automate the update of vulnerable base images to a patched version and rebuild the artifact.

Question 24. Which of the following best illustrates “security as code” in a CI pipeline?
A) Manually approving each deployment via email
B) Storing firewall rules in a version‑controlled JSON file and applying them via automation
C) Running a security audit only once a year
D) Disabling all security scanning to speed up builds
Answer: B
Explanation: Codifying security controls (e.g., firewall rules) enables versioning, review, and automated enforcement.

Question 25. What is the primary advantage of using Open Policy Agent (OPA) with the Rego language?
A) It provides a graphical UI for policy editing
B) Policies can be evaluated locally or as a sidecar in any environment
C) It replaces all existing CI tools automatically
D) It only works with Kubernetes
Answer: B
Explanation: OPA’s lightweight engine can be embedded anywhere, allowing consistent policy decisions across CI, IaC, and runtime.

Question 26. Which compliance framework focuses on protecting credit‑card data?
A) HIPAA

Answer: B
Explanation: PCI‑DSS (Payment Card Industry Data Security Standard) specifies security requirements for handling cardholder data.

Question 27. In a DevSecOps pipeline, at which stage should secret scanning be performed to minimize risk?
A) Only during production deployment
B) At the pre‑commit stage and again in CI after merge
C) After the application is live for a month
D) Never, secrets are managed manually
Answer: B
Explanation: Early detection (pre‑commit) prevents secrets from entering the repository; a second scan in CI catches any that slip through.

Question 28. Which of the following is a “policy violation” that OPA could enforce in a Kubernetes cluster?
A) Deploying pods with privileged containers
B) Using a specific programming language
C) Running unit tests on local machines
D) Writing documentation in Markdown

B) Terraform
C) Pulumi
D) CloudFormation itself
Answer: D
Explanation: AWS CloudFormation is the native declarative IaC service for provisioning AWS resources.

Question 32. When using Sentinel with HashiCorp Terraform, what does a policy typically evaluate?
A) The runtime performance of containers
B) The configuration plan before resources are provisioned
C) The source code style of Python scripts
D) Network latency between microservices
Answer: B
Explanation: Sentinel policies run against the Terraform plan to ensure compliance before changes are applied.

Question 33. Which of the following is a recommended practice for managing secrets in CI/CD pipelines?
A) Hard‑coding them in source code
B) Storing them in plain text files within the repository
C) Using a secret management solution like HashiCorp Vault and injecting at runtime
D) Sending them via email to developers
Answer: C
Explanation: Central secret stores provide controlled access, audit trails, and dynamic secrets, reducing exposure risk.

Question 34. Which of the following is an example of “defense in depth” in a containerized environment?
A) Relying solely on host‑based firewall rules
B) Using image scanning, runtime monitoring, network policies, and pod‑level security contexts together
C) Disabling all logging to improve performance
D) Allowing any container to run as root
Answer: B
Explanation: Combining multiple layers of protection (scanning, runtime, network, pod security) creates a robust defense.

Question 35. Which of the following statements about “immutable infrastructure” is true?
A) Servers are patched in place frequently
B) Once an artifact is built, it never changes; updates are deployed via new instances
C) Configuration files are edited directly on running VMs
D) All changes are made manually through the console
Answer: B
Explanation: Immutable infrastructure treats servers as replaceable; updates are delivered by redeploying new, versioned images.

D) Disabling version control
Answer: B
Explanation: Automated evidence generation ensures that compliance artifacts are captured continuously, simplifying audits.

Question 39. Which of the following is NOT a typical responsibility of a security champion within a development team?
A) Conducting peer code reviews for security issues
B) Maintaining the CI/CD pipeline’s build speed
C) Providing security training to teammates
D) Acting as a liaison between security and development
Answer: B
Explanation: While champions may be aware of pipeline performance, their primary focus is security advocacy, not build optimization.

Question 40. In the context of IaC, “drift detection” is the process of:
A) Monitoring CPU usage of containers
B) Comparing the live infrastructure state against the declared code to find inconsistencies
C) Measuring the time taken for a deployment
D) Tracking the number of pull requests merged per week
Answer: B
Explanation: Drift detection identifies mismatches between provisioned resources and the source IaC definitions.

Question 41. Which of the following is a recommended way to secure secrets used by serverless functions?
A) Embedding them directly in the function code
B) Storing them in environment variables without encryption
C) Retrieving them at runtime from a managed secret store like AWS Secrets Manager
D) Hard‑coding them in a Dockerfile
Answer: C
Explanation: Managed secret stores provide encryption, rotation, and fine‑grained access control for serverless workloads.

Question 42. Which OWASP Top 10 category does the vulnerability “SQL Injection” belong to?
A) Broken Access Control
B) Injection
C) Security Misconfiguration
D) Sensitive Data Exposure
Answer: B
Explanation: SQL Injection is a classic example of the “Injection” category in the OWASP Top 10.

Question 43. Which of the following is an advantage of using a “policy as code” approach over traditional manual policy enforcement?
A) Policies can be versioned, reviewed, and tested automatically
B) Policies become immutable and cannot be changed

Question 46. Which of the following best describes “continuous monitoring” in a cloud‑native environment?
A) Performing a manual audit once per quarter
B) Real‑time collection and analysis of security telemetry from services and workloads
C) Running a single vulnerability scan after each release
D) Disabling logging to improve performance
Answer: B
Explanation: Continuous monitoring gathers logs, metrics, and events continuously to detect anomalies and compliance gaps.

Question 47. Which of the following is a key consideration when selecting a container image registry for security?
A) The size of the logo on the registry website
B) Support for image signing and vulnerability scanning integration
C) The number of featured blog posts
D) Ability to host static HTML pages
Answer: B
Explanation: Secure registries support signing (e.g., Notary, Cosign) and integrate scanning to ensure only trusted images are used.

Question 48. In a Kubernetes environment, which component is responsible for enforcing admission control policies?
A) kube‑scheduler
B) kube‑apiserver
C) kube‑controller‑manager
D) kube‑proxy
Answer: B
Explanation: The API server runs admission controllers that can accept or reject resource creation requests based on policies.

Question 49. Which of the following is a primary benefit of “shift‑left” security testing for developers?
A) Reducing the number of code reviews required
B) Receiving faster feedback on security defects, enabling quicker remediation
C) Eliminating the need for any production testing
D) Allowing developers to skip unit testing
Answer: B
Explanation: Early security feedback shortens the remediation cycle and reduces the cost of fixing defects later.

Question 50. Which of the following is an example of a “security user story” in Agile development?
A) As a developer, I want to push code without any checks.
B) As a compliance officer, I need audit logs retained for 7 years.
C) As a UI designer, I need a dark theme for the app.
D) As a tester, I want to run performance benchmarks only.
Answer: B