MDSO Certified DevSecOps Engineer Exam, Exams of Technology

This certification measures expertise in integrating security into DevOps pipelines. Topics include CI/CD security, infrastructure as code (IaC), container security, automation, vulnerability scanning, and policy enforcement. Candidates are evaluated on their ability to embed security into modern software delivery workflows.

Typology: Exams

2025/2026

Available from 01/24/2026

Uploaded by shilpi-jain-2

Partial preview hosted on Docsity (93 pages)
MDSO Certified DevSecOps Engineer Exam
Question 1. **Which of the following best describes the “Three Ways” in DevOps?**
A) Automation, Monitoring, Scaling
B) Flow, Feedback, Continual Learning
C) Planning, Coding, Deploying
D) Testing, Integration, Release
Answer: B
Explanation: The Three Ways are Flow (optimizing the delivery pipeline), Feedback (shortening feedback loops), and Continual Learning (creating a culture of experimentation and improvement).
Question 2. **In a shift-left strategy, security testing is moved to which stage of the SDLC?**
A) Post-production monitoring
B) Release management
C) Early development and code commit
D) Incident response
Answer: C
Explanation: Shift-left means performing security checks as early as possible, typically during coding and unit testing, to catch defects before they propagate.
Question 3. **Which maturity model is specifically designed for assessing DevSecOps capabilities?**
A) CMMI
B) OWASP SAMM
C) ITIL
D) COBIT
Answer: B


Explanation: OWASP Software Assurance Maturity Model (SAMM) provides a framework to evaluate and improve security practices within DevOps.
Question 4. **When hardening a CI server, which principle ensures that service accounts have only the permissions they need?**
A) Defense in depth
B) Least privilege
C) Zero trust
D) Role-based access control
Answer: B
Explanation: Least privilege restricts CI service accounts to the minimal set of actions required, reducing the blast radius of a compromise.
Question 5. **Which Git-based tool can automatically detect secrets that have been committed to a repository’s history?**
A) Trivy
B) Gitleaks
C) Checkov
D) SonarQube
Answer: B
Explanation: Gitleaks scans Git repositories for high-entropy strings and patterns that resemble credentials, helping to prevent secret leakage.
Question 6. **In a secure CI/CD pipeline, which component is responsible for validating that only approved container images are deployed?**
A) Image registry
B) Binary Authorization
C) Docker daemon

B) Checkov
C) Gitleaks
D) SonarQube
Answer: B
Explanation: Checkov parses Terraform (and other IaC) files to identify insecure configurations such as open security groups.
Question 10. **What is the primary purpose of Runtime Application Self-Protection (RASP)?**
A) Scan source code at build time
B) Enforce network firewalls
C) Detect and block attacks within the running application
D) Manage secrets in containers
Answer: C
Explanation: RASP instruments the application to monitor its behavior at runtime and intervene when malicious activity is detected.
Question 11. **Which open-source tool is commonly used for dynamic web application scanning within a CI pipeline?**
A) Snyk
B) OWASP ZAP
C) Tfsec
D) Gitleaks
Answer: B
Explanation: OWASP ZAP can be automated to perform DAST against deployed web services, identifying runtime vulnerabilities.

Question 12. **In the context of secret management, which service provides a centralized vault with dynamic secret generation for cloud workloads?**
A) HashiCorp Vault
B) Docker Hub
C) GitHub Packages
D) Sonatype Nexus
Answer: A
Explanation: HashiCorp Vault stores, encrypts, and dynamically generates secrets, reducing the need for static credentials.
Question 13. **Which compliance-as-code framework allows you to write tests in Ruby to verify system configurations?**
A) OpenSCAP
B) InSpec
C) Chef Inspec
D) Both B and C
Answer: D
Explanation: InSpec (formerly Chef Inspec) uses a Ruby DSL to define compliance controls, enabling automated audits.
Question 14. **When integrating a container image scanner into a CI pipeline, at which stage should the scan be performed?**
A) After deployment to production
B) During the image build step before publishing to registry
C) During runtime on the host
D) In the source code checkout step
Answer: B

D) All of the above
Answer: D
Explanation: All listed tools allow pipelines to be defined in version-controlled YAML files, enabling reproducible builds.
Question 18. **In a zero-trust network model applied to DevSecOps, which statement is true?**
A) All internal traffic is trusted by default
B) Every request must be authenticated and authorized, regardless of origin
C) Firewalls are no longer needed
D) Secrets are stored in plain text for speed
Answer: B
Explanation: Zero-trust assumes no implicit trust, requiring verification for every connection or request.
Question 19. **Which metric is most useful for measuring “flow efficiency” in a CI pipeline?**
A) Mean time to recovery (MTTR)
B) Percentage of time work items spend waiting vs. being processed
C) Number of commits per day
D) Lines of code changed per sprint
Answer: B
Explanation: Flow efficiency compares active processing time to total lead time, highlighting bottlenecks.
Question 20. **When generating an SBOM, which format is recommended by the NTIA for interoperability?**
A) JSON CycloneDX

B) SPDX (Software Package Data Exchange)
C) XML Maven POM
D) YAML Helm Chart
Answer: B
Explanation: SPDX is an open standard for SBOMs, widely adopted for sharing component data across tools.
Question 21. **Which of the following is a primary benefit of integrating security testing into pull-request workflows?**
A) Reduces need for code reviews
B) Provides immediate feedback to developers before merge
C) Eliminates the need for production monitoring
D) Guarantees zero vulnerabilities in production
Answer: B
Explanation: Running SAST/DAST on PRs surfaces issues early, allowing developers to fix them before code is merged.
Question 22. **Which tool can be used to enforce “policy as code” for Kubernetes admission control?**
A) OPA Gatekeeper
B) Trivy
C) SonarQube
D) Dependabot
Answer: A
Explanation: Open Policy Agent (OPA) Gatekeeper evaluates admission requests against defined policies, ensuring compliance before resources are created.

Explanation: Drift detection compares the actual state of infrastructure with the desired state defined in IaC files.
Question 26. **Which of the following is a recommended practice for managing third-party open-source licenses?**
A) Ignore licenses, focus only on vulnerabilities
B) Use an SCA tool to generate license reports and enforce policy
C) Manually read each license file
D) Only use libraries with MIT license
Answer: B
Explanation: SCA tools automate detection of license types and can enforce organizational policy to avoid non-compliant usage.
Question 27. **What is the primary function of a “web application firewall” (WAF) in a production environment?**
A) Encrypt traffic between services
B) Block known attack patterns at the HTTP layer before they reach the app
C) Scan source code for bugs
D) Manage container orchestration
Answer: B
Explanation: A WAF inspects inbound HTTP requests and blocks malicious payloads such as SQL injection or XSS.
Question 28. **Which of the following is a key advantage of using “immutable infrastructure” in a DevSecOps pipeline?**
A) Ability to patch running servers live
B) Reduces configuration drift and simplifies rollback by replacing rather than modifying instances

C) Eliminates need for version control
D) Allows manual configuration on each node
Answer: B
Explanation: Immutable infrastructure treats servers as disposable; any change results in a new instance, ensuring consistency.
Question 29. **When configuring a secret in HashiCorp Vault to be accessed by a CI job, which authentication method is most appropriate?**
A) Username/password
B) AppRole with short-lived token
C) SSH key login
D) LDAP bind
Answer: B
Explanation: AppRole provides machines with a role ID and secret ID, allowing CI jobs to obtain short-lived tokens without human credentials.
Question 30. **Which of the following best describes “continuous monitoring” in a runtime security context?**
A) Running unit tests on every commit
B) Collecting logs, metrics, and alerts from production systems in near real-time
C) Scanning Dockerfiles before build
D) Performing quarterly penetration tests only
Answer: B
Explanation: Continuous monitoring aggregates telemetry from live environments to detect anomalies and compliance violations promptly.
Question 31. **Which tool can automatically generate a dependency graph and suggest version upgrades to remediate vulnerabilities?**

Question 34. **Which of the following is an example of a “policy violation” that could be caught by OPA Gatekeeper in a CI pipeline?**
A) Use of deprecated API version in a Kubernetes manifest
B) Slow unit test execution
C) High code coverage percentage
D) Successful build artifact generation
Answer: A
Explanation: Gatekeeper can enforce policies such as disallowing deprecated APIs, ensuring manifests meet organizational standards.
Question 35. **When performing a “penetration test” on a CI/CD pipeline, which of the following is the most realistic attack vector?**
A) Modifying the pipeline’s YAML definition to inject malicious commands
B) Changing the color of the UI theme
C) Renaming the Git repository
D) Updating the CI server’s documentation
Answer: A
Explanation: Tampering with pipeline definitions can introduce malicious steps that execute during builds, representing a high-impact threat.
Question 36. **Which of the following statements about “Infrastructure as Code” (IaC) scanning tools is true?**
A) They only scan compiled binaries
B) They can detect hard-coded credentials in Terraform files
C) They replace the need for manual code reviews
D) They are ineffective against cloud misconfigurations

Answer: B
Explanation: IaC scanners parse configuration files to locate insecure patterns such as hard-coded access keys.
Question 37. **What does “SBOM” stand for and why is it important for supply-chain security?**
A) Secure Build Output Manifest – ensures binary integrity
B) Software Bill of Materials – provides an inventory of components for vulnerability tracking
C) System Binary Object Model – defines OS kernel structures
D) Service-Based Operational Metrics – monitors performance
Answer: B
Explanation: An SBOM lists every component, enabling organizations to quickly identify which products are affected by a disclosed vulnerability.
Question 38. **Which of the following is a recommended practice when using third-party Docker base images?**
A) Pull the latest “latest” tag in production without verification
B) Scan the image for known CVEs and use a signed, version-pinned base image
C) Disable all security patches in the base image
D) Store the image in a public registry for all environments
Answer: B
Explanation: Scanning and pinning to a specific, signed version reduces the risk of hidden vulnerabilities and supply-chain attacks.
Question 39. **In a DevSecOps feedback loop, which metric helps developers understand the impact of a security defect?**
A) Number of lines of code changed
B) Mean time to remediate (MTTR) for security findings

A) Direct manual edits on the cluster are encouraged
B) Desired state is stored in Git, enabling versioned, auditable changes and automated reconciliation
C) It eliminates the need for CI pipelines
D) It bypasses RBAC controls
Answer: B
Explanation: GitOps treats Git as the single source of truth, allowing automated sync of cluster state and traceability.
Question 43. **What is the primary purpose of “container image signing” (e.g., using Notary or Cosign)?**
A) To compress the image size
B) To verify the image’s provenance and integrity before deployment
C) To improve runtime performance
D) To hide the image’s contents from developers
Answer: B
Explanation: Signed images provide cryptographic proof that the image has not been tampered with and originates from a trusted source.
Question 44. **Which of the following is a common method for detecting “credential stuffing” attacks at runtime?**
A) Monitoring failed login attempts and rate-limiting suspicious IPs
B) Scanning source code for hard-coded passwords
C) Using static analysis on Dockerfiles
D) Enforcing code style guidelines
Answer: A
Explanation: Credential stuffing generates many failed logins; detection relies on monitoring authentication failures and applying throttling.

Question 45. **When using Trivy to scan a Docker image, which type of vulnerabilities can it detect?**
A) Only OS package CVEs
B) Both OS package CVEs and application library vulnerabilities (SCA)
C) Only misconfigured IAM policies
D) Only network port exposures
Answer: B
Explanation: Trivy performs both vulnerability scanning of OS packages and SCA for libraries inside the image.
Question 46. **Which of the following best describes “continuous compliance” in a DevSecOps context?**
A) Running a compliance audit once a year
B) Embedding compliance checks into the CI/CD pipeline to enforce policy on every change
C) Relying on manual security reviews after release
D) Ignoring compliance in favor of speed
Answer: B
Explanation: Continuous compliance automates policy validation during development, ensuring each artifact meets regulatory requirements before release.
Question 47. **What is the main security benefit of using “ephemeral build agents” in CI pipelines?**
A) Reduces cost of infrastructure
B) Guarantees that no state or secrets persist between builds, limiting attack surface
C) Increases build speed dramatically
D) Allows developers to access the agent directly

C) To hide source code
D) To speed up compilation
Answer: B
Explanation: Signed binaries allow recipients to verify that the artifact originated from a trusted build process and has not been altered.
Question 51. **Which of the following best explains the concept of “security as code” (SaC)?**
A) Writing security policies in natural language only
B) Defining security controls (e.g., firewall rules, IAM policies) in version-controlled code that can be tested and deployed automatically
C) Performing manual security reviews after deployment
D) Using only open-source security tools
Answer: B
Explanation: SaC treats security configurations as code, enabling automation, testing, and auditability.
Question 52. **When using a “static secret detection” tool on a repository, which type of false positive is most common?**
A) Detecting a random string that matches a secret pattern but is not a credential
B) Missing all real secrets
C) Deleting the repository automatically
D) Overwriting the .gitignore file
Answer: A
Explanation: High-entropy strings (e.g., API keys) can appear in test data or documentation, causing false positives.
Question 53. **Which of the following is an effective method for limiting the blast radius of a compromised CI runner?**

A) Granting the runner admin rights on all cloud accounts
B) Running the runner inside a sandboxed VM with network segmentation and minimal IAM permissions
C) Storing all secrets on the runner’s filesystem
D) Disabling TLS for internal communication
Answer: B
Explanation: Isolation and least privilege reduce the impact if the runner is compromised.
Question 54. **What does the “principle of least astonishment” suggest when designing security alerts for developers?**
A) Alerts should be as noisy as possible
B) Alerts should be clear, actionable, and not overwhelm developers with irrelevant information
C) Alerts should be hidden to avoid distraction
D) Alerts should be sent only once a year
Answer: B
Explanation: Providing concise, relevant alerts improves response time and reduces alert fatigue.
Question 55. **Which of the following is a common technique to protect against “supply chain attacks” on open-source libraries?**
A) Disabling all updates
B) Using signed packages and verifying signatures during dependency resolution
C) Ignoring license information
D) Storing libraries in a public bucket without access control
Answer: B
Explanation: Signed packages ensure that the code being consumed matches the author’s original intent and has not been tampered with.