The MDSOS Certified DevSecOps Specialist Exam validates knowledge of integrating security into DevOps pipelines. Topics include secure CI/CD practices, automated testing, infrastructure as code security, container and cloud security, and collaboration between development, security, and operations teams. This certification is intended for DevSecOps engineers and cloud-native security professionals.
Typology: Exams
Question 1. What is the primary goal of shift-left security in DevSecOps?
A) Increase deployment frequency
B) Move security testing earlier in the SDLC
C) Centralize security operations
D) Reduce the number of developers
Answer: B
Explanation: Shift-left security aims to identify and remediate vulnerabilities earlier in the software development lifecycle, reducing cost and risk.

Question 2. Which DevSecOps maturity model helps organizations assess their security integration?
A) OWASP Top 10
B) DSOMM
C) PCI DSS
D) SDLC Matrix
Answer: B
Explanation: DSOMM (DevSecOps Maturity Model) provides a framework for evaluating security practices across DevOps pipelines.

Question 3. What is a key benefit of integrating security gates in CI/CD pipelines?
A) Accelerated code review
B) Automated "pass/fail" checks for code security
C) Reduced code coverage
D) Manual deployment approval
Answer: B
Explanation: Security gates automate checks for vulnerabilities, ensuring insecure code does not progress through the pipeline.
Question 4. Which tool is commonly used for orchestrating CI/CD pipelines in DevSecOps?
A) Puppet
B) Jenkins
C) MySQL
D) Redmine
Answer: B
Explanation: Jenkins is a popular automation server for building, testing, and deploying code within CI/CD workflows.

Question 5. What is the purpose of environment segregation in DevSecOps?
A) To allow unrestricted access between environments
B) To ensure isolation between Build, Staging, and Production
C) To merge all environments into one
D) To reduce hardware costs
Answer: B
Explanation: Segregating environments prevents cross-contamination and limits the impact of security breaches.

Question 6. In GitOps, which tool is used for declarative infrastructure delivery?
A) Chef
B) ArgoCD
C) Nginx
D) Splunk
Answer: B
Explanation: ArgoCD is a GitOps tool that manages infrastructure and application deployment through Git-based workflows.
Question 10. Which SAST tool is used for Python code security analysis?
A) SonarQube
B) Bandit
C) ZAP
D) Nuclei
Answer: B
Explanation: Bandit is designed to analyze Python code for security issues during development.

Question 11. Why is integrating SAST into the commit phase beneficial?
A) It slows down the development process
B) Finds code vulnerabilities before merging
C) Limits the number of commits
D) Increases build time
Answer: B
Explanation: Running SAST during commits catches security flaws early, reducing the chance of vulnerable code reaching production.

Question 12. What is the main function of a DAST tool like OWASP ZAP?
A) Static code review
B) Runtime security scanning of web applications
C) Database encryption
D) Container orchestration
Answer: B
Explanation: DAST tools scan running applications for vulnerabilities such as XSS, SQL injection, and authentication issues.
Question 13. How does automated authenticated scanning improve DAST?
A) It ignores authentication
B) Finds vulnerabilities in user-restricted areas
C) Only scans public endpoints
D) Reduces scan coverage
Answer: B
Explanation: Authenticated scans can test areas behind login, identifying issues inaccessible to unauthenticated scans.

Question 14. What is the best practice for IaC security regarding public cloud storage buckets?
A) Leave buckets public for easier access
B) Always restrict access to sensitive buckets
C) Disable bucket versioning
D) Use default bucket policies
Answer: B
Explanation: Restricting access to cloud storage prevents unauthorized data exposure due to misconfigured IaC templates.

Question 15. Which tool is used to audit system configuration against CIS Benchmarks?
A) Chef InSpec
B) Jenkins
C) Kubernetes
D) Grafana
Answer: A
Explanation: Chef InSpec automates compliance checks by comparing system states to established security benchmarks.
Question 19. How does license compliance scanning benefit organizations?
A) Identifies software bugs
B) Ensures use of legally compliant open-source libraries
C) Improves UI design
D) Automates testing
Answer: B
Explanation: License compliance scanning helps avoid legal risks by ensuring all software meets regulatory requirements.

Question 20. What is the main advantage of using GitHub Actions in CI/CD?
A) Manual trigger only
B) Native integration with GitHub repositories
C) Lack of automation
D) No support for workflows
Answer: B
Explanation: GitHub Actions provide seamless automation for build, test, and deployment directly from the code repository.

Question 21. Which method helps reduce the risk of “Poisoned Pipeline” attacks?
A) Weak authentication on build servers
B) Hardening CI/CD controllers and runners
C) Disabling logs
D) Avoiding security monitoring
Answer: B
Explanation: Securing and hardening build infrastructure mitigates risks from malicious code or compromised pipelines.
Question 22. Why is version-controlled infrastructure important in DevSecOps?
A) It slows down deployment
B) Enables traceability and rollback of changes
C) Encourages manual configuration
D) Reduces automation
Answer: B
Explanation: Version control allows tracking of infrastructure changes, facilitating auditability and recovery from errors.

Question 23. What does “Security as Code” mean?
A) Security policies written manually
B) Automating security controls through code
C) Security audits only
D) Static documentation
Answer: B
Explanation: Security as Code automates enforcement of policies and controls, increasing consistency and repeatability.

Question 24. What is the primary focus of pipeline orchestration?
A) Monitoring server performance
B) Automating build, test, and deployment processes
C) Manual code analysis
D) UI design optimization
Answer: B
Explanation: Orchestration automates the movement of code through stages, ensuring efficiency and security.
A) UI responsiveness
B) Vulnerabilities and compliance issues
C) Network latency
D) Database connectivity
Answer: B
Explanation: Security gates automate checks for code vulnerabilities and policy violations before progression.

Question 29. Which is a key feature of ArgoCD in a GitOps workflow?
A) Manual deployments
B) Declarative, automated delivery of infrastructure
C) Lack of rollback capability
D) No integration with version control
Answer: B
Explanation: ArgoCD uses Git-based definitions for automated, consistent infrastructure and application delivery.

Question 30. What is a critical aspect of securing build servers?
A) Allowing unrestricted access
B) Applying principle of least privilege
C) Avoiding patch management
D) Disabling monitoring
Answer: B
Explanation: Limiting access reduces risk of unauthorized changes and potential “Poisoned Pipeline” attacks.

Question 31. What is the primary objective of Dependency Scanning?
A) Improving code readability
B) Identifying known vulnerabilities in third-party libraries
C) Enhancing UI design
D) Increasing build speed
Answer: B
Explanation: Dependency scanning focuses on detecting vulnerable software components to prevent supply chain attacks.

Question 32. What is the role of an SBOM in supply chain security?
A) Documenting infrastructure only
B) Providing a detailed inventory of software components
C) Ignoring third-party dependencies
D) Avoiding compliance
Answer: B
Explanation: SBOMs help track all components, aiding vulnerability management and compliance.

Question 33. Which tool can automate license compliance checks?
A) FOSSA
B) Redis
C) Docker
D) ELK Stack
Answer: A
Explanation: FOSSA automates the identification of license types and compliance issues in codebases.

Question 34. What is the difference between SAST and DAST?
A) Increased deployment speed
B) Secrets exposed in code repositories
C) Improved logging
D) Enhanced version control
Answer: B
Explanation: Hardcoded secrets can be easily leaked, creating significant security risks.

Question 38. Which tool helps manage secrets securely across environments?
A) HashiCorp Vault
B) Jenkins
C) Apache Tomcat
D) Grafana
Answer: A
Explanation: HashiCorp Vault provides secure storage and access to secrets, reducing risk of exposure.

Question 39. What does “immutable infrastructure” prevent?
A) Automated deployments
B) Configuration drift and unauthorized changes
C) Consistent image creation
D) Infrastructure automation
Answer: B
Explanation: Immutable infrastructure ensures environments remain unchanged after deployment, enhancing security.

Question 40. Which process should be automated to ensure secure code deployments?
A) Manual code reviews only
B) Security testing in the CI/CD pipeline
C) Disabling build scripts
D) Ignoring test failures
Answer: B
Explanation: Automated security testing ensures all code is checked for vulnerabilities before deployment.

Question 41. How does DevSecOps improve incident response?
A) By ignoring security events
B) By integrating security monitoring into pipelines
C) By delaying patching
D) By reducing visibility
Answer: B
Explanation: Integrated monitoring allows faster detection and response to security incidents.

Question 42. What is a common mistake in DevSecOps culture?
A) Empowering all teams
B) Treating security as a separate silo
C) Automating security
D) Sharing responsibility
Answer: B
Explanation: Siloed security undermines collaboration and reduces effectiveness.

Question 43. What is the benefit of automated vulnerability patching?
A) Increased manual effort
B) Faster resolution of security issues
D) Lack of auditability
Answer: B
Explanation: Compliance as code enables consistent and automated checks against standards.

Question 47. How does GitOps enhance infrastructure management?
A) By avoiding version control
B) By enabling declarative, versioned infrastructure definitions
C) By manual deployment
D) By disabling rollback
Answer: B
Explanation: GitOps automates infrastructure delivery and maintains audit trails via version control.

Question 48. What is the purpose of integrating security into the CI/CD pipeline?
A) To slow down deployments
B) To detect security flaws early in the process
C) To ignore vulnerabilities
D) To increase manual work
Answer: B
Explanation: Early integration reduces risk and improves remediation times.

Question 49. Which CI/CD tool supports extensive plugin ecosystems for security?
A) Jenkins
B) Redis
C) Docker
D) Nginx
Answer: A
Explanation: Jenkins offers numerous plugins for security testing and integration.

Question 50. What is a common risk with using outdated software dependencies?
A) Improved performance
B) Increased vulnerability to known exploits
C) Enhanced compliance
D) Reduced deployment speed
Answer: B
Explanation: Old dependencies may contain unpatched vulnerabilities, posing security risks.

Question 51. Why is continuous monitoring essential in DevSecOps?
A) To ignore security threats
B) To detect and respond to security events in real time
C) To reduce automation
D) To avoid visibility
Answer: B
Explanation: Continuous monitoring ensures threats are detected and addressed quickly.

Question 52. What is the primary function of a CI/CD runner?
A) Execute pipeline jobs
B) Store secrets
C) Manage compliance
D) Monitor network traffic
Answer: A
Explanation: Runners execute tasks defined in CI/CD pipeline configurations.
Question 56. Why is automating authenticated DAST scans important?
A) To test only public endpoints
B) To identify vulnerabilities behind authentication barriers
C) To decrease scan coverage
D) To ignore session management
Answer: B
Explanation: Authenticated scans uncover flaws in user-restricted areas of applications.

Question 57. What is the role of compliance as code in regulatory audits?
A) Manual reporting
B) Automated evidence collection for audits
C) Ignoring regulations
D) Disabling audit trails
Answer: B
Explanation: Compliance as code provides automated, auditable reports for regulatory requirements.

Question 58. Which security principle should be applied to CI/CD credentials?
A) Principle of least privilege
B) Granting full access to all users
C) Avoiding credential rotation
D) Hardcoding credentials
Answer: A
Explanation: Limiting privileges reduces the risk of credential misuse.

Question 59. What is a benefit of using pre-hardened machine images?
A) Increased configuration drift
B) Consistent and secure infrastructure deployments
C) Manual patching required
D) Unpredictable environments
Answer: B
Explanation: Pre-hardened images ensure all deployments are secure and standardized.

Question 60. What is a common feature of modern CI/CD pipeline orchestration tools?
A) Manual job triggering only
B) Support for automated testing and deployment
C) No integration with version control
D) Lack of plugin support
Answer: B
Explanation: Automation and integration are core features of pipeline orchestration tools.

Question 61. Why is integrating SCA into the pipeline critical?
A) To ignore third-party risks
B) To automatically detect and remediate vulnerable dependencies
C) To reduce scan coverage
D) To delay vulnerability management
Answer: B
Explanation: SCA integration ensures vulnerabilities are found and addressed before code reaches production.

Question 62. What does “shift-left” mean in terms of security testing?
A) Testing at the end of the SDLC