This exam validates advanced knowledge of security within DevOps workflows. It focuses on secure coding, infrastructure hardening, vulnerability scanning, compliance, and integrating security into CI/CD pipelines. DevOps-SEC ensures that certified professionals can apply “shift-left” security measures across software lifecycles, bridging the gap between development, operations, and cybersecurity.
Question 1. What is the primary goal of DevOps in software development?
A) To increase manual testing processes
B) To improve collaboration between development and operations teams
C) To eliminate the need for security measures
D) To replace traditional project management methods
Answer: B
Explanation: DevOps aims to foster collaboration between development and operations teams, enabling faster, more reliable software delivery through automation and continuous feedback.

Question 2. Which of the following best describes the core principle of DevSecOps?
A) Prioritizing security after deployment
B) Integrating security practices into every phase of the DevOps lifecycle
C) Eliminating security to speed up delivery
D) Using security tools only during testing
Answer: B
Explanation: DevSecOps emphasizes embedding security controls and practices throughout the development, build, testing, and deployment phases to ensure security is an integral part of the DevOps process.

Question 3. Which role is primarily responsible for automating security checks within a CI/CD pipeline?
A) Only the security team
B) Developers, DevOps engineers, and security teams collaboratively
C) Only the operations team
D) External auditors only
Answer: B
Explanation: Automating security checks requires collaboration among developers, DevOps engineers, and security teams to embed security tools and practices into the pipeline effectively.

Question 4. In the context of DevOps, what is the purpose of threat modeling?
A) To increase application complexity
B) To identify potential vulnerabilities early in development
C) To replace code reviews

B) A model where security responsibilities are shared between cloud providers and customers
C) A model where only the customer is responsible for security
D) A model that eliminates the need for security controls
Answer: B
Explanation: The shared responsibility model clarifies that cloud providers manage infrastructure security, while customers are responsible for securing their data, applications, and access controls.

Question 7. Which of the following best describes the purpose of Infrastructure as Code (IaC)?
A) To manually configure infrastructure components
B) To automate infrastructure provisioning and configuration using code
C) To replace application development
D) To prevent automated deployments
Answer: B
Explanation: IaC enables automated, repeatable provisioning and management of infrastructure through code, reducing manual errors and increasing consistency.

Question 8. Which tool is commonly used for securing infrastructure code in DevOps environments?
A) Jenkins
B) Terraform
C) Selenium
D) Nagios
Answer: B
Explanation: Terraform is an IaC tool that allows defining, provisioning, and managing infrastructure securely through code, with features for validation and versioning.

Question 9. What is a common security risk associated with container images?
A) They are immutable and cannot be scanned
B) They may contain vulnerabilities or outdated packages
C) They are always secure by default

B) Collecting, analyzing, and alerting on security events
C) Managing user identities
D) Building container images
Answer: B
Explanation: SIEM systems aggregate security logs, analyze data for anomalies, and generate alerts for potential security incidents, supporting threat detection.

Question 12. Which cloud security service helps enforce identity and access management policies in Azure?
A) Azure Security Center
B) Azure AD (Active Directory)
C) Azure Blob Storage
D) Azure DevOps
Answer: B
Explanation: Azure AD provides identity management, authentication, and access control services, essential for enforcing IAM policies.

Question 13. Which of the following best describes a security control for container image vulnerability scanning?
A) Running static code analysis on source code
B) Using tools like Clair or Trivy to scan container images for known vulnerabilities
C) Performing manual checks after deployment
D) Disabling container security features
Answer: B
Explanation: Vulnerability scanners like Clair and Trivy analyze container images for known security issues before deployment, reducing risks.

Question 14. Which practice enhances security when managing access to cloud resources across multiple cloud providers?
A) Using individual accounts for each provider
B) Implementing a Cloud Access Security Broker (CASB)
C) Avoiding multi-cloud strategies
D) Disabling multi-factor authentication
Answer: B

C) It removes access controls to simplify processes
D) It only applies to network security
Answer: B
Explanation: Role-Based Access Control (RBAC) assigns permissions based on user roles, ensuring users have appropriate access levels and reducing privilege misuse.

Question 17. What is a key benefit of implementing multi-factor authentication (MFA) in DevOps environments?
A) It simplifies user access
B) It enhances security by requiring multiple forms of verification
C) It removes the need for passwords
D) It eliminates the need for access controls
Answer: B
Explanation: MFA adds an extra layer of security by requiring users to provide multiple forms of verification, reducing the risk of unauthorized access.

Question 18. Which process is critical for effective incident response in DevOps?
A) Ignoring security alerts
B) Establishing an incident response plan and conducting regular drills
C) Disabling logging to improve performance
D) Relying solely on manual detection
Answer: B
Explanation: Having a well-defined incident response plan and practicing drills ensure quick, coordinated reactions to security incidents, minimizing impact.

Question 19. How does a Cloud Security Posture Management (CSPM) tool assist in cloud security?
A) By automating application deployment
B) By continuously monitoring cloud configurations for compliance and vulnerabilities
C) By managing user identities
D) By replacing firewalls
Answer: B

Answer: B
Explanation: SAST analyzes source code or binary code without executing the application to identify potential security issues early.

Question 22. Why is continuous vulnerability scanning important in DevSecOps?
A) To slow down the deployment process
B) To detect and remediate vulnerabilities promptly throughout development cycles
C) To replace security audits
D) To eliminate the need for patch management
Answer: B
Explanation: Continuous scanning identifies vulnerabilities early and frequently, enabling timely mitigation and reducing security risks.

Question 23. Which of the following best practices helps prevent misconfigurations in IaC?
A) Manual configuration without validation
B) Using automated validation tools and code reviews
C) Ignoring security best practices
D) Avoiding version control
Answer: B
Explanation: Automated validation tools and peer reviews help catch misconfigurations early, ensuring infrastructure security and compliance.

Question 24. What is the primary purpose of a Security Orchestration, Automation, and Response (SOAR) platform?
A) To automate deployment pipelines
B) To streamline security incident detection, response, and remediation
C) To replace firewalls
D) To monitor application performance
Answer: B
Explanation: SOAR platforms automate security incident response workflows, enabling faster, coordinated action against threats.

Question 25. Which cloud provider offers the Security Center service for unified security management?
A) AWS

B) By identifying known security vulnerabilities before deployment
C) By removing all security checks
D) By encrypting container images
Answer: B
Explanation: Container image scanning detects known vulnerabilities, ensuring only secure images are deployed.

Question 28. Which of the following best describes the purpose of a vulnerability management lifecycle?
A) To identify, assess, prioritize, and remediate vulnerabilities continuously
B) To document vulnerabilities without fixing them
C) To delay security updates
D) To replace security training
Answer: A
Explanation: The vulnerability management lifecycle aims to handle vulnerabilities proactively, reducing exposure over time.

Question 29. Which tool is commonly used for automating infrastructure provisioning in DevOps?
A) Jenkins
B) Ansible
C) Terraform
D) Nagios
Answer: C
Explanation: Terraform automates the provisioning and management of cloud and on-premises infrastructure through declarative code.

Question 30. Why is role-based access control (RBAC) crucial in a DevOps environment?
A) It grants unrestricted access to all users
B) It enforces the least privilege principle and limits user permissions based on roles
C) It removes the need for authentication
D) It is only applicable to network devices
Answer: B
Explanation: RBAC ensures users only have access to resources necessary for their roles, minimizing security risks from excessive permissions.

Explanation: Encryption ensures data stored in cloud storage is protected from unauthorized access, maintaining confidentiality.

Question 33. Which phase of the DevOps lifecycle focuses on deploying software into production environments?
A) Plan
B) Build
C) Release and Deploy
D) Monitor
Answer: C
Explanation: The Release and Deploy phase involves deploying the software to production or staging environments for user access.

Question 34. What is a common challenge when implementing security in DevOps pipelines?
A) Lack of automation tools
B) Balancing speed of delivery with security controls
C) Excessive manual security checks
D) Absence of cloud services
Answer: B
Explanation: Achieving rapid deployment while maintaining robust security controls is a key challenge in DevSecOps.

Question 35. Which practice helps ensure compliance with GDPR in DevOps workflows?
A) Ignoring data privacy
B) Implementing data encryption and access controls
C) Sharing user data freely
D) Disabling logging
Answer: B
Explanation: Encryption and strict access controls help protect personal data, aligning with GDPR requirements.

Question 36. Which tool is used for managing secrets in AWS?
A) AWS S
B) AWS Secrets Manager
C) AWS Lambda
D) AWS CloudFormation