PrepIQ GSDC Certified DevSecOps Engineer (CDSOE) Ultimate Exam

The PrepIQ GSDC Certified DevSecOps Engineer (CDSOE) Ultimate Exam validates advanced expertise in secure software development, automation security, infrastructure protection, and DevSecOps engineering practices. Candidates gain knowledge in security testing, threat modeling, cloud-native security, compliance monitoring, and operational risk management. The certification prepares professionals for advanced DevSecOps engineering and cybersecurity integration roles.

Typology: Exams

2025/2026

Available from 06/15/2026

Uploaded by: shilpi-jain-2


PrepIQ GSDC Certified DevSecOps Engineer (CDSOE) Ultimate Exam

**Question 1. Which of the following best describes the primary difference between DevOps and DevSecOps?**
A) DevOps focuses on automation, while DevSecOps eliminates automation.
B) DevOps emphasizes speed, whereas DevSecOps adds security as a shared responsibility.
C) DevOps requires manual testing, DevSecOps uses only automated testing.
D) DevOps is only for infrastructure, DevSecOps is only for application code.
Answer: B
Explanation: DevSecOps extends DevOps by embedding security practices throughout the lifecycle, making security a shared responsibility rather than a separate phase.

**Question 2. In the “Shift Left” approach, security activities are performed:**
A) After production release.
B) During the planning stage only.
C) Early in the development lifecycle, such as during code commit.
D) Exclusively by the operations team.
Answer: C
Explanation: “Shift Left” moves security testing and reviews to earlier phases (design, coding, CI) to catch issues sooner.

**Question 3. Which of the three ways of DevSecOps focuses on creating fast, reliable flow of work from idea to production?**
A) Feedback
B) Flow
C) Continuous Learning
D) Governance
Answer: B
Explanation: The first way, Flow, emphasizes smooth, rapid delivery pipelines, reducing handoffs and bottlenecks.


**Question 4. In a shared responsibility model for a cloud-native application, the development team is primarily responsible for:**
A) Physical security of data centers.
B) Patching operating systems on the cloud provider’s hardware.
C) Implementing secure coding practices and application-level controls.
D) Managing the underlying hypervisor.
Answer: C
Explanation: Developers own application security, including code, libraries, and application-level configurations; the cloud provider handles infrastructure-level security.

**Question 5. A “Security Champion” in a development team is expected to:**
A) Replace the security team entirely.
B) Act as a liaison, promote secure coding, and help integrate security tools.
C) Write all security policies for the organization.
D) Only perform penetration testing.
Answer: B
Explanation: Security Champions advocate security within their squads, assist peers, and help embed tools and practices.

**Question 6. During threat modeling, which STRIDE element addresses “Elevation of Privilege”?**
A) Spoofing
B) Tampering
C) Repudiation
D) Elevation of Privilege
Answer: D
Explanation: Elevation of Privilege refers to an attacker gaining higher access rights than intended.

**Question 7. When identifying trust boundaries in a microservices architecture, you should consider:**


B) Granting containers only the capabilities they need, using non-root users.
C) Allowing containers to share the host network.
D) Disabling all security policies for speed.
Answer: B
Explanation: Least privilege limits container permissions, reducing impact of a compromised container.

**Question 11. Which OWASP Top 10 vulnerability is directly mitigated by implementing proper output encoding?**
A) Injection
B) Broken Authentication
C) Cross-Site Scripting (XSS)
D) Security Misconfiguration
Answer: C
Explanation: Output encoding neutralizes malicious scripts, preventing XSS attacks.

**Question 12. A developer uses prepared statements with bound parameters in SQL queries. Which OWASP Top 10 risk does this address?**
A) Sensitive Data Exposure
B) SQL Injection
C) Broken Access Control
D) Using Components with Known Vulnerabilities
Answer: B
Explanation: Prepared statements separate code from data, eliminating the injection vector.

**Question 13. Which static analysis tool is specifically designed to detect insecure usage of cryptographic APIs in Java code?**
A) SonarQube
B) FindSecBugs
C) Checkmarx
D) Snyk
Answer: B
Explanation: FindSecBugs (a plugin for SpotBugs) includes rules targeting weak cryptographic practices.

**Question 14. To reduce false positives in SAST, a team should:**
A) Disable all low-severity rules.
B) Tune rule sets, add suppression comments, and validate findings against a baseline.
C) Run SAST only on production code.
D) Increase the scan frequency to daily.
Answer: B
Explanation: Adjusting rule thresholds and using suppressions helps focus on real issues while maintaining coverage.

**Question 15. Software Composition Analysis (SCA) primarily helps organizations to:**
A) Detect runtime memory leaks.
B) Identify vulnerable open-source components and generate an SBOM.
C) Optimize CPU usage.
D) Enforce code style guidelines.
Answer: B
Explanation: SCA scans dependencies for known vulnerabilities and produces a Software Bill of Materials.

**Question 16. Which of the following statements about a Software Bill of Materials (SBOM) is true?**
A) It only lists proprietary code.
B) It is a complete inventory of all components, including versions and licenses.
C) It replaces the need for vulnerability scanning.
D) It is optional for compliance with any standard.


Explanation: DAST interacts with a live application, simulating external attacks without source-code knowledge.

**Question 20. When integrating OWASP ZAP into a CI pipeline, which mode is most suitable for automated regression testing?**
A) Manual mode
B) Spider mode only
C) Baseline scan (quick, automated)
D) Full authenticated scan with custom scripts
Answer: C
Explanation: Baseline scan runs quickly and can be automated on each build to detect regressions.

**Question 21. Which Dockerfile instruction most directly contributes to reducing the attack surface of an image?**
A) COPY . /app
B) RUN apt-get update && apt-get install -y curl
C) USER nonrootuser
D) EXPOSE 80
Answer: C
Explanation: Running containers as a non-root user limits privileges if the container is compromised.

**Question 22. Image scanning tools like Trivy primarily check for:**
A) License compliance only.
B) Runtime performance metrics.
C) Known CVEs in OS packages and application libraries.
D) Container orchestration policies.
Answer: C
Explanation: Trivy scans container layers for vulnerabilities in OS packages and language-specific dependencies.


**Question 23. Which IaC security tool can automatically detect hard-coded secrets in Terraform files?**
A) Terraform fmt
B) Checkov
C) Terragrunt
D) Ansible Lint
Answer: B
Explanation: Checkov includes policies that flag secrets embedded in IaC code.

**Question 24. Immutable infrastructure means that:**
A) Servers are never patched.
B) Once deployed, resources are never modified; updates are performed by redeploying new instances.
C) Configuration files are stored in mutable databases.
D) All infrastructure is coded in a single language.
Answer: B
Explanation: Immutable infrastructure avoids in-place changes, reducing configuration drift and the risks that come with it.

**Question 25. Which of the following is a key benefit of using Cloud Security Posture Management (CSPM) tools?**
A) Real-time user activity monitoring inside containers.
B) Automated detection and remediation of misconfigurations across cloud services.
C) Encryption of data at rest only.
D) Managing DNS records.
Answer: B
Explanation: CSPM continuously evaluates cloud resources against best-practice policies, correcting misconfigurations.

**Question 26. In the context of IDS vs. IPS, which statement is accurate?**


B) Combine SAST, DAST, secret scanning, and container image scanning at different stages.
C) Only run security tests after production release.
D) Disable all security gates to speed up delivery.
Answer: B
Explanation: Layered security checks across the pipeline provide multiple opportunities to catch vulnerabilities.

**Question 30. In the context of compliance, which control maps directly to PCI-DSS Requirement 6.5 (secure coding practices)?**
A) Implementing multi-factor authentication for all users.
B) Conducting code reviews and using SAST tools to detect insecure coding.
C) Encrypting cardholder data in transit.
D) Maintaining an audit log of all privileged access.
Answer: B
Explanation: Requirement 6.5 mandates secure coding and testing, achievable through code reviews and automated analysis.

**Question 31. Which of the following is a primary advantage of using a “GitOps” workflow for IaC?**
A) Manual approval of every change.
B) Storing desired state in Git, enabling automated, auditable deployments.
C) Eliminating the need for version control.
D) Deploying only on a weekly schedule.
Answer: B
Explanation: GitOps treats Git as the source of truth, allowing automated, traceable infrastructure changes.

**Question 32. During a threat modeling session, the team identifies a “Spoofing” risk on an API endpoint that accepts JWTs without verification. Which mitigation is most appropriate?**
A) Increase token expiration time.
B) Validate the JWT signature against a trusted key.
C) Store tokens in plaintext.
D) Disable TLS.
Answer: B
Explanation: Verifying the JWT signature ensures the token’s authenticity, preventing spoofing.

**Question 33. Which compliance framework specifically requires the implementation of a “Data Protection Impact Assessment (DPIA)”?**
A) HIPAA
B) PCI-DSS
C) GDPR
D) ISO 27001
Answer: C
Explanation: GDPR mandates DPIAs when processing poses high risk to data subjects.

**Question 34. In a microservices environment, which pattern helps limit the blast radius of a compromised service?**
A) Monolithic deployment.
B) Service mesh with mutual TLS and fine-grained policies.
C) Shared database for all services.
D) Running all services as root.
Answer: B
Explanation: A service mesh enforces mutual TLS and policy controls, isolating services and containing breaches.

**Question 35. Which of the following is the most effective way to protect secrets used by CI pipelines?**
A) Hard-code them in the repository.
B) Store them in a secret management solution like HashiCorp Vault and inject at runtime.


Answer: B
Explanation: Pipeline as code treats the pipeline definition as source-controlled code, enabling review and reproducibility.

**Question 39. Which of the following is a recommended practice when using SCA tools to manage vulnerable dependencies?**
A) Ignore all low-severity CVEs.
B) Upgrade or replace dependencies with known vulnerabilities, and generate an SBOM for tracking.
C) Remove the dependency without checking compatibility.
D) Disable SCA after the first scan.
Answer: B
Explanation: Remediation through upgrades or replacements, combined with SBOM tracking, ensures vulnerabilities are addressed.

**Question 40. A team wants to enforce “security gates” that must pass before code can be merged to the main branch. Which Git feature best supports this requirement?**
A) Git rebase
B) Pull request (PR) approvals with required status checks.
C) Git stash
D) Git cherry-pick
Answer: B
Explanation: PR approvals with required checks ensure that automated security scans succeed before merging.

**Question 41. Which of the following is an example of a “defense-in-depth” control at the network layer for a cloud-native application?**
A) Enabling TLS for API traffic.
B) Deploying a Web Application Firewall (WAF) in front of the load balancer.
C) Using secure coding guidelines.
D) Writing unit tests for business logic.
Answer: B
Explanation: A WAF provides an additional protective layer against web-based attacks.

**Question 42. Which of these tools is specifically designed to enforce policy-as-code for Kubernetes resources?**
A) SonarQube
B) OPA (Open Policy Agent) with Gatekeeper
C) JUnit
D) Selenium
Answer: B
Explanation: OPA Gatekeeper allows declarative policies to be applied to Kubernetes manifests.

**Question 43. In a CI pipeline, the “nightly build” job fails due to a newly discovered high-severity vulnerability in a third-party library. What is the most appropriate immediate action?**
A) Disable the vulnerability scanner.
B) Roll back to the previous build and open a ticket to update the library.
C) Merge the code anyway; the issue will be fixed later.
D) Remove all third-party dependencies.
Answer: B
Explanation: Rolling back prevents vulnerable code from reaching production while planning remediation.

**Question 44. Which of the following best describes “runtime drift” in cloud environments?**
A) Changes made manually to resources that diverge from the IaC-defined state.
B) Updating the operating system kernel.
C) Adding new users to IAM.
D) Deploying a new version of an application.
Answer: A


**Question 48. Which of the following is a key advantage of using “immutable tags” (e.g., SHA-256 digests) for container images in production?**
A) Allows on-the-fly modification of images.
B) Guarantees that the exact same image is deployed each time, preventing tampering.
C) Reduces image size automatically.
D) Enables dynamic configuration at runtime.
Answer: B
Explanation: Immutable digests reference a specific image layer hash, ensuring consistency and integrity.

**Question 49. A security engineer wants to monitor for “cloud drift” across AWS accounts. Which AWS service provides native drift detection for CloudFormation stacks?**
A) AWS Config
B) AWS GuardDuty
C) AWS CloudTrail
D) AWS CloudFormation Drift Detection
Answer: D
Explanation: CloudFormation Drift Detection identifies differences between stack templates and actual resources.

**Question 50. Which of the following is the most appropriate way to handle a discovered “hard-coded credential” in source code?**
A) Delete the line, commit, and push.
B) Replace it with a reference to a secret stored in a vault, rotate the credential, and scan again.
C) Comment out the line.
D) Ignore it if the application works.
Answer: B
Explanation: Replacing with a secure reference and rotating the compromised secret mitigates risk.


**Question 51. In the context of CI/CD, what does “continuous compliance” aim to achieve?**
A) Run compliance checks only before annual audits.
B) Embed automated policy checks into the pipeline so every change is validated for compliance.
C) Manually review every commit for legal language.
D) Disable compliance tools to speed up delivery.
Answer: B
Explanation: Continuous compliance automates verification of regulatory requirements on each code change.

**Question 52. Which of the following best describes the purpose of a “security policy as code” repository?**
A) Store user passwords in plain text.
B) Define security standards in a version-controlled, machine-readable format for automated enforcement.
C) Host marketing materials.
D) Replace all security personnel.
Answer: B
Explanation: Policy as code enables automated validation and consistent enforcement across environments.

**Question 53. When using Checkov to scan Terraform files, which category of rule would detect an S3 bucket that allows public read access?**
A) CKV_AWS_
B) CKV_K8S_
C) CKV_GCP_
D) CKV_AZURE_
Answer: A
Explanation: CKV_AWS_20 is the rule that flags S3 buckets with public read permissions.


**Question 57. An organization wants to enforce “least privilege” for its AWS Lambda functions. Which IAM construct is most suitable?**
A) Attach the AdministratorAccess policy.
B) Create a custom IAM role with only the specific actions the function needs.
C) Use the default execution role for all functions.
D) Grant all Lambda functions access to every S3 bucket.
Answer: B
Explanation: Custom roles limit permissions to exactly what the function requires, embodying least privilege.

**Question 58. Which of the following is a common indicator that a container image may contain a “malicious backdoor”?**
A) Presence of a healthcheck instruction.
B) Unexpected binaries or scripts in layers that are not part of the application.
C) Use of an official base image.
D) Inclusion of a .gitignore file.
Answer: B
Explanation: Hidden or unrelated executables suggest potential malicious insertion.

**Question 59. In the context of DevSecOps metrics, which KPI best reflects the effectiveness of early vulnerability detection?**
A) Mean Time to Deploy (MTTD).
B) Number of vulnerabilities found in production.
C) Percentage of SAST findings resolved before merge.
D) Total lines of code written per sprint.
Answer: C
Explanation: Resolving SAST findings before merge demonstrates early detection and remediation.

**Question 60. Which of the following best describes “policy drift” in a Kubernetes cluster?**
A) Pods automatically updating themselves.
B) When the actual runtime configuration diverges from the intended policies defined in Git.
C) Changing the cluster’s version number.
D) Adding new namespaces without labels.
Answer: B
Explanation: Policy drift occurs when the live cluster no longer matches the declared policy state.

**Question 61. Which of the following is the most appropriate way to protect a CI runner that executes untrusted code?**
A) Run the runner as root on the host OS.
B) Isolate the runner in a sandboxed environment (e.g., Docker-in-Docker with limited privileges).
C) Disable all network access.
D) Store all secrets on the runner’s file system.
Answer: B
Explanation: Sandboxing limits the impact of malicious code while allowing necessary operations.

**Question 62. When performing a “penetration test” of a CI/CD pipeline, which phase is most likely to reveal insecure credential handling?**
A) Post-deployment monitoring.
B) Source code review.
C) Build agent configuration and environment variables.
D) End-user acceptance testing.
Answer: C
Explanation: Build agents often hold secrets; misconfigurations here can expose credentials.

**Question 63. Which of the following is a recommended practice for managing “third-party component licenses” in a DevSecOps pipeline?**
A) Ignore license information.