(Curtis Morgan has been working as a software developer at an MNC. His team has developed a NodeJS application. While doing a peer review of the NodeJS application, he observed that there are insecure libraries in the application. Therefore, he approached Teresa Lisbon, who is working as a DevSecOps engineer, to detect the insecure libraries in the NodeJS application. Teresa used an SCA tool to find known vulnerabilities in JavaScript libraries for Node.JS applications and detected all the insecure libraries in the application. Which of the following tools did Teresa use for detecting insecure libraries in the NodeJS application?)
(Alexander Hamilton has been working as a senior DevSecOps engineer in an IT company located in Greenville, South Carolina. In January of 2012, his organization became a victim of a cyber security attack and incurred a tremendous loss. Alexander’s organization immediately adopted AWS cloud-based services after the attack to develop robust software products securely and quickly. To detect security issues during code review, Alexander would like to integrate SonarQube with AWS Pipeline; therefore, he created a pipeline in AWS using the CloudFormation pipeline template. Then, he selected the SonarQube tool from the tools dropdown, provided the required stack parameters, and also provided an email address for receiving email notifications of changes in pipeline status and approvals. He deployed the pipeline after entering the required information. What will happen when changes are committed in the application repository?)
(Scott Morrison is working as a senior DevSecOps engineer at SUTRE SOFT Pvt. Ltd. His organization develops software and applications for IoT devices. Scott created a user story; he then created abuser stories under the user story. After that, he created threat scenarios under the abuser story, and then he created test cases for the threat scenarios. After defining the YAML, Scott would like to push the user-story-driven threat model to the ThreatPlaybook server. Which of the following commands should Scott use?)
(Andrew Gerrard has recently joined an IT company located in Fairmont, California, as a DevSecOps engineer. Due to the robust security and cost-effective service provided by AWS, his organization migrated all the workloads from on-prem to the AWS cloud in January of 2020. Andrew’s team leader has asked him to integrate AWS Secrets Manager with Jenkins. To do so, Andrew installed the “AWS Secret Manager Credentials provider” plugin in Jenkins and configured an IAM policy in AWS that allows Jenkins to read secrets from AWS Secrets Manager. Which of the following files should Andrew edit to add the access ID and secret key parameters, along with the region, copied from AWS?)
(Sandra Oliver joined SinClare Soft Pvt. Ltd. as a DevSecOps engineer in January of 2010. Her organization develops software and web applications related to the healthcare industry. Using IAST runtime security testing technology, she is detecting and diagnosing security issues in applications and APIs. The IAST solution used by Sandra encompasses a web scanner with an agent that works inside the server that hosts the application to provide additional analysis details such as the location of the vulnerability in the application code. Based on the given information, which of the following IAST solutions is Sandra using?)
(Charlotte Flair is a DevSecOps engineer at Egma Soft Solution Pvt. Ltd. Her organization develops software and applications related to supply chain management. Charlotte would like to integrate the Sqreen RASP tool with Slack to monitor the application at runtime for malicious activities and block them before they can damage the application. Therefore, she created a Sqreen account and installed the Sqreen Microagent. Now, she would like to install the PHP microagent. To do so, she reviewed the PHP microagent’s compatibility, then signed in to her Sqreen account and noted the token in Notepad. Which of the following commands should Charlotte run in the terminal to install the PHP extension and the Sqreen daemon?)
(Alex Hales recently joined TAVR Software Solution Pvt. Ltd. as a DevSecOps engineer. To automatically detect security loopholes in web applications while building and testing them, he integrated the OWASP ZAP DAST plugin with Jenkins. How can Alex uniquely identify every build in the project?)
(Katie Holmes is working as a DevSecOps engineer at SeCSafe Anti-virus. The DevOps team of her organization has developed a distributed application with multiple microservices. Katie deployed all the microservices to the Kubernetes nodes successfully. The DevOps team approached Katie and informed her that the application is not working. Katie wants to check whether the Kubernetes cluster is working or not. Which of the following commands should Katie run, step by step, to verify that Kubernetes is working?)
(Rachel McAdams applied for the position of DevSecOps engineer at TetraSoft Pvt. Ltd. She gave her interview on February 23, 2022, and was selected as a DevSecOps engineer. Her team is working on securing a Ruby on Rails application. Rachel’s team leader asked her to integrate the Brakeman SAST tool with Jenkins. To perform the integration, she navigated to the Jenkins Plugin Manager and installed the Warnings Next Generation Plugin. To run the tool in Jenkins, she invoked Brakeman as part of an Execute shell build step. In the Execute shell field, she wrote the following commands with Brakeman options:
bash -l -c '
rvm install 3.0.0 && \
rvm use 3.0.0@brakeman --create && \
gem install brakeman && \
brakeman --no-progress --no-pager --no-exit-on-warn -o brakeman-output.json
'
What is the function of the --no-exit-on-warn option in the above-mentioned command?)
(Jason Barry has been working as a DevSecOps engineer in an IT company that develops software products and applications for e-commerce companies. During the build-time check, Jason discovered SQL injection and XSS security issues in the application code. What action does the build-time check perform on the application code?)
(Thomas Gibson has been working as a DevSecOps engineer in an IT company that develops software products and web applications related to law enforcement. To automatically execute a scan against the web apps, he would like to integrate the InsightAppSec plugin with Jenkins. Therefore, Thomas generated a new API key in the Insight platform. Now, he wants to install the plugin manually. How can Thomas install the InsightAppSec plugin manually in Jenkins?)
(Rahul Mehta is working as a DevSecOps engineer in an IT company that develops cloud-native web applications. His organization follows strict DevSecOps practices and wants to ensure that third-party open-source dependencies used in the application do not introduce known security vulnerabilities. Rahul decided to integrate a Software Composition Analysis (SCA) tool into the CI pipeline so that every build is automatically scanned. During one of the builds, the SCA tool detects a critical vulnerability in a transitive dependency. What should ideally happen in a mature DevSecOps pipeline when such a critical vulnerability is detected at build time?)
(Erica Mena has been working as a DevSecOps engineer in an IT company that provides customized software solutions to various clients across the United States. To protect serverless and container applications with RASP, she would like to create an Azure container instance using the Azure CLI in Microsoft PowerShell. She created the Azure container instance and loaded the container image into it. She then reviewed the deployment of the container instance. Which of the following commands should Erica run to get the logging information from the Azure container instance? (Assume the resource group is named ACI and the container is named aci-test-closh.))
(Orange International Pvt. Ltd. is an IT company that develops software products and web applications for Android phones. The organization recognizes the importance of secure coding principles and would like to enforce them. Therefore, Orange International Pvt. Ltd. established access management, avoided reinventing the wheel, secured the weak links, implemented defense in depth, and reduced third-party involvement in the application. Based on the above-mentioned information, which of the following secure coding principles is achieved by the organization?)
(Peter Dinklage has been working as a senior DevSecOps engineer at SacramentSoft Solution Pvt. Ltd. He has deployed applications in Docker containers. His team leader asked him to check for the exposure of unnecessary ports. Which of the following commands should Peter use to check all the containers and their exposed ports?)
(Kevin Ryan has been working as a DevSecOps engineer at an MNC that develops various software products and web applications. For easy management of secret credentials in the CI/CD pipeline, he would like to integrate Azure Key Vault with Jenkins. Therefore, he created an Azure Key Vault, noted down the credentials displayed on the screen, and created a secret in Azure Key Vault. Then, he used the secret key from the credentials obtained when creating the vault. Kevin went back to Jenkins and installed the Azure Key Vault plugin. Then, he navigated to Configure System under Manage Jenkins and added the URL for Azure Key Vault. How can Kevin complete the integration of Azure Key Vault with Jenkins?)
(Rachel McAdams has been working as a senior DevSecOps engineer in an IT company for the past 5 years. Her organization embraced AWS cloud services due to the robust security and cost-effective features offered by them. To make proactive decisions related to security issues and to minimize the overall security risk, Rachel integrated ThreatModeler with AWS. ThreatModeler utilizes various services in AWS to produce a robust threat model. How can Rachel automatically generate the threat model of her organization’s current AWS environment in ThreatModeler?)
(Elizabeth Moss has been working as a DevSecOps engineer in an IT company located in San Diego, California. Due to the robust security and cost-effective service provided by AWS, her organization transferred all the workloads from on-prem to the AWS cloud in 2017. Elizabeth would like to prevent committing AWS keys into repositories; therefore, she created a global git-templates directory using the command line. Then, she created another directory, named hooks, in which she created a file named pre-commit. In the pre-commit file, Elizabeth pasted the script that would prevent committing AWS keys into the repositories. She would like to ensure that the hook is executable. Which of the following commands should Elizabeth run to make sure that the pre-commit hook is executable?)
(Timothy Dalton has been working as a senior DevSecOps engineer in an IT company located in Auburn, New York. He would like to use Jenkins for CI and Azure Pipelines for CD to deploy a Java-based app to an Azure Container Service (AKS) Kubernetes cluster. Before deploying the Azure Kubernetes Service (AKS) cluster, Timothy wants to create a resource group named Jenkins in the southindia location. Which of the following commands should Timothy run?)
(Thomas McInerney has been working as a senior DevSecOps engineer in an IT company that develops software products and web applications related to the healthcare sector. His organization deployed various applications in Docker containers. Thomas’ team leader would like to prevent a container from gaining new privileges. Therefore, he asked Thomas to set the no_new_priv bit, which functions across clone, execve, and fork to prevent a container from gaining new privileges. Which of the following commands should Thomas use to list the security options for all the containers?)
(SNF Pvt. Ltd. is a software development company located in Denver, Colorado. The organization is using pytm, a Pythonic framework for threat modeling, to detect security issues and mitigate them in advance. James Harden has been working as a DevSecOps engineer at SNF Pvt. Ltd. for the past 3 years. He has created a tm.py file that describes an application in which the user logs into the app and posts comments on the application. These comments are stored by the application server in the database, and AWS Lambda cleans the database. Which of the following commands can James use to generate a sequence diagram?)
(Rockmond Dunbar is a senior DevSecOps engineer in a software development company. His organization develops customized software for retail industries. Rockmond would like to avoid setting the mount propagation mode to shared until it is required, because when a volume is mounted in shared mode, other containers are not prevented from mounting and modifying that volume. If the mounted volume is sensitive to changes, this would be a serious security concern. Which of the following commands should Rockmond run to list the propagation mode for mounted volumes?)
(Joyce Vincent has been working as a senior DevSecOps engineer at MazeSoft Solution Pvt. Ltd. She would like to integrate the Trend Micro Cloud One RASP tool with Microsoft Azure to secure a container-based application by inspecting the traffic, detecting vulnerabilities, and preventing threats. In Microsoft Azure PowerShell, Joyce created the Azure container instance (named “aci-test-closh”) in a resource group (ACI) and loaded the container image into it. She then reviewed the deployment of the container instance. Which of the following commands should Joyce use to get the logging information from the container?)
(Michael Rady recently joined an IT company as a DevSecOps engineer. His organization develops software products and web applications related to online marketing. Michael deployed a web application on an Apache server. He would like to safeguard the deployed application from diverse types of web attacks by deploying the ModSecurity WAF on the Apache server. Which of the following commands should Michael run to install the ModSecurity WAF?)
(Maria Howell is working as a senior DevSecOps engineer at Global SoftSec Pvt. Ltd. Her team is currently working on the development of cybersecurity software. There are 5 developers who are working on code development. Howell’s team is using a private GitHub repository for the source code development. Which of the following commands should Howell use to grab the online updates and merge them with her local work?)
(George Lennon is working at InfoWorld Pvt. Solution as a DevSecOps engineer. His colleague, Sarah Mitchell, is a senior software developer. George told her to participate in a bug bounty program conducted by AWS for Python and Java code developers. He informed Sarah that the challenge is a fun-based solution for bashing bugs, encouraging team building, and bringing friendly competition to enhance the quality of the code and application performance. Acting on George’s advice, Sarah participated in the bug bounty program, scored the highest points in the challenge, and received a reward of $10,000. Based on the given information, which of the following bug bounty programs did Sarah participate in?)
(Robin Tunney has been working as a DevSecOps engineer in an IT company located in Charleston, South Carolina. She would like to build a customized Docker image using HashiCorp Packer. Therefore, she installed Packer and created a file named docker-ubuntu.pkr.hcl; she then added an HCL block to it and saved the file. Which of the following commands should Robin execute to build the Docker image using Packer?)
(Scott Adkins has recently joined an IT company located in New Orleans, Louisiana, as a DevSecOps engineer. He would like to build Docker infrastructure using Terraform; therefore, he has created a directory named terraform-docker-container. He then changed into the directory using the command: cd terraform-docker-container. Now, Scott wants to create a file to define the infrastructure. Which of the following commands should Scott use to create a file to define the infrastructure?)
(Richard Harris has 5 years of experience as a DevSecOps engineer. On February 1, 2022, he got the job of senior DevSecOps engineer in an IT company located in Raleigh, North Carolina. He would like to trigger a scan on each build in Jenkins, run customized scans for some specific vulnerabilities, fail the build process if a particular threat level is reached, and generate reports automatically by integrating the Acunetix DAST tool with Jenkins. Richard installed the Acunetix plugin successfully in Jenkins, after which he restarted Jenkins. He would like to find the path and install the certificate in Linux. Which of the following commands should Richard execute to find out the currently running Java binary in the Jenkins service?)