
ECDE Part 2


Description:
EC-Council Certified DevSecOps Engineer (ECDE)

Creation Date: 2026/01/12

Category: Computers

Number of questions: 49


Andrew Gerrard has recently joined an IT company that develops software products and applications as a DevSecOps engineer. His team leader asked him to download a jar application from the organization’s GitHub repository and run the BDD security framework. Andrew successfully downloaded the jar application from the repository and executed the jar application; then, he cloned the BDD security framework. Which of the following commands should Andrew use to execute the authentication feature?
- /gradlev -Dcucumber.options=”–tags @authentication –tags @skip”
- /gradlew -Dcucumber.options=”–tags @authentication –tags @skip”
- ./gradlev -Dcucumber.options=”–tags @authentication –tags ~@skip”
- ./gradlew -Dcucumber.options=”–tags @authentication –tags ~@skip”

George Lennon is working at InfoWorld Pvt. Solution as a DevSecOps engineer. His colleague, Sarah Mitchell, is a senior software developer. George told her to participate in a bug bounty program conducted by AWS for Python and Java code developers. He informed Sarah that the challenge is a fun-based solution for bashing bugs, encouraging team building, and bringing friendly competition to enhance the quality of the code and application performance. Acting on George’s advice, Sarah participated in the bug bounty program and scored the highest points in the challenge, and she received a reward of $10,000. Based on the given information, which of the following bug bounty programs did Sarah participate in?
- AWS BugFixer
- AWS BugFinder
- AWS BugHunt
- AWS BugBust

Joyce Vincent has been working as a senior DevSecOps engineer at MazeSoft Solution Pvt. Ltd. She would like to integrate the Trend Micro Cloud One RASP tool with Microsoft Azure to secure a container-based application by inspecting the traffic, detecting vulnerabilities, and preventing threats. In Microsoft Azure PowerShell, Joyce created the Azure container instance (named “aci-test-closh”) in a resource group (ACI) and loaded the container image to it. She then reviewed the deployment of the container instance. Which of the following commands should Joyce use to get the logging information from the container?
- az container logs --resource-group ACI --name aci-test-closh
- az container logs -resource-group ACI -name aci-test-closh
- azure container logs --resource-group ACI --name aci-test-closh
- azure container logs -resource-group ACI -name aci-test-closh

Kenneth Danziger is a certified DevSecOps engineer, and he recently got a job in an IT company that develops software products related to the healthcare industry. To identify security and compliance issues in the source code and quickly fix them before they impact the source code, Kenneth would like to integrate the WhiteSource SCA tool with AWS. Therefore, to integrate the WhiteSource SCA tool in AWS CodeBuild for initiating scanning in the code repository, he built a buildspec.yml file in the source code root directory and added the following command to the pre-build phase: curl -LJO https://github.com/whitesource/unified-agent-distribution/raw/master/standAlone/wss_agent.sh. Which of the following script files will the above step download to the CodeBuild server of Kenneth’s organization?
- wss_agent.sh
- ssw_agent.sh
- cbs_agent.sh
- aws_agent.sh

Robert Wheeler has been working as a DevSecOps engineer in an IT company for the past 5 years. His organization develops software products and web applications related to AutoCAD. Rob would like to integrate the Rapid7 tCell Next-Gen Cloud WAF and RASP tool with AWS CloudFront to protect the application by identifying suspicious actors, enforcing content security policies (CSPs), and securing against unvalidated HTTP redirections on web applications. How can Rob deploy the tCell agent as a CloudFormation stack into his organization’s AWS account?
- By plugging into CloudFront through Lambda Function
- By plugging into CloudFormation through Lambda Function
- By plugging into CloudFront through Lambda@Edge
- By plugging into CloudFormation through Lambda@Edge

DWART is an IT company that develops cyber security software and web applications. The organization ensures that all users should be identified and authorized, enforces proper auditing, secures data at rest, ensures that the attacker cannot bypass the security layers, implements multiple layers of defense, maintains proper data integrity, and performs proper input validation for the application. Based on the above-mentioned information, which of the following secure coding principles is achieved by DWART?
- Secure by design
- Secure by implementation
- Secure by default
- Secure by communication

Alex Hales recently joined TAVR Software Solution Pvt. Ltd. as a DevSecOps engineer. To automatically detect security loopholes in the web applications while building and testing them, he integrated the OWASP ZAP DAST plugin with Jenkins. How can Alex uniquely identify every build in the project?
- By specifying a file name followed by ${Profile_ID} in Post-build Actions tab
- By specifying a file name followed by ${zap_scan} in Post-build Actions tab
- By specifying a file name followed by ${ZAPROXY_HOME} in Post-build Actions tab
- By specifying a file name followed by ${Build_ID} in Post-build Actions tab

Helena Luke has been working as a DevSecOps engineer in an IT company located in Denver, Colorado. To seamlessly secure source code during build time and enhance the runtime protection functionalities to the source code, she would like to integrate Jscrambler with GitLab. Therefore, she selected a predefined template and successfully downloaded the Jscrambler configuration file. She then placed the file in the project's root folder and renamed it as .jscramblerrc. To prevent the exposure of sensitive information, she opened the Jscrambler configuration file and removed the access and secret keys from it. In which of the following formats does the Jscrambler configuration file exist?
- JSON
- XML
- YAML
- HTML

GainInsights is an IT company that develops mobile applications software. On February 11, 2022, the organization became a victim of a cyber-attack. The attacker targeted the organization’s application and compromised some important functionality. After the incident, the DevSecOps team of GainInsights identified the cause of the security issue, resolved it, and noted it for future reference. Based on this information, which of the following set of tests was conducted by GainInsights?
- Blameless post-mortem
- Security acceptance tests
- Security smoke tests
- White box testing

Scott Morrison is working as a senior DevSecOps engineer at SUTRE SOFT Pvt. Ltd. His organization develops software and applications for IoT devices. Scott created a user story; he then created abuser stories under the user story. After that, he created threat scenarios under the abuser story, and then he created test cases for the threat scenarios. After defining the YAML, Scott would like to push the user-story driven threat model to the ThreatPlaybook server. Which of the following commands should Scott use?
- playbook apply feature -f < path to the yaml file > -t test-project
- playbook apply feature -y < path to the yaml file > -p test-project
- playbook apply feature -f < path to the yaml file > -p test-project
- playbook apply feature -p < path to the yaml file > -t test-project

Maria Howell is working as a senior DevSecOps engineer at Global SoftSec Pvt. Ltd. Her team is currently working on the development of a cybersecurity software. There are 5 developers who are working on code development. Howell’s team is using a private GitHub repository for the source code development. Which of the following commands should Howell use to grab the online updates and merge them with her local work?
- $ git pull remotename branchname
- $ git get remotename branchname
- $ git push remotename branchname
- $ git grabs remotename branchname

William Scott has been working as a senior DevSecOps engineer at GlobalSec Pvt. Ltd. His organization develops software products related to mobile apps. William would like to exploit Jenkins using Metasploit framework; therefore, he downloaded Metasploit. He would like to initiate an Nmap scan by specifying the target IP to find the version of Jenkins running on the machine. Which of the following commands should William use to find the version of Jenkins running on his machine using Nmap?
- Nmap -sN -sJ “Target IP”
- Nmap -sJ -sN “Target IP”
- Nmap -sS -sV “Target IP”
- Nmap -sV -sS “Target IP”

Kevin Williamson has been working as a DevSecOps engineer in an MNC company for the past 5 years. In January of 2017, his organization migrated all the applications and data from on-prem to AWS cloud due to the robust security feature and cost-effective services provided by Amazon. His organization is using Amazon DevOps services to develop software products securely and quickly. To detect errors in the code and to catch bugs in the application code, Kevin integrated PHPStan into the AWS pipeline for static code analysis. What will happen if security issues are detected in the application code?
- The integrated PHPStan into the AWS pipeline will invoke AWS CloudFormation to parse and send result to the security hub
- The integrated PHPStan into the AWS pipeline will invoke AWS Config to parse and send result to the security hub
- The integrated PHPStan into the AWS pipeline will invoke AWS Elastic BeanStalk to parse and send result to the security hub
- The integrated PHPStan into the AWS pipeline will invoke the AWS Lambda function to parse and send result to the security hub

James Harden has been working as a senior DevSecOps engineer in an IT company located in Oakland, California. To detect vulnerabilities and to evaluate attack vectors compromising web applications, he would like to integrate Burp Suite with Jenkins. He downloaded the Burp Suite Jenkins plugins and then uploaded the plugin and successfully integrated Burp Suite with Jenkins. After integration, he would like to scan a web application using Burp Suite; therefore, he navigated to Jenkins’ dashboard, opened an existing project, and clicked on Configure. Then, he navigated to the Build tab and selected Execute shell from Add build step. Which of the following commands should James enter under the Execute shell?
- sudo BURP_SCAN_URL = http://target-website.com
- grep BURP_SCAN_URL = http://target-website.com
- cat BURP_SCAN_URL = http://target-website.com
- echo BURP_SCAN_URL = http://target-website.com

Sarah Wheeler is an experienced DevSecOps engineer. She recently joined an IT company that develops software products for customers stretched across the globe. Sarah would like to use a security testing tool that protects the application from false positives, network sniffing, tampering with code, etc. The tool should monitor the incoming traffic to the server and APIs for suspicious activities and help her team in remediating them during runtime. Which of the following tools should Sarah select that will help her team in precisely detecting and remediating the security issues in the application code during runtime?
- IAST
- SAST
- RASP
- DAST

Matt LeBlanc has been working as a DevSecOps engineer in an IT company that develops software products and web applications for IoT devices. His team leader has asked him to use the GitRob tool to find sensitive data in the organization’s public GitHub repository. To install GitRob, Matt ensured that he has correctly configured a Go >= 1.8 environment and that $GOPATH/bin is in his $PATH. The GitHub repository URL from which he is supposed to install the tool is https://github.com/michenriksen/gitrob. Which of the following commands should Matt use to install GitRob?
- $ go get github.com/michenriksen/gitrob
- $ go get gitrob github.com/michenriksen/gitrob
- $ go git github.com/michenriksen/gitrob
- $ go git gitrob github.com/michenriksen/gitrob

Lara Grice has been working as a DevSecOps engineer in an IT company located in Denver, Colorado. Her team leader has told her to save all the container images in the centos repository to centos-all.tar. Which of the following is a STDOUT command that Lara can use to save all the container images in the centos repository to centos-all.tar?
- # docker save centos > centos all.tar
- # docker save centos > centos-all.tar
- # docker save centos < centos all.tar
- # docker save centos < centos-all.tar

Jordon Garrett is working as a DevSecOps engineer in an IT company situated in Chicago, Illinois. His team prefers to use PowerShell for utilizing Git hooks because Bash and Windows are not compatible for advanced executions. For calling PowerShell script from Bash shell, Jordon wrote a PowerShell script using pre-commit logic such as pre-commit.ps1 and then executed the following commands:

#!C:/Program\ Files/Git/usr/bin/sh.exe
exec powershell.exe -NoProfile -ExecutionPolicy Bypass -File ".\.git\hooks\pre-commit.ps1"

How would Jordon know that the commit is successful?
- If the code exits with 0, then the commit is successful
- If the code exits with 1, then the commit is successful
- If the code exits with 3, then the commit is successful
- If the code exits with 2, then the commit is successful

Curtis Morgan is working as a DevSecOps engineer at Orchid Pvt. Ltd. His organization develops online teaching software. Beth McCarthy is working in a software development team, and she requested Curtis to help her in making pre-commit hooks executable on her local machine. Curtis went through the “repo\.git\hooks” directory and removed the “.sample” extension from “pre-commit.sample” file by using “chmod +x filename” command and made the pre-commit hook executable on Beth’s local machine. On the next day while developing the code for the software product, Beth accidentally committed the code with sensitive information. What will be the result of this commit?
- The script will exit with 3
- The script will exit with 0
- The script will exit with 2
- The script will exit with 1

Andrew Gerrard has recently joined an IT company located in Fairmont, California, as a DevSecOps engineer. Due to robust security and cost-effective service provided by AWS, his organization has migrated all the workloads from on-prem to AWS cloud in January of 2020. Andrew’s team leader has asked him to integrate AWS Secret Manager with Jenkins. To do so, Andrew installed the “AWS Secret Manager Credentials provider” plugin in Jenkins and configured an IAM policy in AWS that allows Jenkins to take secrets from AWS Secret manager. Which of the following files should Andrew edit to add access id and secret key parameters along with the region copied from AWS?
- /etc/file/Jenkins
- /etc/sysconfig/Jenkins
- /etc/sysconfig file/Jenkins
- /etc/filebeat/filebeat.yml

Sofia Coppola has been working as a senior DevSecOps engineer in an MNC company located in Denver, Colorado. In January of 2020, her organization migrated all the workloads from on-prem to AWS cloud environment due to the robust security feature and cost-effective services offered by AWS. Which of the following is an Amazon Web Services-hosted version control tool that Sofia can use to manage and store assets in the AWS cloud?
- AWS CodeCommit
- AWS CodePipeline
- AWS CodeBuilt
- AWS CodeDeploy

Richard Branson has been working as a DevSecOps engineer in an IT company for the past 7 years. He launched an application in a container one month ago. Recently, he modified the container and would like to commit the changes to a new image. Which of the following commands should Branson use to save the current state of the container as a new image?
- container commit
- docker push
- container push
- docker commit

Peter McCarthy is working in TetraVerse Soft Solution Pvt. Ltd. as a DevSecOps engineer. His organization develops customized software products and web applications. To develop software products quickly and securely, his organization has been using AWS cloud-based services, including AWS DevOps services. Peter would like to use CloudMapper to examine the AWS cloud environment and perform auditing for security issues. Which of the following privileges should Peter possess in order to collect information about the AWS account?
- arn:aws:iam::aws:policy/SecurityAudit arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- arn:aws:iam::aws:policy/SecurityCheck arn:aws:iam::aws:policy/job-function/ViewOnlyAccess:: EditOnlyAccess
- arn:aws:iam::aws:policy/SecurityAudit::SecurityCheck arn:aws:iam::aws:policy/job-role/ViewOnlyAccess:: EditOnlyAccess
- arn:aws:iam::aws:policy/AWSLambdaFullAccess arn:aws:iam::aws:policy/job-role/ViewOnlyAccess

Jordon Garrett has recently joined a startup IT company located in Chicago, Illinois, as a DevSecOps engineer. His team leader asked him to find a SAST tool that can secure the organization’s Azure environment. Which of the following is a SAST tool that Jordon can select to secure his organization’s Azure environment?
- Coverity
- Accurics
- Tenable.io
- DevSkim

William Edwards is working as a DevSecOps engineer at SVR Software Solution Pvt. Ltd. His organization develops software products and applications related to digital marketing. William integrated Prisma Cloud with Jenkins to perform threat-intelligence-based threat detection. This integration will allow him to scan container images and serverless functions for security issues in the CI/CD pipeline. Which of the following is employed by Prisma Cloud to understand the normal network behavior of each customer’s cloud environment to detect network anomalies and zero-day attacks effectively with minimal false positives?
- Advanced unsupervised machine learning
- Advanced unsupervised data mining
- Advanced supervised data mining
- Advanced supervised machine learning

Allen Smith has been working as a senior DevSecOps engineer for the past 4 years in an IT company that develops software products and applications for retail companies. To detect common security issues in the source code, he would like to integrate the Bandit SAST tool with Jenkins. Allen installed Bandit and created a Jenkins job. In the Source Code Management section, he provided the repository URL, credentials, and the branch that he wants to analyze. As Bandit is installed on Jenkins' server, he selected Execute shell for the Build step and configured the Bandit script. After successfully integrating the Bandit SAST tool with Jenkins, in which of the following can Allen detect security issues?
- Java code
- Ruby code
- Python code
- C++ code

Richard Harris has 5 years of experience as a DevSecOps engineer. On February 1, 2022, he got the job of senior DevSecOps engineer in an IT company located in Raleigh, North Carolina. He would like to trigger a scan on each build in Jenkins, run customized scans for some specific vulnerabilities, fail the build process if a particular threat level is reached, and generate reports automatically by integrating the Acunetix DAST tool with Jenkins. Richard installed the Acunetix plugin successfully in Jenkins, after which he restarted Jenkins. He would like to find the path and install the certificate in Linux. Which of the following commands should Richard execute to find out the currently running Java binary in the Jenkins service?
- pc - aux | grep Jenkins
- as - aux | grep Jenkins
- ac - aux | grep Jenkins
- ps - aux | grep Jenkins

Trevor Noah has been working as a DevSecOps engineer in an IT company located in Detroit, Michigan. His team leader asked him to perform continuous threat modeling using ThreatSpec. To do so, Trevor installed and initialized ThreatSpec in the source code repository; he then started annotating the source code with security issues, actions, or concepts. Trevor ran ThreatSpec against the application code and he wants to generate the threat model report. Which of the following commands should Trevor use to generate the threat model report using ThreatSpec?
- $ ThreatSpec report
- $ ThreatSpec Report
- $ Threatspec Report
- $ threatspec report

Patrick Fisher is a DevSecOps engineer in an IT company that develops software products and web applications. He is using IAST to analyze code for security vulnerabilities and to view real-time reports of the security issues. Patrick is using IAST in development, QA, and production stages to detect the vulnerabilities from the early stage of development, reduce the remediation cost, and keep the application secure. How can IAST perform SAST on every line of code and DAST on every request and response?
- Because IAST has access to server and local machine
- Because IAST has access to the code and HTTP traffic
- Because IAST has access to offline and runtime environment
- Because IAST has access to internal and external agents

David Paymer has been working as a senior DevSecOps engineer in an IT company over the past 5 years. His organization is using Azure DevOps service to produce software products securely and quickly. David’s team leader asked him to publish a NuGet package utilizing a command line. Imagine you are in David’s place; which command would you use to publish the NuGet package into the feed?
- nuget.exe publish -Source “< YOUR_FEED_NAME >” -ApiKey < ANY_STRING > < PACKAGE_PATH >
- nuget.exe push -Destination “< YOUR_FEED_NAME >” -ApiKey < ANY_STRING > < PACKAGE_PATH >
- nuget.exe publish -Destination “< YOUR_FEED_NAME >” -ApiKey < ANY_STRING > < PACKAGE_PATH >
- nuget.exe push -Source “< YOUR_FEED_NAME >” -ApiKey < ANY_STRING > < PACKAGE_PATH >

Rachel Maddow has been working at RuizSoft Solution Pvt. Ltd. for the past 7 years as a senior DevSecOps engineer. To develop software products quickly and securely, her organization has been using AWS DevOps services. On January 1, 2022, the software development team of her organization developed a Spring Boot application with microservices and deployed it in an AWS EC2 instance. Which of the following AWS services should Rachel use to scan the AWS workloads in the EC2 instance for security issues and unintended network exposures?
- AWS Inspector
- AWS WAF
- AWS Config
- Amazon CloudWatch

Charlotte Flair is a DevSecOps engineer at Egma Soft Solution Pvt. Ltd. Her organization develops software and applications related to supply chain management. Charlotte would like to integrate the Sqreen RASP tool with Slack to monitor the application at runtime for malicious activities and block them before they can damage the application. Therefore, she created a Sqreen account and installed Sqreen Microagent. Now, she would like to install the PHP microagent. To do so, she reviewed the PHP microagent’s compatibility, then she signed in to her Sqreen account and noted the token in Notepad. Which of the following commands should Charlotte run in the terminal to install the PHP extension and the Sqreen daemon?
- curl -s https://download.sqreen.com/php/install.sh > sqreen-install.sh \ && bash sqreen-install.sh [CHARLOTTE’S ORG TOKEN HERE] “[ CHARLOTTE’S APP NAME HERE]”
- curl -s https://download.sqreen.com/php/install.sh < sqreen-install.sh \ && bash sqreen-install.sh [CHARLOTTE’S ORG TOKEN HERE] “[ CHARLOTTE’S APP NAME HERE]”
- curl -i https://download.sqreen.com/php/install.sh > sqreen-install.sh \ && bash sqreen-install.sh [CHARLOTTE’S ORG TOKEN HERE] “[ CHARLOTTE’S APP NAME HERE]”
- curl -i https://download.sqreen.com/php/install.sh < sqreen-install.sh \ && bash sqreen-install.sh [CHARLOTTE’S ORG TOKEN HERE] “[ CHARLOTTE’S APP NAME HERE]”

Jason Barry has been working as a DevSecOps engineer in an IT company that develops software products and applications for ecommerce companies. During the build-time check, Jason discovered SQL injection and XSS security issues in the application code. What action does the build-time check perform on the application code?
- It will ignore the security issue and continue the build process
- It will send a message to issue and project management tool and continue with deploy-time check
- It will send an alert to SIEM and continue with test-time check
- It will stop the build process

Timothy Dalton has been working as a senior DevSecOps engineer in an IT company located in Auburn, New York. He would like to use Jenkins for CI and Azure Pipelines for CD to deploy a Java-based app to an Azure Container Service (AKS) Kubernetes cluster. Before deploying the Azure Kubernetes Service (AKS) cluster, Timothy wants to create a resource group named Jenkins in the southindia location. Which of the following commands should Timothy run?
- az group create --name Jenkins --location southindia
- az grp create --n Jenkins --loc southindia
- azure group create --name Jenkins --location southindia
- azure group create --n Jenkins --loc southindia

Teresa Wheeler is a DevSecOps engineer at Altschutz Solution Pvt. Ltd. She would like to test the web applications and APIs from outside without accessing the source code using the BDD security framework. The framework is a collection of Cucumber-JVM features that are pre-configured with OWASP ZAP, Nessus scanner, SSLyze, and Selenium. Hence, she downloaded and ran the jar application, and then cloned the BDD security framework. Next, she utilized a command for executing the authentication feature. Which of the following commands allows Teresa to execute all the features of the BDD security framework, including the OWASP ZAP?
- ./gardlew
- /gardlev
- /gardlew
- ./gardlev

Dustin Hoffman is a DevSecOps engineer at SantSol Pvt. Ltd. His organization develops software products and web applications related to mobile apps. Using Gauntlt, Dustin would like to facilitate testing and communication between teams and create actionable tests that can be hooked in testing and deployment process. Which of the following commands should Dustin use to install Gauntlt?
- $ gems install Gauntlt
- $ gems install gauntlt
- $ gem install gauntlt
- $ gem install Gauntlt

Rockmond Dunbar is a senior DevSecOps engineer in a software development company. His organization develops customized software for retail industries. Rockmond would like to avoid setting the mount propagation mode to shared until it is required because when a volume is mounted in shared mode, it does not limit other containers from mounting and modifying that volume. If the mounted volume is sensitive to changes, then it would be a serious security concern. Which of the following commands should Rockmond run to list out the propagation mode for mounted volumes?
- docker ps -quiet -all | xargs docker inspect -format ': Propagation=’
- docker ps --quiet --all | xargs docker inspect --format ': Propagation’
- docker ps --quiet --all | xargs docker inspect --format ': Propagation=’
- docker ps -quiet -all | xargs docker inspect -format ': Propagation’

Bruce Altman is a DevSecOps engineer at a web application development company named TechSoft Pvt. Ltd. Due to robust security features provided by Microsoft Azure, in January of 2020, his organization migrated all the workloads from on-prem to Azure. Using Terraform configuration management tool, Bruce created a resource group and virtual machine (VM) in Azure; he then deployed a web application in the VM. Within an hour, Bruce’s team leader informed him that he detected various security issues in the application code and asked him to destroy the infrastructure that he has created in Microsoft Azure using Terraform. Which of the following commands can Bruce use to destroy the infrastructure created using Terraform?
- terraform kill
- terraform destroy
- terraform kill-infra
- terraform destroy-infra

Alexander Hamilton has been working as a senior DevSecOps engineer in an IT company located in Greenville, South Carolina. In January of 2012, his organization became a victim of a cyber security attack and incurred a tremendous loss. Alexander’s organization immediately adopted AWS cloud-based services after the attack to develop robust software products securely and quickly. To detect security issues in code review, Alexander would like to integrate SonarQube with AWS Pipeline; therefore, he created a pipeline in AWS using the CloudFormation pipeline template. Then, he selected the SonarQube tool from the tools dropdown, provided the required stack parameters, and also provided an email address for receiving email notifications of changes in pipeline status and approvals. He deployed the pipeline after entering the required information. What will happen when changes are committed in the application repository?
- Cloud Config event is created
- BinSkim event is created
- CloudWatch event is created
- Security Hub event is created

Kevin Ryan has been working as a DevSecOps engineer in an MNC company that develops various software products and web applications. For easy management of secret credentials in CI/CD pipeline, he would like to integrate Azure Key Vault with Jenkins. Therefore, he created an Azure Key Vault, noted down the credentials displayed on the screen, and created a secret in Azure Key Vault. Then, he used the secret key from the credentials obtained from creating the vault. Kevin went back to Jenkins and installed Azure Key Vault plugin. Then, he navigated to Configure System under Manage Jenkins and added the URL for Azure Key Vault. How can Kevin complete the integration of Azure Key Vault with Jenkins?
- By modifying old credentials in Global Credentials (unrestricted)
- By creating new credentials in Global Credentials (unrestricted)
- By creating new credentials in Global Credentials (restricted)
- By modifying old credentials in Global Credentials (restricted)

Dave Allen is working as a DevSecOps engineer in an IT company located in Baltimore, Maryland. His team is working on the development of Ruby on Rails application. He integrated Brakeman with Jenkins to detect security vulnerabilities as soon as they are introduced; he then installed and configured Warnings Next Generation Plugin in Jenkins. What will be the use of Warnings Next Generation Plugin to Dave?
- It will inspect TypeScript code for readability, functionality, and maintainability issues
- It will gather and manage the results from Brakeman
- It will validate Jenkins compiler settings
- It will regulate the function of Brakeman

Debra Aniston has recently joined an MNC company as a DevSecOps engineer. Her organization develops various types of software products and web applications. The DevSecOps team leader provided an application code and asked Debra to detect and mitigate security issues. Debra used w3af tool and detected cross-site scripting and SQL injection vulnerability in the source code. Based on this information, which category of security testing tools is represented by w3af?
- IAST
- SCA
- DAST
- SAST

Victor Garber is a DevSecOps team leader in SanSec Pvt. Ltd. His organization develops various types of software products and web applications. Currently, his team is working on security of Java-based web application product. How can Victor identify vulnerabilities that are missed in pre-production testing activities?
- By performing deploy-time checks
- By performing test-time checks
- By performing commit-time checks
- By performing build-time checks

Joe Adler has recently been offered a job as a DevSecOps engineer in an IT company that develops software products and web applications for the healthcare industry. He would like to implement DevSec Hardening Framework to add a layer into the automation framework that configures operating systems and services and takes care of difficult settings, compliance guidelines, cryptography recommendations, and secure defaults. To apply DevSec Hardening Framework to the machine, he scanned the machine using Nessus scanning tool; he then checked the compliance results before using DevSec Hardening Framework. Which of the following commands should Joe use to run DevSec Hardening Framework?
- Chef-solo -c solo.rb -j solo.json
- Chef-solo -m solo.rb -h solo.json
- Chef-solo -j solo.rb -c solo.json
- Chef-solo -h solo.rb -m solo.json

William O’Neil has been working as a senior DevSecOps engineer in an IT company that develops software products related to ecommerce. At this point in time, his team is working on securing a Python-based application. Using GitGraber, William would like to detect sensitive information in real time in his organization’s GitHub repository. Therefore, he downloaded GitGraber and installed the dependencies. Which of the following commands should William use to find secrets using a keyword (assume the keyword is yahoo)?
- python3 gitGraber.py -w wordlist/keywordsfile.txt -q “\yahoo\” -s
- python3 gitGraber.py -g wordlist/keywordsfile.txt -q “\yahoo\” -s
- python3 gitGraber.py -p wordlist/keywordsfile.txt -q “\yahoo\” -s
- python3 gitGraber.py -k wordlist/keywordsfile.txt -q “\yahoo\” -s

Orange International Pvt. Ltd. is an IT company that develops software products and web applications for Android phones. The organization recognizes the importance of secure coding principles and would like to enforce it. Therefore, Orange International Pvt. Ltd. established access management, avoided reinventing the wheel, secured the weak links, implemented in-depth defense, and reduced third-party involvement in the application. Based on the above-mentioned information, which of the following secure coding principles is achieved by the organization?
- Secure by implementation
- Secure by default
- Secure by design
- Secure by communication

Rachel McAdams has been working as a senior DevSecOps engineer in an IT company for the past 5 years. Her organization embraced AWS cloud service due to robust security and cost-effective features offered by it. To take proactive decisions related to the security issues and to minimize the overall security risk, Rachel integrated ThreatModeler with AWS. ThreatModeler utilizes various services in AWS to produce a robust threat model. How can Rachel automatically generate the threat model of her organization’s current AWS environment in ThreatModeler?
- By using YAML spec–based orchestration tools
- By using Architect
- By using STRIDE per Element
- By using Accelerator

Nicholas Cascone has recently been recruited by an IT company from his college as a DevSecOps engineer. His team leader asked him to integrate GitHub Webhooks with Jenkins. To integrate GitHub Webhooks with Jenkins, Nicholas logged in to his GitHub account; he then selected Settings > Webhooks > Add Webhook. In the Payload URL field, he is supposed to add the Jenkins URL. Which of the following is the final Jenkins URL format that Nicholas should add in the Payload URL field of GitHub to configure GitHub Webhooks with Jenkins?
- http://address:port/GiHhub-webhook/
- http://address:port/github_webhook/
- http://address:port/github-webhook/
- http://address:port/GitHub.webhook/

Amy Ryan is a DevSecOps engineer in an IT company that develops software products and web applications related to cyber security. She is using the Anchore tool for container vulnerability scanning and Software Bill of Materials (SBOM) generation. It helped her to perform quick scanning and generate a list of known vulnerabilities from an SBOM, container image, or project directory. Which of the following commands should Amy run to include software from all the image layers in the SBOM?
- syft packages < image > scope all_layers SBOM
- syft packages < image > --scope all-layers Anchore
- syft packages < image > scope all_layers
- syft packages < image > --scope all-layers
