312-97 Sample Questions Answers

Ablameless post-mortemis conducted after a security incident to analyze what happened, why it happened, and how similar incidents can be prevented in the future—without assigning individual blame. The key indicators in the scenario are that the team identified the cause, resolved the issue, and documented lessons learned for future reference. Security acceptance tests and smoke tests are pre-release validation activities, while white-box testing focuses on code-level analysis rather than incident review. Blameless post-mortems are a cornerstone of DevSecOps culture, encouraging transparency, continuous learning, and systemic improvement during the Operate and Monitor stage.

========

In AWS-based DevSecOps pipelines, static analysis tools such as PHPStan commonly send their results to AWS services through event-driven processing. When PHPStan detects security issues, the results are typically parsed and processed by anAWS Lambda function, which can transform findings and forward them to AWS Security Hub. CloudFormation is used for infrastructure provisioning, AWS Config evaluates configuration compliance, and Elastic Beanstalk is an application deployment service—none of these are suited for parsing and relaying scan results. Lambda functions provide a scalable and serverless way to handle scan outputs automatically. This integration ensures that security findings are centralized, visible, and actionable, aligning with secure automation practices during the Code stage.

========

In Go-based tool installation, the standard method to download, compile, and install a Go package is using the go get command followed by the repository import path. Since Matt has already ensured that Go version 1.8 or later is installed and that $GOPATH/bin is included in the system PATH, running go get github.com/michenriksen/gitrob will fetch the GitRob source code, build the binary, and place it in the appropriate bin directory. Options B, C, and D are invalid because go get does not accept multiple positional arguments in that manner, and go git is not a valid Go command. Installing GitRob during the Code stage enables DevSecOps teams to scan repositories for accidentally committed credentials, API keys, and other sensitive information, helping prevent data leakage from public repositories.

========

Interactive Application Security Testing (IAST) works by instrumenting the application at runtime, allowing it to observe both thesource code execution pathsand theHTTP requests and responsesflowing through the application. Because of this dual visibility, IAST can analyze every executed line of code (similar to SAST) while also monitoring real-time application behavior (similar to DAST). This unique capability enables highly accurate vulnerability detection with fewer false positives. The other options do not correctly explain how IAST achieves this hybrid analysis. Access to both code and HTTP traffic is what allows IAST to bridge static and dynamic testing techniques, making it highly effective across development, QA, and production environments.

========

Jira usesAtlassian Query Language, commonly referred to as JQL, to search, filter, and manage issues. This query language allows users to create advanced searches using fields such as project, status, assignee, priority, and custom attributes. Although often informally called Jira Query Language, the official name among the given options is Atlassian Query Language. SQL and Java query language are unrelated and not used for issue searching in Jira. Using JQL during the Code stage improves traceability between source code commits, builds, and tracked issues, enabling teams to monitor progress, validate deployment status, and maintain alignment between development and delivery activities.

========

w3af (Web Application Attack and Audit Framework) is aDynamic Application Security Testing (DAST)tool. It analyzes running web applications by sending crafted requests and observing responses to identify vulnerabilities such as SQL injection, cross-site scripting, and authentication flaws. Unlike SAST tools, w3af does not require access to source code and instead operates externally, simulating real-world attack behavior. SCA focuses on third-party dependencies, and IAST requires runtime instrumentation within the application. Since Debra detected vulnerabilities by actively interacting with the application, w3af clearly represents DAST. DAST tools are especially valuable during the Build and Test stage, as they validate application behavior from an attacker’s perspective before deployment.

========

Coverity is a well-known Static Application Security Testing (SAST) tool used to analyze source code for security vulnerabilities, coding errors, and quality issues. It integrates with CI/CD pipelines and supports enterprise-scale environments, including cloud-based development on platforms such as Azure. Accurics focuses on Infrastructure as Code security, Tenable.io is a vulnerability management platform for infrastructure and assets, and DevSkim is a lightweight code scanning extension rather than a full SAST platform. Selecting Coverity enables deep static analysis of application code during the Code stage, helping teams detect vulnerabilities early and reduce remediation costs.

========

CloudMapper requires read-only access to AWS resources in order to collect metadata, visualize architectures, and perform security analysis without modifying infrastructure. The AWS-managed policySecurityAuditprovides permissions to view security-related configuration across services, whileViewOnlyAccessallows read-only access to AWS resources more broadly. Together, these policies enable CloudMapper to gather comprehensive information about the AWS environment without granting write privileges. The other options either reference invalid policy names, incorrect formatting, or excessive permissions such as AWSLambdaFullAccess, which are unnecessary and violate least-privilege principles. Granting SecurityAudit and ViewOnlyAccess aligns with secure auditing practices during the Operate and Monitor stage.

========

HashiCorp Vault enables authentication mechanisms using the vault auth enable command followed by the name of the authentication method. To enable AppRole authentication, the correct command is vault auth enable approle. AppRole is specifically designed for machine-to-machine authentication, making it ideal for CI/CD tools like Jenkins. It allows applications to authenticate securely using role IDs and secret IDs instead of static credentials. The other options do not follow Vault CLI syntax and would result in command errors. Enabling AppRole during the Build and Test stage ensures that secrets are accessed securely and dynamically, supporting least-privilege access control and reducing the risk of credential leakage across the DevSecOps pipeline.

Terraform infrastructure definitions are written in files with the .tf extension, commonly named main.tf. To create a new, empty file where infrastructure code can be added, the correct command is touch main.tf. This command creates the file without adding any content, allowing Scott to begin defining Docker infrastructure using Terraform syntax. The cat command is used to display file contents, not create files. The echo command prints text to standard output and does not create files unless output redirection is used. The command sudo main.tf is invalid and does not create files. Creating Terraform configuration files during the Release and Deploy stage supports Infrastructure as Code practices, enabling version control, repeatability, and security validation of infrastructure deployments. This approach allows DevSecOps teams to define, review, and deploy infrastructure in a consistent and auditable manner.

========

The git-multimail tool provides a mechanism to verify whether it has been installed and configured correctly before being relied upon for production notifications. This verification is done using an environment variable namedGIT_MULTIMAIL_CHECK_SETUP. When this variable is set to anon-empty string, git-multimail performs a setup validation and outputs diagnostic information toconfirm that configuration values, hooks, and parameters are correctly defined. This helps prevent silent failures where commits occur but email notifications are not sent. Options that referenceGITHUB_MULTIMAIL_CHECK_SETUPare incorrect because git-multimail is not limited to GitHub and does not use that variable name. Additionally, setting the variable to an empty string does not trigger the setup check. Ensuring proper configuration during the Code stage is important because it supports auditability, traceability, and timely communication among development and security teams. Therefore, Brett must run the environment variableGIT_MULTIMAIL_CHECK_SETUPwith a non-empty value to ensure the tool is set up appropriately.

========

The BDD Security framework is executed through Gradle wrapper commands, and the correct wrapper script on Unix-like systems is ./gradlew (dot-slash indicates “run the wrapper from the current directory”). Options using /gradlew or /gradlev imply an absolute path at filesystem root and are typically incorrect for a cloned project. Also, the wrapper name isgradlew, notgradlev. For executing only the authentication feature (or scenarios tagged for authentication), Cucumber tag expressions are used through the -Dcucumber.options system property. The command must include --tags @authentication to select authentication-tagged scenarios. To skip scenarios tagged “skip,” the exclusion operator is used as --tags ~@skip (meaning “exclude @skip”). Options A and B incorrectly include --tags @skip which wouldincludeskipped tests rather than exclude them. Therefore, ./gradlew -Dcucumber.options="--tags @authentication --tags ~@skip" is the correct choice to run authentication scenarios while excluding anything marked to skip.

========

On Debian- and Ubuntu-based systems, ModSecurity for Apache is installed using the package libapache2-mod-security2. The correct command to install this package is sudo apt install libapache2-mod-security2 -y, where the -y flag automatically confirms installation prompts. The other options include invalid flags that are not recognized by the package manager and would result in command failure. Installing ModSecurity during the Operate and Monitor stage provides an additional layer of defense by inspecting incoming HTTP requests and blocking malicious traffic such as SQL injection, cross-site scripting, and protocol violations. A Web Application Firewall helps protect deployed applications from common attack vectors and supports defense-in-depth strategies in production environments.

Runtime Application Self-Protection (RASP) operates from within the application runtime environment, monitoring incoming traffic, API calls, and execution behavior in real time. Because it has deep visibility into application logic and execution context, RASP can accurately detect attacks such as injection, tampering, and abnormal behavior while minimizing false positives. SAST analyzes source code statically, DAST tests running applications externally, and IAST combines some runtime insight with testing but does not actively block threats. RASP’s ability to detect and remediate attacks during runtime makes it ideal for protecting applications in production environments, aligning with the Operate and Monitor stage of the DevSecOps pipeline.

Chef InSpec executes compliance tests using the inspec exec command. When testing Azure infrastructure, InSpec requires a target specification using the -t flag with the Azure transport identifier azure://. The correct command is inspec exec inspec-tests/integration/ -t azure://. Options using exe instead of exec are invalid due to incorrect command spelling. Options that use the -it flag misuse command-line parameters that are not intended for target selection. Running InSpec tests in this way allows DevSecOps teams to validate that Azure resources comply with architectural, security, and regulatory requirements. Integrating these checks into the Build and Test stage ensures continuous compliance and reduces the risk of insecure infrastructure reaching production environments.

========

HashiCorp Packer is an image automation tool that uses the packer build command to create machine images from configuration files written in HCL or JSON. When Robin defines her Docker image configuration in the file docker-ubuntu.pkr.hcl, the correct way to initiate the build process is by running packer build docker-ubuntu.pkr.hcl. This command reads the configuration file, initializes required plugins, executes defined builders and provisioners, and produces the final Docker image. The other options are syntactically incorrect because Packer does not support abbreviated flags such as -b or alternative verbs like -build. Building container images during the Build and Test stage ensures that images are reproducible, standardized, and compliant with organizational security requirements before deployment. Using Packer also supports immutability and reduces configuration drift, which are key principles in secure DevSecOps pipelines.

========

The secure communication principle focuses on protecting data as it moves between systems, services, and users. This is achieved by establishing and maintainingsecure trust relationships, which include strong authentication mechanisms, encryption, certificate management, and trusted communication channels. Preventing breaches and reducing attack surface are broader security objectives, not specific to communication security. Balancing default configuration settings relates to secure defaults rather than communication. Secure trust relationships ensure that only authenticated and authorized entities can exchange data and that information remains confidential and tamper-proof during transmission. Embedding this principle into DevOps culture ensures that secure communication practices are consistently applied across all stages of the DevSecOps pipeline.

========

SonarLint is a static code analysis tool designed specifically to be used inside developers’ IDEs, where it provides immediate feedback while code is being written. It highlights bugs, security vulnerabilities, and code smells and, importantly, providesclear remediation guidancethat explains why an issue exists and how it can be fixed. This aligns directly with Debra’s requirement to fix issues “before they exist,” meaning before code is committed to the repository. Arachni and OWASP ZAP are dynamic application security testing tools that require a running application and are typically used later in the pipeline. Tenable.io is a vulnerability management platform focused on infrastructure and application scanning rather than real-time developer feedback. By using SonarLint, developers receive continuous guidance during coding, supporting the shift-left security approach in DevSecOps and reducing the cost and effort of fixing vulnerabilities later in the lifecycle.

========

Bundler-Audit is an SCA tool designed specifically for Ruby applications. It analyzes the Gemfile and Gemfile.lock to identify dependencies and checks them against known vulnerability databases. Bandit is intended for Python code analysis, Retire.js targets JavaScript libraries, and Tenable.io focuses on infrastructure-level vulnerabilities. By using Bundler-Audit during the Code stage, DevSecOps teams can detect vulnerable Ruby gems early and ensure that only secure dependencies are used. This reduces the risk of exploiting known vulnerabilities in third-party libraries and supports secure dependency management throughout the development lifecycle.

========

ThreatPlaybook uses the playbook apply feature command to push user-story–driven threat models to the server. The -f flag specifies the path to the YAML file containing the defined user stories, abuser stories, and threat scenarios, while the -p flag specifies the target project. Option C correctly combines these parameters. The -y flag is invalid in this context, and options that misuse -t instead of -p do not correctly identify the project destination. Executing this command during the Plan stage enables teams to integrate threat modeling early, ensuring security risks are identified and addressed before development and deployment proceed.

GitLab CI/CD pipelines are defined using a configuration file namedgitlab-ci.yml, which must be placed in the root directory of the repository. This file controls pipeline stages, jobs, and template inclusions. To integrate Checkmarx SCA using a predefined template, the template reference must be included in the root-level gitlab-ci.yml file so GitLab can load and execute the defined jobs automatically. The other filenames listed in the options are not recognized by GitLab as valid pipeline configuration files. Integrating SCA at the Code stage allows early detection of vulnerable open-source dependencies, reducing remediation cost and preventing insecure components from progressing further in the DevSecOps pipeline.

Deploy-time checks are designed to identify vulnerabilities that may not surface during earlier stages such as commit-time, build-time, or test-time checks. These checks analyze applications in environments that closely resemble or are part of production, making it possible to detect configuration issues, runtime vulnerabilities, and environment-specific weaknesses. Pre-production testing often cannot fully replicate production conditions, so deploy-time checks act as an additional safety net. Commit-time and build-time checks focus on code quality and static analysis, while test-time checks validate application behavior in controlled environments. Deploy-time checks therefore help Victor uncover vulnerabilities missed earlier, improving overall security assurance before or during deployment.

========

The docker commit command is used to create a new Docker image from the current state of a running or stopped container. This is useful when changes have been made interactively inside a container and need to be preserved as a reusable image. Commands such as docker push are used to upload images to a registry, not to create them, and container commit or container push are not valid Docker CLI commands. While docker commit can be helpful for quick snapshots or debugging, it is generally recommended to use Dockerfiles for reproducible builds in production pipelines. In the Build and Test stage, understanding docker commit helps DevSecOps engineers capture container changes for analysis, testing, or troubleshooting.

========

Bandit is a Static Application Security Testing (SAST) tool developed specifically for analyzingPython source code. It scans Python scripts and applications to identify common security issues such as use of weak cryptography, hardcoded passwords, unsafe use of functions like eval, and insecure imports. Bandit works by parsing Python Abstract Syntax Trees (ASTs) and applying a set of security-focused rules. It does not support Java, Ruby, or C++ code, which require different static analysis tools tailored to their respective languages. By integrating Bandit with Jenkins during the Build and Test stage, Allen enables automated detection of Python-specific security flaws as soon as code changes are introduced. This shift-left approach reduces remediation costs, prevents vulnerable code from progressing further in the pipeline, and improves overall application security posture.

========

ThreatModeler integration with Azure Pipelines is achieved using abidirectional API, which allows automated and continuous interaction between the pipeline and the threat modeling platform. This bidirectional communication enables Azure Pipelines to trigger threat modeling activities while also receiving results, risk scores, and actionable insights back from ThreatModeler. Such feedback loops are critical for proactive security decision-making during the Plan stage of DevSecOps. Unidirectional APIs or UI-based integrations limit automation and do not support continuous feedback, making them unsuitable for pipeline-driven workflows. UI-based approaches also introduce manual steps, which conflict with DevSecOps principles of automation and consistency. By using a bidirectional API, William’s organization can embed threat modeling into the planning process, identify architectural risks early, and ensure security considerations are continuously enforced as part of the pipeline.

========

Change lead time measures the duration between a code commit and its successful deployment into production. This metric tracks how efficiently new features, bug fixes, and changes move through development, testing, and release stages. It is a key DevSecOps performance indicator used to assess pipeline efficiency and the effectiveness of automation and security integration. Mean time to recovery focuses on restoring service after incidents, change volume measures the number of changes rather than delivery speed, and time to value is a broader business metric. Change lead time directly reflects how well DevSecOps practices enable rapid yet secure delivery, making it the correct metric for measuring commit-to-production flow across all phases.

========

In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.

========