Agile and DevOps – Multiple Choice Questions With Answers

In today’s fast-paced and rapidly evolving software development landscape, two methodologies have gained immense popularity and prominence: Agile and DevOps. These methodologies have revolutionized the way software is designed, developed, tested, and deployed.

To help you better understand Agile and DevOps, we’ve compiled a list of multiple-choice questions with detailed answers.

1. A design principle to guide the selection of controls for an application to ensure its resilience against different forms of attack, and to reduce the probability of a single point of failure in the security of the system is called:

a) Defense in depth
b) Least privilege
c) Security by obscurity
d) Secure defaults

2. Poor Application Software Security is:

a) A network security problem
b) An operating system security problem
c) A software development and engineering problem
d) A user-caused problem

3. Giving a program the minimal authority to access resources is called:

a) Principle of Keep Security Simple
b) Principle of Least Privilege
c) Principle of Fail Securely
d) Principle of Defense in Depth

4. The paradigm of Building Security In begins with:

a) Analysis phase
b) Design phase
c) Specification phase
d) Development phase

5. Static code scanning should begin:

a) At build/continuous integration time
b) As soon as any code is produced
c) At unit testing time
d) At deployment time

6. Software security is most effective when it’s addressed in which SDLC activity?

a) Design sprint
b) Development sprint
c) Sprint planning
d) All Scrum activities

7. Shifting Left refers to:

a) Beginning security activities as early as possible in the SDLC
b) Focusing on security during the acceptance testing phase
c) Defining security requirements before application features are added to the Product Backlog
d) Addressing security requirements post–design phase activities

8. Effective appsec programs begin with an awareness track for everyone involved in software development to:

a) Provide context
b) Inform everyone about the program and roadmap
c) Provide common understanding and terminology
d) All of the above

9. The risk-communication strategy meant to overcome apathy toward hazards that are genuinely significant is called:

a) Outrage management
b) Crisis communication
c) Precaution advocacy
d) Crisis management

10. Specialized appsec training should be stratified across:

a) User groups
b) Development team member role
c) Management group
d) Security champions

11. Anonymity is an aspect of what type of requirements?

a) Authentication requirement
b) Privacy requirement
c) Integrity requirement
d) Identification requirement

12. _____________ mandate the qualities of a system, describing how well the program should do what it does.

a) Security requirements
b) Nonfunctional requirements
c) Performance requirements
d) Functional requirements

13. The security activity in product backlog development is needed to do which of the following?

a) Map security and privacy needs as guardrails in user story acceptance criteria
b) Develop the software that implements security controls
c) Perform a risk analysis on the intended application
d) Perform peer reviews of the documentation

14. A design principle to guide the selection of controls for an application to ensure its resilience against different forms of attack, and to reduce the probability of a single point of failure in the security of the system is called:

a) Defense in depth
b) Least privilege
c) Security by obscurity
d) Secure defaults

15. Giving a program the minimal authority to access resources is called:

a) Principle of Keep Security Simple
b) Principle of Least Privilege
c) Principle of Fail Securely
d) Principle of Defense in Depth

16. The term that describes all possible entry points that an attacker can use to attack an application or system is called:

a) Security perimeter
b) Attack surface
c) Attack perimeter
d) Gateway

17. Security through obscurity refers to:

a) Hiding design details from development teams
b) Storing secrets in application code
c) Opaque functions
d) Reliance upon secrecy to reduce the chance that weaknesses may be detected and targeted.

18. Threats are identified using a process described by this mnemonic:

a) THREATEXPOSE
b) STRIDE
c) DREAD
d) CAPEC

19. Risk is calculated for each identified threat to prioritize findings and needs for remediation using which technique?

a) RISKCOMPUTE
b) DANGER
c) DREAD
d) THREATORDER

20. Benefits derived from threat modeling include all but which of the following?

a) Identifies threats and compliance requirements and evaluates their risk
b) Defines the need for required controls
c) Balances risks, controls, and usability
d) Guarantees that secure designs are sent for development

21. Cleaning up user input is called:

a) Validation
b) Sanitization
c) Normalization
d) Authentication

22. What is the attack technique used to exploit websites by supplying crafted input that alters the application's backend database queries?

a) LDAP Injection
b) XML Injection
c) SQL Injection
d) OS Commanding

23. Which attack can execute scripts in the user’s browser and is capable of hijacking user sessions, defacing websites, or redirecting the user to malicious sites?

a) SQL Injection
b) Cross-site scripting (XSS)
c) Malware uploading
d) Man in the middle

24. What is the type of flaw that occurs when untrusted user-entered data is sent to an interpreter as part of a query or command?

a) Insecure Direct Object References
b) Injection
c) Cross Site Request Forgery
d) Insufficient Transport Layer Protection
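Questions 21 to 24 all come down to the same mechanism: untrusted input reaching an interpreter (SQL, a browser's HTML parser) that cannot tell data from code. The block below is an added example, not part of the original quiz. It builds an in-memory SQLite table with constructed sample rows, shows the string-concatenated query that question 22 exploits beside its parameterized replacement, and separates validation (reject what does not fit the expected shape) from sanitization/output encoding (neutralise the characters a browser would execute, the cross-site scripting case in question 23). The function names and the `USERNAME_RE` pattern are choices made for this example.

```python
"""Injection and input handling: added example, not from the original quiz.

Everything here is constructed for the example: an in-memory SQLite table,
the sample usernames, and the attacker input. Function names are mine.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table in memory (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input concatenated into the query text (question 24's flaw).

    SQLite cannot tell the attacker's quote characters from the query's own,
    so a crafted username rewrites the WHERE clause (question 22).
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the value is never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Validation: accept only input that matches the expected shape, reject the rest.
# (Pattern chosen for this example.)
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> bool:
    """True only for a plausible username; anything else is rejected outright."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitize_for_html(value: str) -> str:
    """Sanitization / output encoding: keep the input but neutralise the
    characters a browser would interpret as markup, so a reflected value
    cannot run as a script (question 23)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, attack))      # every row leaks
    print("parameterized: ", lookup_parameterized(db, attack))   # []
    print("valid?         ", validate_username(attack))          # False
    print("sanitized:     ", sanitize_for_html("<script>alert(1)</script>"))
```

Validation and sanitization are complementary rather than interchangeable: a username field can be validated strictly and should never need sanitizing, whereas a free-text comment cannot be validated into safety and must be encoded for whichever interpreter it is later handed to. Neither replaces parameterized queries, which remove the SQL interpreter from the trust decision altogether.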

25. Priority for remediating vulnerabilities should be determined by:

a) Time to fix
b) Complexity of the remediation work
c) Riskiness of leaving the defect untreated
d) Programmer ability to remediate the defect

26. Static code testing can expose all but which of the following?

a) Unvalidated/unsanitized variable used in data flow
b) Use of insecure functions
c) Vulnerable software libraries contained in the application
d) Logic flaws that affect business data
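Question 26 hinges on what a static scanner can and cannot see. The block below is an added example, not from the original quiz and not any real SAST product: a miniature scanner that parses Python source into an AST and reports calls to insecure functions plus a variable that flows from an untrusted source into such a sink without passing a validator. The lists of sources, sinks and sanitizers are assumptions chosen for the example, and the sample program it scans is constructed here. Its final two lines contain a business-logic flaw that the scanner, by design, never reports, which is exactly why option (d) is the odd one out.

```python
"""A miniature static scanner: added example, not from the original quiz.

It parses Python source into an AST and reports two of the defect classes
in question 26: calls to insecure functions, and a variable that flows from
an untrusted source into a dangerous sink without passing a validator.
The source list, sink list and validator list are assumptions chosen for
the example; a real SAST tool ships far larger ones.
"""
from __future__ import annotations

import ast

INSECURE_FUNCS = {"eval", "exec", "os.system", "pickle.loads"}   # sinks (assumed)
TAINT_SOURCES = {"input", "sys.argv", "request.args.get"}       # sources (assumed)
SANITIZERS = {"int", "shlex.quote", "validate_username"}        # validators (assumed)


def dotted_name(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, otherwise None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: set[str] = set()      # variables currently holding untrusted data
        self.findings: list[tuple[int, str, str]] = []

    def _is_tainted(self, node: ast.AST) -> bool:
        """Does this expression carry untrusted data? (simple forward data flow)"""
        if isinstance(node, (ast.Name, ast.Attribute)):
            name = dotted_name(node)
            return name in self.tainted or name in TAINT_SOURCES
        if isinstance(node, ast.Call):
            fn = dotted_name(node.func)
            if fn in SANITIZERS:            # validated/sanitized: taint stops here
                return False
            if fn in TAINT_SOURCES:
                return True
            return any(self._is_tainted(a) for a in node.args)
        if isinstance(node, ast.Subscript):
            return self._is_tainted(node.value)              # e.g. sys.argv[1]
        if isinstance(node, ast.BinOp):
            return self._is_tainted(node.left) or self._is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                 # f-strings
            return any(self._is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        targets = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self._is_tainted(node.value):
            self.tainted.update(targets)
        else:
            self.tainted.difference_update(targets)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        fn = dotted_name(node.func)
        if fn in INSECURE_FUNCS:
            self.findings.append((node.lineno, "insecure-function", fn))
            if any(self._is_tainted(a) for a in node.args):
                self.findings.append((node.lineno, "tainted-argument", fn))
        self.generic_visit(node)


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line, finding-kind, function) triples for the given source text."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample program to scan. Lines 3 and 5 are findable by pattern;
# line 8 is a business-logic flaw (orders over ten items become free) that no
# syntactic scanner can recognise, which is the point of option (d).
SAMPLE_SOURCE = """\
import os
host = input("host: ")
os.system("ping -c 1 " + host)
count = int(input("count: "))
os.system("uptime")
total = count * 9.99
if count > 10:
    total = 0
"""

if __name__ == "__main__":
    for line, kind, fn in scan(SAMPLE_SOURCE):
        print(f"line {line}: {kind} ({fn})")
```

The scanner is deliberately shallow (no branches, loops, or calls across functions), but the structure is the same one real tools use: a source/sink/sanitizer model plus data-flow tracking. Vulnerable third-party libraries, the other item question 26 lists, are found by a different mechanism, matching declared dependency versions against a vulnerability database, which is usually packaged as software composition analysis alongside the static scanner.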

27. The alternative to remediating a defect is called:

a) Augmentation
b) Intensification
c) Mitigation
d) Avoidance

28. Penetration testing helps an organization do all of the following except:

a) Manage vulnerabilities
b) Avoid downtime
c) Preserve the corporation’s good reputation
d) Manage risks

29. Which of the statements below about penetration testing is incorrect?

a) It is an unintentional attack.
b) Pen testing is used for security assessment.
c) Pen testing improves the security of the system.
d) Pen testing discovers security weaknesses.

30. Which of the following are the potential benefits of using tools for testing?
i. Reducing the repetitive work
ii. Increasing consistency and repeatability
iii. Over-reliance on the tool

a) i and ii only
b) ii and iii only
c) i and iii only
d) All i, ii, and iii

31. Which of the following are success factors for deploying a tool within an organization?
i. Assessing whether the benefits will be achieved at a reasonable cost
ii. Adapting and improving processes to fit with the use of the tool
iii. Defining the usage guidelines

a) i and ii only
b) ii and iii only
c) i and iii only
d) All i, ii, and iii

32. What is the latest approach to driving DevOps?

a) Removing much of the latency that has existed for years around software development through automation.
b) Embracing service-oriented architecture to overcome interoperability and reusability challenges.
c) Embracing the waterfall model to meet the needs of evolving business requirements.
d) Embracing structured development methodologies since software became larger and more complex.

33. Specify the correct order of The Three Ways:

a) Understand and increase the flow of work, Create a culture that fosters experimentation and learning, Create short feedback loops that enable continuous improvement.
b) Create a culture that fosters experimentation and learning, Understand and increase the flow of work, Create short feedback loops that enable continuous improvement.
c) Understand and increase the flow of work, Create short feedback loops that enable continuous improvement, Create a culture that fosters experimentation and learning.

34. Benefits of a successful implementation of DevSecOps include which of the following:

a) Increased level of automation
b) Accelerated pace of interactions between the development and operations teams
c) Streamlining of processes
d) All the above

35. Which one of the following statements about DevSecOps is incorrect?

a) DevSecOps is only suitable for start-up companies.
b) DevSecOps is suitable for Brownfield software products and services.
c) DevSecOps is suitable for Greenfield software products and services.
d) Some of the most exemplary DevSecOps initiatives started in companies with giant and mature IT organizations.

36. The four core activities of Governance, Construction, Verification, and Deployment are described by:

a) BSIMM
b) CWE
c) OWASP
d) OpenSAMM

37. The Maturity Model you select for your own organization makes no difference so long as your measurement system is:

a) Repeatable
b) Actionable
c) Consistent
d) All the above

38. Which of the following is not characteristic of good security metrics?

a) Quantitatively expressed
b) Objectively expressed
c) Contextually relevant
d) Collected manually

39. When a company wishes to experiment with new technology to determine suitability for widespread use, in which environment should the testing be conducted?

a) Production
b) Sandboxed inside of development
c) QA
d) Development

40. Which of these is the most logical first step in an API development project?

a) Create a functional view of the related application
b) Put API usage monitoring in place
c) Choose either an API proxy or an API gateway
d) None of the above

41. The modern standard that makes the use of application containers during runtime possible is called:

a) Transporter
b) Docker
c) Loader
d) Executor

42. Bitcoin is an example implementation of:

a) Blocklinks
b) Chains of trust
c) Automated hierarchies
d) Blockchains

43. Benefits of preparing for CSSLP certification include all but which of the following:

a) Gauges an individual’s or development team’s competency in the field of application security
b) Provides a valuable blueprint to install or evaluate a security plan in the SDLC
c) Demonstrates commitment to the practice of software security
d) Increases the likelihood of gaining an interview for a secure SDLC position

44. OWASP Flagship project designation is given to projects that have demonstrated strategic value to OWASP and the application security community as a whole.

a) False
b) True

45. Demand for appsec practitioners has been dramatically increasing annually, and in 2021, the projected 5-year growth is estimated to be:

a) 164%
b) 95%
c) 110%
d) 2,000%
