DevSecOps Study Notes
1. Security + DevOps
2. Security becomes integral part of process
By 2018, 90 percent of infrastructure and operations organizations attempting to use DevOps without
specifically addressing their cultural foundation will fail.
Regardless of the software development and lifecycle management approach, security needs to be built
into the software, not bolted on after the fact.
Practices
Tools
Deliver at high velocity
Evolve and improve
Speed = better served customers
Compete more effectively
Infrastructure as Code: Defining and managing system configuration through code that can be
versioned and tested in advance, to increase the speed of building systems and offer efficiencies
at scale.
Continuous Delivery: Using Continuous Integration and test automation to build pipelines from
DEVELOPMENT to TEST and then to PRODUCTION.
Continuous Monitoring and Measurement: Creating a feedback loop from production back to engineering,
collecting metrics, and making them visible to everyone to understand how the system is actually used,
and using this data to learn and improve.
Improved quality
CD is as much a cultural shift as it is a technical one. The biggest shift is from separate teams dealing
with the writing, testing, and deployment of software to a single team that is responsible for the successful
deployment of quality software - albeit one staffed by people who have specialized skills and are tasked
with specific responsibilities.
1. DevOps defined
2. Reason for embracing DevOps
3. Evolution of SDLC
4. Involve security sooner
Paradigm Shifts
1. Transform role of security
2. Give more responsibility to developer
3. Engage security and quality teams both early and often
1. Culture
2. Processes
3. Technologies
Security
Static analysis
Dynamic scanning
Security code reviews
Feedback
Developer training
Threat modeling
Penetration testing
The only way to build security into the software is to introduce security practices as early as
possible
1. Develop
2. Build & Test
3. Static Analysis
4. Check in
5. Build (CI)
6. Static Analysis & Unit Test (CI)
7. Deploy to QA/Stage (CD)
8. Dynamic Analysis & Regression Testing (CD)
Triggers compilation process: runs unit tests, runs quality tests, runs static analysis tools
Difficult to scale
Limited Resources
Dev and Ops given for security
Training
Principles
Practices
Tools
Avoid unsafe practice
Security becomes frame of mind
Building Case
Involve security and quality teams in the development process early and often.
When we say “shifting security to the left” we mean: to introduce security practices as early as possible.
When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operation teams. (False)
In this we explore the benefits to the organization that occur when security, development and operations
work together; learn the importance of assembling a team of advocates and champions to bridge the gap
between development and security; and discover how successful transformation and cultural change lead
to positive results.
Analyze the benefits to the organization that occur when security, development and operations
work together.
Assemble a team of advocates and champions to bridge the gap between development and
security.
Create positive results towards business goals through successful transformation and cultural
change.
Development
Security
Operations
Traditional Security:
Operational and Engineering
Must yield to risk aversion & protective measure
Security maintained veto power
Yet DevOps and Business
Needed freedom
To drive business forward
Cultural Challenges
Frictions
Resistance
Daily Touchpoints
Wikis, Blogs & Portal
Messaging App
Lunch & Learn
Opportunities to Communicate
DevSecOps
Succeed together
Fail together
By 2018, 90 percent of infrastructure and operations organizations attempting to use DevOps without
specifically addressing their cultural foundation will fail.
Security considerations are always at odds with those of Development and Operations. (False)
Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups?
1. Gap Analysis
2. Gain Consensus
Greater satisfaction
Higher performance
Increased throughput
Better outcomes
Higher financial performance
Security champions:
Cultural changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment and
operational environment as possible to more rapidly deliver high-quality and highly secure code.
Place the steps of Gartner’s 5-Step Approach to Cultural Challenges in the correct order:
1. Gap Analysis
2. Gain Consensus
3. Small Focused Pilot
4. Incremental Deploy With Feedback Loops
5. Continual Improvements Over Time
Teams must understand and accept that everyone has something to offer
Everyone is responsible for security
Goal = safely distributing security decisions
Multiple teams
Various technologies
Various languages
Code repositories
Open source code libraries
Sophisticated practice for CI/CD
Threat modeling
Attack surface evaluation
Static & dynamic analysis
Penetration testing
Fuzzy testing
Automate Security In
Integrate to Fail Quickly
No False Alarms
Build Security Champions
Keep Operational Visibility
1. Initiate
2. Control
3. Return Results
4. Productized support
Security Incidents
DEV-SEC-OPS
1 Cultural Challenge
2 Frictions
3 Resistances
1. Gap Analysis
2. Gain Consensus
3. Small, Focused Pilot
4. Incremental Deploy with Feedback Loops
5. Continual Improvements Over Time.
DevOps
Automation
Required to scale
Establishes consistency
Enables confident iteration
Dev[Sec]Ops
People
In this we discuss influencing a shift from traditional security to continuous security, applying sets
of security controls in the application and infrastructure layers of the DevOps Pipeline and how
AppSec Pipelines can be applied to an application security program utilizing the principles of
DevOps and Lean.
Influence a shift from traditional Security to Continuous Security
Apply sets of security controls in the application and infrastructure layers of the DevOps Pipeline
while testing them continuously, in an automated manner.
Discover how AppSec Pipelines take the principles of DevOps and Lean and apply that to an
application security program.
DevOps practitioners believe the SDL model doesn’t fit the bill for fast-paced environments.
DevOps Pipelines
Development Teams
Develop
Test
Release
Cloud Services
Continuous Integration
Testing changes
Code integrated daily
Continuous Delivery
Continuous Deployment
Cloud Environments
Knowledge Check
Continuous Integration: Routinely integrating code change into a repository and testing changes.
Continuous Delivery: Building software that can be released to a cloud environment at any time.
Continuous Deployment: Every change that passes all stages of production pipeline is released to
customers. Fully automated.
Cloud Environment: Enable cost reduction of operating infrastructure, rapid elasticity, flexibility.
Continuous Security
1. Plan
2. Code
3. Build
4. Test
5. Release
6. Deploy
7. Operate
8. Monitor
Application Security:
Infrastructure Security
Pipeline Security
Testing Continuously
Test Driven Security (TDS)1, a term coined by Mozilla, is an approach similar to Test Driven Development
(TDD), which recommends that developers write tests that represent the desired behavior first, then write
the code that implements the tests.
TDS proposes the following:
• The list of security controls should be established between the Security, Development and IT
Operations teams.
• The Security teams must clearly state and document what is expected from the application. They are
responsible for organizing a Rapid Risk Assessment (RRA)2 with appropriate stakeholders when the
project is initiated to capture any potential business and technical risks. They also need to write, in
conjunction with the Development teams, the security tests that represent the desired behavior of the
application. Finally, they are responsible for establishing the tools to be used in the AppSec Pipeline, with
help from IT Ops, that will test the software being developed for security vulnerabilities at different
stages of the DevOps Pipeline.
• The Development teams implement the controls that have been tested by Security and address any
vulnerabilities identified in the AppSec Pipeline.
• The IT Operations teams write the code/templates that build the infrastructure. They are also
responsible for setting up the DevOps and AppSec Pipelines and ensuring the corresponding tools are properly
installed and security hardened to prevent any hacks/data breaches.
Which of the following choices are security controls in the application and infrastructure layers of a DevOps
pipeline? 1) Application Security, 2) Infrastructure Security and 3) Pipeline Security are the security controls
in the application and infrastructure layers of a DevOps pipeline.
Put the four steps of an AppSec Pipeline in consecutive order: 1) Intake Process 2) Triage 3) Test 4)
Deliver
The test-driven security test will initially fail. True: it is expected that the TDS tests will initially fail. Once the
controls are implemented, the TDS tests will pass.
The value of a logging pipeline, importance of getting incident management right, utilizing KPIs to
measure performance.
Discover the value of using a logging pipeline to analyze usage and security incidents in real-time.
Analyze the importance of getting incident management right.
Construct KPIs to measure the performance of a DevSecOps program.
https://www.csoonline.com/article/3132078/security/devopssec-secdevops-devsecops-whats-in-a-name.html
Collect: Log events are recorded from various components of the infrastructure.
Stream: Log records are captured and routed to the corresponding Layer.
Analyze: Log records are inspected in order to detect anomalies and raise alerts.
Store: Log records are stored in short & long-term storage facilities.
Access: Log administrative console to access and review logs/alerts
Incident Management
1. Preparation: Incident response, Creating documentation, Building tools
2. Detection & Analysis: Analyzes symptoms, Decides next steps
3. Containment Eradication & Recovery: Tries to contain incident, Recover, Restore data,
processes
4. Post-Incident Activity: Review incident Two goals: 1) Reduce probability of recurrence 2)
Improve incident handling procedures.
Blended Approach to Detection: Static, Synthetic, APM, Logging, Beware of alert fatigue
Business-focused Metrics: Mature DevSecOps teams, Business core metrics, Detect application health,
Expanded view, Additional inputs: social media, news feed
Data-driven Investigations: Mature DevSecOps teams, Clean observation, Testable hypotheses, Clear
success criteria, Iterative approach
Actionable Alerts: Alerts require action, Delivery to appropriate person, Permission and ability to act
ChatOps for Communication: Common, Time-indexed, Searchable record of incidents, Useful records
Runbooks for Remediation: Best runbooks explain: Metrics and alerts, Application or system roles,
Identify upstream and downstream dependencies, Identify an escalation point or Subject Matter Expert,
Enumerate known failure states or symptoms
Adopt Infrastructure as Code (IaC): Rebuilding a system or environment, Quick easy configuration
Metrics
Language of cooperation
Spoken in numbers
Metrics for DevSecOps
Choose the right metrics – Business needs, Compliance requirements
TERMS:
Availability: Amount of uptime/downtime in a given time period in accordance with the service-level
agreement (SLA)
Change Failure: Percentage of production deployments that failed.
Change Lead Time: Time between a code commit and production deployment of that code.
Change Volume: Number of user stories deployed in a given time frame
Customer Issues Resolution Time: Mean time to resolve a customer-reported issue
Customer Issue Volume: Number of issues reported by customers in a given time period
Defect Burn Rate: Amount of time to fix vulnerabilities in an application.
Defect Density: The number of bugs identified divided by the codebase of an application.
Deployment Frequency: Number of deployments to production in a given time frame.
Logging Availability: Amount of uptime/downtime of the logging pipeline in a given time period.
Mean Time Between Failures (MTBF): The amount of time that elapses between one failure and the next.
Mathematically, this is the sum of MTTF and MTTR, the total time required for a device to fail and that
failure to be repaired.
Mean Time to Failure (MTTF): Time that a system is online between outages or failures.
Mean Time to Recovery (MTTR): Time between a failed production deployment and full restoration of
production operations.
Number of False Positives: The number of mistakenly flagged vulnerabilities for an application.
Number of Functional/Acceptance Tests: Number of automated functional or acceptance tests for an
application.
Number of Passed/Failed Security Tests: Number of automated security tests for an application.
Number of Unit/Integration Tests: Number of automated unit or integration tests for an application.
Security Benchmark Deviation: Deviation between security benchmarks applied to an image and
security benchmarks on an instantiated image.
Security Controls: Number of technical security controls partially or fully in place.
Test Coverage: Percentage of code that is covered by automated tests.
Time to Patch: Time between identification of vulnerability in platform or application and successful
production deployment of a patch.
Time to Value: Time between a feature request (user story creation) and realization of business value
from that feature.
Vulnerability Patching Frequency: How often vulnerability patches are regularly deployed to production.
Vulnerability Patching Lead Time: Time between discovery of a new vulnerability (i.e., its publication) and
patching in production.
1. Greater satisfaction
2. Higher Performance
3. Increased throughput
4. Better outcomes
5. Higher financial performance
Security Champions:
Culture changes come in the form of integrating teams that historically have been disparate around a
single vision. Technical changes come with automating as much of the development, deployment, and
operational environment as possible to more rapidly.
Successful
1) Better retention of talent 2) Ability to better respond to change 3) Increased efficiency 4) Savings
from reduction of manual process 5) Reduction of software fixes late in life cycle.
The security teams look at: 1) Product requirements 2) Early designs 3) Add security based on threat
models 4) Architecture is reviewed 5) Security controls proposed.
Can the product withstand a simulated attack? 1) Manual testing 2) Automated tools
DevOps practitioners believe the SDL Model doesn’t fit the bill for fast-paced environments.
Continuous Integration
Continuous Delivery
Cloud Security Alliance (CSA) CSA Security Guidance for Critical Areas of Focus in Cloud Computing
Treacherous 12 Cloud Computing Top Threats Fore adopting the cloud paradigm
https://www.oreilly.com/ideas/9-tips-for-a-more-secure-continuous-delivery-pipeline
1. Metrics
2. Continuous Monitoring
3. Insight into the types of traffic
4. Application-level security metrics
5. Patterns of malicious activity
6. Stored logs
Logging pipeline
1) Analyze usage
2) Analyze security incidents
Log management tools Reading & parsing logs Distinguishing unauthorized activity
TERMS: DEFINITION
Availability: Amount of uptime/downtime in a given time period, in accordance with the SLA.
Change Failure: Percentage of production deployments that failed.
Change Lead Time: Time between a code commit and production deployment of that code.
Change Volume: Number of user stories deployed in a given time frame.
Customer Issue Resolution Time: Mean time to resolve a customer-reported issue.
Customer Issue Volume: Number of issues reported by customers in a given time period.
Defect Burn Rate: Amount of time to fix vulnerabilities in an application.
Defect Density: The number of bugs identified divided by the codebase of an application.
Deployment Frequency: Number of deployments to production in a given time frame.
Logging Availability: Amount of uptime/downtime of the logging pipeline in a given time period.
Mean Time Between Failures (MTBF): The amount of time that elapses between one failure and the next.
Mathematically, this is the sum of MTTF and MTTR, the total time required for a device to fail and that
failure to be repaired.
Mean Time to Failure (MTTF): Time that a system is online between outages or failures.
Mean Time to Recovery (MTTR): Time between a failed production deployment to full restoration of
production operations.
Number of False Positives: The number of mistakenly flagged vulnerabilities for an application.
Number of Functional/Acceptance Tests: Number of automated functional or acceptance tests for an
application.
Number of Passed/Failed Security Tests: Number of automated security tests for an application.
Key Performance Indicators
Number of Unit/Integration Tests: Number of automated unit or integration tests for an application.
Security Benchmark Deviation: Deviation between security benchmarks applied to an image and security
benchmarks on an instantiated image.
Security Controls: Number of technical security controls partially or fully in place.
Test Coverage: Percentage of code that is covered by automated tests.
Time to Patch: Time between identification of a vulnerability in the platform or application and successful
production deployment of a patch.
Time to Value: Time between a feature request (user story creation) and realization of business value
from that feature.
Vulnerability Patching Frequency: How often vulnerability patches are regularly deployed to production.
Vulnerability Patching Lead Time: Time between discovery of a new vulnerability (i.e., its publication) and
patching in production.
Test Driven Security (TDS)1, a term coined by Mozilla, is a similar approach to
Test Driven Development (TDD) which recommends developers to write tests that represent the desired
behavior first, then write the code that implements the tests.
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
2. STRIDE: https://en.wikipedia.org/wiki/STRIDE_(security)
3. Waterfall Model: https://en.wikipedia.org/wiki/Waterfall_model
4. Test Driven Security (TDS):
https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
5. Rapid Risk Assessment (RRA):
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
6. OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
7. OWASP ASVS: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
8. 9 tips for a more secure continuous delivery pipeline: https://www.oreilly.com/ideas/9-tips-for-a-more-secure-continuous-delivery-pipeline
9. CSA Treacherous 12: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
10. CSA Security Guidance for Critical Areas of Focus in Cloud Computing:
https://cloudsecurityalliance.org/download/security-guidance-v4/
1) Intake Process: Customer requests an application security service (DAST, SAST, manual assessment).
2) Triage: Determination made for applying requested services.
3) Test: The heart of the pipeline, where AppSec tools feed results into a repository and results are
checked for false positives.
4) Deliver: Results are distributed to appropriate parties. Defects are tracked. Metrics
summarized.
Application Security
Iterative improvement
Post-Incident Activity
Lose focus
Compliance
requirements
Question 1 options:
Question 2 options:
True
False
Question 3 options:
True
False
Which of the following describes the percentage of production deployments that failed?
Question 4 options:
Change volume
Change failure
Test coverage
Availability
The amount of uptime/downtime of the logging pipeline in a given time period is called:
Question 5 options:
Logging Availability
Which of the following is an effective enabler of DevOps because it focuses on small teams continually
delivering high quality code to customers.
Question 6 options:
Waterfall
Agile
Service-oriented architecture
Routinely integrating code change into a repository and testing the changes is called:
Question 7 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment
Agile and DevOps each has its own set of objectives and methods of achieving its goals.
Question 8 options:
True
False
Building software that can be released to a cloud environment at any time is called:
Question 9 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment
Question 10 options:
Question 11 (1 point)
True
False
Question 12 options:
Embracing structured development methodologies since software became larger and more
complex
Embracing the waterfall model to meet the needs of evolving business requirements
Removing much of the latency that has existed for years around software development through
automation.
Question 13 (1 point)
Question 13 options:
True
False
The time between a feature request and the realization of business value from that feature is called:
Question 14 options:
Deployment Frequency
Time to Value
Which of the following choices are security controls in the application and infrastructure layers of a
DevOps pipeline? Choose three:
Question 15 options:
Application Security
CSA Security
TSA Security
Infrastructure Security
Pipeline Security
Test-driven Security
Securing a continuous delivery pipeline may involve which of the following? Select all that apply:
Question 16 options:
Strong access control across the entire toolchain and access audits
Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.
Creating a culture conducive to successful DevOps practices requires which of the following? Select all
that apply:
Question 17 options:
Security awareness
Training
DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:
Question 18 options:
Continuous integration tools to ensure that every code change results in a new product build
Automated test tools to verify code quality and provide quick feedback
A successful implementation of DevSecOps will require which of the following? Select all that apply
Question 19 options:
Elimination of silos
DevOps allows an organization to increase its ability to deliver applications and services at high velocity.
Question 20 options:
True
False
What are the five principles for securing DevOps? Select all five principles:
Question 21 options:
Automate security in
No false alarms
Which of the following is true about security champions? Select all that apply:
Question 22 options:
They may help make decisions about when to engage the security team
They may act as the voice of security for a given product or team
They may assist in the triage of security bugs for their team or area
Which of the following is a correct statement in the context of a successful DevSecOps implementation?
Select all that apply:
Question 23 options:
Adopting DevSecOps always results in reduced development costs for a software project
Below are the four steps of an AppSec pipeline. Which one shows the steps in the correct order?
Question 24 options:
Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?
Question 25 options:
Time to Patch
Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?
Question 26 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment
Which KPI measures the number of automated security tests for an application?
Question 27 options:
Security Controls
Defect Density
Cloud environments play a central role in DevOps by enabling which of the following? Select all that
apply:
Question 28 options:
Communication tools
Rapid elasticity
Flexibility
Automated archiving
Question 29 options:
Time to value
Defect density
Question 30 options:
Quiz
Question 1
When shifting from a DevOps to DevSecOps workflow, a company must always embed a SME from
security into the development and operations teams.
Question 1 options:
True
False
Question 2
Ease of communication is essential in building a DevSecOps culture. Which of the following can
encourage better and more frequent communication between various groups? Select all that apply:
Question 2 options:
Wikis
Finger pointing
Name calling
Blogs
Question 3
Question 3 options:
Question 4
Why would an organization choose to move from a traditional SDLC structure to a DevOps structure?
Select all that apply.
Question 4 options:
Because regulations and privacy laws are forcing them to change their SDLC.
Because DevOps places more emphasis on software security than traditional SDLC.
I wouldn’t advise the change. They should stick with traditional SDLC.
Question 5
Which of the following KPIs communicates to management how a DevSecOps workflow results in higher
customer satisfaction?
Question 5 options:
Change failure
Test coverage
Logging availability
Question 6
Question 6 options:
Streamlining of processes
Question 7
Agile and DevOps each has its own set of objectives and methods of achieving its goals.
Question 7 options:
True
False
Question 8
Which of the following KPIs could indicate an overall increase in the speed of the software development
life cycle?
Question 8 options:
Deployment frequency
Change failure
Question 9
What would be the primary reason for an organization to transition from DevOps to DevSecOps at this
point?
Question 9 options:
To bring the development team up to speed with the latest on application security
Question 10
Place the steps of Gartner’s 5-Step Approach to Cultural Challenges in the correct order:
Question 10 options:
Gain Consensus
Gap Analysis
Question 11
The amount of uptime/downtime of the logging pipeline in a given time period is called:
Question 11 options:
Logging Availability
Question 12 options:
True
False
Question 13
Question 13 options:
Waterfall
Agile
Service-oriented architecture
Question 14
Question 14 options:
Availability
Time to patch
Question 15
Question 15 options:
Question 16
Question 16 options:
True
False
Question 17
Question 17 options:
True
False
Question 18
Building software that can be released to a cloud environment at any time is called:
Question 18 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment
Question 19
Security considerations are always at odds with those of Development and Operations.
Question 19 options:
True
False
Question 20
Question 20 options:
Question 21
Which of the following describes the percentage of production deployments that failed?
Question 21 options:
Change volume
Change failure
Test coverage
Availability
Question 22
Routinely integrating code change into a repository and testing the changes is called:
Question 22 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment
Question 23
Question 23 options:
True
False
Question 24
Securing a continuous delivery pipeline may involve which of the following? Select all that apply:
Question 24 options:
Strong access control across the entire toolchain and access audits
Protecting (i.e. digitally signing) binaries and other build artifacts against tamper, etc.
Question 25 (1 point)
Which KPI measures the amount of time between identification of a vulnerability in the platform or
application and successful production deployment of a patch?
Question 25 options:
Time to Patch
Question 26
Which KPI measures the number of automated security tests for an application?
Question 26 options:
Security Controls
Defect Density
Question 27
Question 27 options:
Time to value
Defect density
Question 28
Below are the four steps of an AppSec pipeline. Which one shows the
steps in the correct order?
Question 28 options:
Question 29
DevOps teams rely on a variety of tools to help them deploy code faster. Which of the following types of
tools are used by DevOps teams for that purpose? Select all that apply:
Question 29 options:
Continuous integration tools to ensure that every code change results in a new product build
Automated test tools to verify code quality and provide quick feedback
Question 30
Which of the following enables cost reduction of operating infrastructure, rapid elasticity, and flexibility?
Question 30 options:
Continuous integration
Continuous delivery
Continuous deployment
Cloud environment