Explore fundamental concepts of DevSecOps and security integration within CI/CD pipelines. This quiz covers key practices, risks, and security controls to help reinforce secure software delivery processes.
Why is it important to integrate security checks early in the CI/CD pipeline rather than only at the end?
Explanation: Detecting vulnerabilities early in the CI/CD pipeline helps to address issues before they are deeply embedded, making fixes less costly and time-consuming. Increasing deployment time is not a beneficial goal. Eliminating manual code reviews or merely speeding up deployments is not a primary reason for early security integration. Early detection is key for effective security.
What is the main goal of Static Application Security Testing (SAST) in a CI process?
Explanation: SAST analyzes the source code to find vulnerabilities before the application is deployed, preventing issues from reaching production. Monitoring after release is related to runtime, not source code analysis. Testing firewalls is a separate network security activity, and automating delivery focuses on deployment, not code security.
What type of risk is presented by leaking secrets, such as API keys, in version control within CI/CD?
Explanation: Leaking secrets in version control makes them accessible to anyone with access, which can lead to unauthorized access or exploitation. It does not improve performance or reduce costs—on the contrary, it increases risk. Additionally, leaking secrets does not make code more readable; it compromises security.
Implementing the principle of least privilege in CI/CD means which of the following?
Explanation: The principle of least privilege ensures that each user or process has only the permissions required to perform their function, reducing potential security breaches. Granting administrative rights or sharing credentials increases risk. Disabling access controls undermines the security posture and opens up vulnerabilities.
When a vulnerability is detected during automated CI/CD security scans, what should happen next?
Explanation: Fixing vulnerabilities before deployment helps prevent exploitable flaws from reaching production. Ignoring issues undermines security. Closing tickets automatically removes the chance for real remediation. Waiting until after production increases risks and remediation costs.
What is the primary purpose of scanning dependencies in a CI/CD pipeline?
Explanation: Dependency scanning checks for vulnerabilities in libraries and components, which may introduce security risks if left unchecked. Speeding up builds, reducing file size, or removing comments do not address security issues associated with dependencies. Security scanning helps ensure safe use of third-party code.
Why should development, testing, and production environments remain isolated in a secure CI/CD process?
Explanation: Isolating environments prevents unauthorized access or mistakes in lower environments from affecting live systems. Allowing unrestricted access or bypassing checks increases risk rather than mitigating it. Simplifying database configurations is unrelated to environment isolation and does not focus on security.
Which type of security testing examines a running application for vulnerabilities during execution in the CI/CD process?
Explanation: DAST analyzes a running application to uncover security weaknesses that appear during execution. Static code analysis reviews source code, not running applications. Configuration management relates to settings, not live vulnerability scanning. Unit testing checks code logic, not security vulnerabilities during execution.
What is the main function of automated security gates in a CI/CD pipeline?
Explanation: Automated security gates enforce security policies by preventing deployments when issues are found. Manual approvals are time-consuming and not automated. Monitoring server uptime and testing performance do not ensure security requirements are met before delivery.
Which practice helps protect sensitive credentials stored within the CI/CD pipeline?
Explanation: Encrypted environment variables safeguard credentials from exposure during the build and deployment process. Storing secrets in plain text, committing them to public source code, or distributing them via email are insecure practices that greatly increase the risk of leakage or compromise.