312-97 EC-Council Certified DevSecOps Engineer (ECDE) Questions and Answers

Build-time checks are designed to enforce security gates within the CI/CD pipeline. When critical vulnerabilities such as SQL injection and cross-site scripting (XSS) are detected during this stage, the correct and expected behavior is tofail the build. Stopping the build process prevents insecure code from progressing to later stages such as testing, deployment, or production. Ignoring issues or merely sending alerts while continuing the pipeline undermines the purpose of shift-left security. Alerts to SIEM systems and issue trackers are typically supplementary actions, but the primary enforcement mechanism at build time is to block the pipeline when severity thresholds are exceeded. This approach reduces remediation costs, limits exposure, and ensures that only secure artifacts move forward in the DevSecOps lifecycle.

========

In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.

========

AWS Inspector is a managed vulnerability assessment service designed specifically to scan workloads running on Amazon EC2 instances and container images for security vulnerabilities and unintended network exposures. It automatically evaluates instances against known vulnerabilities and security best practices, providing detailed findings and risk severity levels. AWS WAF protects web applications from common web exploits but does not perform host-based vulnerability scanning. AWS Config tracks configuration changes and compliance but does not actively scan workloads for vulnerabilities. Amazon CloudWatch focuses on monitoring logs, metrics, and alarms rather than security scanning. For a Spring Boot microservices application deployed on EC2, AWS Inspector is the correct choice to continuously assess security posture during the Build, Deploy, and Operate phases of the DevSecOps pipeline.

========

The git-multimail tool provides a mechanism to verify whether it has been installed and configured correctly before being relied upon for production notifications. This verification is done using an environment variable namedGIT_MULTIMAIL_CHECK_SETUP. When this variable is set to anon-empty string, git-multimail performs a setup validation and outputs diagnostic information toconfirm that configuration values, hooks, and parameters are correctly defined. This helps prevent silent failures where commits occur but email notifications are not sent. Options that referenceGITHUB_MULTIMAIL_CHECK_SETUPare incorrect because git-multimail is not limited to GitHub and does not use that variable name. Additionally, setting the variable to an empty string does not trigger the setup check. Ensuring proper configuration during the Code stage is important because it supports auditability, traceability, and timely communication among development and security teams. Therefore, Brett must run the environment variableGIT_MULTIMAIL_CHECK_SETUPwith a non-empty value to ensure the tool is set up appropriately.

========

w3af (Web Application Attack and Audit Framework) is aDynamic Application Security Testing (DAST)tool. It analyzes running web applications by sending crafted requests and observing responses to identify vulnerabilities such as SQL injection, cross-site scripting, and authentication flaws. Unlike SAST tools, w3af does not require access to source code and instead operates externally, simulating real-world attack behavior. SCA focuses on third-party dependencies, and IAST requires runtime instrumentation within the application. Since Debra detected vulnerabilities by actively interacting with the application, w3af clearly represents DAST. DAST tools are especially valuable during the Build and Test stage, as they validate application behavior from an attacker’s perspective before deployment.

========

Dynamic Application Security Testing (DAST) and fuzz testing require a running application in order to actively probe for vulnerabilities such as injection flaws, authentication bypasses, and improper input handling. These techniques are therefore performed after the application has been built and deployed to a testing environment, categorizing them astest-time checks. Commit-time and build-time checks rely primarily on static analysis and dependency scanning and do not exercise application behavior at runtime. Deploy-time checks focus on configuration validation rather than aggressive attack simulation. Test-time checks are specifically designed to uncover critical and high-severity vulnerabilities by mimicking real-world attack scenarios. Performing DAST and fuzz testing during this stage allows teams to detect exploitable flaws before production release, significantly strengthening application security.

========

Prisma Cloud leveragesadvanced unsupervised machine learningto establish baselines of normal behavior within a customer’s cloud environment. By analyzing patterns in network traffic, resource interactions, and workload behavior without relying on labeled training data, it can detect anomalies and potential zero-day attacks with minimal false positives. Supervised approaches require predefined labels and known attack patterns, which limits effectiveness against new or unknown threats. Unsupervised data mining alone lacks the adaptive intelligence provided by machine learning models. Using unsupervised machine learning during the Build and Test stage enables continuous, intelligent security analysis across dynamic cloud-native workloads, supporting proactive threat detection in DevSecOps pipelines.

Bundler-Audit is a Software Composition Analysis (SCA) tool designed specifically for Ruby applications. It scans theGemfile and Gemfile.lockto identify all declared dependencies and their resolved versions. The Gemfile specifies which gems the application depends on, while the Gemfile.lock ensures consistent dependency versions across environments. Bundler-Audit compares this dependency information against a database ofknown vulnerabilitiesto identify insecure or outdated gems. It does not rely on the Travis CI configuration file for vulnerability detection, nor does it compare against unknown vulnerabilities. Integrating Bundler-Audit into the Build and Test stage ensures that vulnerable third-party libraries are detected early, allowing developers to remediate issues before the application progresses further in the pipeline. This practice supports shift-left security and reduces the risk of introducing known vulnerabilities into production systems.

========

ThreatSpec is a command-line tool that follows standard Unix-style conventions, where commands are lowercase. To generate a threat model report after annotating source code, the correct command is threatspec report. Commands using incorrect casing or capitalization will fail because the CLI is case-sensitive. Options A, B, and C incorrectly capitalize either the command or the subcommand. Generating threat model reports during the Plan stage allows DevSecOps teams to continuously identify, document, and visualize security threats as the code evolves. This practice embeds threat modeling directly into the development lifecycle, enabling early risk identification and more secure system design decisions.

========

Jenkins plugins are distributed and installed as .hpi files. To manually install a plugin, administrators upload the .hpi file through the Jenkins Plugin Manager using the “Upload Plugin” option. This approach is commonly used in environments with restricted internet access or when custom plugin versions are required. .war files are used for deploying the Jenkins application itself, not plugins, while .zip and .conf files are not recognized plugin formats. Installing the InsightAppSec plugin allows Jenkins pipelines to automatically trigger dynamic application security scans during the Build and Test stage. This integration ensures that web applications are continuously evaluated for vulnerabilities before deployment, supporting proactive security testing and risk reduction.

========

Retire.js is a Software Composition Analysis (SCA) tool designed specifically to identify known vulnerabilities in JavaScript libraries used in web and NodeJS applications. It scans dependencies and compares detected versions against a vulnerability database to identify insecure libraries. Bandit is a static analysis tool for Python, Bundler-Audit is used for Ruby dependencies, and Tenable.io focuses on infrastructure and vulnerability management rather than JavaScript libraries. Using Retire.js during the Code stage allows DevSecOps teams to identify insecure third-party dependencies early, reducing the likelihood of vulnerable libraries being deployed into production. This supports shift-left security and strengthens the application’s overall security posture.

========

Azure resource groups are created using the Azure CLI command az group create. The --name parameter specifies the resource group name, and --location defines the Azure region. Option A uses the correct CLI prefix (az), command group (group create), and valid parameters. Options B, C, and D are incorrect due to invalid command abbreviations or incorrect CLI prefixes (azure instead of az). Creating a resource group is a foundational step in the Release and Deploy stage, as it provides a logical container for AKS clusters, networking components, and related resources, enabling organized, secure, and manageable deployments.

========

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.

========

Grype is a vulnerability scanning tool used to analyze container images and file systems for known vulnerabilities across operating system and application dependencies. The most effective way to perform a comprehensive scan is by running the grype --scope all-layers command. This ensures that vulnerabilities are detected acrossall layersof the container image, not just the final runtime layer. Containers often inherit vulnerabilities from base images or intermediate layers, making full-layer scanning essential. The packages subcommand is used for listing detected packages rather than performing vulnerability analysis. Running Grype during the Build and Test stage allows DevSecOps teams to identify vulnerable base images and dependencies early, reducing the risk of deploying insecure containers into production and supporting secure container lifecycle management.

========

To inspect mount propagation modes for Docker containers, Rockmond needs to list all container IDs and then inspect their configuration. The docker ps --quiet --all command outputs container IDs only, which are then passed to docker inspect using xargs. The --format option allows extraction of specific fields, such as mount propagation settings. Option C correctly uses valid flags (--quiet --all) and proper formatting syntax. Options A and D incorrectly use single hyphens, and option B omits the equals sign, which is required to display the propagation value. Inspecting mount propagation during the Operate and Monitor stage helps prevent unintended privilege escalation or data modification by other containers, aligning with container hardening best practices.

========

GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.

Bitbucket provides a cloud-based source code management platform that supports collaboration, CI/CD integration, and secure code hosting. One of the key features offered by Bitbucket isfree unlimited private repositories, particularly beneficial for organizations developing proprietary software such as IoT applications. This allows teams to store source code securely without exposing it publicly while still enabling collaboration features like pull requests, issue tracking, and pipeline automation. The term “limited private repositories” is inaccurate because Bitbucket does not restrict the number of private repositories under its free offering; rather, user count limits apply. While Bitbucket also supports public repositories, the option that best represents its value to enterprise and product-based teams is unlimited private repositories. This capability aligns with DevSecOps practices by ensuring confidentiality of source code while enabling integrated planning, testing, and deployment workflows within a single platform.

========

Conjur policies define access controls, authentication rules, and secret variables, and they must be loaded into the correct policy branch. The conjur policy load command uses the -b flag to specify thepolicy branchand the -f flag to specify thepolicy file. To load a policy into the root branch, the correct command is conjur policy load -b root -f . Options that reverse or misuse these flags are invalid and would either fail or load the policy incorrectly. Loading policies correctly during the Build and Test stage ensures that Jenkins pipelines can securely access secrets at runtime, enforcing centralized secret management, least-privilege access, and compliance with security requirements.

========

Coverity is a well-known Static Application Security Testing (SAST) tool used to analyze source code for security vulnerabilities, coding errors, and quality issues. It integrates with CI/CD pipelines and supports enterprise-scale environments, including cloud-based development on platforms such as Azure. Accurics focuses on Infrastructure as Code security, Tenable.io is a vulnerability management platform for infrastructure and assets, and DevSkim is a lightweight code scanning extension rather than a full SAST platform. Selecting Coverity enables deep static analysis of application code during the Code stage, helping teams detect vulnerabilities early and reduce remediation costs.

========

The practices described—access management, defense in depth, minimizing third-party dependencies, and securing weak links—are all architectural and design-level decisions. These controls are not merely coding techniques or configuration defaults but reflect security being embedded into the system’s blueprint from the earliest stages. This aligns directly with theSecure by Designprinciple, which emphasizes proactively designing systems to resist attacks rather than reacting to vulnerabilities later. Secure by implementation focuses on writing correct and safe code, secure by default focuses on initial configuration settings, and secure by communication addresses trust and confidentiality in communication channels. Orange International’s approach demonstrates a holistic security mindset that anticipates threats and integrates protective measures throughout the system architecture, making Secure by Design the correct choice.

========

To complete Azure Key Vault integration with Jenkins, Kevin must createnew credentialsin Jenkins underGlobal Credentials (unrestricted). These credentials store the Azure client ID, client secret, tenant ID, and subscription details required by the Azure Key Vault plugin to authenticate securely. Modifying old credentials can lead to misconfiguration or credential reuse risks, while restricted credentials may prevent the plugin from accessing secrets across pipelines. Creating new unrestricted credentials ensures proper authentication and controlled access to secrets during the Code stage, supporting secure secret management across CI/CD workflows.

On Debian- and Ubuntu-based systems, ModSecurity for Apache is installed using the package libapache2-mod-security2. The correct command to install this package is sudo apt install libapache2-mod-security2 -y, where the -y flag automatically confirms installation prompts. The other options include invalid flags that are not recognized by the package manager and would result in command failure. Installing ModSecurity during the Operate and Monitor stage provides an additional layer of defense by inspecting incoming HTTP requests and blocking malicious traffic such as SQL injection, cross-site scripting, and protocol violations. A Web Application Firewall helps protect deployed applications from common attack vectors and supports defense-in-depth strategies in production environments.

When configuring Burp Suite scans in Jenkins using an Execute shell build step, environment variables are often set or echoed so that subsequent scan steps can consume them. The echo command is used to output or define values in the shell context. In this case, echo BURP_SCAN_URL = http://target-website.com correctly defines the target URL for Burp Suite scanning. Commands like grep and cat are used for searching or displaying file contents and are not appropriate for setting scan parameters. The sudo command is unnecessary and incorrect in this context. Using the correct shell command ensures that Burp Suite receives the proper target information during the Build and Test stage, enabling accurate dynamic application security testing.

========

SonarLint is a static code analysis tool designed specifically to be used inside developers’ IDEs, where it provides immediate feedback while code is being written. It highlights bugs, security vulnerabilities, and code smells and, importantly, providesclear remediation guidancethat explains why an issue exists and how it can be fixed. This aligns directly with Debra’s requirement to fix issues “before they exist,” meaning before code is committed to the repository. Arachni and OWASP ZAP are dynamic application security testing tools that require a running application and are typically used later in the pipeline. Tenable.io is a vulnerability management platform focused on infrastructure and application scanning rather than real-time developer feedback. By using SonarLint, developers receive continuous guidance during coding, supporting the shift-left security approach in DevSecOps and reducing the cost and effort of fixing vulnerabilities later in the lifecycle.

========

Jenkins exposes a predefined endpoint for receiving GitHub webhook events. This endpoint is /github-webhook/ and must be appended to the Jenkins base URL in the GitHub webhook configuration. Option C correctly matches the required endpoint format. The other options use incorrect casing, separators, or naming conventions that Jenkins does not recognize. Correct webhook configuration ensures that Jenkins jobs are automatically triggered when code changes occur in GitHub repositories. This integration supports continuous integration and immediate feedback during the Code stage of the DevSecOps pipeline.

========

Sqreen provides runtime application self-protection (RASP) capabilities that allow teams to detect and respond to security threats in real time. Sqreen uses a structured automation mechanism called aplaybookto define how security events are handled. A playbook consists of three key components: atriggerthat detects suspicious or malicious behavior, asecurity responsethat defines what action Sqreen should take (such as blocking a request or flagging an attack), and anotificationthat sends alerts to external systems like Slack. The term “cookbook” is not used in Sqreen’s alerting and response model, making options A and B incorrect. Option C incorrectly uses the phrase “Alert a response” instead of “security response,” which does not accurately describe Sqreen’s configuration model. By using playbooks, Sqreen enables automated detection, response, and team notification during the Operate and Monitor stage, ensuring rapid awareness and collaboration when security incidents occur.

========

The CentOS operating system uses theyumpackage manager to install software packages. Inside a CentOS-based Docker container, the correct way to install the Apache HTTP Server is by running yum install httpd. Containers typically run as the root user by default, making the use of sudo unnecessary. Commands such as install-httpd are invalid because yum requires the install keyword followed by the package name separated by a space. Installing required packages inside containers should be done carefully to avoid bloating images and increasing the attack surface. During the Operate and Monitor stage, DevSecOps teams must balance functionality with container hardening best practices by installing only necessary components.

========