312-97 EC-Council Certified DevSecOps Engineer (ECDE) Questions and Answers

Kubernetes uses namespaces to logically isolate resources such as pods, services, and deployments. When an application like Jenkins is deployed into a specific namespace, the correct way to view the pods running in that namespace is by using the -n (or --namespace) flag with the kubectl get pods command. The command kubectl get pods -n jenkins instructs Kubernetes to list all pods in the “jenkins” namespace. The other options use invalid or unrelated flags that are not supported for namespace selection. Verifying pod status during the Release and Deploy stage is essential to ensure that applications have been deployed successfully and are running as expected before exposing services or proceeding to monitoring. This step supports deployment validation and operational readiness in Kubernetes-based DevSecOps environments.

Docker allows inspection of container runtime configuration using the docker inspect command. To list security-related options such as no_new_privileges for all containers, the correct approach is to first retrieve all container IDs using docker ps --quiet --all and then pass them to docker inspect with a formatted output. The command docker ps --quiet --all | xargs docker inspect --format ': SecurityOpt=' correctly extracts the security options configured for each container. Options that use incorrect flags such as -quiet instead of --quiet, omit required parameters, or misformat the output string are invalid. Inspecting security options during the Operate and Monitor stage helps ensure that privilege escalation protections are enforced consistently, supporting container hardening and compliance with security benchmarks.

========

The DevSec Hardening Framework is commonly implemented usingChef, and it is executed locally using the chef-solo command. The -c flag specifies the configuration file (solo.rb), and the -j flag specifies the JSON attributes file (solo.json). Option A correctly uses both required parameters in the proper format. The other options incorrectly swap or misuse flags that are not supported by Chef-solo. Running this command applies secure configurations, compliance controls, and cryptographic standards to the target system. Executing DevSec Hardening Framework during the Operate and Monitor stage ensures that systems remain secure, compliant, and resilient against misconfiguration-based attacks.

========

The git pull command is used to fetch changes from a remote repository and automatically merge them into the current local branch. In collaborative development environments, especially when multiple developers are committing code to a shared repository, regularly pulling updates is essential to stay synchronized and avoid merge conflicts. The syntax git pull correctly specifies the source of the updates. Commands such as git get and git grabs do not exist in Git, and git push performs the opposite action by sending local changes to the remote repository rather than retrieving updates. Using git pull during the Code stage supports continuous collaboration and ensures that developers integrate the latest changes securely and efficiently.

========

Gauntlt is a security testing framework written in Ruby and distributed as a Ruby gem. The correct way to install a Ruby gem is using the gem install command followed by the lowercase gem name. RubyGems are case-sensitive and standardized to lowercase naming conventions, which makes gem install gauntlt the correct command. The gems command does not exist in Ruby’s package management ecosystem, and using uppercase names such as Gauntlt can lead to installation failures. Installing Gauntlt allows DevSecOps teams to write human-readable security tests and integrate them into CI/CD pipelines, enabling automated and collaborative security validation during the Build and Test stage.

========

Jenkins plugins are distributed and installed as .hpi files. To manually install a plugin, administrators upload the .hpi file through the Jenkins Plugin Manager using the “Upload Plugin” option. This approach is commonly used in environments with restricted internet access or when custom plugin versions are required. .war files are used for deploying the Jenkins application itself, not plugins, while .zip and .conf files are not recognized plugin formats. Installing the InsightAppSec plugin allows Jenkins pipelines to automatically trigger dynamic application security scans during the Build and Test stage. This integration ensures that web applications are continuously evaluated for vulnerabilities before deployment, supporting proactive security testing and risk reduction.

========

The description matches AWSBugBust, which AWS positions as a gamified, team-based bug fixing challenge rather than a classic external “bug bounty” for finding vulnerabilities in AWS itself. The key hints are “fun-based solution for bashing bugs,” “encouraging team building,” and “friendly competition,” along with scoring points and awarding prizes. BugBust focuses on improving code quality by motivating developers to find and fix issues (often via static analysis findings) in languages like Java and Python. Participants earn points for remediations and compete on leaderboards, which aligns directly with Sarah “scored the highest points” and received a cash reward. The other names (BugFixer, BugFinder, BugHunt) are plausible-sounding but do not match the commonly referenced AWS gamified program described. In a DevSecOps context, this type of program supports culture by incentivizing secure coding habits, encouraging shared ownership of quality, and making remediation visible and rewarding across the engineering team.

========

The docker save command exports one or more Docker images to a tar archive by writing the image data to standard output (STDOUT). To redirect this output into a file, the > redirection operator is used. The correct syntax is docker save > .tar. In this scenario, the image repository name is centos, and the desired archive file is centos-all.tar, making option B correct. Options C and D incorrectly use input redirection (<) instead of output redirection. Option A includes a space in the filename (centos all.tar), which would be interpreted as two separate arguments and cause an error unless quoted. Saving images to a tar archive is a common operational task used for backups, transfers between environments, or offline analysis during the Operate and Monitor stage.

========

AWS Inspector is a managed vulnerability assessment service designed specifically to scan workloads running on Amazon EC2 instances and container images for security vulnerabilities and unintended network exposures. It automatically evaluates instances against known vulnerabilities and security best practices, providing detailed findings and risk severity levels. AWS WAF protects web applications from common web exploits but does not perform host-based vulnerability scanning. AWS Config tracks configuration changes and compliance but does not actively scan workloads for vulnerabilities. Amazon CloudWatch focuses on monitoring logs, metrics, and alarms rather than security scanning. For a Spring Boot microservices application deployed on EC2, AWS Inspector is the correct choice to continuously assess security posture during the Build, Deploy, and Operate phases of the DevSecOps pipeline.

========

Azure resource groups are created using the Azure CLI command az group create. The --name parameter specifies the resource group name, and --location defines the Azure region. Option A uses the correct CLI prefix (az), command group (group create), and valid parameters. Options B, C, and D are incorrect due to invalid command abbreviations or incorrect CLI prefixes (azure instead of az). Creating a resource group is a foundational step in the Release and Deploy stage, as it provides a logical container for AKS clusters, networking components, and related resources, enabling organized, secure, and manageable deployments.

========

Burp Suite’sOut-of-band Application Security Testing (OAST)feature is designed to detect vulnerabilities that do not produce immediate or visible responses during standard scanning. OAST works by triggering interactions such as DNS or HTTP callbacks, which occur outside the normal request-response cycle. This capability enables detection of blind vulnerabilities like blind SQL injection and server-side request forgery. Because findings are based on confirmed external interactions, OAST significantly reduces false positives. The other options listed are not valid Burp Suite features. Integrating OAST during the Build and Test stage improves the accuracy of dynamic security testing and ensures deeper coverage of complex and hard-to-detect vulnerability classes before applications are released.

========

w3af (Web Application Attack and Audit Framework) is aDynamic Application Security Testing (DAST)tool. It analyzes running web applications by sending crafted requests and observing responses to identify vulnerabilities such as SQL injection, cross-site scripting, and authentication flaws. Unlike SAST tools, w3af does not require access to source code and instead operates externally, simulating real-world attack behavior. SCA focuses on third-party dependencies, and IAST requires runtime instrumentation within the application. Since Debra detected vulnerabilities by actively interacting with the application, w3af clearly represents DAST. DAST tools are especially valuable during the Build and Test stage, as they validate application behavior from an attacker’s perspective before deployment.

========

When changes are committed to a repository connected to an AWS Pipeline, the pipeline execution is triggered and monitored usingAmazon CloudWatch events. CloudWatch captures pipeline state changes, execution status, and approval notifications, enabling real-time monitoring and alerting. AWS Config tracks resource configuration changes, BinSkim is a binary analysis tool, and Security Hub aggregates security findings but does not directly track pipeline execution events. Integrating SonarQube into AWS Pipeline ensures static code analysis runs automatically upon commits, while CloudWatch provides visibility into pipeline activity. This setup strengthens security automation during the Code stage by ensuring every commit is analyzed and monitored.

========

To clone a repository from GitHub, the correct command is git clone followed by the accurate repository URL. The organization name continuumsecurity and repository name bdd-security must be spelled correctly for the command to succeed. Options using github clone are invalid because github is not a standard Git command-line utility. Options with misspelled organization names will result in errors. Cloning security testing frameworks during the Code stage enables DevSecOps engineers to evaluate, customize, and integrate security automation tools into development workflows, supporting secure application development and testing practices.

The correct installation procedure for the Sqreen PHP microagent involves downloading the installer script and executing it with the organization token and application name. The curl -s option downloads the script silently, while the > redirection operator saves it locally as sqreen-install.sh. The script is then executed using bash, passing the required token and app name as parameters. Options using input redirection (<) are incorrect because they do not save the downloaded script to a file. The -i option includes HTTP headers in the output, which is unnecessary and could corrupt the script. Installing the microagent correctly enables runtime monitoring, attack detection, and automatic blocking, supporting strong runtime security during the Operate and Monitor stage.

========

When working inside an interactive Docker container session, the container continues running as long as its primary foreground process is active. Executing the exit command terminates the shell session, which in turn stops the container if no other foreground processes are running. The kill command requires a process identifier and is not used in this context, while clear simply clears the terminal screen and does not affect container execution. The stop command is not a valid shell command inside a container. Properly stopping containers during the Operate and Monitor stage helps free system resources, prevent unintended service exposure, and maintain a clean runtime environment. This practice aligns with container lifecycle management best practices and reduces operational risk.

========

Publishing a NuGet package to a feed is done using the nuget.exe push command. The -Source parameter specifies the target feed name or URL, and the -ApiKey parameter is required even if the feed ignores its value. The publish verb is not used for NuGet package uploads, and -Destination is not a valid parameter for pushing packages. Therefore, nuget.exe push -Source "" -ApiKey is the correct command. Using command-line publishing supports automation and consistency in DevSecOps workflows, enabling secure and repeatable artifact distribution as part of continuous delivery pipelines.

In a mature DevSecOps pipeline, security controls are enforced asgates, not merely as informational checks. When an SCA tool detects acritical vulnerabilityin a dependency—whether direct or transitive—the correct response at the Build and Test stage is tofail the build. This prevents vulnerable artifacts from moving forward into later stages such as deployment or production, where remediation would be more expensive and risky. Allowing the build to continue, even with notifications, contradicts the shift-left security principle. Ignoring transitive dependencies is also dangerous, as many real-world vulnerabilities originate from indirect libraries. Failing the build forces developers to remediate the issue immediately by upgrading, replacing, or mitigating the vulnerable dependency. This approach reduces attack surface, enforces accountability, and ensures that only secure artifacts are released. Therefore, stopping the pipeline upon detection of critical vulnerabilities reflects a strong DevSecOps maturity model and effective security governance.

Retire.js is a Software Composition Analysis (SCA) tool designed specifically to identify known vulnerabilities in JavaScript libraries used in web and NodeJS applications. It scans dependencies and compares detected versions against a vulnerability database to identify insecure libraries. Bandit is a static analysis tool for Python, Bundler-Audit is used for Ruby dependencies, and Tenable.io focuses on infrastructure and vulnerability management rather than JavaScript libraries. Using Retire.js during the Code stage allows DevSecOps teams to identify insecure third-party dependencies early, reducing the likelihood of vulnerable libraries being deployed into production. This supports shift-left security and strengthens the application’s overall security posture.

========

GitLab CI/CD pipelines are defined using a configuration file namedgitlab-ci.yml, which must be placed in the root directory of the repository. This file controls pipeline stages, jobs, and template inclusions. To integrate Checkmarx SCA using a predefined template, the template reference must be included in the root-level gitlab-ci.yml file so GitLab can load and execute the defined jobs automatically. The other filenames listed in the options are not recognized by GitLab as valid pipeline configuration files. Integrating SCA at the Code stage allows early detection of vulnerable open-source dependencies, reducing remediation cost and preventing insecure components from progressing further in the DevSecOps pipeline.

Terraform provides the terraform destroy command to remove all infrastructure resources defined in the Terraform configuration files. This command safely tears down resources such as virtual machines, networks, and resource groups by consulting the state file and executing destruction in the correct dependency order. Commands like terraform kill, terraform kill-infra, and terraform destroy-infra do not exist in Terraform’s CLI. Using terraform destroy during the Release and Deploy stage allows DevSecOps teams to quickly remediate risk by removing insecure or non-compliant infrastructure, reinforcing the importance of Infrastructure as Code and controlled lifecycle management.

========

Bundler-Audit is an SCA tool designed specifically for Ruby applications. It analyzes the Gemfile and Gemfile.lock to identify dependencies and checks them against known vulnerability databases. Bandit is intended for Python code analysis, Retire.js targets JavaScript libraries, and Tenable.io focuses on infrastructure-level vulnerabilities. By using Bundler-Audit during the Code stage, DevSecOps teams can detect vulnerable Ruby gems early and ensure that only secure dependencies are used. This reduces the risk of exploiting known vulnerabilities in third-party libraries and supports secure dependency management throughout the development lifecycle.

========

Git hooks determine success or failure based on the exit code of the executed script. An exit code of0indicates successful execution, while any non-zero value signals failure and causes Git to abort the commit. In Jordon’s setup, a Bash shell calls a PowerShell script to perform pre-commit checks. If the PowerShell script exits with code 0, Git interprets this as a successful hook execution and allows the commit to proceed. Exit codes such as 1, 2, or 3 indicate errors or policy violations and will block the commit. This mechanism ensures that security or quality checks enforced by the pre-commit hook must pass before code is committed. Using exit codes in this way is a standard and reliable approach in cross-platform DevSecOps automation during the Code stage.

========

In Go-based tool installation, the standard method to download, compile, and install a Go package is using the go get command followed by the repository import path. Since Matt has already ensured that Go version 1.8 or later is installed and that $GOPATH/bin is included in the system PATH, running go get github.com/michenriksen/gitrob will fetch the GitRob source code, build the binary, and place it in the appropriate bin directory. Options B, C, and D are invalid because go get does not accept multiple positional arguments in that manner, and go git is not a valid Go command. Installing GitRob during the Code stage enables DevSecOps teams to scan repositories for accidentally committed credentials, API keys, and other sensitive information, helping prevent data leakage from public repositories.

========

HashiCorp Vault provides a key-value (KV) secrets engine for securely storing sensitive data. To remove a secret from the KV store, the correct command is vault kv del . This command deletes the secret data at the specified path. Options using -delete or -del are syntactically incorrect, and vault kv delete is not a valid Vault CLI command. Proper secret deletion is an essential part of secret lifecycle management, especially when credentials may have been compromised. Performing this action during the Operate and Monitor stage helps contain security incidents, reduce exposure, and ensure that compromised secrets are no longer accessible. Timely deletion of secrets supports effective incident response and strengthens overall security posture.

========

CloudMapper requires read-only access to AWS resources in order to collect metadata, visualize architectures, and perform security analysis without modifying infrastructure. The AWS-managed policySecurityAuditprovides permissions to view security-related configuration across services, whileViewOnlyAccessallows read-only access to AWS resources more broadly. Together, these policies enable CloudMapper to gather comprehensive information about the AWS environment without granting write privileges. The other options either reference invalid policy names, incorrect formatting, or excessive permissions such as AWSLambdaFullAccess, which are unnecessary and violate least-privilege principles. Granting SecurityAudit and ViewOnlyAccess aligns with secure auditing practices during the Operate and Monitor stage.

========

Change lead time measures the duration between a code commit and its successful deployment into production. This metric tracks how efficiently new features, bug fixes, and changes move through development, testing, and release stages. It is a key DevSecOps performance indicator used to assess pipeline efficiency and the effectiveness of automation and security integration. Mean time to recovery focuses on restoring service after incidents, change volume measures the number of changes rather than delivery speed, and time to value is a broader business metric. Change lead time directly reflects how well DevSecOps practices enable rapid yet secure delivery, making it the correct metric for measuring commit-to-production flow across all phases.

========