Devsecops Solve

1. Which BEST represents the goal of DevSecOps?
a. Meet governance, risk and compliance requirements
b. Safely distribute security decisions at speed and scale
c. Automate security policies and audit requirements
d. Embed security practices into software development

2. According to Laloux’s advice process, what must be done by any person making a decision?
a. Seek advice from an expert
b. Seek advice from people who will be impacted
c. Consider the cost
d. Both A and B

3. Which is needed to build meaningful metrics?
a. Data
b. A repeatable approach
c. Context
d. All of the above

4. Which type of tool can be used to limit access to production by automation, orchestration
and configuration management tools?
a. Password management tools
b. Configuration management tools
c. Privileged access management tools
d. GRC tools

5. If Bob Berker establishes a pipeline to deploy software in a fast and continuous manner, which
of the following DevSecOps goals could he be trying to achieve?
a. Bake security in rather than bolt it on
b. The Third Way
c. Quality in checks
d. Rapid time to market

6. Which represents the BEST practices to building KPIs which reflect a responsive DevSecOps
Pipeline?
a. Whitelisting only approved applications and reporting results
b. KPIs are driven by pipeline/application with the ability to threshold and gate at every
stage
c. Allow teams to find their own solutions
d. Focus on meeting the audit team’s information and reporting requirements

7. Which term represents the capability of an environment or organization to tolerate change
and disturbances?
a. Resilience
b. Flexibility
c. Agility
d. Adaptability
© DevOps Institute DSOF v2.1 - Sample Examination 1 with Answer Key Sept2021 2
8. Which approach can be used to reduce tensions between an organization’s security,
development and operations teams that are caused by a comprehensive security program?
a. Introduce patterns over time so people become used to working in a certain way
b. Set strict gates between dev and ops functions
c. Distribute all security tasks which cause conflict to non-security individuals
d. Implement a Governance, Risk Management and Compliance (GRC) platform

9. Jacqueline establishes a pipeline to expedite her software development and is determined to
implement code-driven, peer-reviewed processes. Which of the following is she attempting
to implement?
a. Shifting security left
b. Data Standards
c. Data Validation
d. Reducing technical debt

10. What is Governance, Risk Management and Compliance (GRC)?
a. A class of tools/platforms
b. A team or practice/program area
c. An executive-level committee
d. Either A or B

11. Which statement about continuous security practices is MOST correct?
a. Represents the addressing of security concerns and testing in the Continuous Delivery
pipeline
b. Software development practice where team members integrate daily
c. Should be fully automated
d. Allows for every change to be processed through a pipeline and put into production

12. In the context of DevSecOps, which is an example of the ‘shift left’ principle?
a. Involve security during application design
b. Automate penetration tests
c. Introduce threat modeling
d. Introduce test-driven development

13. Which characteristic of resilient organizations makes it possible for them to overcome failure?
The ability to…
a. Recover quickly
b. Prevent impact
c. Learn fast
d. Both A and C

14. Planning for a DevSecOps pipeline requires managing the structure through carefully
implementing tools for notification, health and architectures. What type of asset categories
are typically associated with architecture?
a. Virtual Machines, Containers, Platform as a Service
b. Infrastructure as code, Identity as a service, Apache
c. Kafka, Kubernetes, Docker
d. Role-based access control, Supply chain metrics, scrum

15. Which describes the purpose of dynamic application security testing (DAST) tools?
a. Performs vulnerability and weakness analysis on source code
b. Performs vulnerability and weakness analysis on compiled (built) code
c. Checks for libraries or functions that have known vulnerabilities
d. Looks for security weaknesses by gaining access to a system's data

16. Which is a trigger for the incident response process?
a. Log data
b. Threat intelligence
c. Attack response data
d. Both A and B

17. As part of a DevOps experiment, a development team has set up a test environment using
cloud services. The team wants to use best practices to secure the environment. Which is NOT
an IAM best practice?
a. Store root access keys in a vault
b. Assign permissions directly to users
c. Rotate secrets on a cadence
d. Enable MFA authentication for privileged users

18. The term Safety Culture most likely refers to which of the following statements?
a. I feel free to tell my boss bad news
b. All OSHA standards are met and information sheets posted
c. Any incident is investigated and individuals found to be responsible are removed from
the company
d. Incidents are attributed to individuals rather than any breakdown in organizational
policy

19. In your responsive DevSecOps pipeline, which elements should best be used to create a
backlog for new work?
a. Suggestions from your customers
b. Recommended solutions from the C-Suite
c. New vulnerabilities identified by threat intelligence
d. Integration and Output gaps

20. An organization in a heavily-regulated industry is under tremendous pressure to bring its
products to market more quickly. Software developers indicate road blocks put in place by
Security Management to minimize risks are negatively impacting their ability to quickly release
production-ready code. Which DevSecOps principle should this organization consider FIRST to
improve its performance?
a. Invest in security education and awareness
b. Automate a minimum set of security practices
c. Create a shared vision and objectives
d. Measure for desired outcomes

21. An organization has a very limited budget. A team is investigating ways to improve
application security testing. Which testing technique will BEST meet their current needs?
a. Static application security testing
b. Dynamic application security testing
c. Software composition analysis
d. Penetration testing

22. A development team wants to replicate full original production data to conduct a series of
tests. In the context of DevSecOps Engineering, what conditions must be met for this to
happen?
a. Production data should never be used for testing
b. Backup the data prior to testing to mitigate risks
c. Store the data in a fully production-secure environment
d. Mask sensitive data after it is replicated

23. Which testing type complements an organization's continuous integration practices?
a. Penetration tests
b. Vulnerability scans
c. Canary tests
d. Static application security tests

24. An organization’s DevOps efforts have stalled due to audit concerns. Which DevSecOps
practices can help alleviate audit’s concerns?
a. Map changes to approved users and change record
b. Authenticate machine-to-machine communication
c. Ensure all access is logged and monitored
d. All of the above

25. Which factors are recommended to consider the potential impact of a threat?
a. Probability, Intent, Capability
b. Size, Activity, Location, Unit Type, Tactics, Equipment
c. Size, Activity, Movement, Doctrine, Operations, Command
d. Confidentiality, Integrity, Availability

26. In the context of DevSecOps, how do you put in place ‘just enough’ security?
a. Invest as much as possible to protect assets
b. Strike a balance between real and perceived exposure
c. Let the business decide based on the value of its data
d. Implement countermeasures for all threats

27. Which practice increases an organization's risk profile relative to IAM?
a. Enabling MFA
b. Storing secrets outside of vault
c. Identifying high-risk users
d. Regularly auditing policies

28. Which of the following practices support DevSecOps?
a. Implement security as code
b. Leverage automation
c. Involve audit and compliance early
d. All of the above

29. In the context of Westrum's research, which is NOT a characteristic of a generative
(performance oriented) culture?
a. Failure is viewed as a learning opportunity
b. Cooperation is difficult
c. New ideas are welcomed
d. Risks and responsibilities are shared

30. Mr. Jones works for a large organization with extensive compliance requirements but only a
limited security budget. He has already hired two senior security experts but must provide
routine coverage and integration for 20-30 development teams as well as global operations.
What may be a best practice to extend his security coverage at scale?
a. Divest corporate assets into smaller venture capital considerations
b. Strict approval processes
c. Security champions
d. Policy as Code

31. Which can be used to measure how long a vulnerability or software bug exists before it is
identified?
a. Mean Time to Change (MTTC)
b. Mean Time to Detect (MTTD)
c. Mean Time to Recovery (MTTR)
d. Deployment Frequency

32. Which statement about Emergency Response is INCORRECT?
a. Carefully selects key stakeholders for process inclusion
b. Prefers agile responses over documented plans
c. Functions based on agreed RACI Matrix
d. Maintains high availability for critical assets

33. Application security’s tendency to hand one-off reports to Dev teams outside their normal
operating cycles is a bottleneck in an organization’s software delivery life cycle. In the context
of application security testing, which practice can BEST be used to remove this constraint?
a. Automatically log findings into issue management
b. Automate the transfer of data between GRC and issue management
c. Have Application Support handle high-priority issues
d. Provide developers real-time findings reports

34. What is the first step to understanding the protection metrics associated with DevSecOps?
a. Decompose the application
b. Find the organization’s crown jewels
c. Conduct a source code review
d. Develop telemetry for all processes

35. Friction can arise when auditors don’t understand an organization’s new DevOps practices
and are unable to use their traditional controls. Which practice would most likely NOT alleviate
auditors’ objections and concerns?
a. Integrate auditors into the advice process
b. Direct auditors to the issue management tool
c. Build dashboards for the auditors
d. Provide real-time reporting

36. Which statement about cloud forensics and incident response is INCORRECT?
a. Emphasis is on live response
b. Responsibility of the cloud provider
c. Requires incident response planning
d. Data capture and workflow can be automated

37. After a series of successful pilots, an organization wants to scale its DevSecOps practices
across the enterprise. Which practice should they AVOID?
a. Use pre-blessed security libraries
b. Allocate team time to sit and learn together
c. Automate security testing to promote fast feedback
d. Create and dictate a clear set of security policies

38. Which statement about separation of duties and DevOps is INCORRECT?
a. Auditors must redefine controls
b. DevOps testing helps discover fraud and errors
c. Developers can submit code to testing pipelines rather than production
d. DevOps supports the principle of shared responsibilities

39. Which statement about DevSecOps and business transformation is CORRECT?
a. Security enables transformation by minimizing constraints
b. Security plays no role in transforming the business
c. Security and DevOps practices help change how the business functions
d. Transformation occurs when people make better security decisions

40. The advantage of obtaining a professional certification to validate your learning practice is:
a. Recognized at multiple levels across the profession
b. Long lead time
c. Free drinks at DevOps Days events
d. Personnel experience including Git projects
