Quiz: DevSecOps and the Secure Pipeline

DataField.Dev

Quiz: DevSecOps and the Secure Pipeline

A 26-question self-check covering shift-left, the pipeline scans, pipeline integrity, policy as code, and guardrails versus gates. Questions tagged [Sec+] map to CompTIA Security+ objectives and [CISSP] to the (ISC)² CISSP Software Development Security domain. Answers and one-line explanations are at the end; try the whole quiz before checking.

Section 1 — Multiple choice (1 pt each)

1. [Sec+] "Shift left" in DevSecOps means: A. moving servers to the left data center B. moving security activities earlier in the SDLC C. delegating security to the operations team D. running scans only at deployment

2. Which scan answers the question "are we running a known-vulnerable version of a third-party library?" A. SAST B. DAST C. SCA (software composition analysis) D. IaC scanning

3. [Sec+] A scan that analyzes Terraform or CloudFormation files for misconfigurations before the infrastructure is created is: A. DAST B. container image scanning C. IaC scanning D. penetration testing

4. [CISSP] The SolarWinds (Sunburst) attack is best characterized as: A. a phishing campaign B. a stolen-password breach C. a build-pipeline compromise that injected malicious code during compilation D. a ransomware attack

5. A valid digital signature on a software artifact proves: A. the software is free of vulnerabilities B. the software came from the signer and was not altered afterward C. the software passed all tests D. the build server was secure

6. [Sec+] A control built into the environment that makes an unsafe action structurally impossible, without inspecting each case, is a: A. gate B. guardrail C. firewall D. honeypot

7. The densest cluster of automated security gates belongs at which SDLC stage, and why? A. requirements, because it is earliest B. operate, because it is closest to real attacks C. build/CI, because it is automated, controlled, and early-but-complete D. design, because no code exists yet

8. [CISSP] "Policy as code" primarily provides which advantages over a written PDF policy? A. it is longer and more detailed B. it is machine-enforced, versioned, testable, and consistent C. it requires no security team D. it eliminates the need for guardrails

9. Secrets scanning belongs both as a pre-commit hook and a CI gate because: A. two scans are always better than one B. pre-commit hooks are advisory and skippable; the CI gate is the unskippable backstop C. the CI gate is faster D. pre-commit hooks cannot detect secrets

10. [Sec+] Which is an example of provenance in the software supply chain? A. a list of a build's CPU usage B. verifiable metadata attesting which source commit and which builder produced an artifact C. the artifact's file size D. the developer's name in the commit

11. Why is risk modeled by failing the build only on high-severity findings rather than on every finding? A. low-severity findings are never real B. a gate that breaks on everything trains developers to ignore or remove it C. scanners cannot rank severity D. it is required by law

12. [CISSP] Which control would have most directly prevented the SolarWinds injection (as opposed to merely detecting it)? A. antivirus on customer machines B. an isolated, ephemeral build environment with reproducible builds C. a longer password policy D. a bigger firewall

Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

13. "Because the deploy gate is closest to production, putting all security scans there is the safest design."

14. [Sec+] "Container image scanning is unnecessary if you already do SCA on your application's dependencies."

15. "A guardrail and a gate are the same thing with different names."

16. "If an artifact is signed with the organization's real key, it is safe to deploy."

17. [CISSP] "DevSecOps is a tool you can purchase and install."

18. "Catching a misconfigured S3 bucket with IaC scanning is strictly better than catching it with CSPM, because IaC scanning prevents it from ever being created public."

Section 3 — Fill in the blank (1 pt each)

19. The same defect is far cheaper to fix the earlier it is caught; this principle, which justifies shift-left, is called shift-left __.

20. [Sec+] The property that the software a pipeline produces is exactly what the verified source defines, unaltered from build to deploy, is called pipeline __.

21. A security check embedded in the pipeline that can pass, warn, or fail the build is a security __.

22. In a fail-safe policy-as-code rule, the default decision should be __ (so anything not explicitly allowed is blocked).

23. The mature DevSecOps pattern for resolving the speed-versus-assurance tension is "prefer _, use _ where you must."

Section 4 — Short answer (2 pts each)

24. [CISSP] Explain in two or three sentences why a valid signature is necessary but not sufficient for trusting a build artifact, and name the control that closes the gap SolarWinds exploited.

25. A team adds six security scanners to a pipeline and developers immediately start disabling them. Name three specific changes (from the chapter's "embed without blocking delivery" rules) that would make the gates something developers trust rather than sabotage.

Section 5 — Applied scenario (5 pts)

26. Meridian's pipeline pushes a container to production. The deploy-time policy-as-code check evaluates: the image is signed; its provenance builder is attacker-laptop (not meridian-ci); it has one fixable CRITICAL vulnerability; the secrets scan is clean. (a) Walk through which policy conditions pass and which fail. (b) Should this deploy? State the decision and every reason it is blocked. (c) Which single failing condition is the SolarWinds defense, and what would it mean if only that condition had failed?

Answer Key

Click to reveal answers and explanations

1. **B** — shift left moves security activities earlier in the lifecycle. 2. **C** — SCA inventories dependencies against known-vulnerability feeds. 3. **C** — IaC scanning analyzes infrastructure definitions before they are applied. 4. **C** — malicious code was injected during the Orion build, not in source. 5. **B** — a signature proves origin and integrity, not safety. 6. **B** — a guardrail makes the unsafe action structurally impossible. 7. **C** — CI is automated, controlled, and early-but-complete. 8. **B** — policy as code is machine-enforced, versioned, testable, and consistent. 9. **B** — pre-commit hooks are skippable; the CI gate is the unskippable backstop. 10. **B** — provenance is verifiable build-origin metadata. 11. **B** — a gate that breaks on everything gets ignored or removed. 12. **B** — an isolated, ephemeral, reproducible build prevents and exposes injection. 13. **F** — clustering all scans at deploy recreates the late-stage bottleneck, with cold context and maximal pressure to override; push fast deterministic checks left. 14. **F** — SCA covers application dependencies, but the container also ships OS packages/libraries in its base image that only container image scanning inspects. 15. **F** — a gate inspects and decides (costs time, can be overridden); a guardrail makes the unsafe action impossible (no per-case inspection, cannot be bypassed). 16. **F** — a genuine signature proves origin/integrity but not safety; SolarWinds was correctly signed, so build integrity and provenance are still required. 17. **F** — DevSecOps is a process and culture built from pipeline config, policy, and feedback loops; a scanner is a product, the practice is not. 18. **T** — IaC scanning prevents the public bucket before it exists, whereas CSPM only detects it after it is live and already exposed (though you keep CSPM for infrastructure created outside the scanned pipeline). 19. economics. 20. integrity. 21. gate. 22. deny (deny / "false" / fail-safe default). 23. guardrails; gates. 24. A signature proves the artifact came from the signer unaltered, which is necessary to trust origin; it is not sufficient because if an attacker is inside the signing pipeline the malice is baked in before signing and the signature certifies it as genuine (exactly SolarWinds). The gap is closed by **build isolation plus provenance** — verifiable attestation that the artifact was built by the expected pipeline from reviewed source, verified at deploy. 25. Any three of: fail only on high-confidence, high-severity, actionable findings (not everything); make feedback fast and local (pre-commit hooks + parallel CI); point to the fix (file, line, rule, remediation); baseline pre-existing findings and break only on new ones; relentlessly kill false positives. 26. (a) signed = pass; provenance builder `attacker-laptop` ≠ `meridian-ci` = FAIL; one fixable CRITICAL vuln = FAIL; secrets clean = pass. (b) Do **not** deploy; `default := false` plus two failed conditions means `allow` is false; blocked because (i) it was not built by the approved pipeline and (ii) it carries a fixable critical vulnerability. (c) The `provenance.builder == "meridian-ci"` check is the SolarWinds defense; if *only* that had failed (image signed, no critical vulns, no secrets) the deploy would still be correctly **blocked**, because an artifact that is otherwise pristine but was built by an unknown/attacker builder is precisely the SolarWinds scenario — a well-formed, signed, malicious build. **Topics to review by question:** missed 1, 19 → §31.1; 2, 3, 9, 11, 14, 18 → §31.3; 4, 5, 10, 12, 16, 20, 24 → §31.4; 8, 22 → §31.5; 6, 15, 23 → §31.5 (guardrails vs gates); 7, 13 → §31.2; 17 → §31.1; 25 → §31.3; 26 → §31.4 + §31.5.