Free CCAK Exam Braindumps (page: 43)

Page 43 of 78

The MOST critical concept for managing the building and testing of code in DevOps is:

  A. continuous build.
  B. continuous delivery.
  C. continuous integration.
  D. continuous deployment.

Answer(s): C

Explanation:

Continuous integration (CI) is the most critical concept for managing the building and testing of code in DevOps. CI is the practice of merging all developers' working copies of code into a shared mainline several times a day. This enables early detection and resolution of bugs, conflicts, and errors, as well as faster and more frequent feedback loops. CI also facilitates the automation of building, testing, and deploying code, which improves the quality, reliability, and security of the software delivery process. CI is a prerequisite for continuous delivery and continuous deployment (both commonly abbreviated CD), which are the next stages of DevOps maturity and aim to deliver software to customers faster and more frequently.


Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, pp. 114-115
Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v.0, 2021, DCS-01: Datacenter Security - Build and Test
What is Continuous Integration?
Continuous Integration vs Continuous Delivery vs Continuous Deployment



What is a sign that an organization has adopted a shift-left concept of code release cycles?

  A. Large entities with slower release cadences and geographically dispersed systems
  B. A waterfall model to move resources through the development to release phases
  C. Maturity of start-up entities with high-iteration to low-volume code commits
  D. Incorporation of automation to identify and address software code problems early

Answer(s): D

Explanation:

The shift-left concept of code release cycles is an approach that moves testing, quality, and performance evaluation early in the development process, often before any code is written. The goal of shift-left testing is to anticipate and resolve software defects, bugs, errors, and vulnerabilities as soon as possible, reducing the cost and time of fixing them later in the production stage. To achieve this, shift-left testing relies on automation tools and techniques that enable continuous integration, continuous delivery, and continuous deployment of code. Automation also facilitates collaboration and feedback among developers, testers, security experts, and other stakeholders throughout the development lifecycle. Therefore, the incorporation of automation to identify and address software code problems early is a sign that an organization has adopted a shift-left concept of code release cycles.


Reference:

The 'Shift Left' Is A Growing Theme For Cloud Cybersecurity In 2022
Shift left vs shift right: A DevOps mystery solved
How to shift left with continuous integration



Which of the following can be used to determine whether access keys are stored in the source code or any other configuration files during development?

  A. Static code review
  B. Dynamic code review
  C. Vulnerability scanning
  D. Credential scanning

Answer(s): D

Explanation:

Credential scanning is a technique that can be used to detect and prevent the exposure of access keys and other sensitive information in the source code or any other configuration files during development. Credential scanning tools can scan the code repositories, files, and commits for any hardcoded credentials, such as access keys, passwords, tokens, certificates, and connection strings. They can also alert the developers or security teams of any potential leaks and suggest remediation actions, such as rotating or revoking the compromised keys, removing the credentials from the code, or using secure storage mechanisms like vaults or environment variables. Credential scanning can be integrated into the development pipeline as part of the continuous integration and continuous delivery (CI/CD) process, or performed periodically as a security audit. Credential scanning can help reduce the risk of credential leakage, which can lead to unauthorized access, data breaches, or account compromise.


Reference:

Protecting Source Code in the Cloud with DSPM
Best practices for managing service account keys
Protect your code repository



What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

  A. DAST is slower but thorough.
  B. Unlike SAST, DAST is a black box and programming language agnostic.
  C. DAST can dynamically integrate with most continuous integration and continuous delivery (CI/CD) tools.
  D. DAST delivers more false positives than SAST.

Answer(s): B

Explanation:

Dynamic application security testing (DAST) is a method of testing the security of an application by simulating attacks from an external source. DAST does not require access to the source code or binaries of the application, unlike static application security testing (SAST), which analyzes the code for vulnerabilities. Therefore, DAST is a black box testing technique, meaning that it does not need any knowledge of the internal structure, design, or implementation of the application. DAST is also programming language agnostic, meaning that it can test applications written in any language, framework, or platform. This makes DAST more flexible and adaptable to different types of applications and environments. However, DAST also has some limitations, such as being slower, less accurate, and more dependent on the availability and configuration of the application.


Reference:

SAST vs. DAST: What's the Difference?
SAST vs DAST: What's the Difference?
SAST vs. DAST: Enhancing application security






ccak commented on June 08, 2023
ccak is hard