DevOps 540

Question 1

CALMS

Answer 1

Culture, automation, lean, measurement, Sharing

Question 2

CI/CD Change frequency

Answer 2

How often are changed deployed to production. Measure the efficiency and the capability of the organisation to make changes

Question 3

Change Failure Ratio

Answer 3

How often do changes introduce a failure. Opposite to Change Success Rate.

Question 4

Change Success Ratio

Answer 4

How often a changes does NOT introduce a failure. Opposite to Change Failure Ratio

Question 5

MTTR

Answer 5

Mean Time to Recovery or Repair from a failure

Question 6

MTTD

Answer 6

Mean Time to Detect a failure

Question 7

MTTF

Answer 7

Mean Time to Failure. Not used in DevOps a lot as expected to have a failure. MTTR/MTTD are the key ones.

Question 8

Change Lead Time

Answer 8

The average time it takes to get a change or fix into production. Also known as Cycle Time.

Question 9

Change Cycle Time

Answer 9

from a change is requested by business until when it is deployed. X = Change request + start dev + end dev + deployment

Question 10

Development change lead time

Answer 10

From where the project starts until is fully deployed. X = start dev + end dev + deployment

Question 11

Deployment Lead time

Answer 11

Development is finished until it is deployed == deployment time. X = end dev + deployment

Question 12

IAST

Answer 12

Interactive Application Security Testing

Question 13

DAST

Answer 13

Dynamic Analysis Security Testing

Question 14

SAST

Answer 14

Static Analysis Security Testing

Question 15

RASP

Answer 15

Runtime Application Security /Safe Protection

Question 16

SDLC

Answer 16

Secure Deployment Life Cycle

Question 17

CSPM

Answer 17

Cloud Security Posture Management

Question 18

CWPP

Answer 18

Cloud Workload Protection Platform

Question 19

CASB

Answer 19

Cloud Access Security Broker

Question 20

CNAPP

Answer 20

Cloud Native Application Protection

Question 21

IDOR

Answer 21

Insecure Direct Object Reference

Question 22

CDN

Answer 22

Content Delivery Network

Question 23

OAI

Answer 23

Origin Access Identity

Question 24

SOP

Answer 24

Same Origin Policy: protocol, port, domain

Question 25

CORS

Answer 25

Cross-Origin Resource Sharing

Question 26

ZTA

Answer 26

Zero Trust Architecture

Question 27

ZTMM

Answer 27

Zero Trust Maturity Model

Question 28

OPA

Answer 28

Open Policy Agent. Language used to apply limitations in containers deployments.

Question 29

OIDC

Answer 29

Open ID Connect

Question 30

JWT

Answer 30

JSON Web Tokens

Question 31

ADFS

Answer 31

Active Directory Federate Services

Question 32

CNCF

Answer 32

Cloud Native Computing Foundation

Question 33

SPIFFE

Answer 33

Secure Production Identify Framework For Everyone

Question 34

CNI

Answer 34

Container Network Interface

Question 35

RBAC

Answer 35

Role Base Access Control

Question 36

CEL

Answer 36

Common Expression Language

Question 37

SCA

Answer 37

Software component analysis. To identify code with known vulnerabilities.

Question 38

Continuous Delivery

Answer 38

Code -> Unit Test -> Integrate -> Acceptance Test -(manual)-> Deploy. If auto it will be continuous deployment

Question 39

Continuous Deployment

Answer 39

Code -> Unit Test -> Integrate -> Acceptance Test -(auto)-> Deploy. If manual will be continuous delivery

Question 40

Acceptance tests

Answer 40

Ensure code can be joined with production. Achieved via stand-up test environments via Puppet/Chef/TF/Docker/etc and run post-deployment asserts/smoke tests

Question 41

IdP

Answer 41

Identity Provider for Oauth/OIDC (against what we authenticate)

Question 42

Service provider in OIDC

Answer 42

Service we try to access to.

Question 43

RRA

Answer 43

Rapid Risk Assessment. 30 min review to understand if the new code will have issues or what level of review will require. Introduced by Firefox.

Question 44

A/B testing

Answer 44

Experiments of a code for a subset of the population

Question 45

SBOM

Answer 45

Software Bill of materials. This is needed to understand the dependencies of an application and hence their vulnerabilities.

Question 46

OWASP: PPE

Answer 46

Poisoned pipeline Execution: manipulating the build process by injecting malicious code or commands into the build pipeline configuration

Question 47

OWASP: PBAC

Answer 47

Pipeline based access control. An attacker could abuse insufficient PBAC to abuse the permissions granted to the pipeline and move laterally to systems services outside the CI/CD

Question 48

SARIF

Answer 48

Static Analysis Results Integration Format. Created by MS, a JSON language of creating one universal format for static analysis tool.

Question 49

SPDX

Answer 49

Software Package Data Exchanges: open source output language for software bills (SBOMs)

Question 50

HCL

Answer 50

Hashicorp Configuration Language

Question 51

Azure NSG

Answer 51

Azure Network Security Group

Question 52

TDD

Answer 52

Test-Driven Development. Automated tests written before the code is changed to prove that changes are implemented correctly

Question 53

DSL

Answer 53

Domain Specific Language. Used in configuration management tools like chef, puppet, ansible, etc

Question 54

OPA

Question 55

Software Provenance

Answer 55

An attestation (metadata) describing how the outputs were produced, including identification of the platform and external parameters

Question 56

Software Attestation

Answer 56

An authenticate statement (metadata) about a software artifact or collection of software artifacts

Question 57

DSSE

Answer 57

Dead Simple Signing Envelope. Store the envelope = statement and signature for the provenance statement to prevent supply chain attacks.

Question 58

OCI

Answer 58

Open Container Initiative

Question 59

SLSA

Answer 59

Supply-chain levels of Software artifacts. Level0 to Level 3: none, provenance showing how the packages were built, signed provenance and generated by a hosted build platform, hardened build platform

Question 60

VEX

Answer 60

Vulnerability Exploitability Exchanged. machine readable attestations format for sharing vulnerability status information.

Question 61

GUAC

Answer 61

Graph for Understanding Artifact Composition. Graph base system that organizes software supply chain security artifacts.

Question 62

CRI

Answer 62

Container Runtime Interface

Question 63

AWS ECR

Answer 63

Elastic Container Registry for container images

Question 64

Google Cloud GCR

Answer 64

Google Container Registry for container images

Question 65

Azure ACR

Answer 65

Azure Container Registry for container images

Question 66

Image Poison Attack in containers

Answer 66

A certified image tag is overwritten with a malicious image using the same tag. This is prevented via Immutable tagging in Cloud container registry

Question 67

Azure CMK

Answer 67

Customer Managed keys used for Azure storage encryption (EKS in Azure)

Question 68

IRSA

Answer 68

AWS IAM Roles for Service Accounts

Question 69

IMDS

Answer 69

AWS Instance Metadata Service

Question 70

K8s CEL

Answer 70

Common Expression Language used for K8s policies

Question 71

Azure OMS

Answer 71

Operational Management Suit. Azure log agent for Linux or EKS

Question 72

Azure MMA

Answer 72

Microsoft Monitoring Agent. Azure log agent for Windows systems