Eccouncil EC-Council Certified DevSecOps Engineer (ECDE) 312-97 Exam Questions

Page: 1 / 14
Total 100 questions
Question 1

(Alex Hales recently joined TAVR Software Solution Pvt. Ltd. as a DevSecOps engineer. To automatically detect security loopholes in the web applications while building and testing them, he integrated the OWASP ZAP DAST plugin with Jenkins. How can Alex uniquely identify every build in the project?)



Answer : D

Jenkins assigns every build of a job a build identifier and exposes it to build steps as the environment variable BUILD_ID (in current Jenkins releases it carries the same value as BUILD_NUMBER; older releases used a timestamp). When integrating OWASP ZAP with Jenkins, appending ${BUILD_ID} to output file names or report names ensures that every scan result corresponds to a specific build execution. This avoids overwriting previous reports and allows traceability between build artifacts and security findings. Note that BUILD_ID is unique only within a job, so combine it with JOB_NAME when reports from several jobs share a location. Variables such as ${ZAPROXY_HOME} refer to installation paths, not build uniqueness, while ${Profile_ID} and ${zap_scan} are not standard Jenkins variables for identifying builds. Using ${BUILD_ID} supports auditing, historical analysis, and correlation between detected vulnerabilities and the exact build in which they were found, which is critical during the Build and Test stage of a DevSecOps pipeline.
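As an added example that is not part of the exam page: a Jenkins Execute shell step, written in bash, that stamps ZAP baseline-scan reports with JOB_NAME and BUILD_ID and refuses to overwrite an earlier build's report. The ZAP container image, the mount path, the report directory and the target URL are assumptions, not values from the question.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page): a Jenkins "Execute shell" step that names
# ZAP baseline-scan reports after the build that produced them. Assumptions: ZAP runs
# from the ghcr.io/zaproxy/zaproxy:stable image and the target URL is a placeholder.
set -u

# JOB_NAME and BUILD_ID are exported by Jenkins into every build step. JOB_NAME contains
# '/' for jobs inside folders and for multibranch pipelines, which would turn the report
# name into a subdirectory path, so it is sanitised before being used in a file name.
report_basename() {
  job="$1"; build="$2"
  safe_job=$(printf '%s' "$job" | tr '/ ' '__')
  printf 'zap-%s-%s' "$safe_job" "$build"
}

# Resolve the report path and refuse to overwrite an earlier build's report: silently
# replacing a report breaks the build-to-findings traceability the question is about.
report_path() {
  dir="$1"; base="$2"; ext="$3"
  path="$dir/$base.$ext"
  if [ -e "$path" ]; then
    echo "refusing to overwrite existing report $path" >&2
    return 1
  fi
  printf '%s' "$path"
}

# The scan step itself. zap-baseline.py exits 0 when clean, 1 on at least one FAIL,
# 2 on WARN only and 3 on a scan error; only 1 and 3 fail the build here.
run_zap_baseline() {
  target="$1"; workdir="$2"
  mkdir -p "$workdir"
  base=$(report_basename "${JOB_NAME:-local}" "${BUILD_ID:-0}")
  html=$(report_path "$workdir" "$base" html) || return 1
  json=$(report_path "$workdir" "$base" json) || return 1
  docker run --rm -v "$workdir:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
    zap-baseline.py -t "$target" -r "$(basename "$html")" -J "$(basename "$json")"
  rc=$?
  case "$rc" in
    0|2) echo "ZAP scan finished (rc=$rc), reports: $html $json"; return 0 ;;
    *)   echo "ZAP scan failed (rc=$rc)" >&2; return "$rc" ;;
  esac
}

# Typical invocation from the Jenkins step (the URL is a placeholder):
# run_zap_baseline "https://staging.example.internal" "$WORKSPACE/zap-reports"
```

Archive the report directory as a build artifact so each report stays attached to the build record that produced it.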


Question 2

(Terry Crews has been working as a DevSecOps engineer at an IT company that develops software products and web applications related to IoT devices. She integrated Sqreen RASP tool with Slack for sending notifications related to security issues to her team. How can Sqreen send notification alerts to Slack?)



Answer : D

Sqreen provides runtime application self-protection (RASP) capabilities that allow teams to detect and respond to security threats in real time. Sqreen uses a structured automation mechanism called a playbook to define how security events are handled. A playbook consists of three key components: a trigger that detects suspicious or malicious behavior, a security response that defines what action Sqreen should take (such as blocking a request or flagging an attack), and a notification that sends alerts to external systems like Slack. The term "cookbook" is not used in Sqreen's alerting and response model, making options A and B incorrect. Option C uses the phrase "Alert a response" instead of "security response," which does not describe Sqreen's configuration model. By using playbooks, Sqreen enables automated detection, response, and team notification during the Operate and Monitor stage, ensuring rapid awareness and collaboration when security incidents occur. Note that Sqreen was acquired by Datadog in 2021; the terminology in this question reflects the standalone Sqreen product.


Question 3

(Jordon Garrett is working as a DevSecOps engineer in an IT company situated in Chicago, Illinois. His team prefers to use PowerShell for Git hooks because Bash on Windows does not suit their more advanced checks. To call a PowerShell script from the Bash shell, Jordon wrote a PowerShell script containing the pre-commit logic, pre-commit.ps1, and then wrote the following hook

#!C:/Program\ Files/Git/usr/bin/sh.exe
exec powershell.exe -NoProfile -ExecutionPolicy Bypass -File ".\.git\hooks\pre-commit.ps1"

How would Jordon know that the commit is successful?)



Answer : A

Git decides whether a hook passed from the exit code of the hook process: 0 lets the commit proceed, and any non-zero value aborts it. In Jordon's setup the hook file is an sh script that execs PowerShell, so the sh process is replaced by powershell.exe and the exit code of the PowerShell script (set with exit 0 or exit n inside pre-commit.ps1) becomes the hook's exit code directly, with no intermediate command that could mask it. If the script exits with 0, Git interprets the hook as successful and allows the commit. Exit codes such as 1, 2, or 3 indicate errors or policy violations and block the commit. Two caveats apply: -ExecutionPolicy Bypass is needed only because the hook script is unsigned, and it means the execution policy offers no protection for this script; and client-side hooks are not a security boundary, since they are not versioned with the repository and can be skipped with git commit --no-verify, so the same checks must also run server-side or in CI. Using exit codes in this way is the standard approach in cross-platform DevSecOps automation during the Code stage.
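An added example, not from the exam page, that shows why the exit code has to travel through the wrapper unchanged. PowerShell is not available on a POSIX test host, so a small sh script stands in for powershell.exe -File; the wrapper that execs it (as Jordon's hook does) reports the check script's exit code, while a wrapper that runs one more command afterwards returns 0 and would let a failed check commit. All file names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the page): checking that a Git pre-commit wrapper propagates
# the exit code of the script it delegates to. "fake-powershell" is a stand-in for
# powershell.exe -File because PowerShell is absent on the test host.
set -u

# Creates a throwaway directory containing:
#   fake-powershell : accepts "-File <script>", runs it with sh, exits with its status
#   wrapper-good    : execs the runner, exactly as Jordon's hook does
#   wrapper-bad     : runs the runner, then runs echo, which masks the status
# Prints the directory path.
make_hook_dir() {
  dir=$(mktemp -d)
  cat > "$dir/fake-powershell" <<'EOF'
#!/bin/sh
# stand-in for powershell.exe: honours only -File, ignores the other flags
while [ $# -gt 0 ]; do
  case "$1" in -File) shift; script="$1" ;; esac
  shift
done
exec sh "$script"
EOF
  cat > "$dir/wrapper-good" <<EOF
#!/bin/sh
exec "$dir/fake-powershell" -NoProfile -ExecutionPolicy Bypass -File "$dir/pre-commit.sh"
EOF
  cat > "$dir/wrapper-bad" <<EOF
#!/bin/sh
"$dir/fake-powershell" -NoProfile -ExecutionPolicy Bypass -File "$dir/pre-commit.sh"
echo "pre-commit checks finished"
EOF
  chmod +x "$dir/fake-powershell" "$dir/wrapper-good" "$dir/wrapper-bad"
  printf '%s' "$dir"
}

# hook_status <wrapper> <code>: writes a check script that exits with <code>, runs the
# wrapper the way Git would run the hook, and prints the wrapper's exit status.
hook_status() {
  wrapper="$1"; code="$2"
  dir=$(dirname "$wrapper")
  printf 'exit %s\n' "$code" > "$dir/pre-commit.sh"
  if "$wrapper" >/dev/null; then rc=0; else rc=$?; fi
  printf '%s' "$rc"
}

# Demonstration: the exec wrapper returns 3 when the check exits 3, the other returns 0.
# d=$(make_hook_dir); hook_status "$d/wrapper-good" 3; echo; hook_status "$d/wrapper-bad" 3; echo
```

The second wrapper is the common mistake when logging is added after the delegated command: Git only sees the status of the last command, so the commit goes through even though the policy check failed.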


Question 4

(Orange International Pvt. Ltd. is an IT company that develops software products and web applications for Android phones. The organization recognizes the importance of secure coding principles and would like to enforce them. Therefore, Orange International Pvt. Ltd. established access management, avoided reinventing the wheel, secured the weak links, implemented defense in depth, and reduced third-party involvement in the application. Based on the above-mentioned information, which of the following secure coding principles is achieved by the organization?)



Answer : C

The practices described (access management, defense in depth, minimizing third-party dependencies, and securing weak links) are architectural and design-level decisions. These controls are not merely coding techniques or configuration defaults but reflect security being embedded into the system's blueprint from the earliest stages. This aligns directly with the Secure by Design principle, which emphasizes proactively designing systems to resist attacks rather than reacting to vulnerabilities later. Secure by implementation focuses on writing correct and safe code, secure by default focuses on initial configuration settings, and secure by communication addresses trust and confidentiality in communication channels. Orange International's approach demonstrates a holistic security mindset that anticipates threats and integrates protective measures throughout the system architecture, making Secure by Design the correct choice.


Question 5

(Rachel McAdams applied for the position of DevSecOps engineer at TetraSoft Pvt. Ltd. She gave her interview on February 23, 2022, and was selected as a DevSecOps engineer. Her team is working on securing a Ruby on Rails application. Rachel's team leader asked her to integrate the Brakeman SAST tool with Jenkins. To perform the integration, she navigated to the Jenkins Plugin Manager and installed the Warnings Next Generation plugin. To run the tool in Jenkins, she invoked Brakeman as part of an Execute shell build step. In the Execute shell field, she wrote the following commands with Brakeman options

bash -l -c '
rvm install 3.0.0 && \
rvm use 3.0.0@brakeman --create && \
gem install brakeman && \
brakeman --no-progress --no-pager --no-exit-on-warn -o brakeman-output.json'

What is the function of the --no-exit-on-warn option in the above-mentioned command?)



Answer : C

By default, Brakeman exits with a non-zero code (3) when it reports any security warnings, which makes the Jenkins Execute shell step, and therefore the build, fail. The --no-exit-on-warn option makes Brakeman exit with 0 even when warnings are found, so the step completes and the report is still written; the .json extension of the -o argument selects JSON output, which is the format the Warnings Next Generation plugin's Brakeman parser reads. This is particularly useful when teams first integrate a SAST tool and want visibility into security issues without immediately blocking builds. During the Build and Test stage this supports gradual adoption of security enforcement: teams can triage and prioritize remediation while maintaining delivery velocity, then tighten policy by removing the option, or by failing the build from the published report with a quality gate, once the security baseline improves. The option affects only warnings; Brakeman still exits non-zero when the scan itself errors.
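An added example, not from the exam page, of the "tighten the policy later" step: the Brakeman command keeps --no-exit-on-warn so the report is always produced, and a shell gate then fails the build from the report's contents when High-confidence (or Medium-confidence) warnings exceed a budget. The JSON written by write_sample_report is a constructed sample that imitates the shape of Brakeman's report (a warnings array whose entries carry a confidence field of High, Medium or Weak); the budgets, file names and workspace path are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): a build gate over Brakeman's JSON report that
# replaces the default exit-on-warn behaviour with an explicit warning budget.
set -u

# Constructed sample in the shape of a Brakeman JSON report (not real scan output).
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "scan_info": { "app_path": "/var/lib/jenkins/workspace/rails-app", "rails_version": "7.0.4" },
  "warnings": [
    { "warning_type": "SQL Injection", "check_name": "SQL", "file": "app/models/user.rb", "line": 12, "confidence": "High" },
    { "warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting", "file": "app/views/users/show.html.erb", "line": 7, "confidence": "High" },
    { "warning_type": "Mass Assignment", "check_name": "ModelAttributes", "file": "app/models/user.rb", "line": 3, "confidence": "Medium" },
    { "warning_type": "Dangerous Send", "check_name": "Send", "file": "app/controllers/admin_controller.rb", "line": 21, "confidence": "Weak" }
  ],
  "ignored_warnings": [],
  "errors": [],
  "obsolete": []
}
EOF
}

# count_confidence <report> <High|Medium|Weak>: number of warnings at that confidence.
# jq would be the better parser where it is installed; grep keeps the gate dependency-free.
count_confidence() {
  n=$(grep -c "\"confidence\": *\"$2\"" "$1") || n=0
  printf '%s' "$n"
}

# gate <report> <max_high> [max_medium]: returns 0 within budget, 1 over budget,
# 2 when the report is missing (a scan that produced nothing must not pass silently).
gate() {
  report="$1"; max_high="$2"; max_medium="${3:-999999}"
  if [ ! -f "$report" ]; then
    echo "brakeman gate: report $report not found" >&2
    return 2
  fi
  high=$(count_confidence "$report" High)
  medium=$(count_confidence "$report" Medium)
  echo "brakeman: high=$high medium=$medium (budget high<=$max_high medium<=$max_medium)"
  if [ "$high" -gt "$max_high" ] || [ "$medium" -gt "$max_medium" ]; then
    echo "brakeman gate FAILED" >&2
    return 1
  fi
  return 0
}

# The Jenkins Execute shell step: keep --no-exit-on-warn so the report always exists
# for the Warnings Next Generation plugin, then let the gate decide pass/fail.
run_in_jenkins() {
  bash -l -c 'rvm use 3.0.0@brakeman --create && gem install brakeman && \
    brakeman --no-progress --no-pager --no-exit-on-warn -o brakeman-output.json'
  gate brakeman-output.json 0 5
}
```

Start with a budget equal to the current warning counts so the build cannot regress, then ratchet the numbers down as findings are fixed; removing --no-exit-on-warn altogether is the final state, equivalent to a budget of zero at every confidence level.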


Question 6

(SinCaire is a software development company that develops web applications for various clients. To measure the successful implementation of DevSecOps, the organization enforced the U.S. General Services Administration (GSA) high-value DevSecOps metrics. Which of the following metrics implemented by SinCaire can measure the time between the code commit and production, and tracks bug fixes and new features throughout the development, testing, and production phases?)



Answer : D

Change lead time measures the duration between a code commit and its successful deployment into production. This metric tracks how efficiently new features, bug fixes, and changes move through development, testing, and release stages. It is a key DevSecOps performance indicator used to assess pipeline efficiency and the effectiveness of automation and security integration. Mean time to recovery focuses on restoring service after incidents, change volume measures the number of changes rather than delivery speed, and time to value is a broader business metric. Change lead time directly reflects how well DevSecOps practices enable rapid yet secure delivery, making it the correct metric for measuring commit-to-production flow across all phases.


Question 7

(Brady Coleman is a senior DevSecOps engineer at CloudVac Security Private Ltd. He has created a new container named "eccbrad" from the centos:7 image using the command docker run -i -t --name geeklab centos:7 /bin/bash. Now, Brady wants to install the httpd package inside the eccbrad container. Which of the following commands should Brady use to install the httpd package inside the container?)



Answer : D

CentOS 7 uses the yum package manager, so inside a CentOS 7 container the Apache HTTP Server is installed with yum install httpd, run from the container's shell or from the host through docker exec (add -y to answer the confirmation prompt in non-interactive runs). Containers typically run as root by default, making sudo unnecessary and usually absent from the image. A form such as install-httpd is invalid because yum expects the install subcommand followed by the package name. Two practical caveats: packages installed with docker exec live only in that container's writable layer and are lost when the container is removed, so production images should install them in a Dockerfile RUN step (followed by yum clean all to keep the image small); and CentOS 7 reached end of life on 30 June 2024, after which its repositories were removed from the default mirrors, so yum in a stock centos:7 image no longer resolves packages unless it is pointed at the vault archive, and a maintained base image should be used instead. Installing only the components the workload needs limits image bloat and attack surface, which is the balance DevSecOps teams must strike during the Operate and Monitor stage.

