Exam CAS-004
Question 15

A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.

Which of the following would BEST secure the company's CI/CD pipeline?

Correct Answer: A

Reference: https://about.gitlab.com/blog/2021/04/09/demystifying-ci-cd-variables/

Discussion
[Removed] Option: A

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

koala_lay Option: A

Secrets management to secure CI/CD pipelines https://www.cyberark.com/what-is/secrets-management/

dgfhyjfghfgfkfhd Option: A

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

BiteSize Option: A

A secrets manager is a platform like a password vault that contains all the secrets. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but I am doing my diligence.)

Bross

I think it might be B, would anyone else agree?

dgfhyjfghfgfkfhd

Agreed, DAST.

dgfhyjfghfgfkfhd

I take this back. I believe it's A. DAST examines an application at runtime, and this would do nothing for hardcoded variables.

Mr_BuCk3th34D

It can't be B, DAST. Dynamic Application Security Testing (DAST) is the process of analyzing a web application through the front-end to find vulnerabilities through simulated attacks. This type of approach evaluates the application from the “outside in” by attacking an application like a malicious user would. The question asks for code analysis, a better answer would be SAST, but since this alternative does not exist, Secret Manager makes more sense in order to protect the sensitive data being stored on the app code.

Mr_BuCk3th34D

As a reference: "Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code" from AWS: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

23169fd Option: A

Secrets management: A secrets manager securely stores, manages, and accesses sensitive information such as environment variables, API keys, passwords, and other credentials. By using a trusted secrets manager, the development team can avoid hard-coding sensitive data in the codebase.

Automated access: Secrets managers integrate with CI/CD pipelines to automatically provide the necessary secrets at runtime without exposing them in the code or configuration files.

Auditing and rotation: They also provide auditing capabilities and support for rotating secrets, enhancing the overall security of the pipeline.
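The check a security engineer would run to confirm the suspicion in the question, and the "before/after" pattern the AWS quote and the comment above describe, as an added example that is not part of the original discussion: a small scanner that flags secret-looking variables assigned a literal value, and passes once the value is resolved at runtime from the pipeline's secret store. The keyword list, the `get_secret` helper name and the sample snippets are assumptions constructed for the example.

```python
import re

# Variable names that usually hold credentials. Assumption: a starter keyword
# list; a real deployment tunes it per code base and pairs it with entropy checks.
SECRET_KEYWORDS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "APIKEY", "PRIVATE_KEY")

# Matches `NAME = value`, `NAME: value` and `export NAME=value` (Python, YAML, shell).
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<value>.+?)\s*$"
)
QUOTED = re.compile(r"""^(["'])(?P<body>.*)\1$""")   # "hunter2" or 'abc123'
BARE = re.compile(r"^[A-Za-z0-9+/=_\-]{6,}$")          # unquoted shell/YAML literal

def is_secret_name(name: str) -> bool:
    upper = name.upper()
    return any(k in upper for k in SECRET_KEYWORDS)

def is_hardcoded_value(value: str) -> bool:
    """True when the value is a literal rather than a runtime lookup or template."""
    m = QUOTED.match(value)
    if m:
        body = m.group("body")
        # empty string, ${VAR} template or <placeholder> are not real secrets
        return bool(body) and not body.startswith(("${", "<"))
    # os.environ[...], get_secret(...), ${VAR}: contain characters BARE rejects
    return BARE.match(value) is not None

def find_hardcoded_secrets(source: str):
    """Return (line_number, variable_name) for every hard-coded secret found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m and is_secret_name(m.group("name")) and is_hardcoded_value(m.group("value")):
            hits.append((lineno, m.group("name")))
    return hits

# Constructed "before" sample: the pattern the engineer suspects.
BEFORE = 'DB_HOST = "db.internal"\nDB_PASSWORD = "hunter2"\nAPI_TOKEN = \'abc123\'\n'
# Constructed "after" sample: values resolved at runtime from the pipeline's
# injected environment or a secrets-manager client (get_secret is hypothetical).
AFTER = (
    'import os\nDB_HOST = "db.internal"\n'
    'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    'API_TOKEN = get_secret("prod/api-token")\n'
)

if __name__ == "__main__":
    print("before:", find_hardcoded_secrets(BEFORE))   # flags lines 2 and 3
    print("after: ", find_hardcoded_secrets(AFTER))    # []
```

Running the same scan as a CI job on every commit turns the engineer's hunch into a repeatable gate, while the secrets manager supplies the values the pipeline actually needs.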

Delab202 Option: A

To best secure the company's CI/CD pipeline and address the concern of hard-coded sensitive environment variables, the most appropriate option is: A. Utilizing a trusted secrets manager