312-97 ECCouncil EC-Council Certified DevSecOps Engineer (ECDE) Free Practice Exam Questions (2026 Updated)

The DevSec Hardening Framework is commonly implemented usingChef, and it is executed locally using the chef-solo command. The -c flag specifies the configuration file (solo.rb), and the -j flag specifies the JSON attributes file (solo.json). Option A correctly uses both required parameters in the proper format. The other options incorrectly swap or misuse flags that are not supported by Chef-solo. Running this command applies secure configurations, compliance controls, and cryptographic standards to the target system. Executing DevSec Hardening Framework during the Operate and Monitor stage ensures that systems remain secure, compliant, and resilient against misconfiguration-based attacks.

========

Bitbucket provides a cloud-based source code management platform that supports collaboration, CI/CD integration, and secure code hosting. One of the key features offered by Bitbucket isfree unlimited private repositories, particularly beneficial for organizations developing proprietary software such as IoT applications. This allows teams to store source code securely without exposing it publicly while still enabling collaboration features like pull requests, issue tracking, and pipeline automation. The term “limited private repositories” is inaccurate because Bitbucket does not restrict the number of private repositories under its free offering; rather, user count limits apply. While Bitbucket also supports public repositories, the option that best represents its value to enterprise and product-based teams is unlimited private repositories. This capability aligns with DevSecOps practices by ensuring confidentiality of source code while enabling integrated planning, testing, and deployment workflows within a single platform.

========

The git-multimail tool provides a mechanism to verify whether it has been installed and configured correctly before being relied upon for production notifications. This verification is done using an environment variable namedGIT_MULTIMAIL_CHECK_SETUP. When this variable is set to anon-empty string, git-multimail performs a setup validation and outputs diagnostic information toconfirm that configuration values, hooks, and parameters are correctly defined. This helps prevent silent failures where commits occur but email notifications are not sent. Options that referenceGITHUB_MULTIMAIL_CHECK_SETUPare incorrect because git-multimail is not limited to GitHub and does not use that variable name. Additionally, setting the variable to an empty string does not trigger the setup check. Ensuring proper configuration during the Code stage is important because it supports auditability, traceability, and timely communication among development and security teams. Therefore, Brett must run the environment variableGIT_MULTIMAIL_CHECK_SETUPwith a non-empty value to ensure the tool is set up appropriately.

========

Git hooks must have executable permissions to run automatically during Git operations such as commits. The standard way to make a file executable on Unix-like systems is by using the chmod command with the +x flag. In Elizabeth’s setup, the pre-commit hook is located in the ~/.git-templates/hooks/ directory, so the correct command is chmod a+x ~/.git-templates/hooks/pre-commit. The a+x option grants execute permission to all users, ensuring that the hook runs regardless of the user context. Options using +e are invalid because e is not a recognized permission flag. Ensuring that the hook is executable during the Code stage helps prevent accidental exposure of AWS credentials by enforcing security checks before commits are finalized.

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.

========

Cloning a GitHub repository requires the standard Git command git clone followed by the correct repository URL format. GitHub repositories are structured as https://github.com/USERNAME/REPOSITORY.git, where USERNAME represents the account or organization name and REPOSITORY represents the project name. Option B follows this exact structure. Options using github clone are invalid because github is not a Git CLI command. Options that reverse the order of USERNAME and REPOSITORY do not match GitHub’s repository structure and will fail. Cloning repositories during the Code stage allows DevSecOps engineers to run static analysis, dependency scanning, and other security checks locally without modifying the original repository, supporting secure and controlled analysis workflows.

========

When integrating security controls at the CDN edge with AWS CloudFront, the typical deployment model usesLambda@Edge, which allows code to execute at CloudFront edge locations on viewer request/response or origin request/response events. Deploying the tCell agent “as a CloudFormation stack” describes packaging the required AWS resources (IAM roles, functions, permissions, and CloudFront associations) into infrastructure-as-code, but the actual attachment point for CloudFront request/response processing is Lambda@Edge. Option C correctly reflects this: “plugging into CloudFront through Lambda@Edge.” Standard Lambda functions run in regional AWS environments and cannot directly run at CloudFront edge locations in the same way; therefore, “CloudFront through Lambda Function” is not the best match for edge enforcement needs like CSP handling and redirect protections. Options that claim “plugging into CloudFormation” misunderstand CloudFormation’s role: it deploys resources, but it is not the runtime integration point. Hence, CloudFront + Lambda@Edge is the correct deployment approach.

Burp Suite’sOut-of-band Application Security Testing (OAST)feature is designed to detect vulnerabilities that do not produce immediate or visible responses during standard scanning. OAST works by triggering interactions such as DNS or HTTP callbacks, which occur outside the normal request-response cycle. This capability enables detection of blind vulnerabilities like blind SQL injection and server-side request forgery. Because findings are based on confirmed external interactions, OAST significantly reduces false positives. The other options listed are not valid Burp Suite features. Integrating OAST during the Build and Test stage improves the accuracy of dynamic security testing and ensures deeper coverage of complex and hard-to-detect vulnerability classes before applications are released.

========

The command shown in the pre-build phase explicitly targets a script namedwss_agent.sh. The curl -LJO flags mean: -L follows redirects, -J honors the server-provided filename in the Content-Disposition header (when present), and -O writes output to a local file using the remote name. Since the requested path ends with wss_agent.sh, the downloaded file on the AWS CodeBuild server will be wss_agent.sh. This script is the WhiteSource (now commonly referred to as Mend in many environments) unified agent shell wrapper used to run SCA scans as part of a CI pipeline. Integrating SCA during the Build and Test stage helps detect vulnerable open-source dependencies and licensing/compliance issues early, when fixes are cheapest. The other filenames (ssw_agent.sh, cbs_agent.sh, aws_agent.sh) are distractors; they are not referenced by the provided command and would not be downloaded by that step.

========

Azure Container Instances (ACI) exposes container logs via the Azure CLI using the az container logs command. To retrieve logs, you must provide the resource group and the container group name using the long-form parameters --resource-group and --name. Option A matches the correct CLI structure and parameter format: az container logs --resource-group ACI --name aci-test-closh. Options B and D incorrectly use single-dash forms (-resource-group and -name), which are not valid for these long option names. Options C and D incorrectly use azure instead of az; the Azure CLI command group is invoked with az, not azure. Getting logs after deployment review is a critical Operate and Monitor activity: it helps confirm the container started correctly, diagnose runtime errors, and validate that runtime protection (such as a RASP/micro-agent) is functioning. This visibility supports faster incident response and helps ensure the containerized workload remains secure and stable in its runtime environment.

========

Ubuntu systems use the Advanced Package Tool (APT) for installing and managing software packages. The correct syntax for installing a package is sudo apt-get install . In this case, the OpenSSH server package required for secure remote access is named openssh-server, makingsudo apt-get install openssh-serverthe correct command. Options using apt.get are invalid because the command syntax is incorrect. Options that include the -s flag only simulate the installation process and do not actually install the package. Installing OpenSSH is often required when integrating Docker Bench with Jenkins, as it enables secure communication and remote execution of compliance checks. Performing this setup during the Build and Test stage ensures that container hosts comply with Docker CIS Benchmark recommendations, helping organizations identify misconfigurations and security weaknesses early in the pipeline.

========

Kubernetes clusters are managed and inspected using the kubectl command-line tool. To verify whether a Kubernetes cluster is functioning correctly, administrators commonly run kubectl version to confirm that both the client and server components are reachable and operational. This is followed by kubectl cluster-info, which displays information about the cluster’s control plane and core services. These commands together confirm API server availability, cluster connectivity, and basic health status. The other options list invalid command names such as kube, kubernetes, or kube-etcd, which are not used for standard cluster validation. Performing these checks during the Operate and Monitor stage helps quickly identify whether application issues stem from cluster-level problems or application-level misconfigurations. This supports faster troubleshooting and more reliable production operations.

========

Jenkins automatically assigns a unique identifier to each build using the environment variableBUILD_ID. When integrating OWASP ZAP with Jenkins, appending ${BUILD_ID} to output filenames or reports ensures that every scan result corresponds to a specific build execution. This avoids overwriting previous reports and allows traceability between build artifacts and security findings. Variables such as ${ZAPROXY_HOME} refer to installation paths, not build uniqueness, while ${Profile_ID} and ${zap_scan} are not standard Jenkins variables for uniquely identifying builds. Using ${BUILD_ID} supports better auditing, historical analysis, and correlation between detected vulnerabilities and the exact build in which they were found, which is critical during the Build and Test stage of a DevSecOps pipeline.

========

To complete Azure Key Vault integration with Jenkins, Kevin must createnew credentialsin Jenkins underGlobal Credentials (unrestricted). These credentials store the Azure client ID, client secret, tenant ID, and subscription details required by the Azure Key Vault plugin to authenticate securely. Modifying old credentials can lead to misconfiguration or credential reuse risks, while restricted credentials may prevent the plugin from accessing secrets across pipelines. Creating new unrestricted credentials ensures proper authentication and controlled access to secrets during the Code stage, supporting secure secret management across CI/CD workflows.

Bandit is a Static Application Security Testing (SAST) tool developed specifically for analyzingPython source code. It scans Python scripts and applications to identify common security issues such as use of weak cryptography, hardcoded passwords, unsafe use of functions like eval, and insecure imports. Bandit works by parsing Python Abstract Syntax Trees (ASTs) and applying a set of security-focused rules. It does not support Java, Ruby, or C++ code, which require different static analysis tools tailored to their respective languages. By integrating Bandit with Jenkins during the Build and Test stage, Allen enables automated detection of Python-specific security flaws as soon as code changes are introduced. This shift-left approach reduces remediation costs, prevents vulnerable code from progressing further in the pipeline, and improves overall application security posture.

========

If a pre-commit hook script does not explicitly detect sensitive information or return a non-zero exit code, Git will treat the hook execution as successful. In this scenario, although the hook was made executable, Beth still managed to commit sensitive information. This implies that the hook either did not contain logic to detect such data or did not fail the commit upon detection. As a result, the script exited with0, allowing the commit to proceed. Exit code 0 always signals success to Git, while non-zero exit codes block commits. This highlights the importance of properly implementing security checks within hooks, not just enabling them. Making a hook executable is necessary, but it must also include correct validation logic to enforce security policies during the Code stage.

========

To identify the version of a service running on a target system, Nmap uses the -sV option, which enables service version detection. The -sS flag specifies a TCP SYN scan, which is a common and efficient scanning method. Combining these two flags allows Nmap to discover open ports and accurately identify the service versions running on those ports, such as Jenkins. Options A and B reference invalid scan types (-sJ) and do not enable version detection. Option C includes the correct flags but places them in a less conventional order; however, the commonly accepted and documented usage is -sV -sS. Running this scan during the Operate and Monitor stage helps security teams understand exposed services and assess potential attack surfaces.

========

To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.

========

AWS CodeCommit is a fully managed, AWS-hosted source control service that allows teams to store and manage source code, binaries, and other digital assets securely in the cloud. It supports Git-based repositories and integrates seamlessly with other AWS DevOps services such as CodeBuild, CodePipeline, and CodeDeploy. CodePipeline orchestrates CI/CD workflows, CodeBuild performs build and test operations, and CodeDeploy automates application deployment—but none of these are version control systems. For organizations migrating from on-prem to AWS, CodeCommit provides fine-grained access control using IAM, encryption at rest and in transit, and high availability without the need to manage infrastructure. Using CodeCommit during the Code stage supports secure collaboration, version tracking, and centralized source control aligned with DevSecOps best practices.

========