Exam AZ-400 topic 4 question 49 discussion

Static code Static code Penetration https://docs.microsoft.com/en-us/azure/devops/migrate/security-validation-cicd-pipeline?view=azure-devops#ide--pull-request

The officially sanctioned practice test for this exam on measureup.com has this question. The answers are Pull Request: Static code analysis CI: package vulnerability CD: Pentest That means that Microsoft recognizes those as the correct answers. If the newest version of the test says package vulnerability instead of threat modeling, choose it.

maybe this could be the explanation of examtopics Threat modeling is typically conducted during the design and planning phases of software development to identify potential security threats and vulnerabilities in a system. While it's not common to perform threat modeling directly within a pull request (PR) itself, the findings from threat modeling activities can certainly inform the development process, including code reviews and pull requests.

According with this documentation I think is static code static code penetration https://learn.microsoft.com/en-us/training/modules/static-analyzers/4-manage-technical-debt-sonarcloud-azure-devops https://www.imperva.com/learn/application-security/penetration-testing/

According with this documentation I think is static code static code penetration https://learn.microsoft.com/en-us/training/modules/static-analyzers/4-manage-technical-debt-sonarcloud-azure-devops

Pull Request: Static code analysis Continuous Integration: Threat modelling Continuous Delivery: Penetration testing

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#static-application-security-testing https://learn.microsoft.com/en-us/azure/devops/pipelines/security/overview?view=azure-devops#ide--pull-request Seems that Box1 should be static code. The other 2 answer options seem to be correct.

Threat modeling is recommended to be done in design & planning stage. according to OWASP some refined measures can also be done in other stages. CI CD should only have automated tools, PR is possible, but if ask a recommendation, it should be done before PR. so it should be Static code Static code Penetration

1. Static code analysis 2. Static code analysis 3. Penetration testing https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls#static-application-security-testing But a team must start somewhere when implementing static code scanning practices. One way is to introduce static code analysis inside of continuous integration. This method verifies security as soon as code changes happen. One example is SonarCloud. It wraps multiple static application security testing (SAST) tools for different languages. SonarCloud assesses and tracks technical debt with a focus on maintainability. It looks at code quality and style and has security-specific checkers. But there are many other commercial and open-source tools available in the market.

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls The given answer is correct. Pull requests are standard in the development process. Part of the pull request process is peer reviews that often reveal undiscovered defects, bugs, or issues related to human mistakes. It's good practice to have a security champion or knowledgeable security teammate who can guide the developer during the peer review process before creating a pull request. Secure coding practice guidelines help developers learn essential secure coding principles and how they should be applied. There are secure coding practices available, such as OWASP secure coding practices to incorporate with general coding practices.

Did a course on Cloud Guru Answer is as follows Pull request ---> static code analysis Continuous Integration ---> static code analysis Continuous delivery ---> Penetration testing

Thread modelling Static code analysis Penetration testing

Given answers are correct. https://www.synopsys.com/blogs/software-security/threat-modeling-sdlc/#:~:text=While%20threat%20modeling%20should%20take,modeling%20within%20the%20support%20cycle. https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-overview

Static Static Pen test

Selected during exam. Static code analysis Static code analysis Penetration testing

Static code Threat modeling Penetration

Threat modeling: - It is usually a manual process and done as part of PR review Static code- During the build phase using tools like sonarqube Penetration:- once code is build and ready for deployment we check if the that it is free from web attacks