Exam AZ-400 topic 1 question 4 discussion

Answer B is correct. However, the explanation is not! Static Code Analysis can be performed in the IDE, but that's not within the scope of the question... Static Code Analysis should be performed in the CI pipeline, so that vulnerabilities are not introduced in the main codebase. Penetration testing and Dynamic code analysis can only be performed over a live environment, and threat modeling is obviously wrong. That is why Static Code Analysis is the correct answer!

B. Static code analysis You can analyse your source code without executing it(during CI phase), detect security weaknesses before integrate your code to the main source code. Penetration testing, typically performed after CI/CD processes, identify vulnerabilities and assess the security, simultating real-attacks Dynamic code analysis, unlike Static code analysis this evaluates the app during runtime (not during CI) Threat modeling, identifies potential threats and vulnerabilities for the app

CI is where Static Code Analysis can be performed.

Static code analysis

Answer is B, static code analysis

The Answer is correct

B pdf page 55

Answer is B

https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-overview "With the Microsoft Security Code Analysis extension, teams can add security code analysis to their Azure DevOps continuous integration and delivery (CI/CD) pipelines" Answer is B

Correct, B, build pipeline static code analysis such as SonarQube.

ANSWER B: The Best Static Code Analysis Tools SonarQube. SonarQube sample debugging error message. ... Checkmarx SAST CxSAST. Checkmarx SAST projects scan. ... Synopsis Coverity. Synopsis Coverity sample dashboard. ... Micro Focus Fortify Static Code Analyzer. ... Veracode Static Analysis. ... Snyk Code. ... Reshift Security.