Skip to content

Exam example

This is an example of the types of questions you will find in the exam. In total there will be 10/15 questions. Some of them will be open-ended questions while others will require you to look at come code or pipelines and reason about them.

Analyze and reason about a CI/CD pipeline

stages:
  - build
  - test
  - package
  - security
  - deploy

variables:
  IMAGE_TAG: $CI_COMMIT_SHA
  IMAGE_NAME: registry.example.com/myapp:$CI_COMMIT_SHA

build_app:
  stage: build
  image: node:20
  script:
    - npm install
    - npm run build
  artifacts:
    paths:
      - dist/

unit_tests:
  stage: test
  image: node:20
  script:
    - npm install
    - npm test

build_docker_image:
  stage: package
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker build -t myapp:$IMAGE_TAG .
    - docker tag myapp:$IMAGE_TAG $IMAGE_NAME

scan_container_image:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy image $IMAGE_NAME

push_image:
  stage: deploy
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker push $IMAGE_NAME

deploy_kubernetes:
  stage: deploy
  image:
    name: bitnami/kubectl:latest
    entrypoint: [""]
  script:
    - kubectl apply -f deployment.yaml
  only:
    - main

Example Questions

  1. Analyze the CI/CD pipeline above and map each step to its corresponding phase in the software supply chain lifecycle. Justify your mapping.
  2. Identify the security controls you would introduce into this pipeline configuration, and explain the specific threats each control is designed to mitigate.
  3. Identify and analyze potential attack scenarios targeting this CI/CD pipeline. For each scenario, describe the attack vector, the potential impact, and propose appropriate mitigations.

Understand Kubernetes deployment misconfigurations

apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payment-api
  template:
    metadata:
      labels:
        app: payment-api
    spec:
      containers:
      - name: api
        image: company/payment-api:latest
        ports:
        - containerPort: 8080
        securityContext:
          privileged: true
        env:
        - name: DB_PASSWORD
          value: SuperSecretPassword123
        volumeMounts:
        - mountPath: /host
          name: host-volume
      volumes:
      - name: host-volume
        hostPath:
          path: /

Example questions

  1. Identify at least three security misconfigurations in the Kubernetes manifest above. For each one, explain its root cause, the security consequences it entails, and the recommended remediation.

Dockerfile Analysis

FROM ubuntu:22.04
RUN apt-get install -y nginx curl
WORKDIR /app
COPY requirements.txt .
RUN mkdir /data && chmod 777 /data
RUN rm requirements.txt
ENV APP_ENV=production

Example questions

  1. For each instruction in the Dockerfile above, indicate whether a new image layer is created and describe the filesystem changes it introduces.
  2. Identify any security or image hygiene issues in the current structure and propose improvements.

Open-Ended Questions

  • What are the conceptual and operational differences between Continuous Integration, Continuous Delivery, and Continuous Deployment?
  • What are the main architectural differences between Docker, Docker Compose, and Kubernetes? Under what circumstances would each be the most appropriate choice?
  • What is the MITRE ATT&CK framework, and how can it be applied to cloud-native and CI/CD environments?
  • Why are open-source ecosystems particularly challenging to secure from a supply chain perspective?
  • What is the role of a Software Bill of Materials (SBOM) in supply chain security, and what are its limitations?
  • What is the SLSA framework, what problems does it address, and how do its levels of assurance differ?