(Peter Dinklage has been working as a senior DevSecOps engineer at SacramentSoft Solution Pvt. Ltd. He has deployed applications in docker containers. His team leader asked him to check the exposure of unnecessary ports. Which of the following commands should Peter use to check all the containers and the exposed ports?)
Answer(s): B
To inspect exposed ports for running Docker containers, the recommended approach is to first retrieve container IDs using docker ps --quiet and then pass them to docker inspect. The --format option allows selective output of container configuration details, including port mappings. The command docker ps --quiet | xargs docker inspect --format ': Ports=' correctly extracts port information for each container. Options that include the --all flag or incorrect formatting are not valid for this inspection use case. Checking exposed ports is an important activity in the Operate and Monitor stage because unnecessary open ports increase the attack surface and may violate container security best practices. Regular inspection helps ensure that only required ports are exposed, supporting secure runtime operations.
(Jason Wylie has been working as a DevSecOps engineer in an IT company located in Sacramento, California. He would like to use Jenkins for CI and Azure Pipelines for CD to deploy a Spring Boot app to an Azure Container Service (AKS) Kubernetes cluster. He created a namespace for deploying the Jenkins in AKS, and then deployed the Jenkins app to the Pod. Which of the following commands should Jason run to see the pods that have been spun up and running?)
Answer(s): C
Kubernetes uses namespaces to logically isolate resources such as pods, services, and deployments.When an application like Jenkins is deployed into a specific namespace, the correct way to view the pods running in that namespace is by using the -n (or --namespace) flag with the kubectl get pods command. The command kubectl get pods -n jenkins instructs Kubernetes to list all pods in the "jenkins" namespace. The other options use invalid or unrelated flags that are not supported for namespace selection. Verifying pod status during the Release and Deploy stage is essential to ensure that applications have been deployed successfully and are running as expected before exposing services or proceeding to monitoring. This step supports deployment validation and operational readiness in Kubernetes-based DevSecOps environments.
(Steven Smith has been working as a DevSecOps engineer in an IT company that develops software products related to the financial sector. His team leader asked him to integrate Conjur with Jenkins to secure the secret credentials. Therefore, Steven downloaded Conjur.hpi file and uploaded it in the Upload Plugin section of Jenkins. He declared host and layers, and declared the variables. Which of the following commands should Steven use to set the value of variables?)
Answer(s): A
In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualified policy path of the variable name, and the -v option specifies the secret value to be stored securely. This command writes the secret into Conjur's encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements--critical for financial-sector applications.
(Charles Drew has been working as a DevSecOps team leader in an IT company located in Nashville, Tennessee. He would like to look at the applications from an attacker's perspective and make security a part of the organizations' culture. Imagine, you are working under Charles as a DevSecOps engineer. Charles has asked you to install ThreatPlaybook, which is a unified DevSecOps Framework that allows you to go from iterative, collaborative threat modeling to application security testing orchestration. After installation, you must configure ThreatPlaybook CLI; therefore, you have created a directory for the project and then you go to the current directory where you would like to configure ThreatPlaybook. Which of the following commands will you use to configure ThreatPlaybook? (Here, < your-email > represents your email id; < host info > represents IP address; and < port > represents the nginx port.))
ThreatPlaybook CLI is configured using the ThreatPlaybook configure command, which initializes the CLI with the required connection and user details. The -e option is used to specify the user's email address, the -h option defines the host information such as IP address or hostname, and the -p option specifies the port number. This configuration enables the CLI to securely communicate with the ThreatPlaybook service for orchestrating threat modeling and application security testing workflows. Options that use playbook configure are incorrect because the executable name is explicitly ThreatPlaybook. Options using -u instead of -h do not correctly specify host information. Configuring ThreatPlaybook during the Plan stage helps teams adopt an attacker's mindset early, embedding security into the organization's culture and ensuring threats are identified and addressed before development and deployment activities begin.
(Brett Ryan has been working as a senior DevSecOps engineer in a multinational company that develops web applications. The team leader of the software development team requested Brett to detect insecure JavaScript libraries in the web application code. Brett would like to perform the vulnerability scanning on web application with grunt-retire. Which of the following commands would enable grunt plugin?)
In Grunt, plugins installed via npm must be explicitly loaded in the Gruntfile to make their tasks available. This is done using the grunt.loadNpmTasks() function, which instructs Grunt to load tasks provided by a specific plugin package. For the grunt-retire plugin, which scans JavaScript libraries for known vulnerabilities, the correct command is grunt.loadNpmTasks('grunt-retire');. Options that omit the dot notation or use the singular form loadNpmTask are syntactically incorrect and will prevent the plugin from loading. Enabling grunt-retire during the Code stage allows developers to identify insecure third-party JavaScript libraries early, supporting software composition analysis and reducing the risk of introducing vulnerable dependencies into the application.
(Jayson Smith is working as a DevSecOps engineer in an MNC company located in Tampa, Florida. The senior software developer of his company, Sandra Oliver, has uploaded an application in her GitHub repository that might contain security vulnerabilities and has provided the URL to the DevSecOps team. Jayson would like to analyze the application developed by Sandra to detect and mitigate the security issues in the application code; therefore, he would like to clone Sandra's GitHub repository to his computer. Which of the following commands should Jayson use to clone the repository of another user to his computer?)
Cloning a GitHub repository requires the standard Git command git clone followed by the correct repository URL format. GitHub repositories are structured as https://github.com/USERNAME/REPOSITORY.git, where USERNAME represents the account or organization name and REPOSITORY represents the project name. Option B follows this exact structure. Options using github clone are invalid because github is not a Git CLI command. Options that reverse the order of USERNAME and REPOSITORY do not match GitHub's repository structure and will fail. Cloning repositories during the Code stage allows DevSecOps engineers to run static analysis, dependency scanning, and other security checks locally without modifying the original repository, supporting secure and controlled analysis workflows.
(Patricia Cornwell has been working as a DevSecOps engineer in an IT company that provides custom software solutions. She would like to use GitMiner to mine the secret credentials such as usernames and passwords, API credentials, and other sensitive data from GitHub. Therefore, to start the scanning, she cloned the repo to the local machine by using the git clone http://github.com/UnkL4b/GitMiner command; then, she moved to the current directory using $ cd GitMiner command. Which of the following commands should Patricia use to install the dependencies?)
Answer(s): D
GitMiner is a Python-based tool, and like most Python projects, it manages its dependencies through a requirements file named requirements.txt. The correct way to install all dependencies listed in this file is by using the pip3 install -r requirements.txt command. The -r flag instructs pip to read package names and versions from the specified file and install them accordingly. The other flags shown in the options do not correspond to dependency installation from a requirements file and would result in command errors or unexpected behavior. Installing dependencies correctly is a prerequisite for running GitMiner successfully. During the Code stage, tools like GitMiner help identify hard-coded secrets and sensitive information early, reducing the risk of credential leakage and preventing security incidents later in the DevSecOps pipeline.
(Sandra Oliver joined SinClare Soft Pvt. Ltd. as a DevSecOps engineer in January of 2010. Her organization develops software and web applications related to the healthcare industry. Using IAST runtime security testing technology, she is detecting and diagnosing security issues in applications and APIs. The IAST solution used by Sandra encompasses a web scanner with an agent that works inside the server that hosts the application to provide additional analysis details such as the location of the vulnerability in the application code. Based on the given information, which of the following IAST solutions is Sandra using?)
Interactive Application Security Testing (IAST) solutions are classified based on how they interact with the application and runtime environment. In this scenario, the solution uses a web scanner to actively send requests to the application while also deploying an agent inside the application server to observe runtime behavior and map vulnerabilities directly to source code locations. This combined approach is known as semi-active IAST. It is considered "semi-active" because it actively drives traffic through the application using a scanner, while the agent passively observes execution paths, data flows, and method calls. Passive IAST solutions rely only on observing existing traffic and do not use scanners, while active IAST solutions do not typically rely on deep runtime agents in the same manner. Semi-active IAST significantly reduces false positives and provides precise remediation details, making it highly effective during the Build and Test stage, where applications are actively exercised and security issues can be identified and fixed before release.
Share your comments for EC-Council 312-97 exam with other users:
cosmos db is paas not saas
what is the percentage of common questions in gcp exam compared to 197 dump questions? are they 100% matching with real gcp exam?
not able to see questions
by far one of the best sites for free questions. i have pass 2 exams with the help of this website.
excellent question bank.
it really helped
excelent material
the new versoin of this exam which i downloaded has all the latest questions from the exam. i only saw 3 new questions in the exam which was not in this dump.
question 8 - can cloudtrail be used for storing jobs? based on aws - aws cloudtrail is used for governance, compliance and investigating api usage across all of our aws accounts. every action that is taken by a user or script is an api call so this is logged to [aws] cloudtrail. something seems incorrect here.
question 13 tda - c01 answer : quick table calculation -> percentage of total , compute using table down
pls share teh dump
question 44 answer is user risk
please post the questions for preparation
thanks for the questions
please reopen it now ..its really urgent
these practice exam questions were exactly what i needed. the variety of questions and the realistic exam-like environment they created helped me assess my strengths and weaknesses. i felt more confident and well-prepared on exam day, and i owe it to this exam dumps!
thank u it very instructuf
its helpful?
is this dump still valid???
question 205 answer is b
question 39, should be answer b, directions stated is being sudneted from /21 to a /23. a /23 has 512 ips so 510 hosts. and can make 4 subnets out of the /21
beautiful test engine software and very helpful. questions are same as in the real exam. i passed my paper.
the questions are exactly the same in real exam. just make sure not to answer all them correct or else they suspect you are cheating.
question: 78 the right answer i think is d not a
very helpful
i am writing this exam tomorrow and have dumps
can i have the icdl excel exam
please upload it
hye when will post again the past year question for this h13-311_v3 part since i have to for my test tommorow…thank you very much
on question 22, option b-once per session is also valid.
this website is very helpful
its my first time exam
correct answers are device configuration-enable the automatic installation of webview2 runtime. & policy management- prevent users from submitting feedback.
is this dump still valid? today is 9-july-2023
Keeping this site free takes real effort. We constantly battle automated scraping and unauthorized content copying. A quick account helps us protect the community and keep the site free.
To continue studying for your 312-97, please sign in or create a free account.