SC-100 Certification Practice Question #44

Question

You have an Azure subscription that contains Azure App Service apps. The apps have the following characteristics:

•	The apps are deployed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.
•	The apps are deployed to a test environment first, and then to a production environment.
•	The source code for the apps is stored in Azure Repos.

You plan to implement DevSecOps controls based on the Microsoft Cloud Adoption Framework for Azure.

You need to recommend testing controls to meet the following requirements:

•	All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.
•	Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.

Which testing method should you recommend for each stage? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Accepted Answer

The two requirements map cleanly onto the two complementary testing types in MS Learn. "All source code must be tested for security vulnerabilities in Azure Repos before deploying" describes static analysis of code at rest — Static Application Security Testing (SAST). "Once deployed to the test environment, they must be tested for security vulnerabilities" describes testing a running application — Dynamic Application Security Testing (DAST). MS Learn explicitly contrasts the two: SAST analyzes source code that isn't executing, while DAST tests the application in an operating state after deployment. The lone Highly Voted comment (👍 6) matches this exactly, with no dissent in the thread. High confidence; only docked slightly because no official Suggested Answer is captured in the dump.

More SC-100 practice questions