The DevSec Hardening Framework is commonly implemented using Chef , and it is executed locally using the chef-solo command. The -c flag specifies the configuration file (solo.rb), and the -j flag specifies the JSON attributes file (solo.json). Option A correctly uses both required parameters in the proper format. The other options incorrectly swap or misuse flags that are not supported by Chef-solo. Running this command applies secure configurations, compliance controls, and cryptographic standards to the target system. Executing DevSec Hardening Framework during the Operate and Monitor stage ensures that systems remain secure, compliant, and resilient against misconfiguration-based attacks.

========

In Conjur secret management, variables are first declared in policy files and then populated with actual secret values using the Conjur CLI. The correct command to assign a value to a variable is conjur variable set, where the -i option specifies the fully qualified policy path of the variable name , and the -v option specifies the secret value to be stored securely. This command writes the secret into Conjur’s encrypted vault and associates it with the declared variable so that Jenkins jobs can retrieve it securely at runtime. The other options misuse flags or reverse their meanings, which would result in invalid commands or incorrect secret handling. Integrating Conjur with Jenkins during the Build and Test stage ensures that sensitive credentials such as passwords, API keys, and tokens are never hard-coded in pipeline scripts or source code. Instead, secrets are dynamically fetched when required, supporting least-privilege access, auditability, and compliance requirements—critical for financial-sector applications.

========

GitLab CI/CD pipelines are defined using a configuration file named gitlab-ci.yml , which must be placed in the root directory of the repository. This file controls pipeline stages, jobs, and template inclusions. To integrate Checkmarx SCA using a predefined template, the template reference must be included in the root-level gitlab-ci.yml file so GitLab can load and execute the defined jobs automatically. The other filenames listed in the options are not recognized by GitLab as valid pipeline configuration files. Integrating SCA at the Code stage allows early detection of vulnerable open-source dependencies, reducing remediation cost and preventing insecure components from progressing further in the DevSecOps pipeline.

The git pull command is used to fetch changes from a remote repository and automatically merge them into the current local branch. In collaborative development environments, especially when multiple developers are committing code to a shared repository, regularly pulling updates is essential to stay synchronized and avoid merge conflicts. The syntax git pull < remote-name > < branch-name > correctly specifies the source of the updates. Commands such as git get and git grabs do not exist in Git, and git push performs the opposite action by sending local changes to the remote repository rather than retrieving updates. Using git pull during the Code stage supports continuous collaboration and ensures that developers integrate the latest changes securely and efficiently.

========

When configuring Burp Suite scans in Jenkins using an Execute shell build step, environment variables are often set or echoed so that subsequent scan steps can consume them. The echo command is used to output or define values in the shell context. In this case, echo BURP_SCAN_URL = http://target-website.com correctly defines the target URL for Burp Suite scanning. Commands like grep and cat are used for searching or displaying file contents and are not appropriate for setting scan parameters. The sudo command is unnecessary and incorrect in this context. Using the correct shell command ensures that Burp Suite receives the proper target information during the Build and Test stage, enabling accurate dynamic application security testing.

========

Interactive Application Security Testing (IAST) works by instrumenting the application at runtime, allowing it to observe both the source code execution paths and the HTTP requests and responses flowing through the application. Because of this dual visibility, IAST can analyze every executed line of code (similar to SAST) while also monitoring real-time application behavior (similar to DAST). This unique capability enables highly accurate vulnerability detection with fewer false positives. The other options do not correctly explain how IAST achieves this hybrid analysis. Access to both code and HTTP traffic is what allows IAST to bridge static and dynamic testing techniques, making it highly effective across development, QA, and production environments.

========

CloudMapper requires read-only access to AWS resources in order to collect metadata, visualize architectures, and perform security analysis without modifying infrastructure. The AWS-managed policy SecurityAudit provides permissions to view security-related configuration across services, while ViewOnlyAccess allows read-only access to AWS resources more broadly. Together, these policies enable CloudMapper to gather comprehensive information about the AWS environment without granting write privileges. The other options either reference invalid policy names, incorrect formatting, or excessive permissions such as AWSLambdaFullAccess, which are unnecessary and violate least-privilege principles. Granting SecurityAudit and ViewOnlyAccess aligns with secure auditing practices during the Operate and Monitor stage.

========