Question 20 - Microsoft Cybersecurity SC-100 Real Exam Questions [Jan 2026 Update]

Q: 20

HOTSPOT You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure. During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point

Your Answer

Correct Answer:

Explanation

https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-100/page_112_img_2.jpg

Threat modeling is a security activity performed early in the SDLC to identify and mitigate design-level threats, making the Plan and develop stage the most precise fit. Dynamic application security testing (DAST) involves testing the application while it is running (usually in a test/staging environment), which logically occurs after the build is complete but before deployment, placing it in the Build and test phase. Actionable intelligence refers to the continuous collection and use of real-time security data from the production environment (telemetry, logs) to inform and enhance defenses, which is the definition of a security task in the Operate or monitoring phase of the pipeline.

References

Microsoft. Cloud Adoption Framework for Azure: Secure DevOps (Section: Security activities in the CI/CD pipeline). Retrieved October 2025. (Specifically details Threat Modeling during the 'Plan' phase and DAST during the 'Test' phase).

Microsoft. Azure Security Center documentation: Actionable security recommendations. Retrieved October 2025. (Relates "actionable intelligence" to continuous monitoring and operational security in the post-deployment phase).

OWASP. Software Assurance Maturity Model (SAMM): Design Phase - Threat Modeling. V2.0, Section 3.1. (Threat modeling is defined as a design activity, supporting 'Plan and develop').

Howard, M., & Lipner, S. The Security Development Lifecycle. Microsoft Press, 2006. (Conceptual basis for integrating security into development, where design analysis (Threat Modeling) precedes implementation, and testing (DAST) precedes release).

IEEE Xplore. R. V. K. T. Rajan and M. D. R. Reddy, "Integrating security testing in DevOps with CI/CD pipeline," 2021 International Conference on Advances in Computing and Communications (ICACC), Kochi, India, 2021, pp. 1-6. DOI: 10.1109/ICACC54084.2021.9670067. (Discusses DAST execution after the build stage within the CI/CD test phase, supporting 'Build and test').

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE