AZ-400 – Question 71

0
0
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You manage a project in Azure DevOps.
You need to prevent the configuration of the project from changing over time.

Q. 1 – Solution: Perform a Subscription Health scan when packages are created.
Does this meet the goal?

A. Yes
B. No

Correct Answer: B 

Instead implement Continuous Assurance for the project.
Note: The Subscription Security health check features in AzSK contains a set of scripts that examines a subscription and flags off security issues, misconfigurations or obsolete artifacts/settings which can put your subscription at higher risk.

Q. 2 – Solution: Add a code coverage step to the build pipelines.
Does this meet the goal?

A. Yes
B. No

Correct Answer: B 

Q. 3 – Solution: Implement Continuous Integration for the project.
Does this meet the goal?

A. Yes
B. No

Correct Answer: B 

Q. 3 – Solution: Implement Continuous Assurance for the project.
Does this meet the goal?

A. Yes
B. No

Correct Answer: A 

The basic idea behind Continuous Assurance (CA) is to setup the ability to check for “drift” from what is considered a secure snapshot of a system. Support for
Continuous Assurance lets us treat security truly as a ‘state’ as opposed to a ‘point in time’ achievement. This is particularly important in today’s context when
‘continuous change’ has become a norm.
There can be two types of drift:
✑ Drift involving ‘baseline’ configuration: This involves settings that have a fixed number of possible states (often pre-defined/statically determined ones). For instance, a SQL DB can have TDE encryption turned ON or OFFג€¦or a Storage Account may have auditing turned ON however the log retention period may be less than 365 days.
✑ Drift involving ‘stateful’ configuration: There are settings which cannot be constrained within a finite set of well-known states. For instance, the IP addresses configured to have access to a SQL DB can be any (arbitrary) set of IP addresses. In such scenarios, usually human judgment is initially required to determine whether a particular configuration should be considered ‘secure’ or not. However, once that is done, it is important to ensure that there is no “stateful drift” from the attested configuration. (E.g., if, in a troubleshooting session, someone adds the IP address of a developer machine to the list, the Continuous Assurance feature should be able to identify the drift and generate notifications/alerts or even trigger ‘auto-remediation’ depending on the severity of the change).
Reference:
https://azsk.azurewebsites.net/04-Continous-Assurance/Readme.html

LEAVE A REPLY

Please enter your comment!
Please enter your name here