Question 17
Unclassified
From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?
Correct answer: B
Explanation
DevSecOps integrates security into the software delivery pipeline, so it focuses on development standards that address "integration, testing, and deployment issues" across the lifecycle. In a mature cloud program, this means security controls are built into development and operations rather than added after release.
Why each option is right or wrong
A. Process of security integration using automation in software development
B. Development standards for addressing integration, testing, and deployment issues
DevSecOps is the application of security controls within the software delivery lifecycle, aligning with the NIST SSDF in SP 800-218 and the continuous integration/continuous delivery model described in NIST SP 800-204A. In a mature cloud environment, the relevant focus is on development standards that govern how code is integrated, tested, and deployed so security is embedded before release, rather than treated as a separate post-production activity.
C. Operational framework that promotes software consistency through automation
D. Making software development simpler, faster, and easier using automation