Certificate of Cloud Auditing Knowledge (CCAK) — Question 35
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?
Answer options
- A. Verify the inclusion of security gates in the pipeline.
- B. Conduct an architectural assessment.
- C. Review the CI/CD pipeline audit logs.
- D. Verify separation of development and production pipelines.
Correct answer: B
Explanation
An architectural assessment gives the auditor a comprehensive understanding of the DevOps pipeline's structure and helps identify potential security vulnerabilities. Verifying security gates, reviewing audit logs, and checking the separation of development and production pipelines are all important, but they are more effective once the overall architecture is understood. Starting with the architecture lays the foundation for these more detailed evaluations.