Download Microsoft.AZ-400.Dump4Pass.2023-12-25.149q.vcex

Secure and Manage Open Source Software  Black Duck helps organizations identify and mitigate open source security, license compliance and code-quality risks across application and container portfolios.  Black Duck Hub and its plugin for Team Foundation Server (TFS) allows you to automatically find and fix open source security vulnerabilities during the build process, so you can proactively manage risk. The integration allows you to receive alerts and fail builds when any Black Duck Hub policy violations are met.    Note: There are several versions of this question in the exam. The question has two possible correct answers: Black Duck  WhiteSource Bolt    Other incorrect answer options you may see on the exam include the following: OWASP ZAP  PDM  SourceGear  SourceGear Vault    Reference: https://marketplace.visualstudio.com/items?itemName=black-duck-software.hub-tfs

Box 1: A Build task Trigger a build  You have a Java code provisioned by the Azure DevOps demo generator. You will use WhiteSource Bolt extension to check the vulnerable components present in this code.  1. Go to Builds section under Pipelines tab, select the build definition WhiteSourceBolt and click on Queue to trigger a build.  2. To view the build in progress status, click on ellipsis and select View build results.    Box 2: WhiteSource Bolt WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.    Reference: https://www.azuredevopslabs.com/labs/vstsextend/whitesource/ 

Box 1: Threat modeling - Threat modeling’s motto should be, “The earlier the better, but not too late and never ignore.”    Box 2: Static code analysis - Validation in the CI/CD begins before the developer commits his or her code. Static code analysis tools in the IDE provide the first line of defense to help ensure that security vulnerabilities are not introduced into the CI/CD process.    Box 3: Penetration testing - Once your code quality is verified, and the application is deployed to a lower environment like development or QA, the process should verify that there are not any security vulnerabilities in the running application. This can be accomplished by executing automated penetration test against the running application to scan it for vulnerabilities.    Reference: https://docs.microsoft.com/en-us/azure/devops/articles/security-validation-cicd-pipeline?view=vsts

The Azure Pipelines app uses the OAuth authentication protocol, and requires Third-party application access via OAuth for the organization to be enabled. To enable this setting, navigate to Organization Settings > Security > Policies, and set the Third-party application access via OAuth for the organization setting to On.    Reference: https://docs.microsoft.com/en-us/azure/devops/pipelines/integrations/microsoft-teams

Personal access tokens (PATs) give you access to Azure DevOps and Team Foundation Server (TFS), without using your username and password directly.    Reference: https://docs.microsoft.com/en-us/azure/devops/repos/git/auth-overview

Octopus Deploy is an automated deployment server that makes it easy to automate deployment of ASP.NET web applications, Java applications, NodeJS application and custom scripts to multiple environments.  Octopus can be installed on various platforms including Windows, Mac and Linux. It can also be integrated with most version control tools including VSTS and GIT.    When you deploy software to Windows servers, you need to install Tentacle, a lightweight agent service, on your Windows servers so they can communicate with the Octopus server.    When defining your deployment process, the most common step type will be a package step. This step deploys your packaged application onto one or more deployment targets.  When deploying a package you will need to select the machine role that the package will be deployed to.  Reference: https://octopus.com/docs/deployment-examples/package-deployments   https://explore.emtecinc.com/blog/octopus-for-automated-deployment-in-devops-models

Instead use Octopus Tentacle.    Reference: https://explore.emtecinc.com/blog/octopus-for-automated-deployment-in-devops-models

Instead use Octopus Tentacle.    Reference: https://explore.emtecinc.com/blog/octopus-for-automated-deployment-in-devops-models

B: Jenkins requires a plug-in to connect to TFS and check for updates to a project. Jenkins’ built-in Git Plugin or Team Foundation Server Plugin can poll a Team Services repository every few minutes and queue a job when changes are detected.    C: Use Azure DevOps/ Visual Studio Team Services to create a Personal access token. D: After you have generated credentials using Visual Studio Team Services, you need to use those credentials in Jenkins.   Reference:   http://www.aisoftwarellc.com/blog/post/how-to-setup-automated-builds-using-jenkins-and-visual-studio-team-foundation-server/2044

Use Publish Code Coverage Results task in a build pipeline to publish code coverage results to Azure Pipelines or TFS, which were produced by a build in  Cobertura or JaCoCo format.    Incorrect Answers: A: Bullseye Coverage is used for C++ code, and not for Java.   Note: There are several versions of this question in the exam. The question has two possible correct answers: Cobertura  JaCoCo    Other incorrect answer options you may see on the exam include the following: Coverlet  NUnit  Coverage.py    Reference: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-code-coverage-results