CCNA Application Deployment and Security Questions

17 of 92 questions · Page 2/2 · Application Deployment and Security · Answers revealed

76
MCQ · hard

During a security audit of a microservices application deployed on Cisco Container Platform, the auditor discovers that some containers are running with privileged access. The development team argues that certain containers need to modify kernel parameters. Which security best practice should be recommended to minimize risk while allowing necessary kernel adjustments?

A. Set the container security context to add only the necessary Linux capabilities, e.g., CAP_SYS_ADMIN
B. Set the container to privileged: false and add the SYS_ADMIN capability only for containers that need it
C. Run the container as root user but remove the CAP_SYS_ADMIN capability
D. Drop all Linux capabilities and run the container as a non-root user
Answer: A

This grants only the required capabilities, reducing the attack surface compared to privileged mode.

Why this answer

Option A is correct because it applies least privilege: grant the one capability the workload needs instead of `privileged: true`, which hands the container every capability, the host's device nodes and a writable `/proc/sys`. In Kubernetes (the orchestrator under Cisco Container Platform) this is done in the container `securityContext`, ideally as `capabilities.drop: ['ALL']` followed by `capabilities.add` for the specific capability. Two caveats a practitioner should know: CAP_SYS_ADMIN is the broadest capability in the kernel, often called 'the new root', so adding it retains much of the risk of privileged mode; and the runtime still mounts `/proc/sys` read-only in a non-privileged container, so a sysctl write fails unless the container remounts it, which is precisely what SYS_ADMIN permits and precisely why it is dangerous. For kernel parameters specifically, Kubernetes has a dedicated mechanism: `securityContext.sysctls` at the pod level. Namespaced 'safe' sysctls such as `net.ipv4.ip_local_port_range` are allowed by default, other namespaced sysctls must be enabled per node with the kubelet flag `--allowed-unsafe-sysctls`, and non-namespaced (node-wide) kernel parameters belong in node configuration rather than in any container.

Exam trap

Cisco often tests the distinction between privileged mode and individual capabilities, where candidates mistakenly think setting `privileged: false` is required alongside capability addition, or that running as root is necessary for kernel modifications.

How to eliminate wrong answers

Option B describes the same mechanism as A with an explicit `privileged: false` (already the default) and is the distractor the key rejects as redundant; in a real manifest there is no harm in stating both. Option C is wrong because running as root while removing CAP_SYS_ADMIN leaves UID 0 without the capability the kernel checks for sysctl writes, so the team's requirement is not met. Option D is wrong for this question because dropping every capability and running as non-root blocks kernel parameter changes entirely; it is nonetheless the correct default for the majority of containers that never need them.

77
MCQ · medium

During a CI/CD pipeline, a security scan reveals that a Docker image contains a vulnerability in a base layer. Which action BEST addresses the issue?

A. Disable the security scanner to avoid false positives.
B. Rebuild the image using an updated base image from a trusted registry.
C. Implement run-time security monitoring to detect exploitation.
D. Add an exception to the vulnerability report.
Answer: B

Fixes the vulnerability by updating the base image.

Why this answer

Option B is correct because the vulnerability lives in a layer the application image inherits, and image layers are immutable once built, so nothing done inside a running container removes it. Rebuild from a base image that carries the fix, pulled from a registry you trust (an official image or your own curated registry), and pin the base by digest (`FROM image:tag@sha256:<digest>`) rather than a floating tag so the rebuild is reproducible and a later `latest` cannot silently reintroduce the flaw. Rescan the rebuilt image; if upstream has not shipped a fix yet, upgrade the affected package in your own layer or move to a smaller base (slim or distroless) that does not carry it.

Exam trap

Cisco often tests the distinction between detection/monitoring (options C and D) and actual remediation (option B), trapping candidates who think run-time monitoring or ignoring the report is sufficient to address a build-time vulnerability.

How to eliminate wrong answers

Option A is wrong because disabling the security scanner does not fix the vulnerability; it only hides the issue, violating security best practices and potentially leading to exploitation in production. Option C is wrong because run-time security monitoring (e.g., Falco) can detect exploitation attempts but does not remove the vulnerability from the image; a mandatory access control profile such as AppArmor confines rather than monitors, but likewise leaves the flaw in place, and either can be bypassed or misconfigured. Option D is wrong because adding an exception to the vulnerability report ignores the risk; it does not remediate the vulnerability and may violate compliance requirements (e.g., PCI DSS) that mandate patching known vulnerabilities.

78
MCQ · hard

A developer is writing a Kubernetes Deployment YAML and wants to set a CPU limit of 500 millicores. Which of the following is the correct YAML snippet?

A. spec: containers: - resources: limit: cpu: "500m"
B. spec: containers: - resources: requests: cpu: "500m"
C. spec: containers: - resources: limits: cpu: "500m"
D. spec: containers: - resources: limits: cpu: 500m
Answer: D

Correct key path: `resources.limits.cpu`; `500m` means 500 millicores, i.e. half a core.

Why this answer

Option D is correct because Kubernetes hard caps live under `resources.limits` (per container, not per pod), and CPU is written as a quantity: `500m` is 500 millicores, equal to `0.5`. The indentation matters: `limits:` is a child of `resources:`, and `cpu: 500m` sits under `limits:`. Two details the key glosses over: YAML does not parse `500m` as a number, so `cpu: 500m` and `cpu: "500m"` load as the same string and Kubernetes accepts both (the official documentation quotes it); and a limit with no matching request is legal, in which case the request defaults to the limit. From a security standpoint, limits are what keep a runaway or hijacked container from starving its neighbours: CPU over the limit is throttled, memory over the limit gets the container OOM-killed.

Exam trap

Cisco often tests the distinction between `limits` and `requests`, and the correct YAML indentation hierarchy, tricking candidates who confuse the two or misplace the `limits` key under `resources`.

How to eliminate wrong answers

Option A is wrong because `limit:` (singular) is not a field in the container spec; `kubectl apply` rejects it with an unknown-field validation error. Option B is wrong because it sets a `requests` value, which is the scheduler's guaranteed minimum, not a hard cap. Option C is marked wrong by the key on indentation: in the original exhibit `limits:` sits at the same level as `resources:` rather than beneath it. The flattened options on this page no longer show that indentation, and the remaining difference (quoting `"500m"`) is not an error, so judge the structure in the exhibit rather than the quotes.

79
Multi-Select · easy

A developer is writing a Python script to back up Cisco router configurations via SSH. Which two libraries are appropriate for this task? (Choose two.)

Select 2 answers
A. requests
B. netmiko
C. urllib
D. paramiko
E. flask
Answers: B, D

Netmiko simplifies SSH connections to network devices.

Why this answer

Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices, including Cisco routers. It provides high-level methods for sending commands and retrieving output, handling prompts, paging and enable mode, making it ideal for automating configuration backups via SSH. Paramiko is the underlying pure-Python SSHv2 implementation; it can do the job directly through `SSHClient` and `invoke_shell`, but you then handle prompts, `terminal length 0` and enable mode yourself, which is the work Netmiko's `cisco_ios` driver does for you. Either way, keep the credentials out of the script (environment, vault or an interactive prompt) and keep host-key checking on: Netmiko accepts unknown host keys by default unless `ssh_strict=True` is set.

Exam trap

Cisco often tests the distinction between HTTP-focused libraries (requests, urllib) and SSH-focused libraries (paramiko, netmiko), trapping candidates who mistakenly think 'requests' can handle any network protocol or that Flask's 'networking' capabilities extend to SSH.
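The backup described above, written out as an added example (it is not code from the original page). The backup routine only needs an object with a `send_command(str) -> str` method, so it runs here against a fake connection returning a constructed config; `main()` wires in Netmiko's real `ConnectHandler` (`pip install netmiko`). The lab address, the `NET_USER`/`NET_PASS` variables and the `backups` directory are assumptions, and the `ssh_strict`/`system_host_keys` parameters are the names Netmiko documents for host-key handling.

```python
"""Back up a Cisco IOS running-config over SSH and store it safely.

Added example, not code from the original page. The backup logic only needs
an object with send_command(str) -> str, so it can be exercised with the
fake connection below; main() wires in Netmiko's real ConnectHandler
(pip install netmiko). The device address, credential variables and output
directory are assumptions for the example.
"""
import datetime
import getpass
import hashlib
import os
import pathlib
import tempfile


def backup_running_config(conn, hostname, outdir):
    """Fetch 'show running-config' via conn and write it under outdir.

    Returns (path, sha256_hex). The file is created 0600 because a
    running-config carries enable secrets, SNMP communities and user hashes.
    """
    raw = conn.send_command("show running-config")
    if not raw.strip():
        raise RuntimeError(f"{hostname}: empty config returned")
    # Drop the volatile banner lines so an unchanged device yields the same
    # digest on every run, which makes change detection a string compare.
    keep = [ln for ln in raw.splitlines()
            if not ln.startswith(("Building configuration", "Current configuration"))]
    body = "\n".join(keep).strip() + "\n"
    digest = hashlib.sha256(body.encode()).hexdigest()
    outdir = pathlib.Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = outdir / f"{hostname}-{stamp}.cfg"
    # O_EXCL: never silently overwrite an earlier backup; 0o600: owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path, digest


class FakeConnection:
    """Stand-in for a Netmiko connection; returns a constructed sample config."""
    SAMPLE = ("Building configuration...\n\nCurrent configuration : 123 bytes\n"
              "!\nhostname R1\n!\nenable secret 9 $9$example\n!\nend\n")

    def send_command(self, command):
        assert command == "show running-config"
        return self.SAMPLE


def run_demo():
    """Back up the fake device into a temp dir; return what a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        path, digest = backup_running_config(FakeConnection(), "R1", tmp)
        body = path.read_text()
        return {"body": body,
                "digest_matches": digest == hashlib.sha256(body.encode()).hexdigest(),
                "mode": path.stat().st_mode & 0o777}


def main():
    from netmiko import ConnectHandler
    device = {
        "device_type": "cisco_ios",
        "host": "192.0.2.10",                       # assumed lab address
        "username": os.environ.get("NET_USER") or input("username: "),
        "password": os.environ.get("NET_PASS") or getpass.getpass(),
        "ssh_strict": True,        # reject unknown host keys (Netmiko's default accepts them)
        "system_host_keys": True,  # trust ~/.ssh/known_hosts
    }
    with ConnectHandler(**device) as conn:
        print(*backup_running_config(conn, "R1", "backups"))


if __name__ == "__main__":
    main()
```

Stripping the `Building configuration` / `Current configuration` banner is what makes the digest stable, so comparing two backups' digests is a free change-detection check; the 0600 mode and `O_EXCL` matter because the backup file contains everything an attacker needs to impersonate the device.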

80
Multi-Select · easy

Which THREE of the following are common security vulnerabilities listed in the OWASP Top 10? (Choose three.)

Select 3 answers
A. Cross-Site Scripting (XSS)
B. Broken Access Control
C. Multi-Factor Authentication
D. SQL Injection
E. DNS Cache Poisoning
Answers: A, B, D

All three are OWASP Top 10 categories: in the 2021 list Broken Access Control is A01, and XSS and SQL injection both fall under A03 (Injection).

Why this answer

Cross-Site Scripting (XSS) is a common security vulnerability in the OWASP Top 10 because it allows attackers to inject malicious scripts into web pages viewed by other users, typically through input fields that are not properly sanitized. This can lead to session hijacking, defacement, or redirection to malicious sites, exploiting the trust a user has in a legitimate application.

Exam trap

Cisco often tests whether candidates can distinguish between actual vulnerabilities (like XSS, Broken Access Control, SQL Injection) and security controls or network-layer attacks, leading them to mistakenly select Multi-Factor Authentication or DNS Cache Poisoning as OWASP Top 10 items.

81
Multi-Select · easy

Which TWO are valid methods to secure a REST API? (Choose two.)

Select 2 answers
A. Use HTTPS to encrypt data in transit.
B. Use HTTP with basic authentication.
C. Embed API keys in the URL query string.
D. Implement rate limiting to prevent abuse.
E. Implement OAuth 2.0 for token-based access control.
Answers: A, E

HTTPS encrypts the communication, preventing eavesdropping and tampering.

Why this answer

HTTPS (HTTP over TLS) encrypts the entire HTTP conversation, including headers and payload, using Transport Layer Security (TLS). This prevents eavesdropping, man-in-the-middle attacks, and tampering of data in transit. For a REST API, HTTPS is a fundamental security requirement to protect sensitive data and credentials from being exposed on the network.

Exam trap

Cisco often tests the distinction between controls that provide confidentiality and identity (HTTPS, and OAuth 2.0 bearer tokens with scopes and expiry) and the distractors: HTTP Basic over plaintext sends the credential base64-encoded in every request, and a key in the query string is written to web-server logs, proxy logs, browser history and Referer headers. Rate limiting is a genuine abuse control (question 84 counts it as one), but it neither authenticates callers nor protects data, so it is not one of the two this key wants.

82
MCQ · medium

In a CI/CD pipeline using Jenkins, which plugin is commonly used to integrate with Cisco Container Platform for deploying containers?

A. Docker Pipeline Plugin
B. Cisco Container Platform Plugin
C. Kubernetes CLI Plugin
D. SSH Plugin
Answer: B

The Cisco Container Platform Plugin is designed for CCP integration.

Why this answer

The Cisco Container Platform Plugin is the correct choice because it provides native integration between Jenkins and Cisco Container Platform (CCP), enabling automated deployment of containers directly to CCP clusters. This plugin handles authentication, cluster discovery, and deployment orchestration specific to CCP, which is built on Kubernetes but includes Cisco-specific extensions for policy and networking.

Exam trap

Cisco often tests the distinction between a generic Kubernetes plugin and a platform-specific plugin, so the trap here is that candidates assume any Kubernetes-related plugin (like Kubernetes CLI Plugin) works with Cisco Container Platform, ignoring the need for Cisco-specific API integration and authentication.

How to eliminate wrong answers

Option A (Docker Pipeline Plugin) is wrong because it only provides Docker commands (like build, push, run) within a pipeline; it does not integrate with Cisco Container Platform or manage deployments to CCP clusters. Option C (Kubernetes CLI Plugin) is wrong because it wraps kubectl commands for generic Kubernetes clusters and lacks the Cisco-specific API calls and authentication mechanisms required for CCP. Option D (SSH Plugin) is wrong because it only enables remote command execution over SSH, which is far too low-level for orchestrating container deployments and offers none of the platform's API integration.

83
Multi-Select · hard

Which THREE security measures should be implemented in a CI/CD pipeline to protect against supply chain attacks? (Choose three.)

Select 3 answers
A. Enable verbose logging for all build steps to detect anomalies.
B. Pin dependency versions to specific hashes.
C. Sign all build artifacts with a GPG key.
D. Verify checksums of downloaded dependencies.
E. Use a private registry for container images with vulnerability scanning.
Answers: B, D, E

Hash pinning, checksum verification and a scanned private registry all control what goes into the build.

Why this answer

Option B is correct because pinning each dependency to a cryptographic hash (npm's `integrity` field in package-lock.json, or pip's `--hash=sha256:<hex>` entries installed with `pip install --require-hashes -r requirements.txt`) means the installer refuses anything whose content differs from the recorded digest, even if an attacker republishes the same version number with different contents or compromises the registry. Option D is the same idea applied to anything fetched outside the package manager (installers, tarballs, binaries): compare the file's digest with a value obtained through a separate trusted channel, not one sitting next to the download. Option E keeps images from drifting to whatever `latest` resolves to on a public registry and catches known-vulnerable layers before they ship.

Exam trap

Cisco often tests the distinction between the three options that control what enters the build (B, D, E) and the two that do not: verbose logging (A) may help detect an anomaly after the fact but prevents nothing, and signing artifacts (C) protects the consumers of your output rather than the inputs to your build. Signing is still a real supply-chain control (it is what lets a deployment verify that an image came from this pipeline), so read the question as 'which three protect the pipeline's own inputs' rather than dismissing signing outright.
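Hash pinning in practice, as an added example that is not part of the original page: a parser for the pip `--hash` requirements format (the same idea as npm's `integrity` field) and a check of an artifact's digest against every pin for its name. The package names, hash values and artifact bytes are constructed for the example; a real requirements file would come from `pip-compile --generate-hashes` and the artifact from the package index.

```python
"""Verify downloaded dependencies against pinned hashes before a build uses them.

Added example, not part of the original page. It parses pip's --hash
requirements format and checks an artifact's digest against every pin.
Package names, hashes and artifact bytes are constructed for the demo.
"""
import hashlib
import re

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
_HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")


def parse_requirements(text):
    """Return {name: {"version": v, "hashes": {(algo, hex), ...}}}.

    Backslash continuation lines are joined first, which is how pip-compile
    lays the file out. A requirement without an exact version or without a
    --hash is rejected, mirroring what pip --require-hashes does.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {(h.group("algo"), h.group("hex").lower()) for h in _HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"{m.group('name')}: no --hash pin")
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins


def verify_artifact(name, data, pins):
    """True if data's digest matches one of the pinned hashes for name.

    Each pin is checked with its own algorithm, so a sha512 pin is honoured
    even when the rest of the file uses sha256.
    """
    entry = pins.get(name.lower())
    if entry is None:
        raise KeyError(f"{name} is not pinned")
    return any(hashlib.new(algo, data).hexdigest() == expected
               for algo, expected in entry["hashes"])


def run_demo():
    """Constructed artifacts: one matches its pin, one has been tampered with."""
    good = b"fake-wheel-bytes-for-demo"
    tampered = good + b"\x00backdoor"
    reqs = ("requests==2.31.0 \\\n"
            f"    --hash=sha256:{hashlib.sha256(good).hexdigest()} \\\n"
            "    --hash=sha512:" + "0" * 128 + "\n"
            "# generated by pip-compile --generate-hashes (constructed)\n"
            "urllib3==2.2.1 --hash=sha256:" + "f" * 64 + "\n")
    pins = parse_requirements(reqs)
    try:
        parse_requirements("flask>=2.0\n")   # a range, not a pin
        unpinned_rejected = False
    except ValueError:
        unpinned_rejected = True
    return {"pinned": sorted(pins),
            "requests_ok": verify_artifact("requests", good, pins),
            "tampered_ok": verify_artifact("requests", tampered, pins),
            "unpinned_rejected": unpinned_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The tampered artifact differs by a few appended bytes and still fails, which is the whole point: a version tag says nothing about content, the digest does. Note that the check also refuses a requirements line without a hash rather than skipping it, because a single unpinned entry is the gap an attacker needs.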

84
Multi-Select · easy

A developer is building a RESTful API with Python Flask. Which TWO are recommended security best practices for exposing the API over HTTPS?

Select 2 answers
A. Use HTTP Basic Authentication for simplicity.
B. Validate and sanitize all user input.
C. Enable CORS for all origins.
D. Store passwords in plaintext in the database.
E. Implement rate limiting to prevent abuse.
Answers: B, E

This prevents injection attacks like SQLi and XSS.

Why this answer

Option B is correct because validating all input server-side is the defence against injection (SQL, command, template, and XSS in anything the API reflects) that transport encryption does not provide: TLS delivers a malicious payload intact. Validate against an allow-list schema (marshmallow or pydantic enforce types, lengths and patterns; Flask-WTF does the same for forms), reject what does not match rather than 'stripping dangerous characters', and pair it with context-specific defences: parameterised queries for the database and output encoding for anything rendered as HTML. Option E is correct because rate limiting bounds credential stuffing, enumeration and resource-exhaustion attempts that are otherwise free to the attacker.

Exam trap

Cisco often tests the misconception that HTTPS alone makes an API secure, but the trap here is that encryption only protects data in transit, not the application logic—so candidates must remember that input validation and rate limiting are still required server-side defenses.
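The two controls from this question (and the rate limiting of question 81) as an added example that is not part of the original page: an allow-list validator and a per-client token bucket written as plain Python so they can be tested without a server, plus `create_app()` showing how they attach to a Flask route (`pip install flask`). The `/devices` route, its field names and the limits are assumptions for the example.

```python
"""Server-side input validation and rate limiting for a Flask REST API.

Added example, not from the original page. Both controls are plain Python
so they can be exercised without a server; create_app() shows the Flask
wiring. The /devices route, field names and limits are assumptions.
"""
import re
import time

HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
MGMT_IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
ALLOWED_ROLES = {"edge", "core", "access"}


def validate_device(payload):
    """Allow-list validation. Returns (clean_dict, errors).

    Unknown fields are rejected rather than silently dropped, values are
    type-checked before use, and nothing is 'sanitised' by stripping
    characters: a value either matches the allowed shape or it is refused.
    """
    if not isinstance(payload, dict):
        return None, ["body must be a JSON object"]
    errors = []
    unknown = set(payload) - {"hostname", "mgmt_ip", "role"}
    if unknown:
        errors.append(f"unknown fields: {sorted(unknown)}")
    hostname = payload.get("hostname")
    if not isinstance(hostname, str) or not HOSTNAME_RE.match(hostname):
        errors.append("hostname must be 1-63 chars of [a-z0-9-]")
    mgmt_ip = payload.get("mgmt_ip")
    if (not isinstance(mgmt_ip, str) or not MGMT_IP_RE.match(mgmt_ip)
            or any(int(o) > 255 for o in mgmt_ip.split("."))):
        errors.append("mgmt_ip must be a dotted-quad IPv4 address")
    role = payload.get("role", "access")
    if role not in ALLOWED_ROLES:
        errors.append(f"role must be one of {sorted(ALLOWED_ROLES)}")
    if errors:
        return None, errors
    return {"hostname": hostname, "mgmt_ip": mgmt_ip, "role": role}, []


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, burst up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._state = {}  # client -> (tokens, last_refill_time)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1, now)
        return True


def create_app():
    """Flask wiring; imported lazily so the controls above test without Flask."""
    from flask import Flask, abort, jsonify, request
    app = Flask(__name__)
    bucket = TokenBucket(rate=5, capacity=10)

    @app.post("/devices")
    def add_device():
        # Key the bucket on the authenticated client in production; the remote
        # address is only trustworthy behind a proxy you control.
        if not bucket.allow(request.remote_addr):
            abort(429)
        clean, errors = validate_device(request.get_json(silent=True))
        if errors:
            return jsonify({"errors": errors}), 400
        return jsonify(clean), 201
    return app


def run_demo():
    """Drive both controls with a fake clock and constructed payloads."""
    t = [0.0]
    bucket = TokenBucket(rate=1.0, capacity=3, clock=lambda: t[0])
    burst = [bucket.allow("10.0.0.7") for _ in range(4)]   # 3 allowed, 4th refused
    t[0] += 2.0                                            # two seconds refill two tokens
    after_wait = bucket.allow("10.0.0.7")
    ok, _ = validate_device({"hostname": "sw1", "mgmt_ip": "10.1.1.1"})
    bad, bad_errors = validate_device({"hostname": "sw1; rm -rf /", "mgmt_ip": "300.1.1.1", "x": 1})
    return {"burst": burst, "after_wait": after_wait, "ok": ok, "bad": bad, "bad_errors": bad_errors}


if __name__ == "__main__":
    create_app().run()
```

The validator returns the cleaned dictionary rather than the raw payload, so downstream code never touches fields it did not ask for; the bucket is keyed per client and refills continuously, which lets legitimate bursts through while holding a scraper to the steady rate.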

85
Multi-Select · hard

A DevOps team is securing a CI/CD pipeline that deploys containerized applications to Kubernetes. Which THREE practices enhance security?

Select 3 answers
A. Implementing network policies to restrict pod communication.
B. Allowing containers to run with privileges.
C. Scanning container images for vulnerabilities before deployment.
D. Running containers as root.
E. Using Kubernetes Secrets for sensitive environment variables.
Answers: A, C, E

Limits lateral movement in the cluster.

Why this answer

Network policies in Kubernetes act as a firewall for pods: a policy selects pods by label and lists the ingress and egress it permits, by pod selector, namespace or IP block. They are enforced by the CNI plugin (not every CNI supports them) and are additive, so a pod is wide open until some policy selects it. The starting point is therefore a namespace-wide default-deny policy, after which each required flow is allowed explicitly. That is what limits lateral movement from a compromised container and why option A is correct. Option C stops known-vulnerable images reaching the cluster at all, and option E keeps credentials out of image layers and manifests (with the caveat that Secrets are base64-encoded, not encrypted, unless encryption at rest and tight RBAC are configured).

Exam trap

Cisco often tests the misconception that 'containers are inherently isolated'—candidates may think privileges or root access are safe because containers are 'lightweight VMs,' but in reality, they share the host kernel, making privilege escalation a critical risk.

86
MCQ · easy

Which of the following is a best practice for securing API keys in a CI/CD pipeline?

A. Share via email
B. Hardcode in Dockerfile
C. Store them in source code
D. Use environment variables in build configuration
Answer: D

Inject the key from the pipeline's secret store as an environment variable at build time; the other three options write it somewhere it persists and can be read.

Why this answer

Option D is correct because, of the four, only an environment variable populated from the CI system's secret store (Jenkins credentials, GitLab CI masked variables, GitHub Actions secrets, or a vault the job reads at run time) keeps the key out of source control, image layers and mailboxes, and allows rotation without a code change. Treat it as a floor rather than a ceiling: the value still leaks if a build step prints the environment, if it is passed with `docker build --build-arg` (which records it in the image history; BuildKit's `--secret` mount exists for exactly this reason), or if the CI system does not mask it in logs.

Exam trap

Cisco often tests whether candidates recognise that environment variables are the best of the listed options but not a complete answer: they can still surface in build logs and artifacts, so a dedicated secrets manager with masking, short-lived credentials and rotation is the stronger control. Do not let that nuance push you toward a plainly insecure option.

How to eliminate wrong answers

Option A is wrong because email leaves plaintext copies of the key in mailboxes, backups and forwarded threads, with no way to revoke what has already been read. Option B is wrong because hardcoding API keys in a Dockerfile embeds them in the image layers, where anyone who can pull the image reads them with `docker history` or by inspecting the filesystem. Option C is wrong because storing keys in source code commits them to version control, exposing them to everyone with repository access and, for public or leaked repositories, to the automated secret scanners attackers run.

87
MCQ · hard

Refer to the exhibit. A developer is building a Docker image for a Node.js application. The Dockerfile contains:

```dockerfile
FROM node:14
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
CMD ["node", "app.js"]
```

When building, the error shown occurs. What is the most likely cause?

A. The Dockerfile should use the root user for running npm install.
B. The npm install command should be run with the --unsafe-perm flag.
C. The base image node:14 is outdated and contains a bug.
D. The application is running as a non-root user (e.g., node) that lacks write permission to the working directory.
Answer: D

The official node images create an unprivileged `node` user but start as root; if the build switches to `USER node` before `npm install` while `/usr/src/app` was created by root, npm cannot write there and fails with EACCES. Fix ownership (`COPY --chown=node:node`, or `chown` the directory before the `USER` switch) rather than escalating.

Why this answer

The error text is in the exhibit, which this page does not reproduce. Note that the Dockerfile as printed has no `USER` instruction, so it builds as root and would not produce this error on its own; the key assumes the build runs `npm install` as the unprivileged `node` user (UID 1000, created by the official image for exactly this purpose), either from a `USER node` line in the exhibit or from a base image that already switched. `WORKDIR /usr/src/app` is created by root with mode 755, so the `node` user cannot create `node_modules` or write `package-lock.json`, and npm exits with `EACCES: permission denied`.

Option D correctly identifies this user/permission mismatch.

Exam trap

Cisco often tests the misconception that npm install always requires root privileges, when in fact the official Node.js image provides a non-root user so that images can drop root, and the fix is to adjust directory ownership, not to escalate privileges.

How to eliminate wrong answers

Option A is wrong because it proposes a workaround rather than the cause, and running as root is the anti-pattern the `node` user exists to avoid; building as root and then forgetting to hand the files to the runtime user is how this mismatch usually arises. Option B is wrong because `--unsafe-perm` only affects how npm runs lifecycle scripts when it is already root (it stops npm dropping to `nobody`); it cannot give a non-root user write access to a root-owned directory. Option C is wrong because the `node:14` image is not buggy in this respect; the permission model is deliberate. Node.js 14 is past end-of-life, which is a reason to move to a supported tag, not the cause of this error.

88
Drag & Drop · medium

Drag and drop the steps to set up a basic DHCP server on a Cisco router into the correct order.


Why this order

DHCP configuration on a Cisco router follows a fixed sequence: first reserve the addresses that must not be leased (`ip dhcp excluded-address`), then create the pool (`ip dhcp pool NAME`), define the subnet it serves (`network`), and finally set the client options such as `default-router`, `dns-server` and `lease`. Excluding addresses before the pool matters because the server starts handing out leases as soon as the pool has a network.

89
MCQ · easy

A Python script uses the Cisco Meraki API to list networks in an organization. The API returns HTTP 403 Forbidden. What is the most likely cause?

A. The request was sent over HTTP instead of HTTPS.
B. The network ID specified is incorrect.
C. The API key is invalid or missing.
D. The organization ID was omitted from the request.
Answer: C

Meraki rejects the request on the API key: a missing or wrong key is answered 401, a valid key whose user has no access to the organization is answered 403, so either way the credential is the first thing to check.

Why this answer

HTTP 403 Forbidden means the server understood the request and refuses to act on it. With the Meraki Dashboard API the key identifies a dashboard user and is sent as `Authorization: Bearer <key>` (or the older `X-Cisco-Meraki-API-Key` header). Meraki documents 401 for a key that is missing or incorrect and 403 when the key is accepted but not permitted for that organization (API access not enabled for the organization, or the key's user is not an administrator there); a revoked key behaves like a missing one. Among the four options only C concerns the credential, so it is the intended answer. In practice, confirm the key from a fresh environment variable and check the organization's API-access setting before looking anywhere else.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (missing or invalid authentication credentials) and 403 Forbidden (authenticated but not authorized); the trap here is that candidates may confuse 403 with a missing parameter (like organization ID) or a wrong resource ID, but 403 specifically indicates the request was understood and the caller was refused.

How to eliminate wrong answers

Option A is wrong because using HTTP instead of HTTPS would typically result in a redirect (301/302) or a connection error, not a 403 Forbidden; the Meraki API enforces HTTPS at the transport layer, not as an authorization check. Option B is wrong because an incorrect network ID would cause a 404 Not Found or a 400 Bad Request, not a 403; the 403 is an authorization failure, not a resource identification issue. Option D is wrong because omitting the organization ID changes the request path, which yields a 404 (or a 400 for a malformed request), not a 403; the 403 points at the credential, not at a missing parameter.
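A small Meraki client, as an added example that is not part of the original page, showing where the key goes (a header over HTTPS, never the query string) and how each status code is turned into a specific error. It uses only the standard library; the HTTP transport is injected so the handling runs here against constructed responses. The organization ID, the `MERAKI_DASHBOARD_API_KEY` / `MERAKI_ORG_ID` variables and the response bodies are assumptions; the base URL is the documented `https://api.meraki.com/api/v1`.

```python
"""Call the Meraki Dashboard API and turn HTTP status codes into clear errors.

Added example, not from the original page. Standard library only; the HTTP
call is injected so the handling can be tested with constructed responses.
The org ID, key variable names and fake response bodies are assumptions.
"""
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

HINTS = {
    400: "bad request: check path parameters and JSON body",
    401: "API key missing or incorrect (check the Authorization header)",
    403: "key valid but not permitted for this organization (API access disabled or no admin role)",
    404: "resource not found: wrong organization or network ID",
    429: "rate limited: back off for the Retry-After period",
}


class MerakiError(Exception):
    def __init__(self, status, hint):
        super().__init__(f"HTTP {status}: {hint}")
        self.status = status


def urllib_fetch(url, headers):
    """Real transport: returns (status, body_text, response_headers)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode(), dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace"), dict(e.headers)


def list_networks(org_id, api_key, fetch=urllib_fetch):
    """GET /organizations/{org_id}/networks and return the parsed JSON list."""
    if not BASE_URL.startswith("https://"):
        raise ValueError("refusing to send an API key over plaintext HTTP")
    # The key travels in a header, never in the query string, so it does not
    # land in proxy logs, browser history or Referer headers.
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    status, body, _ = fetch(f"{BASE_URL}/organizations/{org_id}/networks", headers)
    if status == 200:
        return json.loads(body)
    raise MerakiError(status, HINTS.get(status, body[:200]))


def run_demo():
    """Constructed responses: a valid key, a bad key, and a key without org access."""
    def fake(url, headers):
        assert "api_key" not in url and headers["Authorization"].startswith("Bearer ")
        key = headers["Authorization"].split()[1]
        if key == "good":
            return 200, json.dumps([{"id": "N_1", "name": "HQ"}]), {}
        if key == "stranger":
            return 403, '{"errors":["You do not have access to this organization"]}', {}
        return 401, '{"errors":["Invalid API key"]}', {}

    results = {"ok": [n["name"] for n in list_networks("123", "good", fetch=fake)]}
    for key in ("bogus", "stranger"):
        try:
            list_networks("123", key, fetch=fake)
        except MerakiError as e:
            results[key] = e.status
    return results


if __name__ == "__main__":
    key = os.environ["MERAKI_DASHBOARD_API_KEY"]   # never hard-code the key
    print(list_networks(os.environ["MERAKI_ORG_ID"], key))
```

Mapping 401 and 403 to different messages is what saves the debugging time the question is about: a 401 says 'fix the key', a 403 says 'the key is fine, fix the organization's API access or the user's role'.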

90
Multi-Select · easy

Which TWO are valid methods to secure a Docker container?

Select 2 answers
A. Use read-only filesystem
B. Expose all ports
C. Set resource limits
D. Run containers as root
E. Disable network isolation
Answers: A, C

Read-only filesystem prevents container from modifying files.

Why this answer

Option A is correct because starting the container with `docker run --read-only` mounts its root filesystem read-only, so a process that gains code execution cannot drop a binary, edit a config file or alter logs inside the image; paths that legitimately need writes (`/tmp`, a cache directory) get an explicit `--tmpfs` or volume instead. Option C is correct because `--memory`, `--cpus` and `--pids-limit` keep one container from exhausting the host, whether through a bug or a deliberate fork bomb. Both are part of treating containers as immutable infrastructure.

Exam trap

Cisco often tests the misconception that 'running as root inside a container is safe because the container is isolated,' but the trap here is that root inside a container is the same UID 0 on the host if the container is not run with a user namespace remapping or `--user` flag, making it a direct privilege escalation vector.
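The controls from questions 76, 85 and 90 (privileged mode, capabilities, root, read-only root filesystem, resource limits, inline secrets, sysctls) as one added example that is not part of the original page or of any Cisco product: an audit over a Pod spec held as the plain dictionary that `json.load()` or `yaml.safe_load()` returns from a manifest. The two sample pods are constructed, the finding codes are this script's own names, and `cpu_millicores()` also shows the quantity parsing behind question 78.

```python
"""Audit a Kubernetes Pod spec for the container-hardening controls in
questions 76, 85 and 90.

Added example, not part of the original page or any Cisco product. A manifest
is handled as the dict that json.load() or yaml.safe_load() returns; the two
sample pods are constructed and the finding codes are this script's own.
"""
import re

NEAR_ROOT_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_OVERRIDE"}
# Namespaced sysctls Kubernetes allows without kubelet --allowed-unsafe-sysctls.
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
                "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
                "net.ipv4.ip_unprivileged_port_start"}
CPU_RE = re.compile(r"^(\d+(?:\.\d+)?)(m?)$")
SECRET_NAME_RE = re.compile(r"(?i)(password|secret|token|api_?key)")


def cpu_millicores(value):
    """'500m' -> 500, '0.5' -> 500, 2 -> 2000. Quoted or not, YAML yields a string."""
    m = CPU_RE.match(str(value))
    if not m:
        raise ValueError(f"bad CPU quantity {value!r}")
    num, suffix = m.groups()
    return int(round(float(num) * (1 if suffix else 1000)))


def audit_pod(pod):
    """Return (container, code, detail) findings for every container in the pod."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append((name, "PRIVILEGED", "all capabilities, host devices and writable /proc/sys"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "PRIV_ESC", "set allowPrivilegeEscalation: false (blocks setuid/file caps)"))
        broad = set(caps.get("add", [])) & NEAR_ROOT_CAPS
        if broad:
            findings.append((name, "BROAD_CAP", f"adds {sorted(broad)}; prefer securityContext.sysctls or a narrower cap"))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "NO_DROP_ALL", "start from capabilities.drop: [ALL], then add back"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (not non_root and uid is None):
            findings.append((name, "ROOT_USER", "set runAsNonRoot: true and a non-zero runAsUser"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "WRITABLE_ROOTFS", "set readOnlyRootFilesystem: true; mount emptyDir for scratch"))
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append((name, "NO_LIMITS", "cpu and memory limits cap a runaway or hijacked container"))
        else:
            cpu_millicores(limits["cpu"])  # raises on a malformed quantity
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append((name, "INLINE_SECRET", f"{env['name']} is a literal; use valueFrom.secretKeyRef"))
    for s in pod_sc.get("sysctls", []):
        if s.get("name") not in SAFE_SYSCTLS:
            findings.append(("pod", "UNSAFE_SYSCTL", f"{s.get('name')} needs kubelet --allowed-unsafe-sysctls"))
    return findings


RISKY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "tuner"}, "spec": {
    "containers": [{"name": "app", "image": "example.internal/app:1.0",
                    "securityContext": {"privileged": True},
                    "env": [{"name": "API_KEY", "value": "hunter2"}]}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "tuner"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "sysctls": [{"name": "net.ipv4.ip_local_port_range", "value": "10000 65000"}]},
    "containers": [{"name": "app", "image": "example.internal/app:1.0",
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
                    "env": [{"name": "API_KEY",
                             "valueFrom": {"secretKeyRef": {"name": "app", "key": "api-key"}}}]}]}}


def run_demo():
    return {"risky": [code for _, code, _ in audit_pod(RISKY_POD)],
            "hardened": [code for _, code, _ in audit_pod(HARDENED_POD)]}


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "clean")
```

The hardened pod is the shape the three questions describe: no privileged flag, capabilities dropped to nothing and one added back, a non-root UID, a read-only root filesystem, limits on both resources, the credential read from a Secret, and the kernel parameter set through `sysctls` rather than through a capability. The same checks can be run in CI against every manifest before `kubectl apply`.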

91
MCQ · easy

A company wants to implement a zero-trust model for API access between microservices. What is the most effective way to authenticate service-to-service communication?

A. Rely on network segmentation with firewalls.
B. Use a shared secret that all services know.
C. Issue short-lived TLS certificates for each service.
D. Use long-lived API keys.
Answer: C

Provides strong identity verification with mTLS.

Why this answer

Option C is correct because mutual TLS with short-lived, per-service certificates gives each service a verifiable identity (a certificate issued by an internal CA that the peers trust) and limits the damage of a leaked key to the certificate's remaining lifetime, with rotation automated rather than remembered. Option A is wrong because network segmentation says where a packet came from, not which service sent it; zero trust treats network location as untrusted. Option B is wrong because a secret known to every service authenticates nothing in particular and cannot be revoked for one service without re-keying all of them. Option D is wrong because long-lived API keys are bearer credentials that stay valid until someone rotates them, the opposite of short-lived identity.
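What 'short-lived certificate per service' checks look like in code, as an added example that is not part of the original page: `make_context()` builds a Python `ssl` context that presents our certificate and requires a peer certificate from a private CA, and `check_peer()` applies the zero-trust rule on top of the TLS handshake, requiring that the peer's certificate name an allowed service identity and that its lifetime fit the rotation window. The SPIFFE-style URI identities and the 24-hour policy are assumptions; the certificate dictionaries in `run_demo()` are constructed in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Enforce service identity and short lifetimes for mutual TLS between services.

Added example, not from the original page. The SPIFFE-style URI SANs, the
24-hour lifetime policy and the certificate dicts are assumptions; the
dicts mimic what ssl.SSLSocket.getpeercert() returns.
"""
import ssl

MAX_LIFETIME_SECONDS = 24 * 3600   # anything longer has outlived the rotation window


def make_context(server_side, cafile, certfile, keyfile):
    """TLS 1.2+ context that presents our cert and demands and verifies the peer's."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)   # trust only the private CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED    # both directions: no certificate, no connection
    # A client context keeps check_hostname=True; with URI-only SANs you would
    # set it False and rely on check_peer() below for identity instead.
    return ctx


def peer_identities(cert):
    """URI SANs from a getpeercert() dict (the service identity, not a hostname)."""
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "URI"}


def check_peer(cert, allowed_ids, now):
    """Return (ok, reason). `now` is epoch seconds, passed in for testability.

    The handshake already proved the peer holds a key the CA vouched for; this
    adds the authorisation decision (which service?) and the lifetime policy.
    """
    if not cert:
        return False, "no peer certificate"
    ids = peer_identities(cert)
    if not ids & set(allowed_ids):
        return False, f"peer identity {sorted(ids)} not in allow-list"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now < not_after):
        return False, "certificate not currently valid"
    if not_after - not_before > MAX_LIFETIME_SECONDS:
        return False, "certificate lifetime exceeds rotation policy"
    return True, "ok"


def run_demo():
    """Constructed peer certificates: a fresh one, a year-long one, and an imposter."""
    def cert(uri, not_before, not_after):
        return {"subject": ((("commonName", "svc"),),),
                "subjectAltName": (("URI", uri),),
                "notBefore": not_before, "notAfter": not_after}

    orders = "spiffe://example.internal/ns/prod/sa/orders"
    now = ssl.cert_time_to_seconds("Jun  1 12:00:00 2025 GMT")
    fresh = cert(orders, "Jun  1 11:00:00 2025 GMT", "Jun  2 11:00:00 2025 GMT")
    yearlong = cert(orders, "Jan  1 00:00:00 2025 GMT", "Jan  1 00:00:00 2026 GMT")
    imposter = cert("spiffe://example.internal/ns/dev/sa/debug",
                    "Jun  1 11:00:00 2025 GMT", "Jun  2 11:00:00 2025 GMT")
    allowed = {orders}
    return {"fresh": check_peer(fresh, allowed, now),
            "yearlong": check_peer(yearlong, allowed, now),
            "imposter": check_peer(imposter, allowed, now),
            "none": check_peer(None, allowed, now)}


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label}: {'accept' if ok else 'reject'} ({reason})")
```

The year-long certificate is rejected even though it is valid and correctly signed; that is the policy the question is about. A leaked key for the fresh certificate is useful to an attacker for at most a day, and the allow-list means that a valid certificate for the wrong service still gets nothing.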

92
MCQ · medium

Refer to the exhibit. A developer from subnet 10.10.10.0/24 cannot reach the RESTCONF API on the IOS-XE device. What is the most likely cause?

A. HTTPS is not enabled on the device.
B. The HTTP server is not enabled.
C. Authentication is not configured as local.
D. The 10.10.10.0/24 subnet is not permitted by the access-class.
Answer: D

In the exhibit (not reproduced here), access-list 23, applied with `ip http access-class`, permits only 192.168.1.0/24, so every other subnet is refused before RESTCONF sees the request.

Why this answer

The `ip http access-class` command restricts which source addresses may connect to the IOS-XE HTTP/HTTPS server, and that server is the listener RESTCONF runs behind. Since the developer is on 10.10.10.0/24, which is not in access-list 23's permit statement, TCP connections from that subnet are rejected before any authentication or RESTCONF processing happens; the developer sees a connection failure rather than an HTTP status code. This is the most direct cause of the connectivity failure.

Exam trap

Cisco often tests the distinction between HTTP/HTTPS server enablement and access-class filtering, trapping candidates who assume RESTCONF needs the plaintext HTTP server or that authentication is the root cause when a subnet is blocked at the listener.

How to eliminate wrong answers

Option A is wrong because RESTCONF on IOS-XE requires `ip http secure-server` (the HTTPS listener on port 443) together with the `restconf` command; if HTTPS were disabled nobody could reach the API, and the exhibit does not show it disabled. Option B is wrong because `ip http server` is the plaintext port-80 listener; RESTCONF does not use it, so its state does not affect RESTCONF access. Option C is wrong because `ip http authentication local` (or an AAA method using RADIUS or TACACS+) only decides how credentials are checked; a wrong authentication setup produces an HTTP 401 from a reachable device, not a blocked connection.
