1. False. To securely create and deliver software, the whole process, and especially the pipeline, needs to be secured. Just adding security at the end will not work, as security has to be woven through all different steps of the delivery process.
2. The OWASP Zed Attack Proxy (ZAP) can be used for this type of testing.
3. True. In modern applications, up to 80% of the code can be from open source libraries or frameworks.
4. The correct answers are 1, 2, 4, and 6. There is no such thing as Azure DevOps Secure Variables or Azure DevOps Key Vault.
5. Azure Policy can be used to prohibit or list undesired Azure configurations, often relating to infrastructure provisioning or configuration. Azure Security Center can be used to identify and remediate runtime security risks.