WGU University WGU-KEO1 Online Practice Questions and Exam Preparation

WGU University WGU-KEO1 Online Questions & Answers

• Question 101:

  What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?

  A. Load testing
  B. Input validation
  C. Intercept proxy
  D. Reverse engineering
  C. Intercept proxy

  ---

  An intercept proxy, also known as a proxy server, sits between a web client (such as a browser) and an external server to filter, monitor, or manipulate the requests and responses passing through it. This can be used for legitimate purposes, such as security testing and user privacy, but it can also be exploited by attackers to alter web traffic in a way that the developer did not intend, potentially leading to security vulnerabilities.

  Understanding of HTTP and HTTPS protocols.

  Definition and role of proxy servers3.

• Question 102:

  The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards. Which OpenSAMM business function is being assessed?

  A. Verification
  B. Construction
  C. Deployment
  D. Governance
  A. Verification

  ---

  The Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) is a framework designed to help organizations assess and improve their software security posture. SAMM is structured around five primary business functions: Governance, Design, Implementation, Verification, and Operations. In this scenario, the focus is on reviewing design artifacts to ensure compliance with organizational security standards. This activity aligns with the Verification business function within

  SAMM. The Verification function encompasses security practices related to assessing and validating the security of software artifacts throughout the development lifecycle. Key practices under this function include:

  Design Review: Evaluating design documents and models to identify potential security issues and ensure that security requirements are adequately addressed.

  Code Review: Analyzing source code to detect security vulnerabilities and ensure adherence to secure coding standards.

  Security Testing: Conducting various testing methodologies, such as penetration testing and vulnerability scanning, to identify and remediate security weaknesses in the software.

  By focusing on the Verification function, the organization aims to proactively identify and address security concerns during the design and development phases, thereby enhancing the overall security posture of their software products.

  References:

  OWASP SAMM - Verification

• Question 103:

  A project team is deciding how to deploy a new application across cloud infrastructure, mobile platforms, and web browsers. Which SDLC phase is primarily being performed?

  A. Requirements
  B. Design
  C. Implementation
  D. Maintenance
  B. Design

  ---

  The design phase focuses on defining system architecture, deployment models, and technology choices. Decisions about how components will be delivered across platforms occur before coding begins and are part of system design activities.

• Question 104:

  In which step of the PASTA threat modeling methodology is vulnerability and exploit analysis performed?

  A. Define technical scope
  B. Attack modeling
  C. Define objectives
  D. Application decomposition
  B. Attack modeling

  ---

  In the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, vulnerability and exploit analysis is performed during the.Attack modeling.step. This step involves identifying potential threats and vulnerabilities within the system and understanding how they could be exploited.

  Attack modeling.is a critical phase where the focus is on simulating attacks based on identified vulnerabilities. It allows for a deep understanding of the threats in the context of the application's architecture and system design.

  During this phase, security analysts use their knowledge of the system's technical scope and application decomposition to simulate how an attacker could exploit the system's vulnerabilities. This helps in prioritizing the risks and planning appropriate mitigation strategies. The goal of attack modeling is not just to identify vulnerabilities but also to understand the potential impact of exploits on the system and the business, which is essential for developing a robust security posture. The information provided is

  aligned with the PASTA methodology as described in resources such as VerSprite1.and the OWASP Foundation2. These sources detail the seven stages of PASTA, with attack modeling being a key component of the process.

• Question 105:

  Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?

  A. Input validation
  B. System configuration
  C. Authentication and password management D. Error handling and logging
  D

  ---

  Preventing the disclosure of sensitive information in application responses is primarily addressed by implementing proper Error Handling and Logging practices.

  When errors occur, applications may inadvertently reveal sensitive data through detailed error messages. To mitigate this risk, error handling mechanisms should be designed to provide generic error messages to end-users, while detailed error information is logged securely for internal review. This approach ensures that sensitive information, such as system configurations, stack traces, or personal data, is not exposed to unauthorized users.

  The OWASP Secure Coding Practices emphasize the importance of error handling and logging to prevent information leakage:

  "Ensure that error messages displayed to users do not reveal sensitive information that can be exploited by attackers."

  References:

  OWASP Secure Coding Practices - Quick Reference Guide

• Question 106:

  Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?

  A. Fuzz testing
  B. Dynamic code analysis
  C. Manual code review
  D. Static code analysis
  C. Manual code review

  ---

  Manual code review is a type of security analysis that requires a significant time investment from a highly skilled team member. This process involves a detailed and thorough examination of the source code to identify security vulnerabilities that automated tools might miss. It is labor-intensive because it relies on the expertise of the reviewer to understand the context, logic, and potential security implications of the code. Unlike automated methods like static or dynamic code analysis, manual code review demands a deep understanding of the codebase, which can be time-consuming and requires a high level of skill and experience. The information provided here is based on industry best practices and standards for secure software design and development, as well as my understanding of security analysis methodologies.

• Question 107:

  A tester analyzes a compiled application by interacting with its running interfaces and observing system behavior without access to source code. Which testing approach is being used?

  A. Static analysis
  B. Manual code review
  C. Dynamic analysis
  D. White box testing
  C. Dynamic analysis

  ---

  Dynamic analysis evaluates an application while it is running. The tester interacts with the executable and observes behavior such as crashes, exceptions, or unexpected responses. Unlike static analysis or manual code review, dynamic analysis does not require access to source code and focuses on runtime behavior.

• Question 108:

  Which category classifies identified threats that have defenses in place and do not expose the application to exploits?

  A. Threat Profile
  B. Fully Mitigated Threat
  C. Partially Mitigated Threat
  D. Unmitigated Threats
  B. Fully Mitigated Threat

• Question 109:

  The product team has been tasked with updating the user interface (UI). They will change the layout and also add restrictions to field lengths and what data will be accepted. Which secure coding practice is this?

  A. Input validation
  B. Access control
  C. Communication security
  D. Data protection
  A. Input validation

  ---

  Comprehensive and Detailed From Exact Extract:

  This is an example of Input validation, which involves ensuring all user inputs conform to expected formats, lengths, and content before processing. Restricting field lengths and validating accepted data types prevents injection attacks, buffer overflows, and improper data handling. Access control (B) restricts user permissions, communication security (C) protects data in transit, and data protection (D) focuses on confidentiality and integrity of stored data. OWASP Secure Coding Practices and Microsoft SDL

  emphasize rigorous input validation as a first line of defense against many vulnerabilities.

  References:

  OWASP Secure Coding Practices - Input Validation Microsoft SDL Secure Coding Guidelines NIST SP 800-53: Security and Privacy Controls for Information Systems

• Question 110:

  A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration. Which Scrum ceremony is the team participating in?

  A. Daily Scrum
  B. Sprint Planning
  C. Sprint Retrospective
  D. Sprint Review
  B. Sprint Planning