WGU University WGU-KEO1 Online Practice Questions and Exam Preparation

WGU University WGU-KEO1 Online Questions & Answers

• Question 51:

  An attacker attempts to overwhelm an API by sending thousands of requests per second from a single client. Which mitigation technique is MOST effective against this threat?

  A. Encryption
  B. Authentication
  C. Throttling
  D. Auditing
  C. Throttling

  ---

  Throttling limits the number of requests a client can make within a defined time window. This control helps protect system availability by preventing resource exhaustion caused by denial-of-service attacks.

• Question 52:

  Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?

  A. Security test execution report
  B. Security testing reports
  C. Privacy compliance report
  D. Remediation report
  B. Security testing reports

  ---

  Security testing reports are the deliverables that typically contain detailed results of the security evaluations performed. These reports include the types of tests conducted, such as static and dynamic analysis, penetration testing, and code reviews, as well as the number and types of vulnerabilities discovered. The purpose of these reports is to document the security posture of the software at the time of testing and to provide a basis for remediation efforts. The information aligns with best practices in secure software development, which emphasize the importance of documenting security requirements and conducting risk analysis during the design phase to identify and mitigate vulnerabilities early in the SDLC.

• Question 53:

  A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET. POST. PUT, and DELETE requests. How should existing security controls be adjusted to prevent this in the future?

  A. Property configure acceptable API requests
  B. Enforce role-based authorization
  C. Use API keys to enforce authorization of every request
  D. Ensure audit logs are in place for sensitive transactions
  A. Property configure acceptable API requests

  ---

  The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests

  using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.

  References:

  OWASP's guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application.

  Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors.

  The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests.

• Question 54:

  While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not logout of the application. A different QA analyst accessed the application an hour later and was not prompted to login. They then noticed the previous analyst was still logged into the application. How should existing security controls be adjusted to prevent this in the future?

  A. Ensure no sensitive information is stored in plain text in cookies
  B. Ensure user sessions timeout after short intervals
  C. Ensure role-based access control is enforced for access to all resources
  D. Ensure strong password policies are enforced
  B. Ensure user sessions timeout after short intervals

  ---

  The issue described involves a session management vulnerability where the user's session remains active even after the browser window is closed, allowing another user on the same machine to access the application without logging in. To prevent this security risk, it's essential to adjust the session management controls to include an automatic timeout feature. This means that after a period of inactivity, or when the browser window is closed, the session should automatically expire, requiring a new login to

  access the application. This adjustment ensures that even if a user forgets to log out, their session won't remain active indefinitely, reducing the risk of unauthorized access.

  Secure SDLC practices emphasize the importance of security at every stage of the software development life cycle, including the implementation of proper session management controls.

  Best practices for access control in security highlight the significance of managing session timeouts to prevent unauthorized access.

  Industry standards and guidelines often recommend session timeouts as a critical security control to protect against unauthorized access.

• Question 55:

  What are the three primary goals of the secure software development process?

  A. Performance, reliability, and maintainability
  B. Cost, speed to market, and profitability
  C. Redundancy, scalability, and portability
  D. Confidentiality, integrity, and availability
  D. Confidentiality, integrity, and availability

  ---

  .The three primary goals of the secure software development process, often referred to as the CIA triad, are.confidentiality,.integrity, and.availability. These principles form the cornerstone of security considerations in the software development life cycle (SDLC).

  Confidentiality.ensures that sensitive information is accessed only by authorized individuals and systems. This involves implementing access controls and encryption to protect data from unauthorized access.

  Integrity.refers to maintaining the accuracy and consistency of data across its lifecycle. This means that the data is not altered or tampered with by unauthorized entities. Techniques like checksums and digital signatures help ensure data integrity.

  Availability.ensures that information and resources are accessible to authorized users when needed. This involves creating resilient systems that can withstand attacks and recover quickly from any disruptions.

  By integrating these security goals into each phase of the SDLC, from planning and design to development, testing, and maintenance, organizations can create more secure software systems that are resilient to cyber threats. The information provided here is verified as per the Secure Software Design documents and best practices in the field, as outlined by sources such as Snyk, GeeksforGeeks, and SAFECode.

• Question 56:

  Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?

  A. Personal information retention requirements
  B. User controls requirements
  C. Third party requirements
  D. Data integrity requirements
  C. Third party requirements

  ---

  The privacy impact statement requirement that defines how personal information will be protected when authorized or independent external entities are involved is best categorized under.Third party requirements. This aspect of privacy impact assessments ensures that personal data is safeguarded even when it is necessary to involve third parties, which could be service providers, partners, or other entities that might handle personal information on behalf of the primary organization. These requirements typically include stipulations for data handling agreements, security measures, and compliance checks to ensure that third parties maintain the confidentiality and integrity of the personal information they process. Guide to undertaking privacy impact assessments | OAIC1 A guide to Privacy Impact Assessments - Information and Privacy2 Personal Information Protection Law of China: Key Compliance Considerations3 Privacy Impact Assessment - General Data Protection Regulation (GDPR)4 Privacy impact assessment (PIA) - TechTarget5

• Question 57:

  What are the eight phases of the software development lifecycle (SDLC)?

  A. Planning, security analysis, requirement analysis, design, implementation, threat mitigation, testing, maintenance
  B. Planning, requirements, design, implementation, testing, deployment, maintenance, end of life
  C. Plan, gather requirements, identify attack surface, design, write code, perform code reviews, test, deploy
  D. Gather requirements, prototype, perform threat modeling, write code, test, user acceptance testing, deploy, maintain
  B. Planning, requirements, design, implementation, testing, deployment, maintenance, end of life

• Question 58:

  What is the last slop of the SDLOSDL code review process?

  A. Review for security issues unique to the architecture
  B. Identify security code review objectives
  C. Perform preliminary scan
  D. Review code for security issues
  D. Review code for security issues

  ---

  The last step of the SDLC code review process is to review the code for security issues. This involves a detailed examination of the code to identify any potential security vulnerabilities that could be exploited. It's a critical phase where the focus is on ensuring that the code adheres to security best practices and does not contain any flaws that could compromise the security of the application or system. The process typically includes manual inspection as well as automated tools to scan for common security

  issues. The goal is to ensure that the software is as secure as possible before it is deployed.

  References: Mastering the Code Review Process,.Understanding the SDLC,.How Code Reviews Improve Software Quality in SDLC - LinkedIn.

• Question 59:

  A security team evaluates how user data moves from a web form through business logic and into a database during a manual review. Which manual code review technique is being applied?

  A. Control flow analysis
  B. Data flow analysis
  C. Threat analysis
  D. Risk assessment
  B. Data flow analysis

  ---

  Data flow analysis traces how data enters the system, how it is processed, and where it is stored or output. This technique helps identify vulnerabilities related to improper validation, insecure storage, or unintended data exposure.

• Question 60:

  Which DREAD category is based on how easily a threat exploit can be found?

  A. Damage Potential
  B. Affected Users
  C. Discoverability
  D. Reproducibility
  C. Discoverability