WGU University WGU-KEO1 Online Practice Questions and Exam Preparation

WGU University WGU-KEO1 Online Questions & Answers

• Question 61:

  The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services. Which security testing technique is being used?

  A. Fuzz testing
  B. Dynamic code analysis
  C. Binary fault injection
  D. Binary code analysis
  A. Fuzz testing

  ---

  Fuzz testing is the ideal technique in this scenario. Here's why:

  Focus on Integrations:.The scenario emphasizes testing links between the software, databases, web servers, and web services. Fuzz testing is specifically designed to find vulnerabilities in how software handles data and communication between components.

  Pre-release Testing:.The product being close to release indicates a critical need to identify security flaws before public deployment. Fuzz testing is effective in uncovering unexpected behavior and potential vulnerabilities.

  Fuzz Testing Targets:.Fuzz testing works by injecting invalid or unexpected data into interfaces (like those between databases, web components, etc.) to observe how the software reacts. This helps expose potential security gaps and weaknesses.

• Question 62:

  Which secure coding best practice says to use well-vetted algorithms to ensure that the application uses random identifiers, that identifiers are appropriately restricted to the application, and that user processes are fully terminated on logout?

  A. Output Encoding
  B. Input Validation
  C. Access Control
  D. Session Management
  D. Session Management

• Question 63:

  What is an advantage of using the Agile development methodology?

  A. Customer satisfaction is improved through rapid and continuous delivery of useful software.
  B. Each stage is clearly defined, making it easier to assign clear roles to teams and departments who feed into the project.
  C. The overall plan fits very neatly into a Gantt chart so a project manager can easily view the project timeline.
  D. There is much less predictability throughout the project regarding deliverables.
  A. Customer satisfaction is improved through rapid and continuous delivery of useful software.

• Question 64:

  The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP OpenSAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards. Which OpenSAMM business function is being assessed?

  A. Construction
  B. Deployment
  C. Verification
  D. Governance
  C. Verification

  ---

  The OpenSAMM business function being assessed is Verification. This function involves activities related to reviewing and testing to ensure that the software meets the required security standards and practices. In the context of the question, the software security group's focus on reviewing design artifacts to ensure compliance with organizational security standards falls under the Verification function. This includes tasks such as design review, implementation review, and security testing, which are all aimed at verifying that the security measures and controls are correctly integrated into the software design.

  References: The information is verified as per the OWASP SAMM documentation, which outlines the Verification function as a core business function that encompasses activities like design review, which is directly related to the assessment of design artifacts mentioned in the question.

• Question 65:

  The software security team prepared a report of necessary coding and architecture changes identified during the security assessment. Which design and development deliverable did the team prepare?

  A. Updated threat modeling artifacts
  B. Security test plans
  C. Privacy implementation assessment results
  D. Design security review
  A. Updated threat modeling artifacts

  ---

  In the context of software security, a threat model is a structured representation that identifies potential threats to the system, evaluates their severity, and guides the development of mitigation strategies. When a security assessment reveals vulnerabilities or areas of concern, it's imperative to update the threat modeling artifacts to reflect these findings. This ensures that the threat model remains an accurate and current representation of the system's security posture. By updating the threat modeling artifacts,

  the team documents the identified threats and outlines necessary coding and architectural changes to mitigate these threats. This proactive approach allows for the integration of security considerations early in the design and development phases, reducing the likelihood of vulnerabilities in the deployed system. This practice aligns with the Design business function of the OWASP Software Assurance Maturity Model (SAMM), which emphasizes the importance of incorporating security into the software design

  process. Within this function, the Threat Assessment practice focuses on identifying and evaluating potential threats to inform security requirements and design decisions. Updating threat modeling artifacts is a key activity within this practice, ensuring that security assessments directly influence the system's design and architecture.

  References:

  OWASP SAMM: Design - Threat Assessment

• Question 66:

  A development team is beginning work on a new internal web application that will process employee payroll data. Before any code is written, the security team is asked to identify potential attack vectors and sensitive assets. Which activity is MOST appropriate at this stage of the secure software development lifecycle (SDLC)?

  A. Dynamic security testing
  B. Threat modeling
  C. Penetration testing
  D. Incident response planning
  B. Threat modeling

  ---

  Threat modeling is performed early in the SDLC, typically during the planning or design phase. Its purpose is to identify sensitive assets, possible attack vectors, and potential threats before implementation begins. By understanding where risks may exist, the development team can design appropriate security controls into the application from the start. Dynamic testing and penetration testing occur later, after code exists, while incident response planning is not focused on identifying design-time threats.

• Question 67:

  During penetration testing, an analyst was able to create hundreds of user accounts by executing a script that sent individual requests to the registration endpoint. How should the organization remediate this vulnerability?

  A. Use a Tool Like CAPTCHA to Prevent Batched Registrations and Bots
  B. Enforce Strong Password Complexity Standards
  C. Enforce Idle Time-Outs on Session IDs
  D. Ensure All Data Is Encrypted in Transit
  A. Use a Tool Like CAPTCHA to Prevent Batched Registrations and Bots

• Question 68:

  Which secure coding best practice says to only use tested and approved components and use task-specific, built-in APIs to conduct operating system functions?

  A. Session Management
  B. Authentication and Password Management
  C. Data Protection
  D. General Coding Practices
  D. General Coding Practices

• Question 69:

  Which security assessment deliverable defines measures that can be periodically reported to management?

  A. Metrics Template
  B. SDL Project Outline
  C. Threat Profile
  D. Product Risk Profile
  A. Metrics Template

• Question 70:

  A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?

  A. Access control
  B. Data protection
  C. Input validation
  D. Authentication
  A. Access control

  ---

  The secure coding practice being described is.Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control

  who has access to what data and under what circumstances, which is the essence of access control.

  :

  ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud1.

  NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)2.

  ISO/IEC 29151:2017, Code of practice for personally identifiable information protection3.