WGU University WGU-KEO1 Online Practice Questions and Exam Preparation

WGU University WGU-KEO1 Online Questions & Answers

• Question 71:

  Which design and development deliverable contains the types of evaluations that were performed, how many times they were performed, and how many times they were re-evaluated?

  A. Privacy compliance report
  B. Remediation report
  C. Security testing reports
  D. Security test execution report
  C. Security testing reports

  ---

  Security testing reports are the most likely deliverables to contain detailed records of evaluations, their frequency, and re-evaluations. Here's why:

  Purpose of Security Testing Reports:.These reports document the results of security testing, including: Types of tests:.Vulnerability scans, penetration tests, code reviews, etc. Frequency:.How.often tests were conducted (e.g., per build, per release cycle). Re-evaluations:.If vulnerabilities were discovered, these reports will track whether and how often those were retested after remediation.

  Focus on Testing:.The question specifically emphasizes evaluations, which aligns with the core content of security testing reports.

• Question 72:

  Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?

  A. Input Validation
  B. Memory Management
  C. Session Management
  D. Data Protection
  B. Memory Management

• Question 73:

  Which type of security analysis is performed using automated software tools while an application is running and is most commonly executed during the testing phase of the SDLC?

  A. Dynamic analysis
  B. Manual code review
  C. Static analysis
  D. Fuzz testing
  A. Dynamic analysis

  ---

  Dynamic analysis is a security testing method that involves analyzing the behavior of software while it is running or in execution. It is most commonly executed during the testing phase of the Software Development Life Cycle (SDLC). This type of analysis is used to detect issues that might not be visible in the code's static state, such as runtime errors and memory leaks. Automated tools are employed to perform dynamic analysis, which can simulate attacks on the application and identify vulnerabilities that could be exploited by malicious actors. The information provided here is verified by multiple sources that discuss security automation in the SDLC and the role of dynamic analysis during the testing phase.

• Question 74:

  What is one of the tour core values of the agile manifesto?

  A. Communication between team members
  B. Individuals and interactions over processes and tools
  C. Business people and developers must work together daily throughout the project.
  D. Teams should have a dedicated and open workspace.
  B. Individuals and interactions over processes and tools

  ---

  One of the four core values of the Agile Manifesto is prioritizing "individuals and interactions over processes and tools." This value emphasizes the importance of the human element in software development, advocating for direct communication, collaboration, and the flexibility to adapt to change over strict adherence to rigid processes or reliance on specific tools. It recognizes that while processes and tools are important, they should serve the team and the individuals within it, rather than the other way around.

  References: The Agile Manifesto itself, along with various interpretations and guides such as those provided by Smartsheet1.and LogRocket2, support this value as one of the central tenets of Agile methodologies. These resources offer insights into how this value, along with the other three, guide the Agile approach to efficient and effective software development.

• Question 75:

  Which software development model starts by specifying and implementing just a part of the software, which is then reviewed and identifies further requirements that are implemented by repeating the cycle?

  A. Iterative
  B. Implementation
  C. Waterfall
  D. Code and fix
  A. Iterative

  ---

  Comprehensive and Detailed From Exact Extract:

  The Iterative software development model fits this description. It involves specifying and implementing a portion of the software, reviewing it, gathering feedback, and refining or adding requirements in successive cycles. This approach supports evolving requirements and continuous improvement. Iterative models contrast with Waterfall (C), which is linear and sequential, with no repetition of phases. "Code and fix" (D) is an informal, ad hoc process lacking formal review cycles. Implementation (B) is a phase,

  not a model. The iterative approach is advocated in ISO/IEC 12207 and NIST guidelines for secure development, as it allows early detection and remediation of security issues by incremental design and testing.

  References:

  ISO/IEC 12207 Software Lifecycle Processes NIST SP 800-64 Revision 2: Security Considerations in SDLC Microsoft SDL Documentation

• Question 76:

  Which threat modeling step collects exploitable weaknesses within the product?

  A. Analyze the target
  B. Rate threats
  C. Identify and document threats
  D. Set the scope
  C. Identify and document threats

  ---

  The step in threat modeling that involves collecting exploitable weaknesses within the product is.Identify and document threats. This step is crucial as it directly addresses the identification of potential security issues that could be exploited. It involves a detailed examination of the system to uncover vulnerabilities that could be targeted by threats. The OWASP Foundation's Threat Modeling Process outlines a structured approach where identifying and documenting threats is a key step1.Additionally, various sources on threat modeling agree that the identification of threats is a fundamental aspect of the process, as it allows for the subsequent analysis and mitigation of these threats.

• Question 77:

  The product development team is preparing for the production deployment of recent feature enhancements. One morning, they noticed the amount of test data grew exponentially overnight. Most fields were filled with random characters, but some structured query language was discovered. Which type of security development lifecycle (SDL) tool was likely being used?

  A. Dynamic analysis
  B. Fuzzing
  C. Threat model
  D. Static analysis
  B. Fuzzing

  ---

  The scenario described indicates that the system was subjected to inputs containing random data and some structured query language (SQL) statements, leading to an exponential increase in test data. This behavior is characteristic of fuzzing, a testing technique used to identify vulnerabilities by inputting a wide range of random or unexpected data into the system. Fuzzing aims to discover coding errors and security loopholes by bombarding the application with malformed or unexpected inputs, observing

  how the system responds. The presence of random characters and SQL statements suggests that the fuzzing tool was testing for vulnerabilities such as SQL injection by injecting various payloads into the system. This approach is part of the Verification business function in the OWASP SAMM, specifically within the Security Testing practice. Security testing involves evaluating the software to identify vulnerabilities that could be exploited, and fuzzing is a common technique employed in this practice to ensure

  the robustness and security of the application.

  References:

  OWASP SAMM: Verification - Security Testing

• Question 78:

  Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's customer portal. The base score of the vulnerability was 9.9 and changed to 8.0 after adjusting temporal and environmental metrics. Which rating would CVSS assign this vulnerability?

  A. Medium severity
  B. Critical severity
  C. Low severity
  D. High severity
  D. High severity

  ---

  Comprehensive and Detailed From Exact Extract:

  CVSS scores are classified into severity levels based on numeric ranges. A base score of 9.9 falls within the Critical range (9.0?0.0), but after adjustment for temporal and environmental metrics, the score is 8.0, which falls into the High severity category (7.0?.9). Therefore, the final rating assigned is High severity. Medium severity corresponds to scores between 4.0 and 6.9, and low severity is below 4.0. This scoring methodology is defined by the FIRST Common Vulnerability Scoring System v3.1

  Specification which guides how scores are adjusted to reflect real-world risk contexts.

  References:

  FIRST CVSS v3.1 Specification OWASP Vulnerability Severity Classification NIST National Vulnerability Database (NVD)

• Question 79:

  What is a best practice of secure coding?

  A. Planning
  B. Session management
  C. User acceptance testing
  D. Microservices
  B. Session management

  ---

  Session management is a core component of secure coding, which involves maintaining the state of a user's interaction with a system. Proper session management can help protect against various security vulnerabilities, such as session hijacking and session fixation attacks. It is essential for ensuring that user data is handled securely throughout an application's workflow.

  References: The OWASP Secure Coding Practices guide emphasizes the importance of implementing secure coding standards, which include robust session management1.Additionally, Snyk's secure coding practices highlight the significance of access control, including authentication and authorization, as fundamental to protecting a system2. These resources align with the concept that effective session management is a best practice in secure coding.

• Question 80:

  In which step of the PASTA threat modeling methodology will the team capture infrastructure, application, and software dependencies?

  A. Attack modeling
  B. Define technical scope
  C. Define objectives
  D. Risk and impact analysis
  B. Define technical scope

  ---

  The step of the PASTA threat modeling methodology where the team will capture infrastructure, application, and software dependencies is the.Define technical scope.step. This step involves detailing the technical elements of the project, which includes understanding and documenting the infrastructure, applications, and software dependencies that are critical to the system's operation and security. The PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology is a seven-step process that includes defining the technical scope as a critical step for capturing the necessary technical details of the system being analyzed.