WGU University WGU-KEO1 Online Practice Questions and Exam Preparation

WGU University WGU-KEO1 Online Questions & Answers

• Question 81:

  Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?

  A. Access requirements
  B. Collection of personal information requirements
  C. Data integrity requirements
  D. Personal information retention requirements
  C. Data integrity requirements

  ---

  Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.

  The Office of the Privacy Commissioner of Canada's guide on the Privacy Impact Assessment process emphasizes the importance of accuracy and currency of personal information.

  The European Union's General Data Protection Regulation (GDPR) outlines principles for data processing, including the necessity for data to be accurate and kept up to date.

  The General Data Protection Regulation (GDPR) also includes provisions for data protection impact assessments, which involve documenting processes before starting data processing.

• Question 82:

  The security testing team received a report from one of the contracted penetration testing vendors that details a flaw discovered in the login component of the new software product, along with a recommended fix. Which phase of the penetration testing process is the team in?

  A. Identify
  B. Evaluate and plan
  C. Deploy
  D. Assess
  D. Assess

  ---

  Comprehensive and Detailed From Exact Extract:

  The team is in the Assess phase of penetration testing. This phase involves actively testing the software, identifying vulnerabilities, and documenting findings with recommendations. Receiving a report detailing a discovered flaw confirms that testing has been conducted and results are being evaluated. The Identify (A) phase involves defining scope and targets, Evaluate and Plan (B) covers planning test activities, and Deploy (C) refers to executing the test environment setup. The OWASP Penetration

  Testing Guide and NIST SP 800-115 clarify that assessment includes vulnerability discovery and documentation.

  References:

  OWASP Penetration Testing Guide

  NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

  Microsoft SDL Security Testing Guidance

• Question 83:

  Which category classifies identified threats that do not have defenses in place and expose the application to exploits?

  A. Fully mitigated threat
  B. Threat profile
  C. Unmitigated threats
  D. Partially mitigated threat
  C. Unmitigated threats

  ---

  .The category that classifies identified threats with no defenses in place, exposing the application to exploits, is.Unmitigated Threats. This term refers to vulnerabilities for which no countermeasures or mitigations have been implemented. These threats are critical because they represent actual weaknesses that attackers can exploit. In the context of secure software design, it's essential to identify these threats early in the SDLC to ensure that appropriate security controls can be designed and implemented to

  protect against them.

  Taxonomy of Cyber Threats to Application Security and Applicable Defenses.

  OWASP Foundation's Threat Modeling Process.

  Mitigating Persistent Application Security Threats.

• Question 84:

  Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?

  A. Elevation of privilege
  B. Spoofing
  C. Tampering
  D. Information disclosure
  C. Tampering

  ---

  The type of threat described is.Tampering. This threat occurs when an attacker intercepts and manipulates data being sent from the client to the server, such as form data being submitted to an API. The attacker may alter the data to change the intended operation, inject malicious content, or compromise the integrity of the system. Tampering attacks are a significant concern in secure software design because they can lead to unauthorized changes and potentially harmful actions within the application.

  Understanding the different types of API attacks and their prevention.

  Comprehensive guide on API security and threat mitigation.

  Detailed analysis of Man-in-the-Middle (MitM) attacks and their impact on API security.

• Question 85:

  Which SDL security goal is defined as ensuring timely and reliable access to and use of information?

  A. Information security
  B. Confidentiality
  C. Availability
  D. Integrity
  C. Availability

  ---

  The term `availability' in the context of Secure Software Development Lifecycle (SDL) refers to ensuring that systems, applications, and data are accessible to authorized users when needed. This means that the information must be timely and reliable, without undue delays or interruptions. Availability is a critical aspect of security, as it ensures that the software functions correctly and efficiently, providing users with the information they need to perform their tasks.

  The definition of availability as per the National Institute of Standards and Technology (NIST) Glossary.

  The Microsoft Security Development Lifecycle (SDL) which emphasizes the importance of availability in secure software design.

  General principles of Secure Software Development Life Cycle (SSDLC) that include availability as a key security goal.

• Question 86:

  Which secure coding practice requires users to log in to their accounts using an email address and a password they choose?

  A. Access Control
  B. Data Protection
  C. Input Validation
  D. Authentication
  D. Authentication

• Question 87:

  The scrum team decided that before any change can be merged and tested, it must be looked at by the learns lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards. Which category of secure software best practices is the team performing?

  A. Architecture analysis
  B. Penetration testing
  C. Code review
  D. Training
  B. Penetration testing

  ---

  The practice described is.Code review, which is a part of secure software development best practices. Code reviews are conducted to ensure that the code adheres to accepted coding patterns and meets the team's quality standards. This process involves the examination of source code by a person or a group other than the author to identify bugs, security vulnerabilities, and ensure compliance with coding standards.

  References:

  Fundamental Practices for Secure Software Development - SAFECode1.

  Secure Software Development Framework | CSRC2.

  Secure Software Development Best Practices - Hyperproof3.

• Question 88:

  During a code review, a developer notices that database queries are constructed using string concatenation with user-supplied input. Which secure coding best practice is being violated?

  A. Output encoding
  B. Input validation
  C. Session management
  D. Error handling
  B. Input validation

  ---

  Input validation requires that all user-supplied data be treated as untrusted and validated before use. Constructing database queries through string concatenation with user input exposes the application to injection attacks, such as SQL injection. Proper input validation, combined with parameterized queries, ensures only expected and safe data is processed by the application.

• Question 89:

  Due to positive publicity from the release of the new software product, leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. ISO 27001 is the leading international standard focused on information security. Which security development life cycle deliverable is being described?

  A. External vulnerability disclosure response process
  B. Third-party security review
  C. Security strategy for MandA products
  D. Post-release certifications
  D. Post-release certifications

  ---

  ISO/IEC 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Achieving ISO 27001 certification demonstrates an organization's commitment to information security and provides assurance to customers and stakeholders that security best practices are in place. In the context of the software development life cycle (SDLC), post-release certifications refer to obtaining formal

  certifications, such as ISO 27001, after a product has been developed and released. This process involves a comprehensive assessment of the organization's information security practices to ensure they align with the standards set forth by ISO 27001. The certification process typically includes:

  Gap Analysis: Evaluating existing information security measures against ISO 27001 requirements to identify areas needing improvement.

  Implementation: Addressing identified gaps by implementing necessary policies, procedures, and controls.

  Internal Audit: Conducting internal audits to verify the effectiveness of the ISMS and readiness for external assessment.

  External Audit: Engaging an accredited certification body to perform a thorough evaluation, leading to certification if compliance is demonstrated.

  By pursuing ISO 27001 certification post-release, the company aims to enhance its security posture, comply with international standards, and build trust with its customer base.

  References:

  ISO/IEC 27001:2022 - Information Security Management Systems

• Question 90:

  A public library needs to implement security control on publicly used computers to prevent illegal downloads. Which security control would prevent this threat?

  A. Nonrepudiation
  B. Authentication
  C. Integrity
  D. Availability
  B. Authentication

  ---

  Authentication is the most effective control for the scenario because it directly addresses who is using the public computers:

  User Identification:.Authentication requires users to identify themselves (e.g., library card, login credentials) before accessing the computers. This links actions to specific individuals, making it easier to control unauthorized activity.

  Policy Enforcement:.Combined with other controls (e.g., content filtering), authentication enables the library to implement policies restricting downloads. If users violate the policy, their identities can be used for consequences.

  Deterrent:.Knowing they can be identified discourages users from attempting illegal downloads.