DESIGN (KEO1) (PKEO)
A potential threat was discovered during functional testing of a file upload
component when a QA analyst was able to upload a shell script. Users should
only be allowed to upload image files. How should existing security controls be
adjusted to prevent this in the future? - ANSWERS-Validate all user input
The final security review determined that all security issues identified in testing
have been resolved and all SDL requirements have been met. What is the result of
the final security review? - ANSWERS-Passed
The security team is reviewing all threat models, identified vulnerabilities, and
documented requirements. They are also performing static and dynamic analysis
on the software product to determine if it is ready for release. Which activity of
the Ship SDL phase is being performed? - ANSWERS-Final security review
The security team is reviewing whether new security requirements, based on
identified threats or changes to organizational guidelines, can be implemented
prior to releasing the new product. Which activity of the Ship SDL phase is being
performed? - ANSWERS-Policy compliance analysis
An organizational security review discovered multiple database instances that
were installed using publicly available default settings, including security and
access. How should the organization remediate this vulnerability? - ANSWERS-
Ensure default accounts and passwords are disabled or removed
During penetration testing, an analyst discovered a DOM-based (document object
model) cross-site scripting vulnerability within the application's search bar that
could allow an attacker to inject malicious script. How should the organization
remediate this vulnerability? - ANSWERS-Enforce encoding of special characters
Application credentials are stored in the database as simple, unsalted hashes of
the passwords. An undiscovered credential recovery flaw allowed a security analyst
to download the database and expose passwords by using a GPU to crack the weak
hashes. How should the organization remediate this vulnerability? -
ANSWERS-Enforce the use of strong, salted hashing functions when storing
passwords
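An added example (not part of the original study material) contrasting the weak scheme in the question with the remediation. An unsalted fast hash gives every user with the same password the same digest, so one GPU guess tests the whole table at once; a salted, memory-hard hash (scrypt from the standard library here, as an assumed choice; argon2id or bcrypt are equally valid) makes every stored value unique and expensive to test. The storage format and parameter values are assumptions for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values: 16 MiB of memory per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_unsalted(password):
    """The weak scheme from the question: one fast, unsalted digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, memory-hard hash. Returns a self-describing string that records
    the algorithm, parameters and salt so they can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/parameters and compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    # Constructed scenario: two users chose the same password.
    pw = "Winter2024!"
    print("unsalted, user A:", hash_unsalted(pw))
    print("unsalted, user B:", hash_unsalted(pw))   # identical: crack once, own both
    a, b = hash_password(pw), hash_password(pw)
    print("salted, user A:  ", a)
    print("salted, user B:  ", b)                   # different salt, different hash
    print("login ok:", verify_password(pw, a), "wrong pw:", verify_password("winter2024!", a))
```

Storing the parameters alongside the hash lets the team raise the cost factor as hardware improves and re-hash on the user's next successful login, which is the operational half of "enforce strong hashing".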
During functional testing, a QA analyst using a non-admin account caused an
application exception. After the exception was handled, the tester was able to
navigate to the admin section of the application by typing the URL directly into
the browser address bar. They were unable to force the same navigation before
the exception was thrown. How should the organization remediate this
vulnerability? - ANSWERS-Ensure user privileges are restored to the appropriate
level after exceptions
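An added example (not from the original study material) of the defect behind this scenario and the fix. A request handler temporarily elevates the session to run an internal task and demotes it afterwards; when the task throws, the demotion line never runs and the global exception handler returns the user to the application still holding the elevated role. The fix restores the privilege level in a finally block, which runs whether or not an exception was thrown. The session model, role names and handler names are assumptions for illustration.

```python
from contextlib import contextmanager


class Session:
    """Minimal stand-in for a server-side session (assumed model)."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


class Forbidden(PermissionError):
    pass


def generate_report_vulnerable(session, fail=False):
    """Elevates for an internal operation and demotes afterwards, but only on
    the success path: an exception skips the restore."""
    original = session.role
    session.role = "admin"
    if fail:
        raise RuntimeError("report backend unavailable")
    session.role = original      # never reached when the exception fires
    return "report"


@contextmanager
def elevated(session, role="admin"):
    """Temporarily raise the session's role; always restore it on exit."""
    original = session.role
    session.role = role
    try:
        yield session
    finally:
        session.role = original  # runs on success and on exception alike


def generate_report_fixed(session, fail=False):
    with elevated(session):
        if fail:
            raise RuntimeError("report backend unavailable")
    return "report"


def admin_panel(session):
    """The admin URL the QA analyst typed into the address bar."""
    if session.role != "admin":
        raise Forbidden(session.user)
    return "admin panel"


def run(handler, session, fail=False):
    """Global exception handler: the error is shown, the session lives on."""
    try:
        return handler(session, fail)
    except RuntimeError:
        return "error page"


if __name__ == "__main__":
    for handler in (generate_report_vulnerable, generate_report_fixed):
        s = Session("qa-analyst", "user")
        print(handler.__name__, "->", run(handler, s, fail=True),
              "| role afterwards:", s.role)
```

The stronger design is not to mutate the session's role at all: run the internal task under a separate service identity and derive the user's authorization from an immutable principal on every request, so there is nothing to restore.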
The product security incident response team (PSIRT) determined a reported
vulnerability was credible and of a high enough severity that it needs to be fixed.
What is the response team's next step? - ANSWERS-Identify resources and
schedule the fix