It’s commonly accepted that all user-originated inputs are treated as untrusted. Which of the following is least significant to ensure the security of an API’s input data? (Wentz QOTD)
A. Serialization
B. Canonicalization
C. Sanitization
D. Validation

You lead an integrated product team to develop a software solution. Which of the following is incorrect about threat modeling? (Wentz QOTD)
A. Threat modeling emphasizes identifying and addressing design flaws before coding.
B. Ideally, threat modeling is applied as soon as an architecture has been established.
C. Threat modeling should be conducted in the initiation phase as mentioned in the NIST SDLC.
D. The express aim of threat modeling is to identify and eliminate architectural and design issues.

You employ a symmetric cipher to protect data at rest. Which of the following is the most feasible secret key providing the highest level of security? (Wentz QOTD)
A. Fixed 128-bit key
B. Complicated password
C. A key with a length between 2048 and 3072 bits
D. A randomly generated key with the lowest level of entropy

Which of the following is the most crucial concept used to categorize an information system based on the NIST Risk Management Framework? (Wentz QOTD)
A. Scoping
B. Tailoring
C. High watermark
D. System-specific risk assessment

An online store employs a relational database. The store owner is concerned about data integrity. Which of the following best enforces referential integrity? (Wentz QOTD)
A. Lipner Model
B. Elliptic Curve Digital Signature Algorithm (ECDSA)
C. Hash-based message authentication code (HMAC)
D. Clark-Wilson Model

A keystream is a sequence of random or pseudorandom data elements, e.g., bits, that are combined with a plaintext message to produce the ciphertext. Which of the following doesn’t use a keystream? (Wentz QOTD)
A. One-time pad
B. RC4 in Wired Equivalent Privacy (WEP)
C. DES-CTR (Counter mode)
D. AES-CBC (Cipher Block Chaining mode)

As a lead auditor, you lead an audit team to conduct a security audit. Which of the following is the least ideal audience to whom you functionally report? (Wentz QOTD)
A. Chief executive officer (CEO)
B. Chief audit executive (CAE)
C. Audit committee
D. Board of directors

You are conducting a security assessment. Which of the following is not an assessment object? (Wentz QOTD)
A. Specifications
B. Mechanisms
C. Activities
D. Depth and coverage

You are conducting an account management review. Which of the following is not a good practice? (Wentz QOTD)
A. Select all accounts for review
B. Assess the list of carefully selected accounts by system administrators
C. Verify former employees’ accounts
D. Review the paper trail or records for specific accounts

Which of the following is the primary target or fundamental unit that the NIST Risk Management Framework protects? (Wentz QOTD)
A. Common controls
B. Personal data and privacy
C. The information system in question
D. Data processed by the information system