WGU D487 SECURE SW DESIGN OA AND PRE ASSESSMENT EXAM 2025-2026 ACTUAL EXAM COMPLETE ACCURATE EXAM QUESTIONS WITH DETAILED VERIFIED ANSWERS (100% CORRECT ANSWERS) /ALREADY GRADED A+

What is a study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time?,

Building Security In Maturity Model (BSIMM)

What is the analysis of computer software that is performed without executing programs?

Static analysis

Which International Organization for Standardization (ISO) standard is the benchmark for information security today?

ISO/IEC 27001.

What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time?,

Dynamic analysis

Which person is responsible for designing, planning, and implementing secure coding practices and security testing methodologies?

Software security architect

A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends. Which software development methodology is being used?

Waterfall

A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application. Which concept is being used?

Principle of least privilege

The scrum team is attending their morning meeting, which is scheduled at the beginning of the work day. Each team member reports what they accomplished yesterday, what they plan to accomplish today, and if they have any impediments that may cause them to miss their delivery deadline. Which scrum ceremony is the team participating in?

Daily Scrum

What is a list of information security vulnerabilities that aims to provide names for publicly known problems?

Common computer vulnerabilities and exposures (CVE)

Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?

Cryptographic practices

Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?

Cryptographic practices

Which secure coding best practice ensures servers, frameworks, and system components are all running the latest approved versions?

System configuration

Which secure coding best practice says to use parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication?

Database security

Which secure coding best practice says that all information passed to other systems should be encrypted?

Communication security

eam members are being introduced during sprint zero in the project kickoff meeting. The person being introduced is a member of the scrum team, responsible for writing feature logic and attending sprint ceremonies. Which role is the team member playing?

Software developer

A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform?

Architecture analysis

Team members are being introduced during sprint zero in the project kickoff meeting. The person being introduced will be a facilitator, will try to remove roadblocks and ensure the team is communicating freely, and will be responsible for facilitating all scrum ceremonies. Which role is the team member playing?

Scrum master

The new product standards state that all traffic must be secure and encrypted. What is the name for this secure coding practice?

Communication security

Which DREAD category is based on how easily a threat exploit can be repeated?

Reproducibility

Which mitigation technique can be used to fight against a data tampering threat?

Digital signatures

What is a countermeasure to the web application security frame (ASF) configuration management threat category?

Compliance requirement

Which type of requirement specifies that file formats the application sends to financial institutions must be certified every four years?

Compliance requirement

Which type of requirement specifies that credit card numbers displayed in the application will be masked so they only show the last four digits?

Privacy requirement

Which type of requirement specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character?

Security requirement

Which type of requirement specifies that credit card numbers are designated as highly sensitive confidential personal information?

Data classification requirement

Which privacy impact statement requirement type defines how personal information is protected on devices used by more than a single associate?

Privacy control requirements

In which step of the PASTA threat modeling methodology does design flaw analysis take place?

Vulnerability and weakness analysis

Which privacy impact statement requirement type defines who has access to personal information within the product?

Access requirements

Which security assessment deliverable defines milestones that will be met during each phase of the project, merged into the product development schedule?

SDL project outline

Which architecture deliverable identifies whether the product adheres to organization security rules?

Policy compliance analysis

Which threat modeling process identifies threats to each individual object in a data flow diagram?

STRIDE-per-element

The DREAD methodology has been used to classify an identified exploit where:

the attacker could log in as an administrator (damage potential)

the attacker could log in at any time (reproducibility)

almost anybody could perform the attack (exploitability)

all system users could be affected (affected users)

any person who knows how to open dev tools in a browser could find the vulnerability (discoverability)

Which rating should be assigned to the exploit after performing an analysis using a ternary ranking scale where high risk = 3 points, medium risk = 2 points, and low risk = 1 point?

High risk

What is the recommended way to mitigate a threat identified during threat modeling?

Apply a standard accepted countermeasure

The organization's testing team has created a catalog of test cases using the source code and design documentation of the new product. Each test case will be executed for each user role in the new product. Which type of security testing technique is being performed?

White-box

Security team members have been instructed to document which developers and analysts will perform product testing and which tools they will use. Which step of the security test plan is being performed?

Identify internal resources

Security team members have been instructed to document how many users will access the new product and what roles those users will play. Which step of the security test plan is being performed?

Define the user community

The project team received a SonarQube report of their most recent stage deployment that contains 15 vulnerabilities that must be fixed before the product may be released to production. Which security testing technique is being used?

Source-code analysis

What is the application of multiple layers of protection so that, if one layer is breached, the next layer provides protection?

Defense in depth

Which design and development deliverable details the progress of personal information requirements created in earlier phases of the security development lifecycle?

Privacy compliance report

Which design and development deliverable contains technical and executive level reports detailing any newly identified vulnerabilities?

Updated threat modeling artifacts

Which programming language is highly susceptible to buffer overflow vulnerabilities?

C++

What is the first step of the SDLC/SDL code review process?

Identify security code review objectives

Which type of software testing is being performed when an analyst executes a series of test cases based on application requirements?

Functional testing

A security tester changed the application URL from www.app.com/account?id='3' to www.app.com/account?id='3 or 1=1', which returned a collection of account information. Database logs showed that the query that was executed was SELECT * FROM ACCOUNTS WHERE accountId=3 or 1=1.How should existing security controls be adjusted to prevent this in the future?

Ensure server-side queries are parameterized

The enterprise security team discovered a vulnerability in a third-party logging tool that could allow unauthorized access to application logs. The vulnerability is fixed in a new release of the third-party product. How should existing security controls be adjusted to prevent this in the future?

Ensure third party libraries are kept up to date and reviewed consistently.

A potential threat was discovered during functional testing of a file upload component when a QA analyst was allowed to upload a shell script. Users should only be allowed to upload image files.How should existing security controls be adjusted to prevent this in the future?

Validate all user input

The final security review determined that all security issues identified in testing have been resolved and all SDL requirements have been met. What is the result of the final security review?

Passed

The security team is reviewing all threat models, identified vulnerabilities, and documented requirements. They are also performing static and dynamic analysis on the software product to determine if it is ready for release. Which activity of the Ship SDL phase is being performed?

Final security review

The security team is reviewing whether new security requirements, based on identified threats or changes to organizational guidelines, can be implemented prior to releasing the new product.Which activity of the Ship SDL phase is being performed?

Policy compliance analysis

An organizational security review discovered multiple database instances that were installed using publicly available default settings, including security and access. How should the organization remediate this vulnerability?

Ensure default accounts and passwords are disabled or removed

During penetration testing, an analyst discovered a DOM-based (document object model) cross-site scripting vulnerability within the applications search bar that could allow an attacker to insert malicious code. How should the organization remediate this vulnerability?

Enforce encoding of special characters

Application credentials are stored in the database using simple hashes to store passwords. An undiscovered credential recovery flaw allowed a security analyst to download the database and expose passwords using their GPU to crack the simple encryption. How should the organization remediate this vulnerability?

Enforce the use of strong, salted hashing functions when storing passwords

During functional testing, a QA analyst using a non-admin account caused an application exception. After the exception was handled, the tester was able to navigate to the admin section of the application by typing the URL directly into the browser address bar. They were unable to force the same navigation before the exception was thrown. How should the organization remediate this vulnerability?

Ensure user privileges are restored to the appropriate level after exceptions

The product security incident response team (PSIRT) determined a reported vulnerability was credible and of a high enough severity that it needs to be fixed. What is the response team's next step?

Identify resources and schedule the fix

Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described?

Security strategy for M&A products

The software security team has been tasked with identifying who will be involved when security vulnerabilities are reported from external entities. They are creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities. Which post-release deliverable is being described?

External vulnerability disclosure response process

After determining a reported vulnerability was a credible claim, the product security incident response team (PSIRT) worked with development teams to create and test a patch. The patch is scheduled to be released at the end of the month.What is the response team's next step?

Notify customers that the fix is available

The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that all user input values must be validated by type, size, and range?

Every-sprint requirement

The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing security testing results from recently completed initiatives.Which BSIMM domain is being assessed?

Software security development life cycle (SSDL) touchpoints

The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must perform remote procedure call (RPC) fuzz testing?

Bucket requirement