Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium WGU Secure-Software-Design Dumps Questions Answers

WGU Secure Software Design (D487) Exam Questions and Answers

Question 1

The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.

Which security testing technique is being used?

Options:

A.

Source-Code Fault Injection

B.

Dynamic Code Analysis

C.

Fuzz Testing

D.

Binary Fault Injection

Buy Now
Question 2

Credit card numbers are encrypted when stored in the database but are automatically decrypted when data is fetched. The testing tool intercepted the GET response, and testers were able to view credit card numbers as clear text.

How should the organization remediate this vulnerability?

Options:

A.

Never cache sensitive data

B.

Ensure there is an audit trail for all sensitive transactions

C.

Ensure all data in transit is encrypted

D.

Enforce role-based authorization controls in all application layers

Question 3

The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.

Which BSIMM domain is being assessed?

Options:

A.

Governance

B.

Software security development life cycle (SSDL) touchpoints

C.

Intelligence

D.

Deployment

Question 4

Which step in the change management process includes modifying the source code?

Options:

A.

Patch management

B.

Installation management

C.

Privacy implementation assessment

D.

Policy compliance analysis

Question 5

Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?

Options:

A.

Security test execution report

B.

Security testing reports

C.

Privacy compliance report

D.

Remediation report

Question 6

Security testers have completed testing and are documenting the results of vulnerability scans and penetration analysis They are also creating documentation lo share with the organization's largest customers.

Which deliverable is being prepared?

Options:

A.

Open-source licensing review report

B.

Customer engagement framework

C.

Remediation report

D.

Security testing reports

Question 7

A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration.

Which Scrum ceremony is the team participating in?

Options:

A.

Daily Scrum

B.

Sprint Planning

C.

Sprint Retrospective

D.

Sprint Review

Question 8

Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?

Options:

A.

Least Privilege

B.

Total Mediation

C.

Separation of Privileges

D.

Psychological Acceptability

Question 9

Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.

Which phase of the Software Development Life Cycle (SDLC) is being described?

Options:

A.

Requirements

B.

Design

C.

Testing

D.

Deployment

Question 10

What is a countermeasure to the web application security frame (ASF) authentication threat category?

Options:

A.

Role-based access controls restrict access

B.

Credentials and tokens are encrypted.

C.

Cookies have expiration timestamps.

D.

Sensitive information is scrubbed from error messages

Question 11

Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics.

Which rating would CVSS assign this vulnerability?

Options:

A.

Critical severity

B.

High severity

C.

Low severity

D.

Medium severity

Question 12

Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?

Options:

A.

General coding practices

B.

Input validation

C.

Session management

D.

System configuration

Question 13

What is an advantage of using the Agile development methodology?

Options:

A.

Customer satisfaction is improved through rapid and continuous delivery of useful software.

B.

Each stage is clearly defined, making it easier to assign clear roles to teams and departments who feed into the project.

C.

The overall plan fits very neatly into a Gantt chart so a project manager can easily view the project timeline.

D.

There is much less predictability throughout the project regarding deliverables.

Question 14

Which category classifies identified threats that have some defenses in place and expose the application to limited exploits?

Options:

A.

Fully Mitigated Threat

B.

Unmitigated Threats

C.

Threat Profile

D.

Partially Mitigated Threat

Question 15

The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards.

Which OpenSAMM business function is being assessed?

Options:

A.

Verification

B.

Construction

C.

Deployment

D.

Governance

Question 16

What is the privacy impact rating of an application that stores personally identifiable information, monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user?

Options:

A.

P1 high privacy risk

B.

P2 moderate privacy risk

C.

P3 low privacy risk

D.

P4 no privacy risk

Question 17

Which secure software design principle assumes attackers have the source code and specifications of the product?

Options:

A.

Open Design

B.

Psychological Acceptability

C.

Total Mediation

D.

Separation of Privileges

Question 18

Which security assessment deliverable identities possible security vulnerabilities in the product?

Options:

A.

SDL project outline

B.

Metrics template

C.

Threat profile

D.

List of third-party software

Question 19

What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?

Options:

A.

Inputs enforce type, format, length, and range checks.

B.

All administrative activities are logged and audited.

C.

Sensitive information is not logged.

D.

All exceptions are handled in a structured way.

Question 20

Senior IT staff has determined that a new product will be hosted in the cloud and will support web and mobile users. Developers will need to deliver secure REST services. Android and IOS mobile apps. and a web application. Developers are currently determining how to deliver each part of the overall product.

Which phase of the software development lifecycle (SDLC) is being described?

Options:

A.

Maintenance

B.

End of life

C.

Deployment

D.

Design

Question 21

Which concept is demonstrated when every module in a particular abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose?

Options:

A.

Privacy

B.

Principle of Least Privilege

C.

Elevation of Privilege

D.

Confidentiality

Question 22

Which threat modeling step identifies the assets that need to be protected?

Options:

A.

Set the Scope

B.

Analyze the Target

C.

Rate Threats

D.

Identify and Document Threats

Question 23

Which type of security analysis is performed by reviewing source code line-by-line after other security analysis techniques have been executed?

Options:

A.

Dynamic Analysis

B.

Static Analysis

C.

Manual Code Review

D.

Fuzz Testing

Question 24

Company leadership has discovered an untapped revenue stream within its customer base and wants to meet with IT to share its vision for the future and determine whether to move forward.

Which phase of the software development lifecycle (SDLC) is being described?

Options:

A.

Implementation

B.

Design

C.

Planning

D.

Requirements

Question 25

What are the eight phases of the software development lifecycle (SDLC)?

Options:

A.

Planning, security analysis, requirement analysis, design, implementation, threat mitigation, testing, maintenance

B.

Planning, requirements, design, implementation, testing, deployment, maintenance, end of life

C.

Plan, gather requirements, identify attack surface, design, write code, perform code reviews, test, deploy

D.

Gather requirements, prototype, perform threat modeling, write code, test, user acceptance testing, deploy, maintain

Question 26

The security team is identifying technical resources that will be needed to perform the final product security review.

Which step of the final product security review process are they in?

Options:

A.

Release and Ship

B.

Identify Feature Eligibility

C.

Evaluate and Plan for Remediation

D.

Assess Resource Availability

Question 27

Which mitigation technique is used to fight against an identity spoofing threat?

Options:

A.

Require user authorization

B.

Filtering

C.

Audit trails

D.

Encryption

Question 28

Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?

Options:

A.

White box testing

B.

Reasonableness testing

C.

Black box testing

D.

Dynamic testing

Question 29

The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies.

Which post-release deliverable is being described?

Options:

A.

Security strategy tor M&A products

B.

Security strategy for legacy code

C.

Post-release certifications

D.

External vulnerability disclosure response process

Question 30

Which SDL security goal is defined as ensuring timely and reliable access to and use of information?

Options:

A.

Information security

B.

Confidentiality

C.

Availability

D.

Integrity

Question 31

Which secure coding practice requires users to log in to their accounts using an email address and a password they choose?

Options:

A.

Access Control

B.

Data Protection

C.

Input Validation

D.

Authentication

Question 32

Which threat modeling step collects exploitable weaknesses within the product?

Options:

A.

Analyze the target

B.

Rate threats

C.

Identify and document threats

D.

Set the scope

Question 33

Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?

Options:

A.

Fuzzing

B.

Static analysis

C.

Dynamic analysis

D.

Bugtraq