Special Summer Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > WGU > Courses and Certificates > Secure-Software-Design

Secure-Software-Design WGU Secure Software Design (D487) Exam Question and Answers

Question # 4

A potential threat was discovered during vulnerability testing when an environment configuration file was found that contained the database username and password stored in plain text.

How should existing security controls be adjusted to prevent this in the future?

A.

Enforce Role-Based Authorization

B.

Encrypt Secrets in Storage and Transit

C.

Ensure Strong Password Policies are in Effect

D.

Validate All User Input

Full Access
Question # 5

Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?

A.

Input Validation

B.

Memory Management

C.

Session Management

D.

Data Protection

Full Access
Question # 6

The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards.

Which OpenSAMM business function is being assessed?

A.

Verification

B.

Construction

C.

Deployment

D.

Governance

Full Access
Question # 7

Which threat modeling approach concentrates on things the organization wants to protect?

A.

Asset-centric

B.

Server-centric

C.

Attacker-centric

D.

Application-centric

Full Access
Question # 8

Which threat modeling step collects exploitable weaknesses within the product?

A.

Analyze the target

B.

Rate threats

C.

Identify and document threats

D.

Set the scope

Full Access
Question # 9

What is an advantage of using the Agile development methodology?

A.

Customer satisfaction is improved through rapid and continuous delivery of useful software.

B.

Each stage is clearly defined, making it easier to assign clear roles to teams and departments who feed into the project.

C.

The overall plan fits very neatly into a Gantt chart so a project manager can easily view the project timeline.

D.

There is much less predictability throughout the project regarding deliverables.

Full Access
Question # 10

A company is moving forward with a new product. Product scope has been determined, teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team concentrating on delivering data via REST services, one Team working on the mobile apps, and a third team writing the web application.

Which phase of the software development lifecycle (SDLC) is being described?

A.

Deployment

B.

Design

C.

Implementation

D.

Requirements

Full Access
Question # 11

What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?

A.

Load testing

B.

Input validation

C.

Intercept proxy

D.

Reverse engineering

Full Access
Question # 12

After being notified of a vulnerability in the company’s online payment system, the Product Security Incident Response Team (PSIRT) was unable to recreate the vulnerability in a testing lab.

What is the response team’s next step?

A.

Determine the Severity of the Vulnerability

B.

Notify the Reporter That the Case Is Going to Be Closed

C.

Determine How the Reporter Was Able to Create the Vulnerability

D.

Identify Resources and Schedule the Fix

Full Access
Question # 13

Automated security testing was performed by attempting to log in to the new product with a known username using a collection of passwords. Access was granted after a few hundred attempts.

How should existing security controls be adjusted to prevent this in the future?

A.

Ensure passwords are encrypted when stored in persistent data stores

B.

Ensure authentication controls are resistant to brute force attacks

C.

Ensure strong password policies are enforced

D.

Ensure credentials and authentication tokens are encrypted during transit

Full Access
Question # 14

Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the user authentication component of the company's now product. The base score of the vulnerability was 8.3 and changed to 9.4 after adjusting temporal and environmental metrics.

Which rating would CVSS assign this vulnerability?

A.

High seventy

B.

Critical severity

C.

Medium severity

D.

Low seventy

Full Access
Question # 15

Which secure coding practice uses role-based authentication where department-specific credentials will authorize department-specific functionality?

A.

Access Control

B.

Data Protection

C.

Input Validation

D.

Authentication

Full Access
Question # 16

The organization has contracted with an outside firm to simulate an attack on the new software product and report findings and remediation recommendations.

Which activity of the Ship SDL phase is being performed?

A.

Penetration testing

B.

Policy compliance analysis

C.

Open-source licensing review

D.

Final security review

Full Access
Question # 17

Which threat modeling step assigns a score to discovered threats?

A.

Rate Threats

B.

Analyze the Target

C.

Identify and Document Threats

D.

Set the Scope

Full Access
Question # 18

A recent security review has identified an aging credential recovery/forgotten password component that emails temporary passwords to users who claim to have forgotten their application password.

How should the organization remediate this vulnerability?

A.

Lock a User Account After Multiple Failed Authentication Attempts

B.

Ensure All Authorization Requests Are Logged

C.

Implement Multifactor Authentication

D.

Implement Role-Based Authorization

Full Access
Question # 19

Which security assessment deliverable defines measures that can be periodically reported to management?

A.

Metrics Template

B.

SDL Project Outline

C.

Threat Profile

D.

Product Risk Profile

Full Access
Question # 20

The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services.

Which security testing technique is being used?

A.

Fuzz testing

B.

Dynamic code analysis

C.

Binary fault injection

D.

Binary code analysis

Full Access
Question # 21

Due to positive publicity from the release of the new software product, leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. ISO 27001 is the leading international standard focused on information security.

Which security development life cycle deliverable is being described?

A.

External vulnerability disclosure response process

B.

Third-party security review

C.

Security strategy for M&A products

D.

Post-release certifications

Full Access
Question # 22

What is one of the tour core values of the agile manifesto?

A.

Communication between team members

B.

Individuals and interactions over processes and tools

C.

Business people and developers must work together daily throughout the project.

D.

Teams should have a dedicated and open workspace.

Full Access
Question # 23

Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?

A.

Elevation of privilege

B.

Spoofing

C.

Tampering

D.

Information disclosure

Full Access
Question # 24

The security team has a library of recorded presentations that are required viewing tor all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for. and code tor possible threats.

Which category of secure software best practices does this represent?

A.

Attack models

B.

Training

C.

Architecture analysis

D.

Code review

Full Access
Question # 25

Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?

A.

Authentication and Password Management

B.

Input Validation

C.

System Configuration

D.

Error Handling and Logging

Full Access
Question # 26

Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.

Which phase of the Software Development Life Cycle (SDLC) is being described?

A.

Requirements

B.

Design

C.

Testing

D.

Deployment

Full Access
Question # 27

Which secure coding best practice says to only use tested and approved components and use task-specific, built-in APIs to conduct operating system functions?

A.

Session Management

B.

Authentication and Password Management

C.

Data Protection

D.

General Coding Practices

Full Access
Question # 28

What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?

A.

User acceptance testing

B.

Manual peer review

C.

Fault injection

D.

Dynamic code review

Full Access
Question # 29

What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?

A.

Inputs enforce type, format, length, and range checks.

B.

All administrative activities are logged and audited.

C.

Sensitive information is not logged.

D.

All exceptions are handled in a structured way.

Full Access
Question # 30

During fuzz testing of the new product, an exception was thrown on the order entry view, which caused a full stack dump to be displayed in the browser window that included function names from the source code.

How should existing security controls be adjusted to prevent this in the future?

A.

Ensure privileges are restored after application exceptions

B.

Ensure all exceptions are handled in a standardized way

C.

Ensure private information is not logged

D.

Ensure sensitive information is scrubbed from all error messages

Full Access
Question # 31

Which threat modeling methodology involves creating or using collections of similar threats?

A.

Data Flow Diagrams

B.

Attack Libraries

C.

Attack Trees

D.

Security Profile

Full Access
Question # 32

The final security review determined that two low-risk security issues identified in testing are still outstanding. Developers have assured the security team that both issues can be resolved quickly once they have time to fix them. The security team is confident that developers can fix the flaws in the first post-release patch.

What is the result of the final security review?

A.

Not Passed but Does Not Require Escalation

B.

Not Passed and Requires Escalation

C.

Passed with Exceptions

D.

Passed

Full Access
Question # 33

The scrum team decided that before any change can be merged and tested, it must be looked at by the learns lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.

Which category of secure software best practices is the team performing?

A.

Architecture analysis

B.

Penetration testing

C.

Code review

D.

Training

Full Access