Exam (elaborations)

WGU D385 Software Security and Testing Exam 2024 New Latest Updated Version with All Questions and 100% Correct Answers with rationales

Pages
32
Grade
A+
Uploaded on
24-10-2024
Written in
2024/2025


Institution
WGU D385 Software Security And Testing
Course
WGU D385 Software Security and Testing













1. Which of the following is the most effective approach to secure a
software application?
● A) Encrypt all data within the application.
● B) Implement security testing only during the testing phase.
● C) Follow a secure software development lifecycle (SDLC) with security integrated at
every phase.
● D) Use a firewall to protect the application server.

Answer: C) Follow a secure software development lifecycle (SDLC) with security
integrated at every phase.

Rationale: A secure SDLC ensures that security is considered at every stage, from planning to
design, coding, testing, and deployment. This proactive approach reduces vulnerabilities early in
the process, compared to focusing on security only during testing or after deployment.




2. Which type of testing is used to determine how an application behaves
under real-world attack scenarios?
● A) Functional testing
● B) Penetration testing
● C) Unit testing
● D) Regression testing

Answer: B) Penetration testing

Rationale: Penetration testing simulates real-world attacks on an application to identify
vulnerabilities that could be exploited by malicious users. Functional, unit, and regression
testing are focused on verifying that the application works as intended, but they do not typically
include security attack simulations.




3. What is the primary objective of fuzz testing in software security?
● A) To ensure code readability.
● B) To identify vulnerabilities by inputting invalid or random data.
● C) To improve performance under load.
● D) To ensure proper encryption of sensitive data.

Answer: B) To identify vulnerabilities by inputting invalid or random data.

Rationale: Fuzz testing involves inputting random, unexpected, or invalid data into a program to
see how it handles such inputs. This can expose vulnerabilities like buffer overflows, crashes, or
other security flaws.




4. Which of the following is a key benefit of using static code analysis
tools?
● A) They simulate real-world attacks.
● B) They review the compiled code during runtime.
● C) They detect vulnerabilities without executing the code.
● D) They are only useful for web applications.

Answer: C) They detect vulnerabilities without executing the code.

Rationale: Static code analysis tools analyze the source code or bytecode for potential security
issues without actually executing the program. This allows early detection of vulnerabilities such
as SQL injection, buffer overflows, and insecure coding practices.




5. Which technique ensures that software modules function securely when
integrated together?
● A) Unit testing
● B) Integration testing
● C) System testing
● D) Black-box testing

Answer: B) Integration testing

Rationale: Integration testing ensures that individual software modules function together
correctly and securely. It focuses on interactions between modules, which is critical for
identifying vulnerabilities that may not be apparent when modules are tested in isolation.




6. Which of the following is a major weakness of black-box testing in
security testing?
● A) It is time-consuming and expensive.
● B) It requires deep knowledge of the system’s internal code structure.
● C) It does not inspect the internal workings of the application.
● D) It can only test individual units of the application.

Answer: C) It does not inspect the internal workings of the application.

Rationale: Black-box testing focuses on the inputs and outputs of the system without inspecting
the internal code or logic. While this is good for simulating user behavior, it can miss
vulnerabilities inside the code that would be caught by white-box testing, which inspects the
internal structure.




7. What is the primary goal of input validation in software security?
● A) To ensure all inputs are properly formatted.
● B) To prevent unauthorized access to the software.
● C) To protect the software from SQL injection and buffer overflow attacks.
● D) To improve the user experience.

Answer: C) To protect the software from SQL injection and buffer overflow attacks.

Rationale: Input validation ensures that only properly formatted and expected data is processed
by the application, reducing the risk of injection attacks and buffer overflows. It is one of the core
defenses against attacks where attackers manipulate input data to exploit vulnerabilities.




8. In software testing, which method is most useful for identifying memory
leaks?
● A) Unit testing
● B) Load testing
● C) Static code analysis
● D) Dynamic analysis

Answer: D) Dynamic analysis

Rationale: Dynamic analysis involves monitoring the behavior of the application during runtime,
which is effective for detecting memory leaks, resource mismanagement, and performance
issues. Static code analysis would not catch runtime-specific issues like memory leaks.




9. What is the purpose of a vulnerability scan in software security?
● A) To automatically fix security flaws.
● B) To assess a system for potential vulnerabilities.
● C) To test system performance under stress.
● D) To validate correct software functionality.

Answer: B) To assess a system for potential vulnerabilities.

Rationale: Vulnerability scanning is an automated process used to identify potential security
weaknesses in a system, such as outdated software versions, open ports, or misconfigurations.
It does not fix issues, but it provides a list of vulnerabilities that need to be addressed.




10. Which of the following is an example of a security misconfiguration?
● A) Unencrypted data stored in a database.
● B) Running outdated software versions.
● C) Default credentials left unchanged after installation.
● D) All of the above.

Answer: D) All of the above.

Rationale: Security misconfigurations include a variety of issues such as unencrypted data,
running outdated software with known vulnerabilities, and leaving default credentials active,
which all increase the risk of a security breach.




11. Which of the following is a key principle of least privilege in software
security?
● A) Users should have access to only the resources necessary for their tasks.
● B) Admin users should have access to all system resources.
● C) All users should be granted administrative rights.
● D) Every user should have access to all files in the system.

Answer: A) Users should have access to only the resources necessary for their tasks.

Rationale: The principle of least privilege states that users, processes, or systems should be
granted the minimum level of access or permissions necessary to perform their functions,
reducing the attack surface if a compromise occurs.
