Exam (elaborations)

2025 WGU D487 OA TEST BANK 1 WITH 420 QUESTIONS AND CORRECT ANSWERS (100% CORRECT ANSWERS) D487 SECURE SOFTWARE DESIGN OBJECTIVE ASSESSMENT 2025 TEST BANK V1

Pages
120
Grade
A+
Uploaded on
17-01-2025
Written in
2024/2025


Institution
2025 WGU D487 OA
Course
2025 WGU D487 OA
Document information

Contains
Questions & answers

Subjects

  • wgu d487

Content preview

2025 WGU D487 OA TEST BANK 1 WITH 420
QUESTIONS AND CORRECT ANSWERS
(100% CORRECT ANSWERS) D487 SECURE
SOFTWARE DESIGN OBJECTIVE
ASSESSMENT 2025 TEST BANK V1

A software security team needs to prioritize addressing the most exploitable
weaknesses in their code. They want to reference an established list that
categorizes these vulnerabilities and suggests the most critical areas to focus on.
Which resource should they consult?

A) CWE Top 25
B) OWASP Top 10
C) ISO/IEC 27001
D) SAFECode's Guidelines
Answer: A) CWE Top 25

A CEO of a tech company is evaluating the importance of incorporating software
security practices. The CISO presents a report emphasizing that insecure software
poses a high risk, not only from a security perspective but also as a business
decision. Which of the following best describes why software security is critical
for businesses?

A) It enhances user interface design.
B) It mitigates monetary costs and risks associated with insecure software.
C) It increases product features and functionalities.
D) It primarily addresses hardware vulnerabilities.
Answer: B) It mitigates monetary costs and risks associated with insecure software.

A software company is discussing the differences between quality code and secure
code. A developer notes that while their application meets quality standards, it
recently experienced a security breach. What is a likely reason for this discrepancy
between quality and secure code?

A) Quality code ensures security by default, but secure code does not ensure
quality.
B) Quality code focuses on functionality, while secure code focuses on preventing
unauthorized access.
C) Quality code is more expensive to produce than secure code.
D) Secure code generally lacks the usability found in quality code.
Answer: B) Quality code focuses on functionality, while secure code focuses on preventing
unauthorized access.

An organization is debating whether to invest in a software security program. The
Chief Technology Officer mentions that software security must be "secure by
design" due to its integration in critical systems. What justifies this need for
secure-by-design software?

A) To support the organization's reputation for innovative features
B) To adhere to customer demand for frequent software updates
C) To reduce the inherent risk in applications used in critical systems
D) To enable faster software release cycles
Answer: C) To reduce the inherent risk in applications used in critical systems

A software development company seeks to adopt widely accepted best practices to
improve their secure development lifecycle. They want to learn from real-world
examples of what has proven effective for other industry leaders. Which
organization provides these practical insights and promotes global best practices
for security assurance?

A) OWASP
B) SAFECode
C) NIST
D) BSIMM
Answer: B) SAFECode

A development team uses XP and commits to improving the code quality
continuously by regularly restructuring it without changing its functionality. Which
XP practice are they following?

A) Code refactoring
B) Testing after release
C) Pair programming
D) Static analysis
Answer: A) Code refactoring

A stakeholder believes Agile is an unstructured and "do whatever you want"
approach, and thus doubts its effectiveness. What is a common misconception they
have about Agile?

A) Agile is structured and focuses on iterative improvement.
B) Agile emphasizes strict phase-by-phase development.
C) Agile eliminates the need for a project manager.
D) Agile restricts user feedback
Answer: A) Agile is structured and focuses on iterative improvement.

A project sponsor assumes that Agile always means there are no deadlines or fixed
project scope. Which Agile misconception does this illustrate?

A) Agile teams avoid fixed project roles.
B) Agile discourages documentation.
C) Agile is entirely unplanned, with no set deadlines.
D) Agile allows for deadlines and scope but includes flexibility for adaptation.
Answer: D) Agile allows for deadlines and scope but includes flexibility for adaptation.

The software security group is conducting a maturity assessment using the
Building Security in Maturity Model (BSIMM). They are currently focused on
reviewing security testing results from recently completed initiatives. Which
BSIMM domain is being assessed?

A) Software security development life cycle (SSDL) touchpoints
B) Intelligence
C) Governance
D) Deployment
Answer: A) Software security development life cycle (SSDL) touchpoints

The organization is moving from a waterfall to an agile software development
methodology, so the software security group must adapt the security development
life cycle as well. They have decided to break out security requirements and
deliverables to fit better in the iterative life cycle by defining every-sprint
requirements, one-time requirements, bucket requirements, and final security
review requirements. Which type of requirement states that the team must perform
remote procedure call (RPC) fuzz testing?

A) Bucket requirement
B) One-time requirement
C) Every-sprint requirement
D) Final security review requirement
Answer: A) Bucket requirement

The costs to remediate security flaws once a software product is released can run
as much as _______ times the costs to remediate them while still in development:

A) 50
B) 100
C) 500
D) 1500
Answer: B) 100

Defective software is:

A) A network security problem
B) An operating system security problem
C) A user-caused problem
D) A software development and engineering problem
Answer: D) A software development and engineering problem

The three goals of the security development lifecycle are:

A) Reliability, efficiency, and maintainability
B) Speed, quality, and continuous releases
C) Confidentiality, integrity, and availability
D) Availability, reliability, and portability


Seller: muriithikelvin (Chamberlain College Nursing)