Exam | 2025/2026 Actual Exam (Version A & B) | 100% Correct Verified Answers | Graded A+
Section 1: Introduction
This comprehensive guide includes both Version A and Version B of the WGU D487 Secure
Software Design Exam, tailored to the 2025/2026 certification cycle. It contains detailed,
accurate questions and verified answers for each version, reflecting the most current
curriculum standards in secure software architecture, threat mitigation, SDLC integration,
and compliance frameworks. The content is designed to help students prepare confidently and
succeed with distinction—each question is paired with a brief rationale for clarity and
mastery.
Section 2: Exam Content and Responses
Version A
1 Question: What is the primary goal of secure software design?
A. Maximize software performance
B. Protect applications from security threats
C. Reduce development time
D. Enhance user interface
Correct Answer: B. Protect applications from security threats
Rationale: Secure design focuses on mitigating vulnerabilities throughout the SDLC.
2 Question: Which SDLC phase is most critical for integrating security?
A. Testing
B. Requirements gathering
C. Deployment
D. Maintenance
Correct Answer: B. Requirements gathering
Rationale: Early integration in requirements ensures security is built-in, per NIST guidelines.
3 Question: What is the purpose of threat modeling in secure software design?
A. Optimize code efficiency
B. Identify potential security risks
C. Increase system uptime
D. Reduce hardware costs
Correct Answer: B. Identify potential security risks
Rationale: Threat modeling, as per OWASP, maps risks to mitigate them proactively.
4 Question: Which principle advocates minimizing attack surfaces?
A. Least privilege
B. Defense in depth
C. Secure by default
D. Fail secure
Correct Answer: C. Secure by default
Rationale: Secure by default reduces exposed vulnerabilities from the start.
5 Question: What does input validation prevent?
A. System crashes
B. Injection attacks
C. Network latency
D. Data storage issues
Correct Answer: B. Injection attacks
Rationale: Validates data to block malicious inputs, aligning with OWASP Top Ten.
6 Question: Which technique is used to encrypt data at rest?
A. TLS
B. AES
C. HTTPS
D. SHA-256
Correct Answer: B. AES
Rationale: AES is a symmetric encryption standard for data at rest.
7 Question: What is a key benefit of using a secure development lifecycle (SDL)?
A. Faster deployment
B. Reduced security vulnerabilities
C. Lower training costs
D. Simplified testing
Correct Answer: B. Reduced security vulnerabilities
Rationale: SDL embeds security practices to minimize flaws, per Microsoft SDL.
8 Question: Which OWASP Top Ten risk involves exposing sensitive data?
A. Broken authentication
B. Security misconfiguration
C. Insecure deserialization
D. Sensitive data exposure
Correct Answer: D. Sensitive data exposure
Rationale: This risk highlights improper data protection.
9 Question: What is the purpose of a code review in secure software design?
A. Improve performance
B. Detect security flaws
C. Increase user access
D. Reduce memory usage
Correct Answer: B. Detect security flaws
Rationale: Reviews identify vulnerabilities before deployment.
10 Question: Which compliance framework addresses software security?
A. PCI DSS
B. ISO 27001
C. HIPAA
D. GDPR
Correct Answer: A. PCI DSS
Rationale: PCI DSS includes specific software security requirements.
11 Question: What does the principle of least privilege enforce?
A. Full access for all users
B. Minimal necessary permissions
C. Unlimited resource use
D. Open network access
Correct Answer: B. Minimal necessary permissions
Rationale: Limits access to reduce potential damage.
12 Question: Which tool is commonly used for static code analysis?
A. Wireshark
B. SonarQube
C. Nmap
D. Metasploit
Correct Answer: B. SonarQube
Rationale: Analyzes code without execution to find vulnerabilities.
13 Question: What is a common vulnerability in web applications?
A. Cross-site scripting (XSS)
B. High CPU usage
C. Slow network speed
D. Large file sizes
Correct Answer: A. Cross-site scripting (XSS)
Rationale: XSS injects scripts, per OWASP Top Ten.
14 Question: Which technique mitigates buffer overflow attacks?
A. Input sanitization
B. Data compression
C. Network segmentation
D. User authentication
Correct Answer: A. Input sanitization
Rationale: Prevents excessive data input, a key defense.
15 Question: What is the purpose of a security regression test?
A. Improve UI design
B. Verify fixes don’t reintroduce vulnerabilities
C. Increase processing speed
D. Reduce database size
Correct Answer: B. Verify fixes don’t reintroduce vulnerabilities
Rationale: Ensures security stability post-update.
16 Question: Which protocol secures API communications?
A. HTTP
B. OAuth
C. FTP
D. SMTP
Correct Answer: B. OAuth
Rationale: OAuth provides secure authorization for APIs.
17 Question: What does defense in depth involve?
A. Single security layer
B. Multiple overlapping controls
C. Reduced monitoring
D. Open access policies
Correct Answer: B. Multiple overlapping controls
Rationale: Layers enhance overall security.
18 Question: Which metric tracks the number of vulnerabilities found?
A. Uptime percentage
B. Vulnerability density
C. Response time
D. Data throughput
Correct Answer: B. Vulnerability density
Rationale: Measures security quality.
19 Question: What is a key benefit of using container security?
A. Reduced deployment time
B. Isolated application environments
C. Simplified user access
D. Lower hardware costs
Correct Answer: B. Isolated application environments
Rationale: Isolation limits breach impact.
20 Question: Which practice prevents SQL injection?
A. Parameterized queries
B. Open database access
C. Unvalidated inputs
D. Direct SQL execution
Correct Answer: A. Parameterized queries
Rationale: Prevents malicious SQL input.
21 Question: What is the purpose of a security champion program?
A. Reduce development costs
B. Promote security awareness in teams
C. Increase system uptime
D. Simplify testing
Correct Answer: B. Promote security awareness in teams
Rationale: Champions embed security culture.
22 Question: Which standard guides secure coding practices?
A. ISO 9001
B. CERT Secure Coding
C. PCI DSS
D. GDPR
Correct Answer: B. CERT Secure Coding
Rationale: Provides coding security standards.