ASSESSMENT ACTUAL EXAM STUDY GUIDE 2025/2026
COMPLETE QUESTIONS AND CORRECT DETAILED
ANSWERS WITH RATIONALES
1. Security Champion - ANSWER ✓ A person who takes the lead in a project (for
example in development leadership or training) to enable, support and
encourage the adoption of security knowledge and practices through peer
leadership, demonstrated behavior, and social encouragement.
2. Software Security Architect (SSA) - ANSWER ✓ The software security architect
moves the project from analysis to implementation: as part of the development
process they analyze the requirements and use cases and may also develop
class diagrams.
In short, the SSA is the person who oversees the security aspects of a project,
making sure appropriate countermeasures are in place.
3. Software Security Evangelist (SSE) - ANSWER ✓ A training champion for
software security, an advocate for the overall software development
lifecycle process, and a proponent of promulgating and enforcing the overall
security program.
The SSE promotes software security practices in a team, in a unit, or on a project.
4. Software Security Stakeholder (SSS) - ANSWER ✓ A stakeholder has an
ownership interest in a program or project and a vested interest in its
success, both functionally and from a security perspective. The head of HR
would be a stakeholder in a payroll project.
5. Functional Acceptance Criteria - ANSWER ✓ Describe the behavior of the
system as it relates to the system's functionality.
Example: send an email when a condition is met.
6. Non-functional Acceptance Criteria - ANSWER ✓ Measurable criteria that can
be used to gauge the success of an overall system solution or product.
Example: review test results in areas such as efficiency, privacy,
confidentiality, etc.
7. Fuzz testing - ANSWER ✓ Supplying invalid, unexpected, or random data to a
program's inputs and watching for crashes, hangs, or failed assertions, i.e.
faults that the normal, well-formed test cases never reach.
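The following is an added illustration, not part of the study guide: a tiny mutation fuzzer run against a constructed length-prefixed record format. One parser trusts its count byte and crashes with an IndexError on some mutated inputs; the hardened version beside it bounds-checks every read and only ever raises its own ParseError. The format, the seed input and both parsers are made up for this example.

```python
"""Mutation fuzzer against a toy length-prefixed record parser.

The format and both parsers are constructed for this example; nothing here
is a real protocol.  Format: [count][len][data...][len][data...]...
"""
import random

SEED_INPUT = bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"  # constructed valid input


class ParseError(ValueError):
    """The only exception a well-behaved parser should raise on bad input."""


def parse_records(buf: bytes) -> list[bytes]:
    """Fragile parser: trusts the count byte and indexes past the end of buf.
    The resulting IndexError is the kind of bug fuzzing is meant to surface."""
    if not buf:
        raise ParseError("empty input")
    count, pos, out = buf[0], 1, []
    for _ in range(count):
        length = buf[pos]            # BUG: no check that pos < len(buf)
        pos += 1
        chunk = buf[pos:pos + length]
        if len(chunk) != length:
            raise ParseError("truncated record")
        out.append(chunk)
        pos += length
    return out


def parse_records_safe(buf: bytes) -> list[bytes]:
    """Hardened parser: every read is bounds-checked and reported as ParseError."""
    if not buf:
        raise ParseError("empty input")
    count, pos, out = buf[0], 1, []
    for _ in range(count):
        if pos >= len(buf):
            raise ParseError("missing length byte")
        length = buf[pos]
        pos += 1
        if pos + length > len(buf):
            raise ParseError("truncated record")
        out.append(buf[pos:pos + length])
        pos += length
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, insert, delete, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:          # overwrite one byte with a random value
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:                # insert a random byte at a random offset
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:        # delete one byte
        del buf[rng.randrange(len(buf))]
    elif buf:                        # truncate to a random prefix
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int, seed: int = 0) -> list[tuple[bytes, str]]:
    """Run `parser` on mutated inputs; return (input, description) pairs for
    every exception that is not a ParseError, i.e. every crash found."""
    rng = random.Random(seed)        # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
        except ParseError:
            pass                     # rejected cleanly: expected behaviour
        except Exception as exc:     # anything else is a bug in the parser
            crashes.append((case, f"{type(exc).__name__}: {exc}"))
    return crashes


if __name__ == "__main__":
    for name, parser in (("fragile", parse_records), ("hardened", parse_records_safe)):
        found = fuzz(parser, SEED_INPUT, 500)
        print(f"{name}: {len(found)} crashing inputs")
        if found:
            print("  first:", found[0][0].hex(), "->", found[0][1])
```

The harness treats ParseError as the contract ("bad input is rejected") and anything else as a finding; that distinction is what turns random mutation into a test oracle. Raising the count byte or truncating the input just after a complete record is enough to drive the fragile parser off the end of the buffer, while the hardened parser survives the same 500 cases.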
8. Strategic Attacks - ANSWER ✓ Use general targeting against a broad
industry. Highly repeatable.
9. Tactical Attacks - ANSWER ✓ Surgical by nature, with highly specific
targeting, and technologically sophisticated.
10. User-specific attacks - ANSWER ✓ Can be strategic, tactical, or personal in
nature, and target personal devices that may be either consumer or enterprise
owned.
They attack the user instead of the system.
11. Sociopolitical attacks - ANSWER ✓ Intended to elevate awareness of a topic.
12. Privacy Impact Assessment (PIA) - ANSWER ✓ The activities for
compliance include ensuring that collected information is only used for its
intended purposes, that the information is timely and accurate, and that the
public is aware of how the information is collected and how it is used.
13. PA-DSS (Payment Application Data Security Standard) - ANSWER ✓ PA-DSS is
explicitly focused on payment applications.
PA-DSS is a set of requirements intended to help software vendors develop
secure payment applications for credit cards. (Note: the PCI Security Standards
Council retired PA-DSS in October 2022; new validations fall under the PCI
Software Security Framework instead.)
14. PCI DSS (Payment Card Industry Data Security Standard) - ANSWER ✓ A
set of standards intended to ensure that all companies that process, store,
or transmit credit card information maintain a secure environment.
15. PTS DSS (PIN Transaction Security) - ANSWER ✓ Intended to protect all POS
devices and terminals, including attended and unattended terminal devices.
16.Which due diligence activity for supply chain security should occur in the
initiation phase of the software acquisition life cycle? - ANSWER ✓
Developing a request for proposal (RFP) that includes supply chain security
risk management
17.Which due diligence activity for supply chain security investigates the
means by which data sets are shared and assessed? - ANSWER ✓ A
document exchange and review
18. A design performs the following on every access:
Identification of the entity making the access request
Verification that the request has not changed since its initiation
Application of the appropriate authorization procedures
Reexamination of previously authorized requests by the same entity
Which security design analysis is being described? - ANSWER ✓ Complete
mediation
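As an added illustration of the four activities above (not code from the study guide), the following contrasts an access gate that caches its first decision with one that performs complete mediation: it identifies the principal, verifies the request has not been altered since it was issued (an HMAC tag stands in for whatever integrity mechanism a real system uses), and re-applies the current policy on every call, so a revocation takes effect immediately. The key, users, resources and policy store are all constructed for the example.

```python
"""Complete mediation: identify, verify, authorize, on every access, every time.

Constructed example.  SERVER_KEY, the users and the resources are made up, and
the HMAC tag is a stand-in for a real request-integrity mechanism.
"""
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"   # assumption: a secret known only to the server


@dataclass(frozen=True)
class Request:
    principal: str      # who is asking (identification)
    action: str         # e.g. "read"
    resource: str       # e.g. "/payroll"
    tag: bytes          # MAC over the three fields, fixed when the request is created


def _mac(principal: str, action: str, resource: str) -> bytes:
    msg = "\x1f".join((principal, action, resource)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def make_request(principal: str, action: str, resource: str) -> Request:
    return Request(principal, action, resource, _mac(principal, action, resource))


class Policy:
    """Mutable grant table: principal -> set of (action, resource)."""
    def __init__(self):
        self._grants: dict[str, set[tuple[str, str]]] = {}

    def grant(self, principal, action, resource):
        self._grants.setdefault(principal, set()).add((action, resource))

    def revoke(self, principal, action, resource):
        self._grants.get(principal, set()).discard((action, resource))

    def allows(self, principal, action, resource) -> bool:
        return (action, resource) in self._grants.get(principal, set())


class CachedGate:
    """Anti-pattern: remembers the first decision for a request key and never
    re-examines it, so a later revocation is silently ignored."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self._cache: dict[tuple[str, str, str], bool] = {}

    def check(self, req: Request) -> bool:
        key = (req.principal, req.action, req.resource)
        if key not in self._cache:
            self._cache[key] = self.policy.allows(*key)
        return self._cache[key]


class MediatedGate:
    """Complete mediation: every call identifies, verifies and authorizes afresh."""
    def __init__(self, policy: Policy):
        self.policy = policy

    def check(self, req: Request) -> bool:
        if not req.principal:                       # 1. identification
            return False
        expected = _mac(req.principal, req.action, req.resource)
        if not hmac.compare_digest(req.tag, expected):   # 2. unchanged since issue
            return False
        # 3./4. authorization re-applied against *current* policy, never cached
        return self.policy.allows(req.principal, req.action, req.resource)


def revocation_scenario() -> tuple[bool, bool]:
    """Grant, check, revoke, check again.
    Returns (cached decision after revoke, mediated decision after revoke)."""
    policy = Policy()
    policy.grant("alice", "read", "/payroll")
    cached, mediated = CachedGate(policy), MediatedGate(policy)
    req = make_request("alice", "read", "/payroll")
    if not (cached.check(req) and mediated.check(req)):
        raise RuntimeError("setup: the grant should allow the first access")
    policy.revoke("alice", "read", "/payroll")
    return cached.check(req), mediated.check(req)


def tampering_scenario() -> bool:
    """Reuse a legitimately issued tag on a request whose resource was edited.
    alice holds both grants, so a denial here is due solely to the tag check."""
    policy = Policy()
    policy.grant("alice", "read", "/payroll")
    policy.grant("alice", "read", "/public")
    good = make_request("alice", "read", "/public")
    forged = Request("alice", "read", "/payroll", good.tag)
    return MediatedGate(policy).check(forged)


if __name__ == "__main__":
    print("after revoke (cached, mediated):", revocation_scenario())
    print("tampered request allowed:", tampering_scenario())
```

The cached gate is the common shortcut (a session flag, a memoized permission lookup) that breaks "reexamination of previously authorized requests": once it has said yes it keeps saying yes. The mediated gate pays the policy lookup on every call, which is exactly the cost the principle asks you to accept.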
19.Which software security principle guards against the improper modification
or destruction of information and ensures the nonrepudiation and
authenticity of information? - ANSWER ✓ Integrity
20.What type of functional security requirement involves receiving, processing,
storing, transmitting, and delivering in report form? - ANSWER ✓ Primary
dataflow
21.Which nonfunctional security requirement provides a way to capture
information correctly and a way to store that information to help support
later audits? - ANSWER ✓ Logging
22. Which security concept refers to the quality of information that could cause
harm or damage if disclosed? - ANSWER ✓ Sensitivity
23.Which technology would be an example of an injection flaw, according to
the OWASP Top 10? - ANSWER ✓ SQL
24. A company is creating new software to track customer balances and wants
to design a secure application.
25. Which best practice should be applied? - ANSWER ✓ Create multiple layers
of protection so that a subsequent layer provides protection if a layer is
breached (defense in depth).
26. This SDLC role prepares a documented test plan to verify that the code
performs the functions it was supposed to. - ANSWER ✓ Tester role
27. ___ _______ is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry
field for execution. This can be done from any form or input that lets the
attacker supply data which, directly or indirectly, ends up in a database
query. - ANSWER ✓ SQL injection
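As an added illustration (not from the study guide), the following shows the injection in item 27 against a constructed in-memory SQLite users table: a login check that splices the username into the statement text accepts the classic `admin' --` payload, while the same check written with placeholders does not. The table, rows and passwords are made up; real systems store password hashes, not plaintext.

```python
"""SQL injection: string-built query vs. parameterized query on in-memory SQLite.

Constructed example.  The users table and its rows are made up; a real system
would store password hashes rather than plaintext passwords.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])   # constructed rows
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled text becomes part of the SQL statement.  A quote in the
    # username closes the string literal and "--" comments out the password check.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send the values separately from the statement text, so the
    # database engine never interprets user input as SQL, whatever it contains.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


PAYLOAD = "admin' --"          # authentication bypass: comments out the password clause
PAYLOAD_ANY_ROW = "' OR 1=1 --"   # matches every row, no account name needed


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real creds:", login_vulnerable(conn, "alice", "wonderland"))
    print("vulnerable, payload:   ", login_vulnerable(conn, PAYLOAD, "anything"))
    print("safe, payload:         ", login_safe(conn, PAYLOAD, "anything"))
    print("safe, real creds:      ", login_safe(conn, "alice", "wonderland"))
```

With the payload the vulnerable statement becomes `... WHERE username = 'admin' --' AND password = 'anything'`, and everything after `--` is a comment, so the row for admin is returned without a password. The parameterized version asks the engine for a user literally named `admin' --`, which does not exist.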
28. ______ is a classification scheme for characterizing known threats and
vulnerabilities according to the kind of exploit used (or the motivation of
the attacker). It focuses on the end results of possible attacks rather than
on the identification of each specific attack. - ANSWER ✓ STRIDE
29.S in STRIDE stands for... - ANSWER ✓ Spoofing Identity
30.T in STRIDE stands for... - ANSWER ✓ Tampering with Data
31.R in STRIDE stands for... - ANSWER ✓ Repudiation
32.I in STRIDE stands for... - ANSWER ✓ Information Disclosure
33.D in STRIDE stands for... - ANSWER ✓ Denial of Service