EXAMINATION TEST 2026 VERIFIED QUESTIONS
AND SOLUTIONS ALREADY PASSED
◉ Threat Modeling (Stages). Answer:
1. Identify Assets: Determine what needs to be protected.
2. Identify Threats: Identify potential threats to those assets.
3. Identify Vulnerabilities: Analyze weaknesses that could be exploited by threats.
4. Assess Risks: Evaluate the likelihood and impact of identified threats exploiting vulnerabilities.
5. Mitigate Risks: Implement countermeasures to reduce or eliminate identified risks.
◉ PASTA Stages. Answer:
- Define Objectives: Establish goals and scope of the analysis.
- Create an Application Diagram: Visualize the application and its components.
- Identify Threat Profiles: Define potential attacker personas and their motivations.
- Analyze Threats: Assess how attackers could exploit vulnerabilities to achieve their objectives.
- Prioritize Threats: Rank threats based on their severity and likelihood.
- Mitigate Threats: Develop and implement countermeasures to address identified threats.
◉ Core OpenSAMM activities. Answer: Governance
Construction
Verification
Deployment
◉ static analysis. Answer: Source code of an application is reviewed
manually or with automatic tools without running the code
◉ dynamic analysis. Answer: Analysis and testing of a program
occurs while it is being executed or run
◉ Fuzzing. Answer: Injection of randomized data into a software
program in an attempt to find system failures, memory leaks, error
handling issues, and improper input validation
◉ OWASP ZAP. Answer:
- Open-source web application security scanner
- Can be used as a proxy to manipulate traffic running through it (even HTTPS)
◉ ISO/IEC 27001. Answer: Specifies requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and
improving a documented information security management system
◉ ISO/IEC 17799. Answer: ISO/IEC is a joint committee that
develops and maintains standards in the IT industry. 17799 is an
international code of practice for information security management.
This section defines confidentiality, integrity and availability
controls.
◉ ISO/IEC 27034. Answer: A standard that provides guidance to
help organizations embed security within their processes that help
secure applications running in the environment, including
application lifecycle processes
◉ Software security champion. Answer: a developer with an interest
in security who helps amplify the security message at the team level
◉ waterfall methodology. Answer: a sequential, activity-based
process in which each phase in the SDLC is performed sequentially
from planning through implementation and maintenance
◉ Agile Development. Answer: A software development
methodology that delivers functionality in rapid iterations,
measured in weeks, requiring frequent communication,
development, testing, and delivery.