PAPER 2026 QUESTIONS WITH VERIFIED
SOLUTIONS GRADED A+
◉ What are the differences between STRIDE and PASTA? How are
the threat methodologies similar? Answer: STRIDE focuses on
categorizing threats, while PASTA is a risk-driven methodology that
focuses on threat modeling through a structured process. Both aim
to identify and mitigate risks, but STRIDE is more focused on attack
types, and PASTA is more process-oriented.
◉ Before you ship a software product, which security factors must
you consider? Why are those factors important? Answer: Using the
SDL, you must consider secure design, threat modeling, secure
coding practices, and testing for vulnerabilities. These ensure your
product is resilient to attacks and meets security standards before
release.
◉ What is Scrum Ceremony 4? Answer: Sprint Retrospective
- after sprint review
- reflection
- lessons learned
◉ What is BSIMM? Answer: Building Security in Maturity Model
- study of real-world software security initiatives, organized so
companies can measure their initiatives and understand how to
evolve
◉ What is CWE-352? Answer: Cross-site request forgery
◉ What is STRIDE used for? Answer: identify common threat types
(categorizing)
◉ What is DREAD used for? Answer: Prioritizing/ranking threats
after ID (scoring)
◉ How to prevent Cross Site Request Forgery (CSRF)? Answer: use
anti-CSRF tokens tied to each session
◉ What is input validation? Answer: filter/validate user input to
prevent attacks
◉ What is CWE-79? Answer: Cross Site Scripting (XSS)
◉ Why are hardcoded credentials risky? Answer: exposes sensitive
access if leaked
◉ What is the SDLC? Answer: Software Development Life Cycle
(High Level overall)
◉ What is the role of the Security Architect? Answer: Lead Secure
design and certify architecture
◉ What is the role of a Software Security Champion? Answer:
Guide Dev team on secure coding and tools
◉ What happens in A1 - Security Assessment? Answer: Define Risk
Profile
identify laws
initiate PIA
◉ What happens in A2 - Architecture? Answer: Threat modeling
trust boundaries
DFDs
secure architecture
◉ What happens in A3 - Design and Development? Answer: Secure
code
SAST Tools
test planning
◉ What happens in A4 - Verification? Answer: SAST
DAST
Fuzzing
Code review
◉ What happens in A5 - Ship? Answer: Final testing
pen test
license check
release
◉ Every Third Product Update Stays Secure Answer: Post Release
Support (PRSA)
1- External vulnerability response
2- third party reviews
3- post release certifications
4- update reviews
5- strategy for legacy and EOL
◉ What is the goal for PRSA1? Answer: Manage external
vulnerability disclosures