COMPLETE VERIFIED QUESTIONS AND ANSWERS 100% CORRECT
◉ What is Scrum Ceremony 1? Answer: Sprint Planning
- beginning of each sprint
- planning
- task creation
- sprint goals
◉ What is Scrum Ceremony 2? Answer: Daily Scrum
- every day
- identify blockers
- adjustment
◉ What is Scrum Ceremony 3? Answer: Sprint Review
- End of sprint
- demo
- feedback
- updates
◉ What is Scrum Ceremony 4? Answer: Sprint Retrospective
- after sprint review
- reflection
- lessons learned
◉ What is BSIMM? Answer: Building Security in Maturity Model
- a study of real-world software security initiatives, organized so companies can measure their initiatives and understand how to evolve
◉ What is CWE-352? Answer: Cross-site request forgery
◉ What is STRIDE used for? Answer: identify common threat types (categorizing)
◉ What is DREAD used for? Answer: prioritizing/ranking threats after identification (scoring)
◉ How to prevent Cross Site Request Forgery (CSRF)? Answer: use anti-CSRF tokens tied to each session
◉ What is input validation? Answer: filter/validate user input to prevent attacks
◉ What is CWE-79? Answer: Cross Site Scripting (XSS)
◉ Why are hardcoded credentials risky? Answer: exposes sensitive access if leaked
◉ What is the SDLC? Answer: Software Development Life Cycle (high-level overall)
◉ What is the role of the Security Architect? Answer: lead secure design and certify architecture
◉ What is the role of a Software Security Champion? Answer: guide dev team on secure coding and tools
◉ What happens in A1 - Security Assessment? Answer:
- define risk profile
- identify laws
- initiate PIA
◉ What happens in A2 - Architecture? Answer:
- threat modeling
- trust boundaries
- DFDs
- secure architecture
◉ What happens in A3 - Design and Development? Answer:
- secure code
- SAST tools
- test planning
◉ What happens in A4 - Verification? Answer:
- SAST
- DAST
- fuzzing
- code review
◉ What happens in A5 - Ship? Answer:
- final testing
- pen test
- license check
- release
◉ Every Third Product Update Stays Secure? Answer: Post Release Support (PRSA)
1. external vulnerability response
2. third party reviews
3. post release certifications