QUESTIONS AND CORRECT ANSWERS WITH
RATIONALES GRADED A+ LATEST
1. Which of the following best describes the principle of least privilege?
A. Users can access all resources but must authenticate first
B. Applications are granted only the permissions necessary to perform their tasks
C. Developers should have admin access to simplify testing
D. Only privileged users can perform security testing
Correct Answer: B
Rationale: Least privilege limits access rights for users and applications to only
what is strictly necessary to perform their tasks, reducing the attack surface.
2. In a threat model, which step comes first?
A. Identifying mitigations
B. Defining the system and boundaries
C. Running penetration tests
D. Reviewing compliance requirements
Correct Answer: B
Rationale: Threat modeling begins with defining the system, its boundaries, data
flows, and trust levels before identifying threats or mitigations.
3. A web application stores user passwords using SHA-256 without a salt.
What is the primary risk?
A. Data cannot be decrypted
B. Passwords can be easily reversed using rainbow tables
C. It violates PCI DSS
D. It prevents hashing collisions
Correct Answer: B
Rationale: Unsalted hashes are vulnerable to rainbow table attacks because
identical passwords produce identical hashes, allowing attackers to precompute the
hashes of common passwords and look them up.
4. Which of the following is the most secure method for storing session
identifiers?
A. In local storage
B. In cookies with HttpOnly and Secure flags
C. In a hidden form field
D. In the URL query string
Correct Answer: B
Rationale: The HttpOnly flag keeps the cookie out of reach of client-side scripts in
an XSS attack, and the Secure flag ensures it is transmitted only over HTTPS, making
this the most secure option.
5. A developer is designing an API that handles sensitive medical records.
Which security control should be implemented first?
A. Rate limiting
B. Input validation
C. Encryption in transit and at rest
D. Logging
Correct Answer: C
Rationale: Protecting sensitive medical data requires encryption both in transit and
at rest as a foundational control before additional protections.
6. What is the purpose of a Web Application Firewall (WAF)?
A. Encrypts all application data
B. Detects and blocks malicious HTTP traffic
C. Manages user authentication
D. Automatically patches vulnerabilities
Correct Answer: B
Rationale: A WAF filters, monitors, and blocks HTTP traffic to protect web
applications from attacks like SQL injection and XSS.
7. Which of the following best describes “defense in depth”?
A. Using one strong security control
B. Layering multiple security controls
C. Relying solely on perimeter defenses
D. Encrypting data only at rest
Correct Answer: B
Rationale: Defense in depth uses multiple layers of security controls so if one
fails, others still protect the system.
8. Which type of testing is most appropriate for identifying insecure direct
object references (IDOR)?
A. Static code analysis
B. Dynamic application security testing
C. Manual authorization testing
D. Unit testing
Correct Answer: C
Rationale: Manual authorization testing is the most effective way to detect IDOR
by attempting access to resources without proper permissions.
9. Scenario: A company must comply with GDPR. What is the most important
security design concept to include?
A. Data minimization
B. Open-source components
C. Frequent backups
D. Centralized logging
Correct Answer: A
Rationale: GDPR requires minimizing personal data collection and storage. Data
minimization reduces risk and ensures compliance.
10. Which of the following is the best way to prevent SQL injection?
A. Escaping user input
B. Using prepared statements and parameterized queries
C. Disabling database logs
D. Encrypting the database
Correct Answer: B
Rationale: Prepared statements ensure user input is treated as data, not executable
SQL, which prevents SQL injection.
11. What is the primary purpose of input validation?
A. To reduce network latency
B. To ensure user input is safe and expected
C. To encrypt user data
D. To generate session tokens
Correct Answer: B
Rationale: Input validation ensures data conforms to expected format and content,
preventing injection and other attacks.