WGU D385 SOFTWARE SECURITY AND TESTING OA & PRE-OA ACTUAL EXAM PREP 2026 QUESTIONS AND CORRECT DETAILED ANSWERS WITH RATIONALES ALREADY A GRADED WITH EXPERT FEEDBACK | CURRENTLY TESTING | NEW AND REVISED
1. Which of the following best defines the primary goal of software security?
A. To increase software performance
B. To ensure compliance with licensing agreements
C. To protect software from unauthorized access and vulnerabilities
D. To reduce development time
Rationale: Software security focuses on protecting applications and data from threats, including unauthorized access, data breaches, and exploitation.
2. In threat modeling, what is the first step in identifying potential security risks?
A. Implementing security patches
B. Identifying assets and potential threats
C. Conducting penetration testing
D. Writing secure code
Rationale: Effective threat modeling begins by identifying critical assets and the threats that could compromise them.
3. Which type of testing verifies that individual components of software operate correctly?
A. System testing
B. Integration testing
C. Unit testing
D. Acceptance testing
Rationale: Unit testing focuses on verifying the functionality of individual modules or components in isolation.
4. During a code review, which issue would indicate a potential security vulnerability?
A. Well-documented functions
B. Consistent naming conventions
C. Hard-coded passwords in source code
D. Efficient memory usage
Rationale: Hard-coded credentials are a security risk because they can be exploited by attackers.
5. What is the main difference between static and dynamic testing?
A. Static testing runs the code to detect runtime errors
B. Static testing analyzes code without execution; dynamic testing requires execution
C. Dynamic testing only verifies documentation
D. Static testing cannot find logical errors
Rationale: Static testing inspects code or documents without running the program, while dynamic testing involves executing the code to observe behavior.
6. Which of the following is an example of a buffer overflow vulnerability?
A. Encrypting passwords with a hash
B. Writing more data to a memory buffer than it can hold
C. Using strong access controls
D. Validating user input length
Rationale: Buffer overflows occur when input exceeds memory allocation, potentially allowing arbitrary code execution.
7. What is the primary purpose of regression testing?
A. To verify initial requirements
B. To test system scalability
C. To ensure new changes do not introduce errors in existing functionality
D. To detect security vulnerabilities
Rationale: Regression testing ensures that modifications, such as bug fixes or new features, do not break previously working functionality.
8. In secure software development, which practice helps prevent SQL injection attacks?
A. Using plaintext passwords
B. Storing sensitive data in cookies
C. Parameterizing SQL queries
D. Disabling firewalls
Rationale: Parameterized queries separate code from user input, preventing SQL injection attacks.
9. What is the main goal of penetration testing?
A. To improve software usability
B. To implement encryption standards
C. To identify and exploit security weaknesses in a controlled environment
D. To reduce network latency
Rationale: Penetration testing simulates attacks to discover vulnerabilities before attackers do.
10. Which of the following is considered a non-functional requirement in software testing?
A. Login feature
B. Payment processing functionality
C. System response time
D. User registration form
Rationale: Non-functional requirements define system performance, scalability, security, and usability rather than specific features.
11. What is the main advantage of automated testing over manual testing?
A. It requires less initial setup
B. It cannot detect regression errors
C. It can execute repetitive tests quickly and consistently
D. It replaces the need for skilled testers
Rationale: Automated testing improves efficiency, repeatability, and accuracy in performing routine test cases.
12. Which security principle ensures that users can only access resources they are authorized to use?
A. Authentication
B. Authorization
C. Confidentiality
D. Non-repudiation
Rationale: Authorization controls what authenticated users are allowed to do within a system.
13. In the software development lifecycle, which stage focuses primarily on identifying potential security requirements?
A. Coding
B. Testing
C. Deployment
D. Requirements analysis
Rationale: Security requirements must be considered early, during requirements analysis, to ensure proper controls are designed.
14. What is the purpose of input validation in secure software design?
A. To improve software speed
B. To bypass user authentication
C. To ensure that user input does not cause unexpected behavior or security issues
D. To encrypt all output
Rationale: Input validation prevents attacks such as injection and buffer overflow by ensuring data conforms to expected formats.
15. Which of the following is an example of a cross-site scripting (XSS) vulnerability?
A. Storing passwords in plain text
B. Allowing malicious scripts to execute in a user's browser
C. Using weak encryption
D. Buffer overflow in server code
Rationale: XSS vulnerabilities occur when untrusted input is executed as code in a web browser, affecting users.