CERTIFICATION SCRIPT 2026 QUESTIONS
WITH SOLUTIONS GRADED A+
◍ An application development team is designing and building an application
that interfaces with a back-end database. Which activity should be included
when constructing a threat model for the application?
Answer: Decompose the application to understand how it interacts with
external entities
◍ SQL injection.
Answer: Inserting SQL statements into an input in the software to alter data
in the database.
◍ STRIDE threat action aimed to maliciously change/modify persistent data,
such as persistent data in a database, and the alteration of data in transit
between two computers over an open network, such as the
Internet (Integrity), is also known as __________________.
Answer: Tampering
◍ A system administrator wants to use physical controls to prevent
unauthorized access to information that belongs to users at a different
security level. Which strategy would prevent this problem?
Answer: Hardware segmentation
◍ The SDL __________ should outline security milestones based on the
information gained during the previous phase and integrate them into the
overall SDLC schedule to allow proper preparation as changes occur.
A. discovery meeting
B. project plan
C. metrics
D. impact assessment
Answer: B
◍ Which attack aims to make a web service unavailable or unusable?
Answer: Denial-of-service
◍ The metrics to be collected during the Ship (A5) phase of the SDL are
limited to the number, type, and severity of security issues found through
vulnerability scanning and penetration testing. (True or False)
A. True
B. False
Answer: B
◍ Regression Testing.
Answer: Defined as a type of software testing to confirm that a recent
program or code change has not adversely affected existing features.
It is a full or partial selection of already executed test cases that are
re-executed to ensure existing functionality still works correctly.
◍ A company is creating new software to track customer balances and wants
to design a secure application. Which best practice should be applied?
Answer: Create multiple layers of protection so that a subsequent layer
provides protection if a layer is breached
◍ What is the third step for constructing a threat model for identifying a
spoofing threat?
Answer: Decompose threats
◍ Which component of the change management process involves new system
deployment testing where the new system and the old system are operating
at the same time?
Answer: Parallel run
◍ All of the following are countermeasures for session management attacks,
EXCEPT:
A. Implement pre- and post-validation controls.
B. Encrypt cookies that include information about the state of the connection.
C. Implement time stamps or time-based validation.
D. Implement randomized session IDs.
Answer: A
◍ Which form of malicious software hides in the lower levels of an operating
system with privileged access permissions and opens a backdoor on the
system?
Answer: Rootkit
◍ Which security concept refers to the quality of information that could cause
harm or damage if disclosed?
Answer: Sensitivity
◍ Which part of the change management process addresses the need to
identify, understand, and help leaders manage opposition throughout the
organization?
Answer: Resistance management
◍ __________ is a white-box security analysis of a software system to
simulate the actions of a hacker, with the objective of uncovering potential
vulnerabilities resulting from coding errors, system configuration faults, or
other operational deployment weaknesses.
A. Vulnerability scanning
B. Penetration testing
C. Code analysis
D. Fuzzing
Answer: B
◍ Why does privilege creep pose a potential security risk?
Answer: Users have more privileges than they need and may perform
actions outside their job description.
◍ A bank is developing a new checking account application for customers and
needs to implement a security control that is effective at preventing an
elevation of privilege attack. Which security control is effective at
preventing this threat action?
Answer: Authorization
◍ The activities for compliance include ensuring collected information is only
used for intended purposes, information is timely and accurate, and the
public is aware of the information collected and how it is used. Which
well-accepted secure development standard is addressed by these activities?