Software Design (LATEST UPDATE), ACTUAL EXAM/TEST QUESTIONS AND 100% VERIFIED ANSWERS | A+ GRADE
Question 1:
What are Security testing reports used for in A5 Ship?
Correct Answer:
They document findings from different types of security testing in this phase of the SDL.
Question 2:
What is the next step after the PSIRT determines a vulnerability is credible and high severity?
Correct Answer:
Identify resources and schedule the fix
Question 3:
Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?
Correct Answer:
cryptographic practice
Question 4:
What is the next step for the Product Security Incident Response Team (PSIRT) after developing and testing a patch?
Correct Answer:
✔ Notify customers that the fix is available
Question 5:
Which type of requirement specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character?
Correct Answer:
Privacy requirement
Question 6:
What is the purpose of Updated threat modeling artifacts in A3 Design & Development?
Correct Answer:
To maintain data flow diagrams, elements, and threat listings for security analysis.
Question 7:
Security Assessment: What are the key activities in the Security Assessment phase of SDL?
Correct Answer:
SDL Phase 1 (A1) = SDLC 1 Concept
Software security team is looped in early
Security team hosts a discovery meeting
Software security team discusses project plan
States what further work will be done
Privacy Impact Assessment (PIA) plan is created
Question 8:
SSDL BSIMM
Correct Answer:
SSDL Touchpoints in BSIMM focuses on activities directly related to the software security development lifecycle
(SSDL), including security testing, code review, and architecture analysis.
Question 9:
What is the Open-source licensing review report used for in A5 Ship?
Correct Answer:
To review compliance with licensing requirements if open-source software is used.
Question 10:
What does PSIRT use CVSS scoring for?
Correct Answer:
To prioritize responses to externally discovered vulnerabilities
To determine the severity of security incidents
To modify scores based on factors not captured in the standard CVSS model
Question 11:
What is an Every-Sprint Requirement in Agile SDL?
Correct Answer:
✔ Recurring security tasks that must be implemented in each sprint.
✔ Examples: Input validation, threat modeling, static code analysis.
✔ Ensures continuous security integration throughout development.
Question 12:
What are the four severity levels in CVSS scoring?
Correct Answer:
Critical (C) – CVSS base score of 9.0–10.0
High (H) – CVSS base score of 7.0–8.9
Medium (M) – CVSS base score of 4.0–6.9
Low (L) – CVSS base score of 0.1–3.9
Question 13:
How should software development organizations handle privacy response plans?
Correct Answer:
They should either:
Develop their own privacy response plans
Modify the Microsoft SDL Privacy Escalation Response Framework to fit their organization’s needs.
Question 14:
Security Testing Reports
Correct Answer:
A findings summary should be prepared for each type of security testing: manual code review, static analysis, dynamic analysis, penetration testing, and fuzzing. The reports should provide the type and number of issues identified and any consistent theme that can be derived from the findings. (A4 Design & Development)
Question 15:
What are the four focus areas of BSIMM?
Correct Answer:
Governance – Managing security initiatives.
Intelligence – Collecting security knowledge and tools.
SSDL Touchpoints – Applying security to the software development lifecycle.
Deployment – Security controls for operations.
Question 16:
What does the acronym DREAD stand for in Microsoft's risk model?
Correct Answer:
Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
Question 17:
DREAD
Correct Answer: