Correct Answers (100% Correct Verified Answers)
Question 1
Which of the following best defines a "threat" in the context of secure
software design?
A) A weakness in the system that could be exploited.
B) An action or event that could compromise the security of a system.
C) The potential harm that results from a security vulnerability.
D) A control implemented to mitigate a risk.
E) The likelihood of an attack occurring.
Correct Answer: B) An action or event that could compromise the security of
a system
Rationale: A threat is a potential for harm or an action that could
exploit a vulnerability, leading to a negative impact on an asset or
system.
Question 2
What is the primary goal of "threat modeling" in the Secure Software
Development Lifecycle (SDL)?
A) To identify and fix all software bugs.
B) To estimate the cost of security incidents.
C) To proactively identify potential threats and vulnerabilities to a system.
D) To test the application's performance under heavy load.
E) To determine the market value of the software.
Correct Answer: C) To proactively identify potential threats and vulnerabilities
to a system
Rationale: Threat modeling is a structured approach to identify
potential threats, assess their severity, and determine appropriate
mitigations early in the development process.
Question 3
Which component of the STRIDE threat modeling methodology focuses on
preventing unauthorized access to data?
A) Spoofing
B) Tampering
C) Repudiation
D) Information Disclosure
E) Denial of Service
Correct Answer: D) Information Disclosure
Rationale: Information Disclosure threats involve the unauthorized
exposure of information, which directly relates to preventing
unauthorized access to data.
Question 4
In a Data Flow Diagram (DFD), which symbol represents a process where
data is transformed or manipulated?
A) Square (External Entity)
B) Circle or Oval (Process)
C) Open-ended rectangle (Data Store)
D) Arrow (Data Flow)
E) Triangle (Trust Boundary)
Correct Answer: B) Circle or Oval (Process)
Rationale: In DFDs, a circle or oval typically represents a process,
which is an activity that transforms input data into output data.
Question 5
Which phase of the Security Development Lifecycle (SDL) is primarily
focused on identifying security requirements and potential risks early in the
design process?
A) Training
B) Requirements and Design
C) Implementation
D) Verification
E) Release and Response
Correct Answer: B) Requirements and Design
Rationale: The Requirements and Design phase of the SDL is where
security is integrated from the ground up, including defining
security requirements, conducting threat modeling, and performing
security architecture reviews.
Question 6
Which secure coding principle aims to prevent buffer overflow attacks?
A) Input validation
B) Output encoding
C) Principle of least privilege
D) Secure defaults
E) Cryptographic key management
Correct Answer: A) Input validation
Rationale: Input validation is crucial for preventing buffer overflow
attacks by ensuring that input data does not exceed the size of the
allocated buffer, thus preventing malicious code injection.
Question 7
What is the primary purpose of a "static analysis" security test?
A) To analyze code while the application is running.
B) To identify vulnerabilities in code without executing the application.
C) To simulate real-world attacks by ethical hackers.
D) To verify that security controls are properly configured in a deployed
environment.
E) To measure the performance impact of security features.
Correct Answer: B) To identify vulnerabilities in code without executing the
application
Rationale: Static analysis (SAST) involves analyzing source code,
bytecode, or binary code without executing the program, looking for
coding errors that could lead to security vulnerabilities.
Question 8
Which OWASP Security Assurance Maturity Model (SAMM) domain focuses on
activities related to managing and overseeing the overall security assurance
program?
A) Governance
B) Design
C) Implementation
D) Verification
E) Deployment
Correct Answer: A) Governance
Rationale: The Governance domain in OWASP SAMM covers activities
such as strategy and metrics, policy and compliance, and education
and guidance, focusing on the overarching management of the
security assurance program.
Question 9
A development team is implementing security requirements in an Agile
environment. When should security requirements be integrated into the
development process?
A) Only during the final testing phase.
B) Only after all functional requirements are complete.
C) Continuously throughout each sprint and iteration.
D) Once a year during a security audit.
E) Only by a dedicated security team at the end of the project.
Correct Answer: C) Continuously throughout each sprint and iteration
Rationale: In Agile, security should be integrated into every sprint
("every sprint requirements") to ensure it's built in from the start,
rather than being a last-minute add-on.
Question 10
Which risk mitigation strategy involves reducing the likelihood or impact of a
potential security threat?
A) Risk acceptance
B) Risk avoidance