WGU D487 SECURE SW DESIGN | 146 QUESTIONS
| ANSWERED CORRECTLY TO SCORE A+
Introduction
This 146-item simulation mirrors the 2025 WGU D487 Secure Software Design
competency-based examination.
Content spans seven weighted domains: secure-design principles & methodologies,
threat modeling & risk assessment, security patterns & architecture, cryptography &
secure communications, security testing & vulnerability assessment, secure
development lifecycle (SDLC), and security compliance & standards.
Every question is original, scenario-based, and aligned with current OWASP, NIST, IEEE,
and WGU competency standards to support mastery-level performance.
Examination-length set: 146 original questions
Question 1:
A web application stores user preferences in client-side cookies. Which design change
best upholds the principle of least privilege for cookie data?
A. Encrypt cookies with a server-side key and set HttpOnly, Secure, and SameSite=Strict
B. Compress cookies to reduce bandwidth
C. Store cookies in localStorage for faster access
D. Sign cookies with HMAC-SHA256 but skip encryption
Answer: A. Encrypt cookies with a server-side key and set HttpOnly, Secure, and
SameSite=Strict
Solution: Encryption + attribute flags enforces least privilege by preventing client-side
read, XSS exfiltration, cross-site delivery, and insecure transport. Options B and C
increase exposure; D lacks confidentiality.
Question 2:
During threat modeling of a micro-service architecture, teams identify that service-to-
service traffic is unencrypted inside the cluster. Which STRIDE category is most directly
impacted?
A. Tampering
B. Spoofing
C. Repudiation
D. Information Disclosure
Answer: D. Information Disclosure
Solution: Unencrypted traffic allows sniffing of sensitive data, directly mapping to
pg. 1
,Information Disclosure. Tampering requires write-access, Spoofing identity, Repudiation
logging.
Question 3:
Which security pattern best mititates a time-of-check-time-of-use (TOCTOU) race
condition when two users reserve the same conference room?
A. Singleton pattern
B. Resource Lock pattern
C. Factory pattern
D. Observer pattern
Answer: B. Resource Lock pattern
Solution: A pessimistic lock (e.g., DB row lock) serialises check-then-reserve,
eliminating the race. Singleton controls instantiation, Factory creates objects, Observer
notifies events—none solve TOCTOU.
Question 4:
An API uses JWTs signed with RS256. The private key is rotated every 90 days. Which
step is essential to avoid service disruption during rotation?
A. Publish the new public key in a trusted JWKS endpoint
B. Increase JWT lifetime to overlap key validity
C. Switch to HS256 for simplicity
D. Store the old private key in the codebase for fallback
Answer: A. Publish the new public key in a trusted JWKS endpoint
Solution: JWKS allows consumers to fetch current public keys without code changes.
Extending lifetime (B) increases risk, HS256 (C) breaks asymmetric security, hard-
coding keys (D) violates best practices.
Question 5:
A developer proposes using ECB mode for AES-128 encryption of large binary blobs.
Which design principle is most violated?
A. Defense in depth
B. Fail securely
C. Open design
D. Complete mediation
Answer: D. Complete mediation
Solution: ECB leaks pattern information, failing to provide complete confidentiality
mediation. Defense in depth (A) is about layers, Fail securely (B) about error states,
Open design (C) about transparency.
pg. 2
,Question 6:
In a threat-modeling workshop, the team maps a feature that lets users upload XML
files. Which attack is most effectively mitigated by disabling external entity resolution?
A. XPath injection
B. XXE (XML External Entity)
C. XSLT injection
D. SOAP action spoofing
Answer: B. XXE (XML External Entity)
Solution: Disabling DTD/external entities directly blocks XXE. XPath (A) and XSLT (C)
are separate injection vectors; SOAP spoofing (D) targets routing, not entity expansion.
Question 7:
During a design review, architects observe that password-reset tokens are stored in
plaintext in the database and never expire. Which OWASP Top 10 risk category is most
applicable?
A. Cryptographic Failures
B. Identification and Authentication Failures
C. Security Misconfiguration
D. Insecure Design
Answer: B. Identification and Authentication Failures
Solution: Insecure token lifecycle is an authentication failure. Cryptographic failures (A)
would imply weak encryption, Misconfiguration (C) wrong settings, Insecure design (D)
broader flaws.
Question 8:
Which secure-coding practice best supports the principle of psychological acceptability
in a mobile banking app?
A. Require 15-minute re-authentication for every transaction
B. Offer biometric login with fallback to six-digit PIN
C. Disable clipboard functionality entirely
D. Force password changes every seven days
Answer: B. Offer biometric login with fallback to six-digit PIN
Solution: Biometric + PIN balances security and usability. Frequent re-auth (A) and
clipboard disable (C) frustrate users; weekly changes (D) encourage weak passwords.
Question 9:
A web framework automatically escapes output based on context (HTML, JS, CSS, URL).
Which vulnerability is most directly addressed?
A. XXE
B. XSS
pg. 3
, C. CSRF
D. SSRF
Answer: B. XSS
Solution: Contextual escaping neutralises injection of malicious scripts into the browser
(XSS). XXE (A) is XML entity abuse, CSRF (C) cross-site request forgery, SSRF (D) server-
side request forgery.
Question 10:
A system uses HMAC-SHA256 for API request signatures. Which step is critical to
prevent replay attacks?
A. Include a nonce and timestamp in the signature payload
B. Use a 2048-bit RSA key instead of a shared secret
C. Encrypt the HMAC with AES-256
D. Rotate the HMAC key every five years
Answer: A. Include a nonce and timestamp in the signature payload
Solution: Nonce + timestamp allows the server to reject old or duplicate requests. RSA
(B) is asymmetric, encryption (C) unnecessary, five-year rotation (D) too infrequent.
Question 11:
During a code review, auditors find that user-supplied filenames are concatenated
directly into file paths without validation. Which attack is most likely?
A. LDAP injection
B. Path traversal
C. Command injection
D. XPath injection
Answer: B. Path traversal
Solution: Unvalidated filenames enable “../../../etc/passwd” traversal. LDAP (A),
command (C), XPath (D) target other parsers.
Question 12:
Which cryptographic primitive is most appropriate for ensuring that a software-update
package has not been tampered with in transit?
A. ECDSA digital signature
B. AES-256-CBC encryption
C. SHA-256 hash alone
D. HMAC-SHA256 without key rotation
Answer: A. ECDSA digital signature
Solution: Digital signatures provide authenticity and integrity. AES-CBC (B) gives
confidentiality only, SHA-256 (C) lacks authenticity, static HMAC (D) still needs key
management.
pg. 4
| ANSWERED CORRECTLY TO SCORE A+
Introduction
This 146-item simulation mirrors the 2025 WGU D487 Secure Software Design
competency-based examination.
Content spans seven weighted domains: secure-design principles & methodologies,
threat modeling & risk assessment, security patterns & architecture, cryptography &
secure communications, security testing & vulnerability assessment, secure
development lifecycle (SDLC), and security compliance & standards.
Every question is original, scenario-based, and aligned with current OWASP, NIST, IEEE,
and WGU competency standards to support mastery-level performance.
Examination-length set: 146 original questions
Question 1:
A web application stores user preferences in client-side cookies. Which design change
best upholds the principle of least privilege for cookie data?
A. Encrypt cookies with a server-side key and set HttpOnly, Secure, and SameSite=Strict
B. Compress cookies to reduce bandwidth
C. Store cookies in localStorage for faster access
D. Sign cookies with HMAC-SHA256 but skip encryption
Answer: A. Encrypt cookies with a server-side key and set HttpOnly, Secure, and
SameSite=Strict
Solution: Encryption + attribute flags enforces least privilege by preventing client-side
read, XSS exfiltration, cross-site delivery, and insecure transport. Options B and C
increase exposure; D lacks confidentiality.
Question 2:
During threat modeling of a micro-service architecture, teams identify that service-to-
service traffic is unencrypted inside the cluster. Which STRIDE category is most directly
impacted?
A. Tampering
B. Spoofing
C. Repudiation
D. Information Disclosure
Answer: D. Information Disclosure
Solution: Unencrypted traffic allows sniffing of sensitive data, directly mapping to
pg. 1
,Information Disclosure. Tampering requires write-access, Spoofing identity, Repudiation
logging.
Question 3:
Which security pattern best mititates a time-of-check-time-of-use (TOCTOU) race
condition when two users reserve the same conference room?
A. Singleton pattern
B. Resource Lock pattern
C. Factory pattern
D. Observer pattern
Answer: B. Resource Lock pattern
Solution: A pessimistic lock (e.g., DB row lock) serialises check-then-reserve,
eliminating the race. Singleton controls instantiation, Factory creates objects, Observer
notifies events—none solve TOCTOU.
Question 4:
An API uses JWTs signed with RS256. The private key is rotated every 90 days. Which
step is essential to avoid service disruption during rotation?
A. Publish the new public key in a trusted JWKS endpoint
B. Increase JWT lifetime to overlap key validity
C. Switch to HS256 for simplicity
D. Store the old private key in the codebase for fallback
Answer: A. Publish the new public key in a trusted JWKS endpoint
Solution: JWKS allows consumers to fetch current public keys without code changes.
Extending lifetime (B) increases risk, HS256 (C) breaks asymmetric security, hard-
coding keys (D) violates best practices.
Question 5:
A developer proposes using ECB mode for AES-128 encryption of large binary blobs.
Which design principle is most violated?
A. Defense in depth
B. Fail securely
C. Open design
D. Complete mediation
Answer: D. Complete mediation
Solution: ECB leaks pattern information, failing to provide complete confidentiality
mediation. Defense in depth (A) is about layers, Fail securely (B) about error states,
Open design (C) about transparency.
pg. 2
,Question 6:
In a threat-modeling workshop, the team maps a feature that lets users upload XML
files. Which attack is most effectively mitigated by disabling external entity resolution?
A. XPath injection
B. XXE (XML External Entity)
C. XSLT injection
D. SOAP action spoofing
Answer: B. XXE (XML External Entity)
Solution: Disabling DTD/external entities directly blocks XXE. XPath (A) and XSLT (C)
are separate injection vectors; SOAP spoofing (D) targets routing, not entity expansion.
Question 7:
During a design review, architects observe that password-reset tokens are stored in
plaintext in the database and never expire. Which OWASP Top 10 risk category is most
applicable?
A. Cryptographic Failures
B. Identification and Authentication Failures
C. Security Misconfiguration
D. Insecure Design
Answer: B. Identification and Authentication Failures
Solution: Insecure token lifecycle is an authentication failure. Cryptographic failures (A)
would imply weak encryption, Misconfiguration (C) wrong settings, Insecure design (D)
broader flaws.
Question 8:
Which secure-coding practice best supports the principle of psychological acceptability
in a mobile banking app?
A. Require 15-minute re-authentication for every transaction
B. Offer biometric login with fallback to six-digit PIN
C. Disable clipboard functionality entirely
D. Force password changes every seven days
Answer: B. Offer biometric login with fallback to six-digit PIN
Solution: Biometric + PIN balances security and usability. Frequent re-auth (A) and
clipboard disable (C) frustrate users; weekly changes (D) encourage weak passwords.
Question 9:
A web framework automatically escapes output based on context (HTML, JS, CSS, URL).
Which vulnerability is most directly addressed?
A. XXE
B. XSS
pg. 3
, C. CSRF
D. SSRF
Answer: B. XSS
Solution: Contextual escaping neutralises injection of malicious scripts into the browser
(XSS). XXE (A) is XML entity abuse, CSRF (C) cross-site request forgery, SSRF (D) server-
side request forgery.
Question 10:
A system uses HMAC-SHA256 for API request signatures. Which step is critical to
prevent replay attacks?
A. Include a nonce and timestamp in the signature payload
B. Use a 2048-bit RSA key instead of a shared secret
C. Encrypt the HMAC with AES-256
D. Rotate the HMAC key every five years
Answer: A. Include a nonce and timestamp in the signature payload
Solution: Nonce + timestamp allows the server to reject old or duplicate requests. RSA
(B) is asymmetric, encryption (C) unnecessary, five-year rotation (D) too infrequent.
Question 11:
During a code review, auditors find that user-supplied filenames are concatenated
directly into file paths without validation. Which attack is most likely?
A. LDAP injection
B. Path traversal
C. Command injection
D. XPath injection
Answer: B. Path traversal
Solution: Unvalidated filenames enable “../../../etc/passwd” traversal. LDAP (A),
command (C), XPath (D) target other parsers.
Question 12:
Which cryptographic primitive is most appropriate for ensuring that a software-update
package has not been tampered with in transit?
A. ECDSA digital signature
B. AES-256-CBC encryption
C. SHA-256 hash alone
D. HMAC-SHA256 without key rotation
Answer: A. ECDSA digital signature
Solution: Digital signatures provide authenticity and integrity. AES-CBC (B) gives
confidentiality only, SHA-256 (C) lacks authenticity, static HMAC (D) still needs key
management.
pg. 4
