and Answers (2026/2027) | Complete Exam
Review Pack | Verified Q&A | A+
• Privacy Compliance Report -✓✓The _________ report should provide progress
against privacy requirements provided in earlier phases. Any outstanding requirement
should be implemented as soon as possible. It is also prudent to assess any changes in
laws/regulations to identify (and put on a roadmap) any new requirements. A4 D&D
• Security Testing Reports -✓✓A findings summary should be prepared for each type of
security testing: manual code review, static analysis, dynamic analysis, penetration
testing, and fuzzing. The reports should provide the type and number of issues
identified and any consistent theme that can be derived from the findings. A4 D&D
• Remediation Report -✓✓A ____ report/dashboard should be prepared and updated
regularly from this stage. The purpose of this report is to showcase the security posture
and risk of the product at a technical level. A4 D&D
• Security Assessment
What are the key activities in the Security Assessment phase of SDL? -✓✓SDL Phase
1 (A1) = SDLC 1 Concept
Software security team is looped in early
Security team hosts a discovery meeting
Software security team discusses project plan
States what further work will be done
Privacy Impact Assessment (PIA) plan is created
• Architecture
What are the key activities in the Architecture phase of SDL? -✓✓SDL Phase 2 (A2) =
SDLC 2 Planning
A2 Policy compliance analysis
SDL policy assessment and scoping
Threat modeling & architecture security analysis
Open-source selection
Privacy information gathering and analysis
• Design & Development
What are the key activities in the Design & Development phase of SDL? -✓✓SDL
Phase 3 (A3) = SDLC 3 Design & Development
A3 Policy compliance analysis
Security test plan composition
,Static analysis updating
Threat modeling analysis & review
Privacy implementation assessment
• Design & Development Cont.
What are the key activities in the Design & Development Cont. phase of SDL? -✓✓SDL
Phase 4 (A4) = SDLC 4 Readiness
A4 Policy compliance analysis
Security test case execution
Static analysis
Fuzz testing
Privacy code review
Privacy validation and remediation
• Ship
What are the key activities in the Ship phase of SDL? -✓✓SDL Phase 5 (A5) = SDLC 5
Release & Launch
A5 Policy compliance analysis
Vulnerability scan
Penetration testing
Open-source licensing review
Final privacy review
• What is the purpose of the Product risk profile deliverable in Security Assessment
(A1)? -✓✓To estimate the actual cost of the product.
• What is the goal of the SDL project outline in Security Assessment (A1)? -✓✓To map
SDL activities to the development schedule.
• Why are Applicable laws and regulations important in Security Assessment (A1)? -
✓✓To obtain formal sign-off from stakeholders on applicable laws.
• What is the purpose of the Threat profile in Security Assessment (A1)? -✓✓To guide
SDL activities to mitigate threats.
• What is the goal of the Certification requirements deliverable in Security Assessment
(A1)? -✓✓To list requirements for product and operations certifications.
• Why is maintaining a List of third-party software important in Security Assessment
(A1)? -✓✓To identify dependence on third-party software.
• What is the purpose of the Metrics template in Security Assessment (A1)? -✓✓To
establish a cadence for regular reporting to executives.
, • What is the purpose of defining Business requirements in A2 Architecture? -✓✓To
establish software requirements, including Confidentiality, Integrity, and Availability
(CIA).
• What are Threat modeling artifacts used for in A2 Architecture? -✓✓They include data
flow diagrams, elements, and threat listings to assess security risks.
• What is the goal of Architecture threat analysis in A2 Architecture? -✓✓To prioritize
threats and risks based on a detailed threat analysis.
• What is a Risk mitigation plan in A2 Architecture? -✓✓A plan to mitigate, accept, or
tolerate risk within the system.
• What does Policy compliance analysis ensure in A2 Architecture? -✓✓It ensures
adherence to company policies and security regulations.
• What is the purpose of Updated threat modeling artifacts in A3 Design &
Development? -✓✓To maintain data flow diagrams, elements, and threat listings for
security analysis.
• What does a Design security review focus on in A3 Design & Development? -✓✓It
includes modifications to the design of software components based on security
assessments.
• What is the purpose of Security test plans in A3 Design & Development? -✓✓To
create a plan to mitigate, accept, or tolerate risk.
• What does Updated policy compliance analysis ensure in A3 Design & Development?
-✓✓It ensures adherence to company policies.
• What are Privacy implementation assessment results used for in A3 Design &
Development? -✓✓They provide recommendations from privacy assessments to
improve compliance.
• What is the purpose of the Security test execution report in A4 Design &
Development? -✓✓To review progress against identified security test cases.
• What does Updated policy compliance analysis ensure in A4 Design & Development?
-✓✓It ensures adherence to company policies.
• What is the Privacy compliance report used for in A4 Design & Development? -✓✓To
validate that recommendations from the privacy assessment have been implemented.