D487 Secure SW Design Questions and Correct Answers / Latest Update / Already Graded
Which practice in the Ship (A5) phase of the security development cycle verifies
whether the product meets security mandates?
Ans: A5 policy compliance analysis
Which post-release support activity defines the process to communicate, identify,
and alleviate security threats?
Ans: PRSA1: External vulnerability disclosure response
What are two core practice areas of the OWASP Security Assurance Maturity
Model (OpenSAMM)?
Ans: Governance, Construction
Which practice in the Ship (A5) phase of the security development cycle uses tools
to identify weaknesses in the product?
Ans: Vulnerability scan
Which post-release support activity should be completed when companies are
joining together?
Ans: Security architectural reviews
Which of the Ship (A5) deliverables of the security development cycle are
performed during the A5 policy compliance analysis?
Ans: Analyze activities and standards
Which of the Ship (A5) deliverables of the security development cycle are
performed during the code-assisted penetration testing?
Ans: white-box security test
Which of the Ship (A5) deliverables of the security development cycle are
performed during the open-source licensing review?
Ans: license compliance
Which of the Ship (A5) deliverables of the security development cycle are
performed during the final security review?
Ans: Release and ship
How can you establish your own SDL to build security into a process appropriate
for your organization's needs based on agile?
Ans: iterative development
How can you establish your own SDL to build security into a process appropriate
for your organization's needs based on devops?
Ans: continuous integration and continuous deployments
How can you establish your own SDL to build security into a process appropriate
for your organization's needs based on cloud?
Ans: API invocation processes
How can you establish your own SDL to build security into a process appropriate
for your organization's needs based on digital enterprise?
Ans: enables and improves business activities
Which phase of penetration testing allows for remediation to be performed?
Ans: Deploy
Which key deliverable occurs during post-release support?
Ans: third-party reviews
Which business function of OpenSAMM is associated with governance?
Ans: Policy and compliance
Which business function of OpenSAMM is associated with construction?
Ans: Threat assessment
Which business function of OpenSAMM is associated with verification?
Ans: Code review
Which business function of OpenSAMM is associated with deployment?
Ans: Vulnerability management
What is the product risk profile?
Ans: A security assessment deliverable that estimates the actual cost of the
product.
A software security team member has been tasked with creating a deliverable that
provides details on where and to what degree sensitive customer information is
collected, stored, or created within a new product offering. What does the team
member need to deliver in order to meet the objective?
Ans: Privacy impact assessment
What is the first phase in the security development life cycle?
Ans: A1 Security Assessment