
WGU D487 SECURE SW DESIGN EXAM 2025 BEYOND 300 REVISION QUESTIONS AND THEIR CORRECT ANSWERS READY FOR GRADE A +

Rating: -
Sold: -
Pages: 89
Grade: A+
Uploaded on: 09-09-2025
Written in: 2025/2026

1. abstract syntax tree - Answer GOOGLE
2. active scanner - Answer Modifies the HTTPS inputs and analyzes the response to identify vulnerabilities
3. Agile methodology - Answer Opposite of waterfall, is good for iterative releases with customer feedback.
4. alpha level testing - Answer Testing done by developer
5. application decomposition - Answer Determines the fundamental functions of an application
6. application security - Answer Creating, testing, and implementing security features to prevent vulnerabilities in applications
7. application-centric threat modeling - Answer Threat models that start with the application being built
8. Architecture (A2) phase - Answer Second phase of SDLC, examines security from a business risk perspective
9. asset-centric threat modeling - Answer Threat models that start with protecting assets and senior management.
10. authenticated scans - Answer A scan with credentials
11. Benchmarks - Answer A set of parameters checked against something.
12. beta level testing - Answer Testing done by user
13. black box testing - Answer Testing done from external source with no knowledge of software
14. Building Security In Maturity Model (BSIMM) - Answer GOOGLE
15. code review - Answer A process done to identify security vulnerabilities in code during SDLC
16. Common Vulnerabilities and Exposures (CVE) - Answer Tracking ID for vulnerabilities
17. Common Vulnerability Scoring System (CVSS) - Answer Scoring system for vulnerabilities
18. control flow analysis - Answer GOOGLE
19. data flow diagrams - Answer How data flows through an application
20. deployment phase - Answer SDLC phase where security is deployed
21. Design and Development (A3) phase - Answer Third phase in SDLC, analyze and test software to determine security and privacy issues
22. design phase - Answer SDLC phase where requirements are outlined for technical design
23. DREAD - Answer Risk modeling approach, stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability
24. dynamic analysis - Answer Analyzing code as it is running in real time
25. elevation of privilege - Answer Exploiting vulnerabilities to upgrade account privileges on a system
26. end of life phase - Answer When software is no longer receiving security and stability updates
27. external resources - Answer Resources hired on a temporary basis
28. functional requirements - Answer Describes what the system will do/its purpose
29. functional testing scripts - Answer Instructions for a specific scenario or situation
30. fuzz testing - Answer Throwing random data at a software input to test for errors and vulnerabilities
31. gray box testing - Answer GOOGLE
32. hardware - Answer Physical devices
33. information disclosure - Answer Reading a file that one was not granted access to
34. internal resources - Answer Resources within the company
35. internal scans - Answer Scans to identify what vulnerabilities could be exploited when inside the network
36. intrusive target search - Answer Scans that exploit a vulnerability when identified
37. maintenance phase - Answer SDLC phase where ongoing security monitoring is implemented
38. measurement model - Answer A set of data security methods that help protect against vulnerabilities
39. metric model - Answer Measures the effectiveness of security controls
40. National Institute of Standards and Technology (NIST) - Answer Has security standards and best practices and guides for implementing security practices.
41. Nmap - Answer Port scanner
42. non-functional requirements - Answer Requirements that exist but do not impact the core purpose of the system
43. NVD Database - Answer CVE database
44. Open-Source Security Testing Methodology Manual - Answer Templates and standards for developing a software testing strategy
45. Open Web Application Security Project (OWASP) - Answer Framework to build security into SDLC
46. passive scanner - Answer Silently analyzes all HTTPS traffic
47. PASTA - Answer Another threat analysis framework. Includes: Define Objectives, Define Technical Score, Decompositions and analysis, Threat Analysis, vulnerabilities and Weakness Analysis, Modeling and Simulation, and Risk Impact Analysis
48. penetration testing - Answer An external or internal team will act as a malicious actor to attempt to break into a network.
49. planning phase - Answer SDLC phase where vision and next steps are outlined
50. policy and compliance - Answer Internal policy such as incident response, acceptable use policy. Compliance such as NIST, PCI DSS, HIPAA, PII, SOX, GLBA, etc.
51. privacy impact assessment - Answer Evaluates the impact and issues of any PII in the software
52. product risk profile - Answer Helps determine cost of product
53. Product Security Incident Response Team (PSIRT) - Answer Team that receives, investigates, and reports security vulnerabilities
54. pull request - Answer A request to merge your code into another branch
55. requirement phase - Answer SDLC phase where necessary software requirements are outlined
56. requirement traceability matrix - Answer Lists all security requirements
57. risk model - Answer Assess vulnerabilities during the SDLC
58. scripts - Answer Instructions to tell a person or tool what to do during the testing
59. Scrum - Answer Project management approach. Consists of many phases and positions.
60. secure code - Answer Coding security best practices
61. secure testing scripts - Answer Scripts created specifically for the application being tested
62. Security Assessment (A1) phase - Answer First phase of SDL in which risks are identified and security milestones are outlined.
63. security development life cycle (SDL) - Answer A process that outlines security and best practices for software development
64. What is a study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time? - Answer Building Security In Maturity Model (BSIMM)
65. What is the analysis of computer software that is performed without executing programs? - Answer Static analysis
66. Which International Organization for Standardization (ISO) standard is the benchmark for information security today? - Answer ISO/IEC 27001.
67. What is the analysis of computer software that is performed by executing programs on a real or virtual processor in real time? - Answer Dynamic analysis
68. Which person is responsible for designing, planning, and implementing secure coding practices and security testing methodologies? - Answer Software security architect
69. A company is preparing to add a new feature to its flagship software product. The new feature is similar to features that have been added in previous years, and the requirements are well-documented. The project is expected to last three to four months, at which time the new feature will be released to customers. Project team members will focus solely on the new feature until the project ends. Which software development methodology is being used? - Answer Waterfall
70. A new product will require an administration section for a small number of users. Normal users will be able to view limited customer information and should not see admin functionality within the application. Which concept is being used? - Answer

Document information

Type: Exam
Contains: Questions and answers

Seller: mutindampatrick12