1. Which threat modeling technique enumerates, for each component of the system model,
six classes of threat an attacker may pose, and is named by the acronym of those classes?
A. PASTA
B. Threat Trees
C. ☑ STRIDE
D. DREAD
Rationale: STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service,
Elevation of privilege) is a threat taxonomy applied element by element to a system model, usually
a data-flow diagram. PASTA is a risk-centric process, threat trees decompose one attack goal into
its preconditions, and DREAD is a severity-rating scheme rather than a way to enumerate threats.
2. During secure requirements gathering you identify that the application will process
cardholder data. Which compliance consideration should be prioritized early?
A. HIPAA encryption requirements
B. ISO 27017 cloud controls
C. ☑ PCI DSS scoping and network segregation
D. FERPA access controls
Rationale: PCI DSS is specific to cardholder data; scoping and segmentation are early design
concerns to limit scope and risk.
3. Which OWASP Top 10 category best describes flaws that allow an attacker to execute
unintended SQL commands?
A. Broken Authentication
B. Insecure Deserialization
C. ☑ Injection
D. Security Misconfiguration
Rationale: Injection flaws (e.g., SQL injection) occur when untrusted data is interpreted as code
or commands.
4. A REST API uses API keys stored in client-side JavaScript. What is the primary weakness?
A. Strong encryption
B. Rate limiting
C. ☑ Client secrets exposed to public (insecure secret storage)
D. Use of OAuth 2.0
Rationale: Anything shipped to the browser can be read in developer tools or by fetching the
script; API keys belong on the server, with the browser calling a server-side endpoint that uses them.
5. Which control best defends against Cross-Site Scripting (XSS)?
A. Use of long session timeouts
B. Server-side encryption of data at rest
C. ☑ Proper output encoding (contextual) and input validation
D. Disabling TLS
Rationale: Output encoding chosen for the context where the data lands (HTML body, attribute,
JavaScript string, URL) stops untrusted input from being parsed as markup or script; input
validation and a Content Security Policy add defense in depth.
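The point of "contextual" is that the same value needs a different encoder depending on where it lands. The block below is an added example, not code from the original question bank: the input string and the three rendering contexts are constructed for illustration, and the helper names are my own. It also shows two common mistakes, HTML-escaping into an unquoted attribute and using a bare JSON encoder inside a script block, and why each fails.

```python
import html
import json

# Constructed attacker-controlled input (not from the original page).
UNTRUSTED = '"><script>alert(1)</script>'


def encode_html_text(value):
    """Encoder for an HTML text node: <h1>{here}</h1>."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Encoder for a quoted attribute: <input value="{here}">.
    Same escaping as text; the caller MUST quote the attribute (see below)."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Encoder for a JavaScript string literal inside <script>: var x = {here};
    json.dumps yields a quoted JS string with non-ASCII (including U+2028/2029)
    escaped; '<', '>' and '&' are additionally escaped as \\uXXXX so that a
    value containing '</script>' cannot terminate the script element."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_profile(display_name):
    """One value rendered into three contexts, each with its own encoder."""
    return (
        f"<h1>{encode_html_text(display_name)}</h1>\n"
        f'<input name="dn" value="{encode_html_attr(display_name)}">\n'
        f"<script>var dn = {encode_js_string(display_name)};</script>"
    )


def unquoted_attribute_breaks_out(value):
    """Mistake 1: correct encoder, wrong context. html.escape leaves spaces alone,
    so without quotes the input can introduce a new attribute."""
    markup = f"<input value={encode_html_attr(value)}>"
    return " onmouseover=" in markup


def bare_json_breaks_out(value):
    """Mistake 2: json.dumps alone inside <script>. The HTML parser ends the
    script element at the first '</script>' regardless of JS string syntax."""
    return "</script>" in json.dumps(value)
```

A practitioner's check is the round trip: `json.loads(encode_js_string(s))` must equal `s`, which confirms the extra escapes are still valid JSON/JS and only changed the bytes the HTML parser sees.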
6. Which cryptographic primitive provides non-repudiation for a message?
A. Symmetric encryption
B. Hashing only
C. ☑ Digital signature (asymmetric signing)
D. TLS session resumption
Rationale: Digital signatures bind a signer to a message and provide non-repudiation when keys
are managed properly.
7. In a secure SDLC, at which phase should threat modeling be performed for maximum
benefit?
A. After deployment
B. ☑ During design (and iteratively thereafter)
C. Only during requirements gathering
D. Only after pen test findings
Rationale: Threat modeling during design identifies architecture-level risks when they are
cheapest to fix; the model must be revisited as the system evolves.
8. Which authentication approach reduces risk of stolen passwords being useful to attackers?
A. Static passwords only
B. SMS OTP alone
C. ☑ Multi-factor authentication (MFA) using possession + knowledge or biometrics
D. Security questions only
Rationale: MFA combines independent factors, mitigating compromise of a single factor (like a
password).
9. What is the best immediate mitigation when a critical open-source dependency is reported
with a remote code execution (RCE) vulnerability?
A. Ignore until next release cycle
B. ☑ Assess the dependency usage, apply vendor fix or upgrade, or implement compensating
controls (e.g., block vulnerable code paths)
C. Remove TLS from communications
D. Reimplement dependency from scratch same day
Rationale: Immediate risk assessment and applying vendor fixes or mitigations is practical; full
rewrites are rarely immediate solutions.
10. Which practice helps prevent secrets (API keys, passwords) from entering source control?
A. Hard-code them in a .env file that is checked into the repository
B. ☑ Use a secrets manager + environment injection at runtime + gitignore
C. Encrypt secrets and commit them anyway
D. Post secrets to project issue trackers for sharing
Rationale: A secrets manager with runtime injection keeps secrets out of the repository, and a
.gitignore entry for local secret files prevents accidental commits; a pre-commit secret scanner
catches what slips through.
11. A service uses JWTs (JSON Web Tokens) signed with a symmetric secret. Which design
choice improves security for validating tokens from multiple services?
A. Use the same secret for all microservices permanently
B. ☑ Use asymmetric signing (private key to sign, published public keys to verify) and rotate
keys, identifying each by a key ID
C. Store the secret in client-side code
D. Disable token expiration
Rationale: With asymmetric signing only the issuer holds the private key; each service verifies
with the public key, typically fetched from a published key set indexed by a key ID (kid). Rotating
keys, and accepting a superseded key only for as long as tokens signed with it can still be valid,
limits the damage of a key compromise. A shared symmetric secret means every verifier can also mint tokens.
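The verifier-side logic that makes rotation work is the same whichever signature scheme is used: look the key up by kid, accept only keys still in their validity window, pin the algorithm rather than trusting the token header, and check expiry. The block below is an added example, not code from the original page or any library. It assumes HS256 so that it runs on the Python standard library alone (with RS256/ES256 the key ring would hold public keys and the signer would be a separate service); the key ring and its kid values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key ring (assumption: loaded from a secrets manager in production).
# "active" keys may verify; only the one marked "signing" issues new tokens.
KEYS = {
    "2024-01": {"secret": b"retired-secret", "active": False},
    "2024-06": {"secret": b"previous-secret", "active": True},
    "2024-09": {"secret": b"current-secret", "active": True, "signing": True},
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims, kid, keys=KEYS):
    """Issue an HS256 JWT under the given kid (the issuer side)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(keys[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token, now=None, keys=KEYS):
    """Verifier side: raises ValueError on any failure, returns claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked,
    # so "alg": "none" or a different scheme must never select the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None or not key["active"]:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def verifies(token, now):
    try:
        verify(token, now=now)
        return True
    except ValueError:
        return False


def forge_alg_none(claims):
    """What an attacker tries against a verifier that honours the header's alg."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode()) + "."
```

The "previous" key stays verifiable only until the last token signed with it has expired, so the overlap window is bounded by the token lifetime; once that passes the key is marked inactive and any token still carrying its kid is rejected.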
12. What is the primary purpose of static application security testing (SAST)?
A. Test runtime endpoints for injection
B. ☑ Analyze source code for vulnerabilities before execution
C. Measure user experience performance
D. Replace manual code review entirely
Rationale: SAST inspects source or bytecode to find insecure patterns early in development.
13. Which is a secure way to implement password storage?
A. Store plain text in the DB
B. SHA-1 hash of the password only
C. ☑ Salted, adaptive hash (e.g., bcrypt, Argon2) with per-user salt
D. Encrypt passwords with a symmetric key stored in the database
Rationale: A slow, salted, adaptive hash (bcrypt, Argon2, scrypt) makes offline guessing expensive
and the per-user salt defeats precomputed tables; fast hashes such as SHA-1 do neither. Reversible
encryption with the key stored beside the data is no better than plaintext once the database is dumped.
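What "salted, adaptive, per-user" looks like end to end, as an added example rather than code from the page: scrypt from the Python standard library stands in for bcrypt or Argon2 (an assumption made only because neither ships with Python); the storage string format and the function names are my own. It stores the cost parameters beside the hash so they can be raised later, compares in constant time, and flags hashes that were made under an older, weaker policy.

```python
import base64
import hashlib
import hmac
import os

# Current cost policy (assumption). n=2**14, r=8 needs 16 MiB, under OpenSSL's default cap.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def hash_password(password, params=PARAMS):
    """Returns '$scrypt$n=..,r=..,p=..$<salt b64>$<hash b64>' with a fresh random salt."""
    salt = os.urandom(16)                      # per-user salt: same password, different hash
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=32)
    return "$scrypt$n={n},r={r},p={p}${salt}${hash}".format(
        n=params["n"], r=params["r"], p=params["p"],
        salt=base64.b64encode(salt).decode(), hash=base64.b64encode(digest).decode())


def _parse(stored):
    _, scheme, paramstr, salt_b64, hash_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme")
    params = {k: int(v) for k, v in (kv.split("=") for kv in paramstr.split(","))}
    return params, base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(stored, password):
    """Recompute with the stored salt and parameters; compare in constant time."""
    params, salt, expected = _parse(stored)
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=params["n"], r=params["r"], p=params["p"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, params=PARAMS):
    """True if the stored hash used weaker parameters than current policy; the application
    rehashes on the next successful login, since that is the only time it has the password."""
    old, _, _ = _parse(stored)
    return any(old[k] < params[k] for k in params)
```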
14. A web app accepts file uploads. What measure reduces risk of malicious uploads
executing on the server?
A. Allow any file extension but hide it in UI
B. ☑ Validate file type, store outside webroot, set restrictive permissions, scan for malware
C. Execute uploaded files in restricted environment without checks
D. Trust file metadata from client
Rationale: Validate the file's actual content on the server (not the client's extension or
Content-Type), store it under a server-generated name outside the web root with non-executable
permissions, and scan it before it is made available.
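The following is an added example of those four measures together, not code from the original page: a small allowlist of file types identified by their leading bytes, a server-chosen random name, a storage directory that is assumed to sit outside the web root (a temporary directory stands in), and owner-only, non-executable permissions. The client's filename is taken only to be logged; note that "shell.php" uploaded with PNG bytes is stored as a .png and PHP text named .png is rejected.

```python
import os
import secrets
import tempfile

# Allowlist: leading bytes (magic numbers) -> extension used for storage.
# The client's filename and Content-Type are never consulted for the decision.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}
MAX_BYTES = 5 * 1024 * 1024

# Assumption: a directory the web server does not serve. A temp dir stands in here.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads-")


def sniff_type(data):
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def is_accepted(data):
    return len(data) <= MAX_BYTES and sniff_type(data) is not None


def store_upload(data, client_filename, upload_root=UPLOAD_ROOT):
    """Returns the server-side path. client_filename is only echoed in the error so it
    can be logged; it never influences the stored name or location."""
    if not is_accepted(data):
        raise ValueError(f"rejected upload {client_filename!r}")
    # A malware scan of `data` belongs here, before anything is written to disk.
    name = f"{secrets.token_hex(16)}.{sniff_type(data)}"
    path = os.path.join(upload_root, name)
    # O_EXCL: never overwrite; 0o600: owner read/write, no execute bit for anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def stored_basename(path):
    return os.path.basename(path)


def is_stored_safely(path, upload_root=UPLOAD_ROOT):
    """Check a stored file: inside the upload root and not executable."""
    real = os.path.realpath(path)
    inside = real.startswith(os.path.realpath(upload_root) + os.sep)
    not_exec = not (os.stat(real).st_mode & 0o111)
    return inside and not_exec
```

Serving the file back should go through an application endpoint that streams it with a fixed Content-Type and Content-Disposition, so the web server never interprets anything in the upload directory.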
15. What is the best practice for session management to prevent fixation attacks?
A. Keep session ID constant after login
B. Use predictable session IDs
C. ☑ Regenerate session ID upon privilege elevation (e.g., login) and use secure cookies
D. Store session ID in URL query parameters
Rationale: Regenerating the identifier at login invalidates any session ID an attacker planted
before authentication; the HttpOnly, Secure and SameSite cookie attributes reduce theft via script
access, cleartext transport and cross-site requests.
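To make the fixation scenario concrete, here is an added example (not code from the original page) of an in-memory session store that issues unpredictable identifiers, rotates the identifier on login so that a pre-login ID known to an attacker maps to nothing afterwards, and emits the cookie attributes named in the rationale. The store, its class name and the cookie name are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory store; a real deployment would back this with a cache or DB."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user):
        """Authenticate and return a NEW identifier. The old one is removed, so an id the
        attacker planted in the victim's browser before login grants nothing afterwards."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = dict(data, user=user, authenticated_at=time.time())
        return new_sid


def set_cookie_header(sid, name="sid", max_age=3600):
    """Set-Cookie value: HttpOnly blocks script access, Secure blocks cleartext transport,
    SameSite=Lax withholds the cookie from cross-site POSTs."""
    return f"{name}={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def fixation_attempt(store):
    """Attacker learns a pre-login id and induces the victim to log in with it."""
    planted = store.create()
    victim_sid = store.login(planted, "victim")
    attacker_sees = store.get(planted)              # None: the planted id is dead
    return attacker_sees is None and store.get(victim_sid)["user"] == "victim"
```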
16. Which control is most effective to detect and investigate runtime attacks in production?
A. Only rely on SAST findings
B. ☑ Centralized logging and SIEM with alerting + retention
C. No logging to protect privacy
D. Only local log files on app servers
Rationale: Centralized logs and SIEM enable correlation, alerting, and forensic analysis.
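The correlation point is easiest to see on data. The block below is an added example, not code from the original page: a few constructed login events from two web servers, as a central collector would receive them, and a detection rule for a password spray (one source failing against several distinct accounts, then succeeding). The log format, field names and thresholds are assumptions. Run over each server's log alone the rule stays silent; run over the merged stream it fires, which is why option D is wrong.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data), already forwarded to one place.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web1 app=login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:03Z host=web2 app=login user=bob src=203.0.113.5 result=FAIL
2024-05-01T10:00:04Z host=web1 app=login user=carol src=203.0.113.5 result=FAIL
2024-05-01T10:00:06Z host=web2 app=login user=dave src=203.0.113.5 result=FAIL
2024-05-01T10:00:08Z host=web1 app=login user=erin src=203.0.113.5 result=FAIL
2024-05-01T10:00:09Z host=web2 app=login user=erin src=203.0.113.5 result=OK
2024-05-01T10:05:00Z host=web1 app=login user=frank src=198.51.100.7 result=FAIL
2024-05-01T10:09:00Z host=web1 app=login user=frank src=198.51.100.7 result=OK
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) app=login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line):
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray_then_success(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when a source fails against >= threshold distinct users inside the window
    and then logs in successfully. Returns a list of alert dicts."""
    recent_fails = defaultdict(deque)   # src -> deque of (ts, user, host)
    alerts = []
    for raw in lines:
        ev = parse_event(raw)
        if ev is None:
            continue
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # slide the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"], ev["host"]))
            continue
        failed_users = {u for _, u, _ in q}
        if len(failed_users) >= threshold:
            alerts.append({
                "rule": "password-spray-then-success",
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "failed_users": sorted(failed_users),
                "hosts": sorted({h for _, _, h in q}),
            })
            q.clear()
    return alerts


def detect_on_single_host(lines, host):
    """What the same rule sees when confined to one server's local log file."""
    return detect_spray_then_success(l for l in lines if f"host={host} " in l)
```

Retention matters for the same reason: the successful login is the only event that looks benign on its own, and the investigation needs the failures that preceded it, possibly from days earlier, to establish what the attacker tried before it worked.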
17. During a secure code review you find user input used in an OS command. What mitigation
should you recommend?
A. Concatenate input directly into commands
B. ☑ Use parameterized APIs, avoid shell invocation, validate and canonicalize input
C. Remove all logging
D. Relay input directly to administrators by email
Rationale: Command injection is mitigated by not invoking a shell at all (pass an argument vector
to the process API), validating input against an allowlist, and treating the input as data rather
than as part of a command string.
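Questions 3 and 17 are the same flaw in two interpreters, so one added example (not code from the original page) covers both: an in-memory table queried first by string concatenation and then with a bound parameter, and an OS command built first as a string (shown tokenized the way a shell would see it, not executed) and then as an argument vector with an allowlist check. The Python interpreter itself stands in for the child process so the argv demonstration runs anywhere; the table contents, hostnames and function names are constructed.

```python
import re
import shlex
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed in-memory table; no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted data becomes part of the SQL text, so a value such as
    # x' OR '1'='1 is parsed as part of the WHERE clause and matches every row.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized: the driver binds the value; it is compared, never parsed.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def vulnerable_command(host):
    # The string a naive implementation would hand to subprocess.run(..., shell=True).
    return f"ping -c 1 {host}"


def shell_tokens(command_line):
    # How a shell tokenizes that string; ';' ends one command and starts another.
    # Shown rather than executed.
    return list(shlex.shlex(command_line, punctuation_chars=True))


HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_valid_host(host):
    """Allowlist: hostname or dotted IP characters only."""
    return HOST_RE.fullmatch(host) is not None


def echo_argv(value):
    """No shell: an argv list is passed to the process API, so the entire input
    arrives in the child as one argument. The child (the Python interpreter, as a
    portable stand-in for ping) prints argv[1] back."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


def run_safe(host):
    """Both controls together: validate, then call without a shell."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return echo_argv(host)
```

The argv route is the primary fix because it removes the interpreter; the allowlist is still worth keeping, since a metacharacter-free argument can still be an unwanted option (a value starting with "-") for the program being invoked.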