Exam (elaborations)

WGU D487 Secure Software Design – 2025 Objective Exam (Versions A & B) | Verified Questions with 100% Accurate A+ Answers

Pages: 57
Grade: A+
Uploaded on: 19-06-2025
Written in: 2024/2025

Privacy compliance report: Which design and development deliverable details the progress of personal information requirements created in earlier phases of the security development lifecycle?
Updated threat modeling artifacts: Which design and development deliverable contains technical and executive-level reports detailing any newly identified vulnerabilities?
C++: _______ is highly susceptible to buffer overflow vulnerabilities because it allows direct memory access and pointer arithmetic without built-in safeguards like bounds checking. This makes it a common target for memory corruption attacks.
Identify security code review objectives: What is the first step of the SDLC/SDL code review process?
Functional testing: Software testing performed when an analyst executes a series of test cases based on application requirements.
Ensure server-side queries are parameterized: A method to adjust existing security controls to prevent SQL injection vulnerabilities.
Ensure third-party libraries are kept up to date and reviewed consistently: A measure to adjust existing security controls after discovering a vulnerability in a third-party logging tool.
Validate all user input: A security control adjustment to prevent unauthorized file uploads.
Remediation of database instances: Addressing vulnerabilities discovered during an organizational security review of multiple database instances installed with default settings.

Default accounts and passwords: Ensure default accounts and passwords are disabled or removed.
Auditing and logging: Ensure auditing and logging are enabled on all servers.
Access to configuration files: Ensure access to configuration files is limited to administrators.
Server information exposure: Ensure servers are configured to return as little information as possible to network requests.
DOM-based cross-site scripting vulnerability: Enforce encoding of special characters.
Data encryption in transit: Ensure all data is encrypted in transit.
Audit trails for sensitive transactions: Ensure audit trails exist for all sensitive transactions.
Principle of least privilege: Follow the principle of least privilege for user and system accounts.
Simple hashes for passwords: Enforce the use of strong, salted hashing functions when storing passwords.
Strong password complexity standards: Enforce strong password complexity standards.
Regular password updates: Enforce regular password updates.
Encryption on credentials in transit: Enforce encryption on credentials in transit.
User privileges after exceptions: Ensure user privileges are restored to the appropriate level after exceptions.
Centralized exception handling: Ensure exceptions are handled in a centralized, structured way.
Error message sensitivity: Ensure error messages are scrubbed of any sensitive information.
Audit log for sensitive transactions: Ensure there is an audit log for all sensitive transactions.
Response to credible vulnerabilities: Identify resources and schedule the fix.
Ownership of product vulnerabilities: Identify the team that owns the product.
Customer notification of fixes: Notify customers that the fix is available.
Vulnerability reporter analysis: Determine how the reporter was able to create the vulnerability.
Security strategy for M&A products
Post-release certifications
Security strategy for legacy code
Third-party security review

RACI matrix for vulnerabilities: Creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities.
External vulnerability disclosure response process: The process followed by the product security incident response team (PSIRT) after determining a reported vulnerability was a credible claim, which includes working with development teams to create and test a patch.
Notify customers that the fix is available: The next step for the response team after a patch has been created and tested.
Final security review: The activity where the security team determines that all security issues identified in testing have been resolved and all SDL requirements have been met.
Passed: The result of the final security review when all security issues have been resolved.
Policy compliance analysis: The activity where the security team reviews whether new security requirements can be implemented prior to releasing the new product.
Every-sprint requirement: A type of requirement that states all user input values must be validated by type, size, and range.
Software security development life cycle (SSDL) touchpoints: The BSIMM domain being assessed when the software security group conducts a maturity assessment focused on reviewing security testing results from recent initiatives.
Final privacy review: An activity that may be performed during the Ship SDL phase to ensure compliance with privacy requirements.
Penetration testing: An activity that involves testing the software product for vulnerabilities by simulating attacks.
Vulnerability scan: An automated process to identify vulnerabilities in the software product.
Open-source licensing review: The process of reviewing open-source components for compliance with licensing requirements.
Bucket requirement: A type of requirement that groups related security requirements together for better management.

One-time requirement: A type of requirement that is only needed for a specific instance and not repeated in future iterations.
Final security review requirement: A type of requirement that must be fulfilled before the final security review can be completed.
Remote procedure call (RPC) fuzz testing: A specific type of testing that the team must perform as part of their security requirements.
Bucket requirement: A requirement that is categorized under a specific bucket for organizational purposes.
One-time requirement: A requirement that is needed only once during the software development process.
Every-sprint requirement: A requirement that must be fulfilled in every sprint of the software development cycle.
Final security review requirement: The last requirement to ensure security measures are in place before product release.
Building Security in Maturity Model (BSIMM): The study of real-world software security initiatives, organized so companies can measure their initiatives and understand how to evolve them over time.
Static analysis: The analysis of computer software that is performed without executing programs.
Fuzzing: A testing technique that involves providing invalid, unexpected, or random data to the inputs of a program.
Dynamic analysis: The analysis of software performed by executing it in a runtime environment.
OWASP ZAP: An open-source web application security scanner.
Database security: A secure coding best practice that emphasizes the use of parameterized queries, encrypted connection strings stored in separate configuration files, and strong passwords or multi-factor authentication.
Communication security: A secure coding best practice that states all information passed to other systems should be encrypted.
Agile: A software development methodology that emphasizes iterative development and collaboration.
Waterfall: A software development methodology characterized by a linear and sequential design process.

Scrum: An agile framework for managing complex projects, typically involving iterative development.
Extreme programming: An agile software development methodology that emphasizes customer satisfaction and flexibility.
POLP: Principle of Least Privilege; a concept that restricts user access rights to only what is necessary.
Analyzing the target: A threat modeling step that involves identifying approaches for input validation, authentication, authorization, and configuration management.
Daily scrum: A scrum ceremony where team members report their accomplishments, plans, and impediments.
Sprint review: A scrum ceremony that occurs at the end of a sprint to review the work completed.
Sprint retrospective: A scrum ceremony that reflects on the past sprint to improve future sprints.
Sprint planning: A scrum ceremony that involves planning the work to be performed in the upcoming sprint.
Software developer: A member of the scrum team responsible for writing feature logic and attending sprint ceremonies.
Data flow diagrams: Visual representations of the flow of data within a system.
STRIDE methodology: A threat modeling framework that categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Security assessment: An evaluation of a system's security measures and vulnerabilities.
Architecture analysis
Scrum master: The team member responsible for facilitating all scrum ceremonies and ensuring the team communicates freely.
Communication security: The secure coding practice that ensures all traffic must be secure and encrypted.
Reproducibility: The DREAD category based on how easily a threat exploit can be repeated.
Digital signatures: A mitigation technique used to fight against a data tampering threat.
Service accounts have no administration capabilities: A countermeasure to the web application security frame (ASF) configuration management threat category.

Compliance requirement: Specifies that file formats the application sends to financial institutions must be certified every four years.
Privacy requirement: Specifies that credit card numbers displayed in the application will be masked so they only show the last four digits.
Security requirement: Specifies that user passwords will require a minimum of 8 characters and must include at least one uppercase character, one number, and one special character.
Data classification requirement: Specifies that credit card numbers are designated as highly sensitive confidential personal information.
Privacy control requirements: Defines how personal information is protected on devices used by more than a single associate.
Vulnerability and weakness analysis: The step of the PASTA threat modeling methodology where design flaw analysis takes place.
Access requirements: Defines who has access to personal information within the product.
STRIDE-per-interaction
STRIDE-per-element
DREAD methodology: A classification system for identified exploits based on damage potential, reproducibility, exploitability, affected users, and discoverability.
High risk: Rating assigned to an exploit after analysis using a ternary ranking scale where high risk = 3 points.
Mitigate a threat: Apply a standard accepted countermeasure.
Security assessment deliverable: Defines milestones that will be met during each phase of the project, merged into the product development schedule.
Architecture deliverable: Identifies whether the product adheres to organization security rules.
Security testing technique: The type of testing performed using the source code and design documentation of the new product.
ISO standard: The benchmark for information security today.
Dynamic analysis: Analysis of computer software performed by executing programs on a real or virtual processor in real time.
Software security architect: Responsible for designing, planning, and implementing secure coding practices and security testing methodologies.

Common computer vulnerabilities and exposures (CVE): A list of information security vulnerabilities that aims to provide names for publicly known problems.
Cryptographic practices: Secure coding best practice that uses well-tested, publicly available algorithms to hide product data from unauthorized access.
System configuration: Secure coding best practice that ensures servers, frameworks, and system components are all running the latest approved versions.
Identify internal resources: Step of the security test plan where developers and analysts performing product testing are documented.
Define the user community: Step of the security test plan where the number of users and their roles are documented.
Source-code analysis: Security testing technique used to identify vulnerabilities in the source code.
Defense-in-depth: Application of multiple layers of protection so that if one layer is breached, the next layer provides protection.

Institution: WGU D487 Secure Software Design
Course: WGU D487 Secure Software Design