Correct Answers (2026 Version, Secure and Fully Accurate)
1. Which practice in the Ship (A5) phase of the security development cycle
verifies whether the product meets security mandates?
A. Vulnerability scanning
B. Final security review
C. A5 policy compliance analysis
D. Code-assisted penetration testing
Answer: C. A5 policy compliance analysis
Rationale: This activity ensures the product meets required security policies and mandates
before release.
2. Which post-release support activity defines the process to communicate,
identify, and alleviate security threats?
A. Security architectural reviews
B. External vulnerability disclosure response
C. Third-party reviews
D. PSIRT escalation
Answer: B. External vulnerability disclosure response
Rationale: This activity governs how vulnerabilities are reported, communicated, and resolved
after release.
3. What are two core practice areas of the OWASP Security Assurance Maturity
Model (OpenSAMM)?
A. Design and Testing
B. Governance and Construction
C. Verification and Maintenance
D. Operations and Monitoring
Answer: B. Governance and Construction
Rationale: OpenSAMM is organized around four core practice areas, including Governance and
Construction.
4. Which practice in the Ship (A5) phase uses tools to identify weaknesses in the
product?
A. Policy compliance analysis
B. Final security review
C. Vulnerability scan
D. License compliance
Answer: C. Vulnerability scan
Rationale: Vulnerability scans use automated tools to detect weaknesses in the product.
5. Which post-release support activity should be completed when companies are
joining together?
A. External vulnerability disclosure
B. Third-party reviews
C. Security architectural reviews
D. Penetration testing
Answer: C. Security architectural reviews
Rationale: Mergers or acquisitions require reviewing combined architectures for security risks.
6. Which Ship (A5) deliverable is performed during A5 policy compliance
analysis?
A. White-box security testing
B. License compliance
C. Analyze activities and standards
D. Release and ship
Answer: C. Analyze activities and standards
Rationale: Policy compliance focuses on analyzing activities against defined standards.
7. Which Ship (A5) deliverable is performed during code-assisted penetration
testing?
A. Vulnerability scan
B. White-box security testing
C. Analyze activities and standards
D. License compliance
Answer: B. White-box security testing
Rationale: Code-assisted penetration testing involves internal knowledge of the code.
8. Which Ship (A5) deliverable is performed during the open-source licensing
review?
A. Analyze activities and standards
B. Release and ship
C. License compliance
D. White-box testing
Answer: C. License compliance
Rationale: This ensures open-source components meet licensing requirements.
9. Which Ship (A5) deliverable is performed during the final security review?
A. Vulnerability scan
B. License compliance
C. Analyze activities and standards
D. Release and ship
Answer: D. Release and ship
Rationale: Final security review confirms readiness for release.
10. How can you establish your own SDL based on Agile development?
A. Continuous integration
B. Iterative development
C. API invocation processes
D. Business enablement
Answer: B. Iterative development
Rationale: Agile relies on iterative cycles that naturally integrate SDL activities.