WGU D487 Secure Software Design OA Prep Test: 2026-2027 Test Bank 1, 2 & 3, Actual Practice Questions & Correct Verified Answers (Assured Success, Graded A+)
The product security incident response team (PSIRT) determined a reported vulnerability was credible and of a high enough severity that it needs to be fixed. What is the response team's next step?
A) Identify resources and schedule the fix
B) Identify the team that owns the product
C) Notify customers that the fix is available
D) Determine how the reporter was able to create the vulnerability
Answer: A) Identify resources and schedule the fix

Organizational leadership is considering buying a competitor and has asked the software security team to develop a plan to ensure the competitor's point-of-sale system complies with organizational policies. Which post-release deliverable is being described?
A) Security strategy for M&A products
B) Post-release certifications
C) Security strategy for legacy code
D) Third-party security review
Answer: A) Security strategy for M&A products

The software security team has been tasked with identifying who will be involved when security vulnerabilities are reported from external entities. They are creating a RACI matrix that will identify stakeholders by who is responsible, accountable, consulted, and informed of any new vulnerabilities. Which post-release deliverable is being described?
A) External vulnerability disclosure response process
B) Third-party security review
C) Security strategy for legacy code
D) Post-release certifications
Answer: A) External vulnerability disclosure response process

After determining a reported vulnerability was a credible claim, the product security incident response team (PSIRT) worked with development teams to create and test a patch. The patch is scheduled to be released at the end of the month. What is the response team's next step?
A) Notify customers that the fix is available
B) Publish the reasons for closing the case
C) Notify the reporter that the case is going to be closed
D) Identify the team that owns the product
Answer: A) Notify customers that the fix is available

The final security review determined that all security issues identified in testing have been resolved and all SDL requirements have been met. What is the result of the final security review?
A) Passed
B) Passed with exceptions
C) Not passed and requires escalation
D) Not passed but does not require escalation
Answer: A) Passed

The security team is reviewing all threat models, identified vulnerabilities, and documented requirements. They are also performing static and dynamic analysis on the software product to determine if it is ready for release. Which activity of the Ship SDL phase is being performed?
A) Final security review
B) Penetration testing
C) Vulnerability scan
D) Final privacy review
Answer: A) Final security review

The security team is reviewing whether new security requirements, based on identified threats or changes to organizational guidelines, can be implemented prior to releasing the new product. Which activity of the Ship SDL phase is being performed?
A) Policy compliance analysis
B) Penetration testing
C) Final privacy review
D) Open-source licensing review
Answer: A) Policy compliance analysis

What is a list of information security vulnerabilities that aims to provide names for publicly known problems?
A) Common Computer Vulnerabilities and Exposures (CVE)
B) SANS Institute Top Cyber Security Risks
C) Bugtraq
D) Carnegie Mellon Computer Emergency Readiness Team (CERT)
Answer: A) Common Computer Vulnerabilities and Exposures (CVE)

Which secure coding best practice uses well-tested, publicly available algorithms to hide product data from unauthorized access?
A) Access control
B) Authentication and password management
C) Cryptographic practices
D) Data protection
Answer: C) Cryptographic practices