WGU C706 SECURE SOFTWARE DESIGN
EXAMINATION TEST 2026 COMPLETE
QUESTIONS AND SOLUTIONS GRADED A+
⩥ . Answer: The setting of key success factors, or success criteria, for
any SDL phase will make it more effective and will help in performing
post-mortem afterwards to understand what worked and what did not.
⩥ Software security policy. Answer: A policy intended to define what
needs to be protected and how it will be protected, including reviewing
and incorporating policies from outside the SDL that may impact the
development process
⩥ Threat modeling(2). Answer: This exercise requires a special set of
skills, experience, and mindset, and the team must be able to think like
an adversary. A senior software security architect or a seasoned software
security champion typically runs this aspect
⩥ Data flow diagram (DFD). Answer: The first step of the threat
modeling process; to develop a visual representation of the threat flows,
typically drawn during a whiteboard session
⩥ Mixed source. Answer: Draws on the strengths of both open-source
and proprietary software to deliver the highest value at the lowest cost;
becoming a dominant practice in industry
,⩥ Third-party security assessment. Answer: An extensive review that
will be conducted by your software security architect, a third party, or a
combination of both
⩥ Analysis phase. Answer: The phase that determines how PII will be
handled to ensure that it conforms to applicable legal, regulatory, and
policy requirements regarding privacy
⩥ Formal business requirement. Answer: An artifact that lists software
requirements and business risks mapped to the three pillars of
information security: confidentiality, integrity, and availability
⩥ . Answer: Unless the senior leadership of the development
organization and the management team support the SDL, it will likely
fail. It must be driven by a policy that is signed off, promulgated, and
provides support by the software development management team and,
ideally, by the CEO.
⩥ . Answer: Threat modeling requires a special set of skills, experience,
and mindset, and the team must be able to think like an adversary. A
senior software security architect or a seasoned software security
champion typically runs this aspect.
,⩥ . Answer: A formal business requirement is an artifact that lists
software requirements and business risks mapped to the three pillars of
information security: confidentiality, integrity, and availability.
⩥ . Answer: The purpose of a software security policy is to define what
needs to be protected and how it will be protected, including reviewing
and incorporating policies from outside the SDL that may impact the
development process. These might include policies governing software
or applications developed or applied anywhere in the organization.
⩥ . Answer: The diagram produced in this stage of the threat modeling
process is called a data flow diagram or DFD. The focus of the DFD is
on how data moves through the software solution and what happens to
the data as it moves, giving you a better understanding of how the
software works and its underlying architecture by providing a visual
representation of how the software processes data.
⩥ . Answer: The analysis phase:
*determines how PII will be handled to ensure that it conforms to
applicable legal, regulatory, and policy requirements regarding privacy,
*determines the risks and effects of collecting, maintaining, and
disseminating privacy information in identifiable form in the software
and overall system being developed or one that it potentially interfaces
with in a cloud or SaaS environment, and
, *examines and evaluates protections and alternative processes for
handling information to mitigate potential privacy risks.
⩥ . Answer: There has been an increasing trend in the software industry
over the last few years to draw on the strengths of both open-source and
proprietary software to deliver the highest value at the lowest cost. The
blend of both is called "mixed source" and is becoming a dominant
practice in industry.
⩥ . Answer: A security assessment requires an extensive review that will
be conducted by your software security architect, a third party, or a
combination of both.
⩥ A4 Policy Compliance Analysis. Answer: During this phase, any
policy that exists outside the domain of the SDL policy is reviewed (or
reviewed again); this may include policies from outside the development
organization
⩥ Quality assurance (QA). Answer: In a typical SDLC cycle, software
goes through testing that includes unit, performance, system, and
regression testing
⩥ Benchmarks. Answer: These tests are used to compare estimates to
actual results
EXAMINATION TEST 2026 COMPLETE
QUESTIONS AND SOLUTIONS GRADED A+
⩥ . Answer: The setting of key success factors, or success criteria, for
any SDL phase will make it more effective and will help in performing
post-mortem afterwards to understand what worked and what did not.
⩥ Software security policy. Answer: A policy intended to define what
needs to be protected and how it will be protected, including reviewing
and incorporating policies from outside the SDL that may impact the
development process
⩥ Threat modeling(2). Answer: This exercise requires a special set of
skills, experience, and mindset, and the team must be able to think like
an adversary. A senior software security architect or a seasoned software
security champion typically runs this aspect
⩥ Data flow diagram (DFD). Answer: The first step of the threat
modeling process; to develop a visual representation of the threat flows,
typically drawn during a whiteboard session
⩥ Mixed source. Answer: Draws on the strengths of both open-source
and proprietary software to deliver the highest value at the lowest cost;
becoming a dominant practice in industry
,⩥ Third-party security assessment. Answer: An extensive review that
will be conducted by your software security architect, a third party, or a
combination of both
⩥ Analysis phase. Answer: The phase that determines how PII will be
handled to ensure that it conforms to applicable legal, regulatory, and
policy requirements regarding privacy
⩥ Formal business requirement. Answer: An artifact that lists software
requirements and business risks mapped to the three pillars of
information security: confidentiality, integrity, and availability
⩥ . Answer: Unless the senior leadership of the development
organization and the management team support the SDL, it will likely
fail. It must be driven by a policy that is signed off, promulgated, and
provides support by the software development management team and,
ideally, by the CEO.
⩥ . Answer: Threat modeling requires a special set of skills, experience,
and mindset, and the team must be able to think like an adversary. A
senior software security architect or a seasoned software security
champion typically runs this aspect.
,⩥ . Answer: A formal business requirement is an artifact that lists
software requirements and business risks mapped to the three pillars of
information security: confidentiality, integrity, and availability.
⩥ . Answer: The purpose of a software security policy is to define what
needs to be protected and how it will be protected, including reviewing
and incorporating policies from outside the SDL that may impact the
development process. These might include policies governing software
or applications developed or applied anywhere in the organization.
⩥ . Answer: The diagram produced in this stage of the threat modeling
process is called a data flow diagram or DFD. The focus of the DFD is
on how data moves through the software solution and what happens to
the data as it moves, giving you a better understanding of how the
software works and its underlying architecture by providing a visual
representation of how the software processes data.
⩥ . Answer: The analysis phase:
*determines how PII will be handled to ensure that it conforms to
applicable legal, regulatory, and policy requirements regarding privacy,
*determines the risks and effects of collecting, maintaining, and
disseminating privacy information in identifiable form in the software
and overall system being developed or one that it potentially interfaces
with in a cloud or SaaS environment, and
, *examines and evaluates protections and alternative processes for
handling information to mitigate potential privacy risks.
⩥ . Answer: There has been an increasing trend in the software industry
over the last few years to draw on the strengths of both open-source and
proprietary software to deliver the highest value at the lowest cost. The
blend of both is called "mixed source" and is becoming a dominant
practice in industry.
⩥ . Answer: A security assessment requires an extensive review that will
be conducted by your software security architect, a third party, or a
combination of both.
⩥ A4 Policy Compliance Analysis. Answer: During this phase, any
policy that exists outside the domain of the SDL policy is reviewed (or
reviewed again); this may include policies from outside the development
organization
⩥ Quality assurance (QA). Answer: In a typical SDLC cycle, software
goes through testing that includes unit, performance, system, and
regression testing
⩥ Benchmarks. Answer: These tests are used to compare estimates to
actual results
