Correct Verified Answers | D487 Secure Software Design
Objective Assessment | 2026/2027 Version 3 | Pass
Guaranteed - A+ Graded
Competency 1: Secure Software Development Lifecycle (SDL) - 12 Questions
Q1: During the requirements phase of the SDL, a team is analyzing whether their
payment processing application must comply with PCI-DSS. Which security activity is
most critical to perform during this phase to ensure compliance requirements are
properly captured?
A. Automated dynamic application security testing (DAST)
B. Security requirements gathering and compliance mapping
C. Penetration testing of the production environment
D. Code review using static analysis tools
Correct Answer: B
Rationale: The requirements phase establishes what the system must do, including its
security and compliance obligations. PCI-DSS requirements must be translated into
specific, testable security requirements at this stage (for example, which components
handle cardholder data and what encryption, logging and access-control requirements
follow from that). Options A (DAST) and D (static analysis) belong to the implementation
and verification phases. Option C (penetration testing) occurs during verification or
post-deployment. NIST SP 800-64 (withdrawn in 2019, with its guidance carried forward in
SP 800-160 and the SSDF, SP 800-218) treats security requirements engineering as a
foundational SDL activity. Compliance frameworks like PCI-DSS mandate specific controls
that must be designed into the system from the beginning, not bolted on later.
Q2: A development team implements automated security testing gates in their CI/CD
pipeline that block deployment if critical vulnerabilities are detected. This practice best
represents which DevSecOps principle?
A. Shift-left security with automated enforcement
B. Manual security review approval processes
C. Security testing only in pre-production environments
D. Outsourced security validation
Correct Answer: A
Rationale: DevSecOps integrates security practices into the CI/CD pipeline through
automation, enabling "shift-left" security where testing occurs early and frequently.
Automated gates enforce security policies without manual intervention. Option B
contradicts DevSecOps automation principles. Option C represents the traditional
"bolt-on" security approach that DevSecOps seeks to replace. Option D contradicts the
embedded security team model. According to OWASP and NIST, shift-left security
reduces remediation costs by identifying vulnerabilities when they are cheapest to
fix—during development rather than post-deployment.
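The gate described in Q2 is easy to state and slightly harder to get right: it has to fail the build on findings at or above a chosen severity, but it also needs a documented, time-limited exception path so that accepted risks do not become permanent silent suppressions. The following is an added example written for this page, not code from any real scanner or pipeline; the report format, finding IDs and rule names are constructed assumptions.

```python
"""CI/CD security gate: block the build on findings at or above a severity
threshold unless each is covered by an unexpired, documented risk acceptance.

Added example for this study guide; the report schema below is an assumption,
not the output format of any particular scanner.
"""
import json
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output for illustration only (IDs and rule names are made up).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "rule": "sql-injection", "severity": "critical",
         "file": "app/db.py", "line": 42},
        {"id": "F-002", "rule": "weak-hash-md5", "severity": "high",
         "file": "app/auth.py", "line": 17},
        {"id": "F-003", "rule": "debug-enabled", "severity": "medium",
         "file": "app/settings.py", "line": 3},
    ]
})


def load_findings(report_json):
    """Parse the report and normalise severities; reject unknown levels loudly
    rather than silently treating them as harmless."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {item.get('id')}")
        findings.append({**item, "severity": sev})
    return findings


def evaluate_gate(findings, threshold="critical", accepted=None, today=None):
    """Return (passed, blocking_findings, expired_acceptance_ids).

    accepted maps finding id -> ISO expiry date of a documented risk acceptance.
    today is an ISO date string (defaults to the current date) so the decision
    is reproducible in tests.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    accepted = accepted or {}
    floor = SEVERITY_RANK[threshold]
    blocking, expired = [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < floor:
            continue  # below the gate's threshold; reported but not blocking
        expiry = accepted.get(finding["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            continue  # documented, still-valid risk acceptance
        if expiry is not None:
            expired.append(finding["id"])  # acceptance lapsed: blocks again
        blocking.append(finding)
    return (not blocking, blocking, expired)


def main():
    """Stand-alone run: exit status 1 fails the pipeline stage."""
    findings = load_findings(SAMPLE_REPORT)
    passed, blocking, expired = evaluate_gate(findings, threshold="high")
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['rule']} {f['file']}:{f['line']}")
    for fid in expired:
        print(f"NOTE  risk acceptance for {fid} has expired")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Two design points worth noting: the gate refuses unknown severity strings instead of mapping them to "info", because a renamed severity level in a scanner upgrade should fail closed rather than silently open the gate; and acceptances carry an expiry, so an exception granted for a release has to be consciously renewed.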
Q3: Which of the following represents a quantitative risk assessment methodology?
(Select all that apply)
A. Assigning risk ratings of High, Medium, Low based on expert judgment
B. Calculating Annualized Loss Expectancy (ALE) using Single Loss Expectancy ×
Annualized Rate of Occurrence
C. Using Monte Carlo simulations to model potential breach costs
D. Determining risk priority through qualitative stakeholder consensus
Correct Answer: B, C
Rationale: Quantitative risk assessment expresses risk in numerical terms, usually
money, so that controls can be justified on cost-benefit grounds. B is the classic
point-estimate formula from traditional risk management (ALE = SLE × ARO). C,
Monte Carlo simulation over loss-frequency and loss-magnitude distributions, is the
approach used by FAIR; it produces a distribution of annual loss rather than a single
expected value. Options A and D are qualitative methods using categorical ratings and
subjective judgment. NIST SP 800-30 describes quantitative methods as those producing
numerical risk values, while qualitative methods use ordinal scales
(High/Medium/Low).
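To make the difference between B and C concrete, the following added example (written for this page, not taken from it, from FAIR or from any NIST publication) computes the point-estimate ALE and then runs a Monte Carlo simulation of the same scenario. The modelling choices are assumptions made here for illustration: event counts per year are Poisson with mean ARO, and each loss is lognormal with the stated median and spread; the parameter values are constructed.

```python
"""Point-estimate ALE versus a Monte Carlo annual-loss distribution.

Added example for this study guide. Distribution choices (Poisson event
frequency, lognormal loss magnitude) and all parameter values are assumptions.
"""
import math
import random
import statistics


def ale(sle, aro):
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def lognormal_mean(median, sigma):
    """Mean of a lognormal distribution given its median and log-space sigma.
    This is the single-number SLE that the point estimate has to work with."""
    return median * math.exp(sigma ** 2 / 2)


def _poisson(rng, lam):
    """Draw an event count with mean lam (Knuth's method; adequate for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(aro, sle_median, sle_sigma, years=20000, seed=7):
    """Simulate `years` independent years; each year has a Poisson(aro) number of
    loss events and each event costs a lognormal amount. Seeded for reproducibility."""
    rng = random.Random(seed)
    log_median = math.log(sle_median)
    losses = []
    for _ in range(years):
        events = _poisson(rng, aro)
        losses.append(sum(rng.lognormvariate(log_median, sle_sigma) for _ in range(events)))
    return losses


def percentile(values, q):
    """Simple order-statistic percentile (0 <= q <= 1)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses):
    """Summary a risk owner can act on: expected loss plus tail quantiles."""
    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: one incident every two years on average,
    # typical (median) loss $200k with a heavy right tail.
    aro, median, sigma = 0.5, 200_000, 0.8
    point = ale(lognormal_mean(median, sigma), aro)
    stats = summarize(simulate_annual_losses(aro, median, sigma))
    print(f"point-estimate ALE: {point:,.0f}")
    for key, value in stats.items():
        print(f"{key:>14}: {value:,.2f}" if key != "prob_any_loss" else f"{key:>14}: {value:.3f}")
```

The simulated mean converges to SLE × ARO, which is why the two methods agree on the expected value; what the point estimate cannot show is that the median year loses nothing, while the 95th and 99th percentiles sit several times above the mean. Those tail figures, not the ALE, are what drive decisions about controls against rare, expensive events.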
Q4: Arrange the following SDL phases in the correct chronological order:
1. Release
2. Design
3. Response
4. Requirements
5. Verification
6. Implementation
A. 4, 2, 6, 5, 1, 3
B. 4, 2, 6, 1, 5, 3
C. 2, 4, 6, 5, 1, 3
D. 4, 6, 2, 5, 1, 3
Correct Answer: A
Rationale: The correct sequence, as defined by the Microsoft SDL (which precedes these
phases with a Training phase), is: Requirements (4) → Design (2) → Implementation (6)
→ Verification (5) → Release (1) → Response (3). Requirements establish security
needs; Design creates the architecture and threat models; Implementation writes secure
code; Verification tests security; Release deploys after a final security review;
Response handles post-deployment incidents and vulnerability reports. Option B
incorrectly places Release before Verification. Option C starts with Design before
Requirements. Option D places Implementation before Design, which would mean coding
without architectural security planning.
Q5: An organization measures their security practices against the Building Security In
Maturity Model (BSIMM). Which statement accurately describes BSIMM's approach?
A. It prescribes specific security controls that all organizations must implement
B. It observes and measures existing software security initiatives across industry
C. It certifies organizations as compliant with secure development standards
D. It focuses exclusively on automated security testing tools
Correct Answer: B
Rationale: BSIMM is an observation-based model that measures the software security
activities organizations actually perform. It describes "what is" rather than "what
should be," providing a maturity measurement based on real-world data from
participating organizations. Unlike prescriptive frameworks (Option A) or certification
schemes (Option C), BSIMM produces a scorecard against its catalog of activities (the
exact count changes from version to version), organized into 12 practices across four
domains: Governance, Intelligence, SSDL Touchpoints and Deployment. Option D is
incorrect because BSIMM covers the full spectrum of SDL activities, not just testing.
BSIMM helps organizations understand their relative maturity and identify improvement
opportunities based on industry benchmarks.
Q6: A company establishes a Security Champions program where developers receive
specialized security training and act as security liaisons within their teams. What is the
primary benefit of this approach?
A. Eliminating the need for dedicated security teams
B. Scaling security expertise across development teams without 1:1 security-to-dev
ratios
C. Replacing automated security testing with manual reviews
D. Centralizing all security decisions with senior developers
Correct Answer: B
Rationale: Security Champions programs scale security knowledge by embedding
trained developers within teams who can identify security issues early and escalate
appropriately. This addresses the common challenge of limited security personnel