WGU C706 Secure Software Design
Final Exam Study Guide
Comprehensive Multiple-Choice Question Review
────────────────────────────────────────────────────────────
Western Governors University
College of Information Technology
────────────────────────────────────────────────────────────
Abstract
This study guide is designed as a comprehensive academic resource for students preparing for the
WGU C706 Secure Software Design Final Examination. The document presents 75 carefully curated
multiple-choice questions organized across ten critical security domains, including the Secure
Software Development Life Cycle (SSDLC) and DevSecOps integration, threat modeling and risk
assessment, OWASP Top 10 vulnerabilities, cryptography and key management, authentication and
authorization mechanisms, secure coding practices, security testing methodologies, compliance and
regulatory standards, cloud security design patterns, and scenario-based decision-making. Each
question is accompanied by four answer options, a clearly marked correct answer, and a detailed
rationale that explains the underlying security principles. The content aligns with the NIST Secure
Software Development Framework (SSDF), OWASP guidelines, industry best practices, and the WGU
C706 course competencies. This resource is intended to reinforce conceptual understanding, support
exam preparation, and serve as a reference for secure software design professionals.
Keywords: Secure Software Design, SSDLC, DevSecOps, OWASP Top 10, Cryptography, NIST
SSDF
, WGU C706 Secure Software Design Final Exam — 2026/2027
Table of Contents
Domain 1: SSDLC & DevSecOps Integration (Q1–Q8)
Domain 2: Threat Modeling & Risk Assessment (Q9–Q16)
Domain 3: OWASP Top 10 Vulnerabilities (Q17–Q26)
Domain 4: Cryptography & Key Management (Q27–Q34)
Domain 5: Authentication & Authorization (Q35–Q42)
Domain 6: Secure Coding Practices (Q43–Q50)
Domain 7: Security Testing Methodologies (Q51–Q58)
Domain 8: Compliance & Regulatory Standards (Q59–Q65)
Domain 9: Cloud Security Design Patterns (Q66–Q70)
Domain 10: Scenario-Based Secure Design Decision-Making (Q71–Q75)
2
, WGU C706 Secure Software Design Final Exam — 2026/2027
Domain 1: SSDLC & DevSecOps Integration
Questions Q1–Q8 | 8 Questions
Q1: Which phase of the Secure Software Development Life Cycle (SSDLC) is most
critical for identifying and mitigating security risks before code is written?
A. Deployment
✓ B. Requirements Analysis
C. Maintenance
D. Testing
Rationale: The requirements analysis phase is the optimal stage to embed security
considerations, as defining security requirements early reduces costly remediation efforts later.
NIST SSDF emphasizes shifting security left by establishing security objectives during planning
and requirements gathering.
················································································
Q2: In a DevSecOps pipeline, which practice ensures that security vulnerabilities are
automatically detected during continuous integration?
A. Manual code review at deployment
✓ B. Static Application Security Testing (SAST) in the CI/CD pipeline
C. Annual penetration testing
D. Developer self-certification
Rationale: Integrating SAST tools into the CI/CD pipeline enables automated vulnerability
detection during the build process, aligning with DevSecOps principles of shifting security left.
This approach provides rapid feedback to developers before code reaches production
environments.
················································································
Q3: Which NIST SSDF practice category focuses on preparing an organization to
produce secure software?
A. PO.1 — Define Security Requirements
✓ B. PW.1 — Prepare the Organization
C. PS.1 — Protect the Software
D. RV.1 — Verify Security
Rationale: NIST SP 800-218 organizes the Secure Software Development Framework into four
practice groups. The "Prepare the Organization" (PO) group establishes foundational policies,
roles, and toolchains that enable all subsequent secure development activities.
················································································
Q4: What is the primary benefit of integrating security gates into a CI/CD pipeline?
A. Eliminating the need for penetration testing
✓ B. Preventing vulnerable code from progressing to the next deployment stage
C. Reducing the overall number of developers required
D. Ensuring 100% code coverage
Rationale: Security gates act as automated checkpoints that block code with known
vulnerabilities from advancing through deployment stages. This enforcement mechanism
ensures that security policy compliance is maintained consistently without relying solely on
manual review.
················································································
Q5: Which SSDLC model integrates security activities as continuous parallel processes
throughout every development phase?
3
Final Exam Study Guide
Comprehensive Multiple-Choice Question Review
────────────────────────────────────────────────────────────
Western Governors University
College of Information Technology
────────────────────────────────────────────────────────────
Abstract
This study guide is designed as a comprehensive academic resource for students preparing for the
WGU C706 Secure Software Design Final Examination. The document presents 75 carefully curated
multiple-choice questions organized across ten critical security domains, including the Secure
Software Development Life Cycle (SSDLC) and DevSecOps integration, threat modeling and risk
assessment, OWASP Top 10 vulnerabilities, cryptography and key management, authentication and
authorization mechanisms, secure coding practices, security testing methodologies, compliance and
regulatory standards, cloud security design patterns, and scenario-based decision-making. Each
question is accompanied by four answer options, a clearly marked correct answer, and a detailed
rationale that explains the underlying security principles. The content aligns with the NIST Secure
Software Development Framework (SSDF), OWASP guidelines, industry best practices, and the WGU
C706 course competencies. This resource is intended to reinforce conceptual understanding, support
exam preparation, and serve as a reference for secure software design professionals.
Keywords: Secure Software Design, SSDLC, DevSecOps, OWASP Top 10, Cryptography, NIST
SSDF
, WGU C706 Secure Software Design Final Exam — 2026/2027
Table of Contents
Domain 1: SSDLC & DevSecOps Integration (Q1–Q8)
Domain 2: Threat Modeling & Risk Assessment (Q9–Q16)
Domain 3: OWASP Top 10 Vulnerabilities (Q17–Q26)
Domain 4: Cryptography & Key Management (Q27–Q34)
Domain 5: Authentication & Authorization (Q35–Q42)
Domain 6: Secure Coding Practices (Q43–Q50)
Domain 7: Security Testing Methodologies (Q51–Q58)
Domain 8: Compliance & Regulatory Standards (Q59–Q65)
Domain 9: Cloud Security Design Patterns (Q66–Q70)
Domain 10: Scenario-Based Secure Design Decision-Making (Q71–Q75)
2
, WGU C706 Secure Software Design Final Exam — 2026/2027
Domain 1: SSDLC & DevSecOps Integration
Questions Q1–Q8 | 8 Questions
Q1: Which phase of the Secure Software Development Life Cycle (SSDLC) is most
critical for identifying and mitigating security risks before code is written?
A. Deployment
✓ B. Requirements Analysis
C. Maintenance
D. Testing
Rationale: The requirements analysis phase is the optimal stage to embed security
considerations, as defining security requirements early reduces costly remediation efforts later.
NIST SSDF emphasizes shifting security left by establishing security objectives during planning
and requirements gathering.
················································································
Q2: In a DevSecOps pipeline, which practice ensures that security vulnerabilities are
automatically detected during continuous integration?
A. Manual code review at deployment
✓ B. Static Application Security Testing (SAST) in the CI/CD pipeline
C. Annual penetration testing
D. Developer self-certification
Rationale: Integrating SAST tools into the CI/CD pipeline enables automated vulnerability
detection during the build process, aligning with DevSecOps principles of shifting security left.
This approach provides rapid feedback to developers before code reaches production
environments.
················································································
Q3: Which NIST SSDF practice category focuses on preparing an organization to
produce secure software?
A. PO.1 — Define Security Requirements
✓ B. PW.1 — Prepare the Organization
C. PS.1 — Protect the Software
D. RV.1 — Verify Security
Rationale: NIST SP 800-218 organizes the Secure Software Development Framework into four
practice groups. The "Prepare the Organization" (PO) group establishes foundational policies,
roles, and toolchains that enable all subsequent secure development activities.
················································································
Q4: What is the primary benefit of integrating security gates into a CI/CD pipeline?
A. Eliminating the need for penetration testing
✓ B. Preventing vulnerable code from progressing to the next deployment stage
C. Reducing the overall number of developers required
D. Ensuring 100% code coverage
Rationale: Security gates act as automated checkpoints that block code with known
vulnerabilities from advancing through deployment stages. This enforcement mechanism
ensures that security policy compliance is maintained consistently without relying solely on
manual review.
················································································
Q5: Which SSDLC model integrates security activities as continuous parallel processes
throughout every development phase?
3
