GUIDE 2026 FULL QUESTIONS AND
SOLUTIONS GRADED A+
◍ Buildup Method.
Answer: Starting at the bottom of the organization and working to the top to
solicit info to determine the forecast.
◍ What is the purpose of authorization in security?
Answer: Authorization ensures that only specific users, systems, or APIs can
perform certain operations, preventing unauthorized access.
◍ What is the purpose of the Metrics template in Security Assessment (A1)?
Answer: To establish a cadence for regular reporting to executives.
◍ What happens in Step 4 of the PSIRT process?
Answer: The timeframe for remediation is determined. The format for public
reporting (e.g., security bulletin, knowledge base article) is finalized.
◍ What are the four focus areas of OpenSAMM?
Answer: Governance, Construction, Verification, and Deployment.
◍ When does a PSIRT typically make a public disclosure about a security
vulnerability?
Answer: When an external post-release discovery event occurs and includes:
relevant CVSS base and temporal scores, and a CVE (Common Vulnerabilities
and Exposures) ID report.
◍ What is the role of a PSIRT in post-release security?
Answer: A PSIRT is responsible for responding to software product security
incidents involving external discoveries of post-release software security
vulnerabilities.
◍ Durability.
Answer: Ability of a product to function when subjected to hard and
frequent use.
◍ Constraint.
Answer: Any resource whose capacity is less than or equal to the demand for
that resource.
◍ What is the Building Security In Maturity Model (BSIMM)?
Answer: BSIMM is a data-driven model that evaluates and benchmarks
software security initiatives (SSIs) in organizations based on observed
practices from multiple companies. It helps organizations assess their
security maturity by comparing their security programs to industry leaders.
◍ Test Markets.
Answer: Conducting a trial run with the product in a market region to
determine the forecast.
◍ Crosby.
Answer: Used the phrase "Do it right the first time." Wrote a book in 1979
entitled "Quality is Free." Introduced the concept of zero defects as a
measurable objective. Emphasized the importance of considering all costs of
quality.
◍ Which secure coding best practice says that all information passed to other
systems should be encrypted?
Answer: Communication Security.
Explanation: Encryption in transit protects data from eavesdropping and
man-in-the-middle (MITM) attacks. Secure communication protocols like TLS
(Transport Layer Security) and HTTPS ensure confidentiality and integrity.
End-to-end encryption prevents unauthorized access during data exchange
between systems.
◍ Juran.
Answer: Focus was on the customer's perception of quality. Quality must be
built on three elements: quality planning, quality control, and quality
improvement. Focused on fitness for use and the Pareto Principle.
◍ In an Agile SDL, which type of requirement includes Remote Procedure
Call (RPC) fuzz testing?
Answer: Bucket Requirement.
Explanation: Bucket requirements are security activities that do not need to
be performed every sprint but should be addressed within a set timeframe
(e.g., every quarter, release cycle, or milestone). RPC fuzz testing is a
security testing activity that can be scheduled periodically, making it a
bucket requirement rather than an every-sprint requirement. Unlike one-time
requirements, which are implemented once and do not repeat, bucket
requirements recur on a structured schedule.
◍ Which person is responsible for designing, planning, and implementing
secure coding practices and security testing methodologies?
Answer: Software security architect.
◍ Employee Empowerment.
Answer: Defined as involving employees in every step--from product
design, to process design, and system design. Creating a workforce of
empowered employees can improve employee morale, organizational
efficiency, product and service quality, and ultimately lead to higher
customer satisfaction.
◍ What key steps should be included in a privacy response plan?
Answer: Risk assessment; detailed diagnosis; short-term and long-term action
planning; implementation of action plans; creating patches or remediation
procedures; responding to media inquiries; engaging with external
discoverers.
◍ What is the main difference between BSIMM and OpenSAMM?
Answer: BSIMM is observational and focuses on benchmarking real-world
security practices from top organizations. OpenSAMM is prescriptive,
providing a structured roadmap and guidance on improving security
practices.
◍ Quality.
Answer: The degree to which a specific product conforms to its design
characteristics or specifications; the amount of a specific, desired
attribute; the capacity to satisfy customers' needs; consistently meeting or
exceeding the customer's needs and expectations. Quality is everyone's
responsibility in the organization.
◍ Just in Time 2 (JIT II).
Answer: Relationships with suppliers are further strengthened beyond
vendor managed inventory in which the supplier places a representative on
the customer's site that is dedicated to the customer's products only.
Although an employee of the supplier, this person is authorized to purchase
material for the customer.
◍ Which Ship SDL phase activity involves reviewing threat models, identified
vulnerabilities, and performing static/dynamic analysis before release?
Answer: Final Security Review
◍ Which type of requirement specifies that user passwords will require a
minimum of 8 characters and must include at least one uppercase character,
one number, and one special character?
Answer: Security requirement.
◍ Economies of Scope.
Answer: Can be expressed as "economies of scale through product line
diversification." It implies building the volume necessary to cover fixed
costs by producing a variety of products on the same equipment. Requires
flexibility within the organization.
◍ What is PRSA4 in Post-Release Support?
Answer: PRSA4 refers to the requirement to reapply SDL processes to
software when modifications occur post-release.
◍ What is the purpose of the Customer engagement framework in A5 Ship?
Answer: It provides a detailed framework to engage customers during
different stages of the product.
◍ Project Charter.
Answer: Includes the scope of the project, the problem statement, time