Exam questions and answers 2026 latest update
Question 1
While performing functional testing of a new product from a shared machine, a
QA analyst closed their browser window but did not log out of the application. A
different QA analyst accessed the application an hour later and was not prompted
to log in. They then noticed the previous analyst was still logged into the
application. How should existing security controls be adjusted to prevent this in the
future?
• A. Ensure no sensitive information is stored in plain text in cookies
• B. Ensure user sessions timeout after short intervals
• C. Ensure role-based access control is enforced for access to all resources
• D. Ensure strong password policies are enforced
Correct Answer:-B
Rationale: The issue is a server-side session that stayed valid after the browser
window was closed. Enforcing session timeouts (an inactivity timeout plus an absolute
maximum lifetime) makes the server expire sessions automatically, so a session left
behind on a shared machine stops working after a short interval. Cookie expiry on
browser close is not enough on its own; the server must invalidate the session. Options
A, C and D address other risks and would not have stopped the second analyst from
inheriting a live session.
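The following is an added illustration, not code from the exam page: a minimal server-side session store in Python that enforces both an inactivity timeout and an absolute lifetime, with an injectable clock so the expiry paths can be exercised without waiting. The timeout values and the `qa_analyst_1` user are assumptions for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: no session outlives 8 hours, however active


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table: the cookie only carries an opaque identifier,
    and expiry is decided here, not by the browser."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT,
                 clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock  # injectable for deterministic tests
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable session identifier
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None. Expired sessions are
        deleted server-side, so a stale cookie on a shared machine is useless."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s.last_seen > self.idle_timeout
        absolute_expired = now - s.created_at > self.absolute_timeout
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now  # sliding inactivity window
        return s.user

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo_idle():
    """Question 1 scenario: active after 10 min, gone after an idle hour."""
    clock = [0.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=lambda: clock[0])
    sid = store.create("qa_analyst_1")
    clock[0] += 600                   # 10 minutes later: still valid
    active = store.validate(sid)
    clock[0] += 3600                  # an hour with no activity: idle timeout fires
    after_idle = store.validate(sid)
    return active, after_idle


def demo_absolute():
    """A user who keeps clicking never trips the idle timeout, but the absolute
    lifetime still ends the session."""
    clock = [0.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=lambda: clock[0])
    sid = store.create("qa_analyst_1")
    touches = []
    for _ in range(6):
        clock[0] += 600               # a request every 10 minutes up to t = 3600 s
        touches.append(store.validate(sid))
    clock[0] += 600                   # t = 4200 s: idle only 10 min, past the 1 h limit
    return all(t == "qa_analyst_1" for t in touches), store.validate(sid)
```

Because expiry is evaluated on the server, it does not matter whether the cookie was persistent or the browser process kept running; the second analyst would be redirected to the login page.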
Question 2
Which secure coding practice helps prevent attackers from injecting malicious
SQL statements into application input fields?
• A. Input Validation
• B. Memory Management
• C. Session Management
• D. Data Protection
Correct Answer:-A
Rationale: Input validation rejects input that does not match the expected type, format
and length, which removes most injection payloads before they reach a query. Note that
the primary defence recommended by OWASP is parameterized queries (prepared statements);
allow-list input validation is a defence in depth, and stored procedures help only if they
do not build dynamic SQL internally.
Reference: OWASP SQL Injection Prevention Cheat Sheet.
Question 3
A product team (Scrum Master, Business Analyst, two Developers, QA Tester, and
Product Owner) is reviewing a list of work items to determine how many they can
complete within the next two-week iteration. Which Scrum ceremony is the team
participating in?
• A. Daily Scrum
• B. Sprint Planning
• C. Sprint Retrospective
• D. Sprint Review
Correct Answer:-B
Rationale: Sprint Planning determines the work to be done in the upcoming sprint.
The team selects items from the product backlog and defines the sprint goal.
Question 4
What is a countermeasure to the web application security frame (ASF) data
validation/parameter validation threat category?
• A. Inputs enforce type, format, length, and range checks
• B. All administrative activities are logged and audited
• C. Sensitive information is not logged
• D. All exceptions are handled in a structured way
Correct Answer:-A
Rationale: Data validation/parameter validation threats are mitigated by enforcing
strict checks on input type, format, length, and range, preventing injection and
malformed data attacks.
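An added example (not part of the exam page) showing the four ASF parameter-validation checks applied in a fixed order to a request: type first, then length, format (allow-list pattern) and range. The `ORDER_SCHEMA` fields and the incoming parameter values are constructed for the demonstration; the schema also rejects parameters it does not know about, a check the question's option A implies but does not spell out.

```python
import re


class ValidationError(ValueError):
    """Carries the field name and the check that failed."""


# Hypothetical schema for an order endpoint: type, then format/length/range bounds
ORDER_SCHEMA = {
    "order_id": {"type": int, "min": 1, "max": 2**31 - 1},
    "sku":      {"type": str, "pattern": r"[A-Z]{3}-\d{4}", "min_len": 8, "max_len": 8},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "max_len": 200, "pattern": r"[\w .,!?-]*", "required": False},
}


def validate(schema, params):
    """Validate string parameters (form/query style) against `schema`.
    Returns a dict of typed values or raises ValidationError naming the failure."""
    clean = {}
    for name, spec in schema.items():
        raw = params.get(name)
        if raw is None:
            if spec.get("required", True):
                raise ValidationError(f"{name}: missing")
            continue
        if not isinstance(raw, str):
            raise ValidationError(f"{name}: type")
        # 1. type: coerce from the wire representation before any other check
        if spec["type"] is int:
            if not re.fullmatch(r"-?\d{1,18}", raw):  # bounded digit count, no huge ints
                raise ValidationError(f"{name}: type")
            value = int(raw)
        else:
            value = raw
        if isinstance(value, str):
            # 2. length, then 3. format via an allow-list regex anchored with fullmatch
            if not (spec.get("min_len", 0) <= len(value) <= spec.get("max_len", 1024)):
                raise ValidationError(f"{name}: length")
            if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
                raise ValidationError(f"{name}: format")
        else:
            # 4. range for numeric fields
            if not (spec.get("min", -2**63) <= value <= spec.get("max", 2**63 - 1)):
                raise ValidationError(f"{name}: range")
        clean[name] = value
    unknown = set(params) - set(schema)
    if unknown:  # reject parameters the endpoint never defined (mass-assignment guard)
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    return clean


def check(params):
    """Return the cleaned record, or the failing check as a string."""
    try:
        return validate(ORDER_SCHEMA, params)
    except ValidationError as e:
        return str(e)
```

Doing the type check first matters: a range check on a value that has not been converted yet compares strings, and a format check on an unbounded string can itself be abused for regex denial of service, which is why the length check precedes the pattern match.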
Question 5
Which secure coding best practice ensures that buffers are allocated correctly and
at the right size, that input strings are truncated to a reasonable length, and that
resources, connections, objects, and file handles are destroyed once the application
no longer needs them?
• A. Input Validation
• B. Memory Management
• C. Session Management
• D. Data Protection
Correct Answer:-B
Rationale: Memory management covers allocating buffers at the correct size, bounding
and truncating input so it cannot outgrow those buffers, and releasing memory, handles
and connections when they are no longer needed. Together these prevent buffer
overflows, denial of service from oversized input, and memory or resource leaks.
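An added example, not code from the page: the same three practices in a managed language, where the concerns become bounding how much input is read, truncating over-long fields, and guaranteeing that a handle is released even when parsing fails. The limits, the `name=<value>` body format and the sample bodies are constructed for the demonstration.

```python
import io

MAX_FIELD_LEN = 256          # assumed: input strings are truncated to this length
MAX_BODY_BYTES = 64 * 1024   # assumed: never read an unbounded body into memory


def read_bounded(stream, limit=MAX_BODY_BYTES):
    """Read at most `limit` bytes. Reading limit + 1 detects oversized bodies
    without ever buffering more than that, instead of growing until memory runs out."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("body exceeds limit")
    return data


def truncate_field(value, max_len=MAX_FIELD_LEN):
    """Clamp a field to a reasonable length before it is stored or echoed anywhere."""
    return value if len(value) <= max_len else value[:max_len]


def parse_name_field(stream):
    """Parse a body of the form 'name=<value>' from an open stream.
    The stream is closed on exit whether parsing succeeds or raises."""
    with stream:  # context manager releases the handle on every exit path
        body = read_bounded(stream).decode("utf-8", errors="strict")
        key, sep, value = body.partition("=")
        if key != "name" or not sep:
            raise ValueError("malformed body")
        return truncate_field(value)


def demo():
    """Exercise the happy path, a malformed body and an oversized body; report
    the outcome and whether each handle was released (constructed inputs)."""
    good = io.BytesIO(b"name=" + b"a" * 1000)
    result = parse_name_field(good)

    bad = io.BytesIO(b"garbage")
    try:
        parse_name_field(bad)
        bad_error = None
    except ValueError as e:
        bad_error = str(e)

    huge = io.BytesIO(b"name=" + b"a" * (MAX_BODY_BYTES + 1))
    try:
        parse_name_field(huge)
        huge_error = None
    except ValueError as e:
        huge_error = str(e)

    return len(result), good.closed, bad_error, bad.closed, huge_error, huge.closed
```

The equivalent in C is sizing the buffer explicitly, using length-bounded copies, and pairing every allocation or `open` with a `free` or `close` on each return path; the failure modes the exam item describes are the same in either setting.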
Question 6
Which software development model starts by specifying and implementing just a
part of the software, which is then reviewed and identifies further requirements that
are implemented by repeating the cycle?
• A. Iterative
• B. Implementation
• C. Waterfall
• D. Code and fix
Correct Answer:-A
Rationale: The iterative model involves repeated cycles (iterations) where each
iteration adds functionality based on feedback. Contrast with Waterfall (linear) and
Code-and-fix (ad hoc).
Question 7
A developer writes code that uses a variable to directly concatenate user input into
a SQL query string. What is the primary vulnerability being introduced?
• A. Cross-Site Scripting (XSS)
• B. SQL Injection
• C. Command Injection
• D. LDAP Injection
Correct Answer:-B
Rationale: Direct concatenation of user input into SQL queries allows attackers to
modify the query structure, leading to SQL injection. Use parameterized queries
instead.
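The following added example (not from the exam page) illustrates both Question 2 and Question 7: the concatenated query that lets the `' OR '1'='1` payload rewrite the WHERE clause, the parameterized query that treats the same string as plain data, and an allow-list username check as the defence-in-depth layer. The in-memory SQLite table and its three users are constructed for the demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed allow-list for usernames


def make_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return conn


def find_user_vulnerable(conn, username):
    """Question 7: user input concatenated straight into the SQL string, so the
    input can close the quoted literal and append its own conditions."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value, the query structure is fixed."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def validate_username(username):
    """Question 2: allow-list validation rejects anything outside the expected format.
    This is a second layer; it does not replace parameterization."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the allow-list pattern")
    return username


def demo():
    conn = make_db()
    payload = "' OR '1'='1"
    try:
        validate_username(payload)
        rejected = False
    except ValueError:
        rejected = True
    return (find_user_vulnerable(conn, payload),   # every row: the WHERE clause was rewritten
            find_user_safe(conn, payload),         # no row has that literal username
            find_user_safe(conn, "bob"),           # normal lookup still works
            rejected)
```

The vulnerable function executes `WHERE username = '' OR '1'='1'` and returns every user; the parameterized version looks for a user literally named `' OR '1'='1` and finds none.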
Question 8
An application allows users to upload profile pictures. An attacker uploads a file
named malicious.php but changes the Content-Type header to image/jpeg. The
server accepts the file and stores it in a web-accessible directory. What security
control is missing?
• A. Input validation on file name length
• B. File type validation based on content (not just MIME type)
• C. Anti-virus scanning
• D. Logging of upload attempts
Correct Answer:-B
Rationale: Relying on the client-supplied Content-Type header (or on the file
extension) is insecure because both are attacker-controlled. The server should
determine the real type from the content itself (magic bytes, or a trusted library that
parses the file), restrict uploads to an allow-list of types, assign its own file name
and extension rather than keeping the user's, and store uploads outside the web root or
somewhere the web server will never execute them.
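An added example, not code from the page: a Python upload check that ignores the client's file name and Content-Type, sniffs the magic bytes of the allowed image formats, requires the claimed type to match the sniffed one, and assigns a server-generated name with the extension for the sniffed type. The allowed formats, size limit and sample payloads are constructed for the demonstration.

```python
import secrets

# Leading bytes of the image formats this hypothetical profile-picture endpoint accepts
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png":  (b"\x89PNG\r\n\x1a\n",),
    "image/gif":  (b"GIF87a", b"GIF89a"),
}
EXTENSION_FOR = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit


def sniff_type(data):
    """Return the allow-listed MIME type whose signature the content starts with, else None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(client_filename, claimed_type, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (ok, reason, stored_name). `client_filename` is deliberately unused
    for anything but logging: neither it nor `claimed_type` is trusted."""
    if len(data) > max_bytes:
        return False, "too large", None
    actual = sniff_type(data)
    if actual is None:
        return False, "content is not an allowed image format", None
    if claimed_type != actual:
        return False, f"Content-Type {claimed_type} does not match content {actual}", None
    # Server-chosen name: no user-controlled path components or extensions reach disk
    stored_name = secrets.token_hex(16) + EXTENSION_FOR[actual]
    return True, "ok", stored_name


def demo():
    """Constructed uploads: the question's malicious.php, a genuine JPEG header,
    and a PNG mislabelled as JPEG."""
    php_payload = b"<?php echo 'hello'; ?>"
    jpeg_payload = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    png_payload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    return (
        validate_upload("malicious.php", "image/jpeg", php_payload),
        validate_upload("avatar.jpg", "image/jpeg", jpeg_payload),
        validate_upload("avatar.jpg", "image/jpeg", png_payload),
    )
```

Magic-byte sniffing alone does not stop a polyglot file that begins with a valid image header and carries script further in; that is why the server-assigned extension and storing uploads where nothing executes them are part of the same control, not optional extras.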