WGU Master’s Course C706
-Secure Software Design Exam (2026) - 400
Questions With Verified Answers And
Rationales Latest Update 2026/2027
|Graded A+
What is a step for constructing a threat model for a project when using practical risk analysis?
A Align your business goals
B Apply engineering methods
C Estimate probability of project time
D Make a list of what you are trying to protect ANSWER D
Which cyber threats are typically surgical by nature, have highly specific targeting, and aretechnologically
sophisticated?
A tactical attacks
B Criminal attacks
C Strategic attacks
D User specific attacks ANSWER A
Which type of cyberattacks are often intended to elevate awareness of a topic?
,A Cyberwarfare
B Tactical attacks
C User specific attacks
D Sociopolitical attacks ANSWER D
What type of attack locks a user's desktop and then requires a payment to unlock it?
A Phishing—
B Keylogger
C Ransomware
D Denial of service ANSWER C
What is a countermeasure against various forms of XML and XML path injection attacks?
A XML name wrapping
B XML unicode encoding
C XML attribute escaping
D.XML distinguished
name escaping ANSWER
C
Which countermeasure is used to mitigate SQL injection attacks?
A SQL Firewall B
Projected bijection
C Query parameterization
D Progressive ColdFusion
ANSWER C
,What is an appropriate countermeasure to an escalation of privilege attacks
A Enforcing strong password policies
B Using standard encryption algorithms and correct key sizes
C C Enabling the auditing and logging of all administration activities
D Restricting access to specific operations through role based access controls ANSWER D
, Which configuration management security countermeasure implements least privilege access control?
A Following strong password policies to restrict access
B Restricting file access to users based on authorization
C Avoiding clear text format for credentials and sensitive data
D Using AES 256 encryption for communications of a sensitive nature ANSWER B
Which phase of the software development life cycle (SDL/SDLC) would be used to determine theminimum set
of privileges required to perform the targeted task and restrict the user to a domain withthose privileges?
A Design B
Deploy
C Development
D Implementation ANSWER A
Which least privilege method is more granular in scope and grants specific processes only the
privilegesnecessary to perform certain required functions, instead of granting them unrestricted access to
thesystem?
A Entitlement privilege B
Separation of privilege C
Aggregation of privileges
D Segregation of responsibilities ANSWER B
Why does privilege creep pose a potential security risk?
A User privileges do not match their job role.
B With more privileges, there are more responsibilities.
C Auditing will show a mismatch between individual responsibilities and their access rights.
D Users have more privileges than they need and may perform actions outside their job description. ANSWER
D
A system developer is implementing a new sales system. The system developer is concerned thatunauthorized
individuals may be able to view sensitive customer financial data.
Which family of nonfunctional requirements should be considered as part of the acceptance criteria?
-Secure Software Design Exam (2026) - 400
Questions With Verified Answers And
Rationales Latest Update 2026/2027
|Graded A+
What is a step for constructing a threat model for a project when using practical risk analysis?
A Align your business goals
B Apply engineering methods
C Estimate probability of project time
D Make a list of what you are trying to protect ANSWER D
Which cyber threats are typically surgical by nature, have highly specific targeting, and aretechnologically
sophisticated?
A tactical attacks
B Criminal attacks
C Strategic attacks
D User specific attacks ANSWER A
Which type of cyberattacks are often intended to elevate awareness of a topic?
,A Cyberwarfare
B Tactical attacks
C User specific attacks
D Sociopolitical attacks ANSWER D
What type of attack locks a user's desktop and then requires a payment to unlock it?
A Phishing—
B Keylogger
C Ransomware
D Denial of service ANSWER C
What is a countermeasure against various forms of XML and XML path injection attacks?
A XML name wrapping
B XML unicode encoding
C XML attribute escaping
D.XML distinguished
name escaping ANSWER
C
Which countermeasure is used to mitigate SQL injection attacks?
A SQL Firewall B
Projected bijection
C Query parameterization
D Progressive ColdFusion
ANSWER C
,What is an appropriate countermeasure to an escalation of privilege attacks
A Enforcing strong password policies
B Using standard encryption algorithms and correct key sizes
C C Enabling the auditing and logging of all administration activities
D Restricting access to specific operations through role based access controls ANSWER D
, Which configuration management security countermeasure implements least privilege access control?
A Following strong password policies to restrict access
B Restricting file access to users based on authorization
C Avoiding clear text format for credentials and sensitive data
D Using AES 256 encryption for communications of a sensitive nature ANSWER B
Which phase of the software development life cycle (SDL/SDLC) would be used to determine theminimum set
of privileges required to perform the targeted task and restrict the user to a domain withthose privileges?
A Design B
Deploy
C Development
D Implementation ANSWER A
Which least privilege method is more granular in scope and grants specific processes only the
privilegesnecessary to perform certain required functions, instead of granting them unrestricted access to
thesystem?
A Entitlement privilege B
Separation of privilege C
Aggregation of privileges
D Segregation of responsibilities ANSWER B
Why does privilege creep pose a potential security risk?
A User privileges do not match their job role.
B With more privileges, there are more responsibilities.
C Auditing will show a mismatch between individual responsibilities and their access rights.
D Users have more privileges than they need and may perform actions outside their job description. ANSWER
D
A system developer is implementing a new sales system. The system developer is concerned thatunauthorized
individuals may be able to view sensitive customer financial data.
Which family of nonfunctional requirements should be considered as part of the acceptance criteria?
