Exam (elaborations)

WGU D487 SECURE SOFTWARE DESIGN OBJECTIVE ASSESSMENT VERIFIED QUESTIONS WITH CORRECT DETAILED ANSWERS || 100% GUARANTEED PASS NEWEST VERSION

Rating: -
Sold: -
Pages: 28
Grade: A+
Uploaded on: 19-05-2026
Written in: 2025/2026

DFD External Entity - Answer✔️An outside user/system that interacts with the application.
DFD Process - Answer✔️A component that transforms or handles data.
DFD Data Store - Answer✔️A place where data is stored (database, files, logs).
DFD Data Flow - Answer✔️Movement of data between components.
Trust Boundary - Answer✔️A point where data crosses between different trust/privilege levels.
Entry Point - Answer✔️Any place data enters the system (web form, API, file upload).
Exit Point - Answer✔️Any place data leaves the system (response, export, logs).
STRIDE - Answer✔️A threat category model: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege.
Spoofing - Answer✔️Impersonating another user/system to gain access.
Tampering - Answer✔️Unauthorized modification of data in transit or storage.
Repudiation - Answer✔️Performing actions without traceability or accountability.
Information Disclosure - Answer✔️Leaking sensitive data to unauthorized parties.
Denial of Service (DoS) - Answer✔️Reducing or preventing availability of a service.
Elevation of Privilege - Answer✔️Gaining access beyond intended permissions.
Risk Model - Answer✔️A method to rank risk based on likelihood and impact.
Likelihood - Answer✔️How probable it is that an attack will happen.
Impact - Answer✔️The damage caused if an attack succeeds.
Risk = Likelihood x Impact - Answer✔️Basic formula for prioritizing security work.
DREAD - Answer✔️A risk scoring method using damage, reproducibility, exploitability, affected users, discoverability.
Damage Potential (DREAD) - Answer✔️How harmful the exploit would be.
Reproducibility (DREAD) - Answer✔️How easily the exploit can be repeated.
Exploitability (DREAD) - Answer✔️How easy it is to perform the attack.
Affected Users (DREAD) - Answer✔️How many users are impacted if exploited.
Discoverability (DREAD) - Answer✔️How easy it is to find the vulnerability.
Risk Ranking List - Answer✔️A prioritized list of threats by severity/priority.
Risk Mitigation Plan - Answer✔️The plan to reduce risk using controls or design changes.
Mitigate Risk - Answer✔️Fix or reduce the vulnerability or threat path.
Accept Risk - Answer✔️Formally approve the risk when the cost to fix is too high or impact is low.
Transfer Risk - Answer✔️Shift risk through contracts or insurance.
Avoid Risk - Answer✔️Redesign to remove the risky feature or exposure.
Compensating Control - Answer✔️Alternative control used when full remediation is not possible.
Design and Development (A3) - Answer✔️SDL phase focusing on secure design review and security test planning.
Security Test Plan - Answer✔️A plan that maps tests to requirements and risk priorities.
Risk-Based Testing - Answer✔️Testing driven by threat likelihood and impact rather than only requirements.
Requirements-Based Testing - Answer✔️Testing that verifies stated requirements were implemented correctly.
Threat Model Update - Answer✔️Refreshing threat models when design changes create new risks.
Design Security Review - Answer✔️Security-focused review of design artifacts before heavy coding.
Secure Coding Standards - Answer✔️Rules developers must follow to prevent common vulnerabilities.
Secure Design Principles - Answer✔️Common principles like least privilege, fail-safe defaults, and defense in depth.
Saltzer and Schroeder Principles - Answer✔️Security design principles used to build secure systems.
Fail-Safe Defaults - Answer✔️Deny by default unless explicitly allowed.
Economy of Mechanism - Answer✔️Keep designs simple to reduce mistakes and hidden paths.
Complete Mediation - Answer✔️Check every access request, every time.
Separation of Duties - Answer✔️Require multiple conditions/roles for sensitive actions.
Least Common Mechanism - Answer✔️Avoid shared mechanisms that create hidden channels.
Psychological Acceptability - Answer✔️Security controls must be usable or people will bypass them.
Open Design - Answer✔️Security should not rely on secret designs; rely on strong controls.
Weakest Link - Answer✔️A system's security is only as strong as its weakest component.
Privacy Impact Assessment (PIA) - Answer✔️Review of how software handles personal data and privacy risk.
PII (Personally Identifiable Information) - Answer✔️Data that can identify a person (name, email, ID number).
PHI (Protected Health Information) - Answer✔️Health-related information that must be protected under healthcare rules.
Privacy by Design - Answer✔️Building privacy controls into every SDLC stage.
Data Minimization - Answer✔️Collect only the data that is necessary for business purpose.
Notice and Consent - Answer✔️Telling users what data is collected and getting permission when required.
Privacy Impact Rating - Answer✔️P1 high risk, P2 moderate risk, P3 low risk.
P1 Privacy Risk - Answer✔️Stores/transmits PII, installs software, or changes user settings.
P2 Privacy Risk - Answer✔️One-time anonymous data transfer initiated by user.
P3 Privacy Risk - Answer✔️No personal data behavior that impacts privacy.
Design and Development (A4) - Answer✔️SDL phase focused on executing security tests, tool scans, and remediation.
Security Test Case Execution - Answer✔️Running planned security tests and comparing results to acceptance criteria.
Security Testing Acceptance Criteria - Answer✔️Pass/fail thresholds for security tests and release readiness.
Remediation - Answer✔️Fixing vulnerabilities found during testing.
Re-Test - Answer✔️Testing again after fixes to confirm issues are resolved.
Triage - Answer✔️Sorting findings by severity and verifying false positives.
Static Analysis (SAST) - Answer✔️Testing source code without running it to find vulnerabilities early.
Dynamic Analysis (DAST) - Answer✔️Testing a running application to find runtime vulnerabilities.
Fuzz Testing - Answer✔️Feeding malformed or random input to trigger crashes or abnormal behavior.
Fuzzer - Answer✔️A tool that performs fuzz testing automatically.
Smart (Generational) Fuzzing - Answer✔️Fuzzing that understands protocol format and crafts valid-ish inputs.
Dumb (Mutational) Fuzzing - Answer✔️Fuzzing that mutates data randomly without understanding protocol rules.
False Positive - Answer✔️A tool reports an issue that is not actually exploitable.
False Negative - Answer✔️A real vulnerability that a tool fails to detect.
Code Review Process - Answer✔️Inspecting code to identify security issues and logic flaws.
Manual Code Review - Answer✔️Human review of high-risk code areas for deeper issues tools miss.
Automated Scanning - Answer✔️Tool-based detection for common patterns and known weaknesses.
Control Flow Analysis - Answer✔️Tracing decision paths and branches to find insecure logic.
Data Flow Analysis (Code) - Answer✔️Tracing inputs through code to see where validation is missing.
Black Box Testing - Answer✔️Testing without access to source code or design information.
Gray Box Testing - Answer✔️Testing with limited internal knowledge, often using both code and runtime.
White Box Testing - Answer✔️Testing with full code/design knowledge for deeper analysis.
Vulnerability Assessment - Answer✔️An evaluation to identify weaknesses, often tool-assisted.
Vulnerability Scan - Answer✔️Automated scan for known weaknesses in software and systems.
Active Scanner - Answer✔️Tool that sends attacks/requests to discover vulnerabilities.
Passive Scanner - Answer✔️Tool that observes traffic without sending attacks.
External Scan - Answer✔️Scan performed from outside the network perimeter.
Internal Scan - Answer✔️Scan performed from inside the network.
Authenticated Scan - Answer✔️Scan performed with credentials to detect deeper issues like missing patches.
Penetration Testing - Answer✔️Simulated attack to exploit vulnerabilities and prove real-world impact.
Pen Test vs Vulnerability Scan - Answer✔️Scan finds potential issues; pen test proves exploitability and impact.
Code-Assisted Pen Testing - Answer✔️White-box pen testing that uses code/design knowledge to go deeper.
Exploratory Testing - Answer✔️Security testing that evolves during execution as testers learn.
Benchmarks (Testing) - Answer✔️Tests that establish expected baseline and compare later results.
Ship (A5) - Answer✔️SDL phase where final scans, reviews, and sign-offs determine release readiness.
Final Security Review - Answer✔️Final check of SDL requirements, test results, and unresolved risks.
Final Privacy Review - Answer✔️Final check of privacy controls, disclosures, and changes since earlier reviews.
Release Decision Outcomes - Answer✔️Pass, pass with exceptions, or fail with escalation.
Risk Acceptance Documentation - Answer✔️Formal record that leadership approved remaining risks.
Open-Source Licensing Review - Answer✔️Final check that open-source license terms are being followed.
Open-Source Security Review - Answer✔️Checking OSS dependencies for known vulnerabilities and risk.
Customer Engagement Framework - Answer✔️A defined process for sharing security posture with customers.
Open-Source License Compliance - Answer✔️Following license obligations to avoid legal and operational risk.
Mixed Source - Answer✔️Software that contains both proprietary and open-source components.
Post-Release Support (PRSA1-5) - Answer✔️SDL activities after release for response, monitoring, and long-term risk control.
PSIRT (Product Security Incident Response Team) - Answer✔️Group that manages vulnerability reports and disclosure.
Coordinated Vulnerability Disclosure - Answer✔️A controlled process with researchers to disclose issues responsibly.
Zero-Day - Answer✔️A vulnerability publicly known before a fix is available.
Security Bulletin - Answer✔️Public communication describing vulnerability and remediation guidance.
CVSS - Answer✔️Base scoring framework for vulnerability severity.
CVSS Critical - Answer✔️9.0 to 10.0 severity range.
CVSS High - Answer✔️7.0 to 8.9 severity range.
CVSS Medium - Answer✔️4.0 to 6.9 severity range.
CVSS Low - Answer✔️0.1 to 3.9 severity range.
Vulnerability Management (VM) - Answer✔️Tracking, prioritizing, fixing, and verifying vulnerabilities over time.
Patch Management - Answer✔️Process for releasing safe fixes quickly without breaking systems.
Third-Party Security Review - Answer✔️Independent review used for customer assurance or compliance.
Post-Release Certification - Answer✔️Audit or certification required after release due to new markets/use cases.
Legacy Code - Answer✔️Older code that may contain security technical debt and outdated assumptions.
Technical Debt - Answer✔️Work that should have been done earlier but was postponed.
Security Technical Debt - Answer✔️Unfixed security issues accumulating over time.
Mergers and Acquisitions (M&A) Security Review - Answer✔️Security evaluation of acquired code/products to prevent inherited risk.
End-of-Life (EOL) Plan - Answer✔️Plan to retire software safely and reduce long-term exposure.
Agile Methodology - Answer✔️Iterative development using frequent delivery and change tolerance.
Scrum - Answer✔️Agile method using sprints, backlog, and defined team roles.
Extreme Programming (XP) - Answer✔️Agile approach emphasizing frequent tests, refactoring, and teamwork.
Waterfall Methodology - Answer✔️Linear approach where each phase completes before the next begins.
V-Model - Answer✔️SDLC model mapping each dev phase to a corresponding testing phase.
DevOps - Answer✔️Combines dev and ops for continuous delivery and faster feedback.
DevSecOps - Answer✔️DevOps with security embedded into pipelines and workflows.
Digital Enterprise - Answer✔️Business model heavily driven by software, automation, and fast delivery.
OpenSAMM (OWASP SAMM) - Answer✔️Maturity model used to build and measure secure development practices.
BSIMM - Answer✔️Maturity model based on observed activities in real software organizations.
Measurement Model - Answer✔️A framework to track progress and effectiveness of security practices.
Metric Model - Answer✔️A structure defining what metrics will be measured and reported.
OWASP - Answer✔️Community that publishes guidance like Top 10 risks and testing resources.
OWASP Top 10 - Answer✔️A list of common web app security risks updated periodically.
SQL Injection - Answer✔️Injection attack where untrusted input alters database queries.
Cross-Site Scripting (XSS) - Answer✔️Attack that runs malicious scripts in a victim's browser.
OWASP ZAP (Zed Attack Proxy) - Answer✔️OWASP tool used for web scanning and security testing.
Zed Attack Proxy (ZAP) - Answer✔️Same as OWASP ZAP; tool for web app scanning.
Nmap - Answer✔️Tool used to discover hosts, open ports, and services on networks.
NVD (National Vulnerability Database) - Answer✔️NIST database that expands on CVE details and scoring.
NIST - Answer✔️US standards organization providing security frameworks and guidance.
CVE - Answer✔️Common naming system for known vulnerabilities.
CVSS - Answer✔️Scoring system for vulnerability severity used in reporting and prioritization.
SonarQube - Answer✔️Static analysis tool used to find code quality issues and some security issues.
Pull Request - Answer✔️A proposed code change submitted for review before merging.
Requirement Traceability Matrix - Answer✔️Map showing requirements linked to test cases and validation evidence.
Scripts - Answer✔️Automated sequences used in testing, scanning, or deployment.
Functional Testing Scripts - Answer✔️Step-by-step tests that validate required behavior.
Secure Testing Scripts - Answer✔️Test scripts designed to validate security controls and misuse resistance.
Threat Source - Answer✔️The origin of a threat (attacker, insider, system, environment).
Threat Vector - Answer✔️The method/path used to attack (API, web form, network service).
Threat Actor - Answer✔️The person or group performing the attack.
Threat Assessment (TA) - Answer✔️Process of identifying threats relevant to the system.
Intrusive Target Search - Answer✔️Active probing or testing that may affect system behavior (more aggressive scanning).
Target Machine - Answer✔️The system being tested or scanned.
Deployment (OpenSAMM Concept) - Answer✔️Maturity area focused on safe release and secure operations.
Construction (OpenSAMM Concept) - Answer✔️Maturity area focused on building software securely.
Verification (OpenSAMM Concept) - Answer✔️Maturity area focused on testing and review.
Governance (OpenSAMM Concept) - Answer✔️Maturity area focused on policy, training, and metrics.
Secure Architecture - Answer✔️Design that enforces trust boundaries, strong auth, and minimized exposure.
Security Requirements - Answer✔️Rules defining how the system must protect data and resist attacks.
Functional Requirements - Answer✔️What the system must do for users.
Non-Functional Requirements - Answer✔️Security, performance, reliability, and compliance expectations.
Verification - Answer✔️Confirming requirements were met through testing and evidence.
Trike - Answer✔️A risk-based threat modeling method with structured models for assets and risk.
PASTA - Answer✔️Threat modeling method that connects technical threats to business impact and risk.
Application-Centric Threat Modeling - Answer✔️Approach that focuses on app behavior/flow and misuse cases.
Asset-Centric Threat Modeling - Answer✔️Approach that starts with key assets and what must be protected.
Threat Profile vs Threat Model - Answer✔️Profile describes environment/attackers; model maps threats to system design with mitigations.
Abstract Syntax Tree (AST) - Answer✔️Code structure representation used by analyzers to understand program logic.
Spider (Web Scanner) - Answer✔️A crawler that discovers pages/links to map a web application for testing.
Vulnerability Sites - Answer✔️Public sources that publish vulnerability details (example: NVD, vendor advisories).
Third-Party Code - Answer✔️External code libraries and components that introduce supply chain risk.
Virtualization - Answer✔️Running multiple systems on shared hardware using virtual machines or containers.
Hardware - Answer✔️Physical computing components that run software.
SDLC (Software Development Life Cycle) - Answer✔️The full process to plan, build, test, deploy, and maintain software.
SDLC Planning Phase - Answer✔️Defines scope, goals, cost, timeline, and high-level risks.
SDLC Requirements Phase - Answer✔️Captures what the system must do, including functional and security needs.
SDLC Design Phase - Answer✔️Creates architecture, data flows, and technical design decisions.
SDLC Implementation Phase - Answer✔️Writes and integrates code based on designs and requirements.
SDLC Testing Phase - Answer✔️Validates software behavior, quality, and security through testing.
SDLC Deployment Phase - Answer✔️Releases software into production or a target environment.
SDLC Maintenance Phase - Answer✔️Fixes bugs, patches vulnerabilities, and improves software over time.
End-of-Life (EOL) Phase - Answer✔️The stage where software is retired and no longer supported.
SDL (Security Development Lifecycle) - Answer✔️A security-focused set of activities added to the SDLC to reduce vulnerabilities.
SDL Purpose - Answer✔️Reduce the number of vulnerabilities and reduce the severity of those that remain.
Secure by Design - Answer✔️Building security into the design instead of adding it later as a patch.
Security at the Source - Answer✔️Preventing flaws during development rather than relying only on perimeter defenses.
Defense in Depth - Answer✔️Multiple security layers so one failure does not cause total compromise.
Least Privilege - Answer✔️Give only the minimum access needed to complete a task.
Secure Defaults - Answer✔️Default settings should be the safest option for users and systems.
Attack Surface - Answer✔️All places where an attacker can interact with the system.
Attack Surface Reduction - Answer✔️Removing unnecessary entry points, services, and exposed functionality.
Software Security - Answer✔️Building secure software through design, coding, and testing practices.
Application Security - Answer✔️Protecting software while running, often after release, using operational controls.
Quality Code - Answer✔️Code that is maintainable, reliable, and meets functional requirements.
Secure Code - Answer✔️Code that prevents unauthorized access, misuse, and exploitation.
Quality vs Security - Answer✔️Quality focuses on usability/maintainability; security focuses on protection and resistance to attacks.
CIA Triad - Answer✔️The three core security objectives: confidentiality, integrity, and availability.
Confidentiality - Answer✔️Only authorized users can access sensitive information.
Integrity - Answer✔️Data remains accurate and cannot be altered without authorization.
Availability - Answer✔️System remains accessible and usable when needed.
Authentication - Answer✔️Verifying identity (who you are).
Authorization - Answer✔️Verifying permissions (what you are allowed to do).
Nonrepudiation - Answer✔️Ensuring actions can be traced so users cannot deny them later.
Audit Trail - Answer✔️Log record that proves actions occurred and supports investigations.
Defense Mechanism - Answer✔️A security control that prevents, detects, or limits damage from attacks.
Security Assessment (A1) - Answer✔️SDL phase that defines risk, requirements, regulations, and early security planning.
Discovery Meeting - Answer✔️Early stakeholder meeting to align on security, privacy, and milestones.
Product Risk Profile - Answer✔️Document estimating business risk based on data, exposure, and criticality.
Threat Profile - Answer✔️Document describing likely attackers, attack paths, and environment assumptions.
SDL Project Outline - Answer✔️Schedule mapping SDL activities into the SDLC timeline.
Security Objectives Defined - Answer✔️Setting CIA goals and required protections early.
Policy Compliance Analysis (General) - Answer✔️Checking software against internal policies and external regulations.
Applicable Laws and Regulations - Answer✔️Legal and regulatory requirements that affect security and privacy.
Certification Requirements - Answer✔️Standards or certifications needed (example: FIPS, HIPAA-related needs).
Third-Party Software Inventory - Answer✔️List of external components that introduce security and compliance risk.
Metrics Template - Answer✔️A planned set of measurements used to report SDL progress and outcomes.
Architecture (A2) - Answer✔️SDL phase focused on threat modeling, architecture review, and risk mitigation planning.
Application Decomposition - Answer✔️Breaking a system into components to analyze data flow and threats.
Threat Modeling - Answer✔️A structured method to identify threats, vulnerabilities, and mitigations early.
Think Like an Attacker - Answer✔️Analyzing software the way an adversary would to find weaknesses.
Data Flow Diagram (DFD) - Answer✔️A diagram showing how data moves through a system.

Institution: WGU D487
Course: WGU D487


Seller: profdennis (Teachme2-tutor)