WGU D487 SECURE SOFTWARE DESIGN 2026/2027 | OA & Pre-Assessment Exam | Complete Verified Answers | A+ Grade | Pass Guaranteed
[Section 1: Secure Software Design Principles & Threat Modeling (Q1-18)]
Q1. A software system is designed so that if a component fails, it defaults to a state
where no unauthorized access is possible. Which secure design principle is being
applied?
A. Least privilege
B. Defense in depth
C. Fail securely [CORRECT]
D. Open design
Rationale: Fail secure means the system defaults to a secure state when failures
occur. Least privilege limits access rights, defense in depth uses multiple layers of
security, and open design means security does not depend on secrecy of the design.
Correct Answer: C
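Added example for Q1 (not from the course or exam material): the same authorization check written to fail open and to fail closed. The policy table, the `PolicyUnavailable` error and the `failing_backend` outage simulator are constructed for the demo.

```python
"""Fail securely (Q1): the check denies access whenever it cannot reach a
positive decision. Added example; policy data and error type are constructed."""
from typing import Callable, Set


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot answer (timeout, corrupt data, ...)."""


# Constructed sample policy: user -> resources the user may read.
POLICY = {"alice": {"/reports", "/invoices"}, "bob": {"/reports"}}


def lookup_policy(user: str) -> Set[str]:
    """Healthy backend: returns the user's grants (empty set for unknown users)."""
    return POLICY.get(user, set())


def failing_backend(user: str) -> Set[str]:
    """Simulates an outage: every lookup raises."""
    raise PolicyUnavailable("policy service unreachable")


def authorize_fail_open(user: str, resource: str,
                        backend: Callable[[str], Set[str]] = lookup_policy) -> bool:
    """Violates the principle: an error in the check is treated as 'allow'."""
    try:
        return resource in backend(user)
    except PolicyUnavailable:
        return True  # an outage becomes a bypass of the whole access control


def authorize_fail_closed(user: str, resource: str,
                          backend: Callable[[str], Set[str]] = lookup_policy) -> bool:
    """Applies the principle: the only path to 'allow' is a positive decision."""
    allowed = False  # default-deny; nothing below can widen access by accident
    try:
        allowed = resource in backend(user)
    except Exception:
        # Catching broadly is deliberate: an unexpected error type must end in
        # denial too. In production, log the failure and alert on its rate.
        allowed = False
    return allowed


if __name__ == "__main__":
    for check in (authorize_fail_open, authorize_fail_closed):
        print(check.__name__, "during outage:",
              check("mallory", "/invoices", backend=failing_backend))
```

The fail-closed version also shows the structural habit behind the principle: initialise the decision to deny and let only an explicit positive result flip it, so a forgotten branch or a new exception type cannot become an allow path.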
Q2. A banking application requires both a password and a hardware token for high-
value transactions. Which secure design principle does this demonstrate?
A. Separation of privilege [CORRECT]
B. Least common mechanism
C. Economy of mechanism
D. Psychological acceptability
Rationale: Separation of privilege requires multiple conditions to complete a sensitive
operation (e.g., password + hardware token). Least common mechanism avoids
shared resources, economy of mechanism keeps design simple, and psychological
acceptability ensures security is user-friendly.
Correct Answer: A
Q3. In threat modeling, an attacker is able to modify the contents of a database
record without authorization. Which STRIDE threat category does this represent?
A. Spoofing
B. Tampering [CORRECT]
C. Repudiation
D. Information Disclosure
Rationale: Tampering involves unauthorized modification of data or systems.
Spoofing is impersonation, repudiation is denying an action, and information
disclosure is unauthorized data access. Database record modification is the classic
definition of tampering.
Correct Answer: B
Q4. A web application logs all user actions including timestamps, user IDs, and IP
addresses but does not protect the log files from deletion. Which STRIDE threat
category is present?
A. Spoofing
B. Tampering [CORRECT]
C. Denial of Service
D. Elevation of Privilege
Rationale: Unprotected log files susceptible to deletion represent tampering
(unauthorized modification or deletion of data). Deleting the audit trail also lets
an attacker deny their actions, but repudiation is not among the options; of the four
listed, the immediate threat is tampering with the audit trail. Spoofing involves
identity, DoS involves availability, and elevation involves privilege escalation.
Correct Answer: B
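Added example for the Q4 scenario (not part of the course material): a tamper-evident audit log. Each entry carries the SHA-256 of the previous entry, so editing or deleting a record inside the log breaks the chain on verification; a separately stored anchor hash covers the one case the chain alone misses, deletion from the end. The sample events and helper names are constructed for the demo.

```python
"""Tamper-evident audit log (Q4). Added example; events are constructed."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # hash "before" the first entry

# Constructed sample events in the shape the question describes.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "ip": "10.0.0.5", "action": "login"},
    {"ts": "2024-01-01T10:02:00Z", "user": "alice", "ip": "10.0.0.5", "action": "export"},
    {"ts": "2024-01-01T10:05:00Z", "user": "bob", "ip": "10.0.0.9", "action": "login"},
]


def _digest(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> Dict:
    """Append a record linked to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad entry).
    Index len(log) means the chain is internally consistent but its head does
    not match the trusted anchor, i.e. entries were removed from the end."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, -1


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, dict(event))
    return log


def copy_log(log: List[Dict]) -> List[Dict]:
    """Copy deep enough to tamper with a log without touching the original."""
    return [{"record": dict(e["record"]), "prev": e["prev"], "hash": e["hash"]} for e in log]


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]  # keep this where the log writer cannot reach it
    print("intact:", verify_chain(log, anchor))
    edited = copy_log(log)
    edited[1]["record"]["user"] = "mallory"
    print("entry 1 edited:", verify_chain(edited, anchor))
    print("entry 1 deleted:", verify_chain(log[:1] + log[2:], anchor))
    print("tail truncated, no anchor:", verify_chain(log[:-1]))
    print("tail truncated, with anchor:", verify_chain(log[:-1], anchor))
```

Two caveats a practitioner should keep in mind. The chain makes tampering detectable, not impossible: an attacker who controls the host can rewrite every entry and recompute the hashes, which is why the head hash (or the whole log) is forwarded to a store the application host cannot write to. And without that anchor, truncating the log from the end still verifies cleanly, as the last two lines of the demo show.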
Q5. A threat modeler assigns a risk score to a SQL injection vulnerability using the
DREAD model. The scores are: Damage 9, Reproducibility 8, Exploitability 7, Affected
Users 9, Discoverability 8. What is the calculated DREAD score?
A. 8.0
B. 8.2 [CORRECT]
C. 7.5
D. 9.0
Rationale: DREAD score = (Damage + Reproducibility + Exploitability + Affected
Users + Discoverability) / 5 = (9 + 8 + 7 + 9 + 8) / 5 = 41 / 5 = 8.2. The formula
averages all five components, each rated on a 1-10 scale. Because the ratings are
judgement calls, a DREAD score is useful for ranking threats against each other
rather than as an absolute measure of risk.
Correct Answer: B
Q6. A development team is performing threat modeling on a new e-commerce
application. They identify all external interfaces, data entry points, and trust
boundaries. Which threat modeling methodology focuses on this structured
approach with data flow diagrams?
A. PASTA
B. STRIDE
C. Microsoft SDL Threat Modeling (using DFDs) [CORRECT]
D. Trike
Rationale: The Microsoft SDL approach uses data flow diagrams (DFDs) to identify
system components, data flows, and trust boundaries, then applies STRIDE to identify
threats. PASTA is risk-centric, STRIDE is a threat taxonomy (not a methodology), and
Trike focuses on asset-centric risk assessment.
Correct Answer: C
Q7. A system is designed so that no single user can complete a critical financial
transaction alone—two authorized users must approve it. Which principle is being
applied?
A. Least privilege
B. Separation of privilege [CORRECT]
C. Defense in depth
D. Complete mediation
Rationale: Separation of privilege requires more than one condition to be satisfied
before a sensitive operation proceeds; requiring two persons (the two-person rule,
closely related to separation of duties) is its organizational form. Least privilege
limits individual access, defense in depth uses multiple security layers, and
complete mediation ensures every access is checked.
Correct Answer: B
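Added example for Q7, which is the same principle as Q2 with persons in place of credentials (not part of the course material): a transfer that executes only after two distinct, authorized approvers sign off. The approver roster, threshold and `Transfer` class are constructed for the demo.

```python
"""Two-person rule (Q7), the organizational form of separation of privilege (Q2).
Added example; approver roster and threshold are constructed."""
from typing import Set


class ApprovalError(Exception):
    """Raised when an approval or execution attempt does not satisfy the policy."""


APPROVERS: Set[str] = {"alice", "bob", "carol"}  # constructed: users who may approve
REQUIRED_APPROVALS = 2


class Transfer:
    def __init__(self, tx_id: str, requester: str, amount: int) -> None:
        self.tx_id = tx_id
        self.requester = requester
        self.amount = amount
        self.approvals: Set[str] = set()
        self.executed = False

    def approve(self, user: str) -> int:
        """Record one approval and return the count so far. Each guard is an
        independent condition; together they are what make this more than one lock."""
        if user not in APPROVERS:
            raise ApprovalError(f"{user} is not an authorized approver")
        if user == self.requester:
            raise ApprovalError("requester may not approve their own transfer")
        if user in self.approvals:
            raise ApprovalError(f"{user} has already approved {self.tx_id}")
        self.approvals.add(user)
        return len(self.approvals)

    def execute(self) -> bool:
        if self.executed:
            raise ApprovalError(f"{self.tx_id} already executed")
        if len(self.approvals) < REQUIRED_APPROVALS:
            raise ApprovalError(
                f"{self.tx_id}: {len(self.approvals)} of {REQUIRED_APPROVALS} approvals")
        self.executed = True
        return True


def try_action(fn, *args) -> bool:
    """Demo helper: True if the action was accepted, False if the policy refused it."""
    try:
        fn(*args)
        return True
    except ApprovalError:
        return False


if __name__ == "__main__":
    t = Transfer("tx-1001", requester="dave", amount=250_000)
    print("alice approves:", try_action(t.approve, "alice"))
    print("alice approves again:", try_action(t.approve, "alice"))  # no double counting
    print("execute with one approval:", try_action(t.execute))
    print("bob approves:", try_action(t.approve, "bob"))
    print("execute with two approvals:", try_action(t.execute))
```

The checks that matter are the ones that are easy to forget: the same person approving twice must not count as two approvals, and the requester must not be one of the approvers, otherwise the control collapses back to a single party.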
Q8. An application uses a complex, proprietary encryption algorithm that the
development team believes is secure because its design is secret. Which principle is
being violated?
A. Open design [CORRECT]
B. Economy of mechanism
C. Fail securely
D. Least common mechanism
Rationale: Open design states that security should not depend on the secrecy of the
design or implementation. "Security through obscurity" violates this principle.
Economy of mechanism advocates simplicity, fail securely addresses failure states,
and least common mechanism avoids shared resources.
Correct Answer: A
Q9. In the PASTA threat modeling methodology, which phase involves mapping
identified threats to business objectives and technical scope?
A. Phase 1: Definition of objectives
B. Phase 2: Definition of technical scope
C. Phase 3: Application decomposition
D. Phase 4: Threat analysis [CORRECT]
Rationale: PASTA Phase 4 (Threat Analysis) maps threats to business objectives and
technical scope using threat libraries and attack trees. Phase 1 defines objectives,
Phase 2 defines scope, and Phase 3 decomposes the application into components
and data flows.
Correct Answer: D
Q10. A system validates every access request to protected resources, regardless of
whether the same user previously accessed the resource moments ago. Which
principle is being applied?
A. Complete mediation [CORRECT]
B. Least privilege
C. Separation of privilege
D. Defense in depth
Rationale: Complete mediation requires that every access to every object be checked
for authority. Caching previous authorization decisions would violate this principle.
Least privilege limits rights, separation of privilege requires multiple conditions, and
defense in depth uses multiple layers.
Correct Answer: A
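Added example for Q10 (not part of the course material): two gateways in front of the same policy store, one that caches the first decision per user and resource and one that asks on every request, observed across a revocation. The grant table and both gateway classes are constructed for the demo.

```python
"""Complete mediation (Q10): every access is re-checked against current policy.
Added example; the grant table and gateway classes are constructed."""
from typing import Dict, Set, Tuple


class PolicyStore:
    """Authoritative grants; revocation takes effect here immediately."""

    def __init__(self, grants: Dict[str, Set[str]]) -> None:
        self._grants = {user: set(res) for user, res in grants.items()}

    def revoke(self, user: str, resource: str) -> None:
        self._grants.get(user, set()).discard(resource)

    def is_allowed(self, user: str, resource: str) -> bool:
        return resource in self._grants.get(user, set())


class CachingGateway:
    """Violates the principle: remembers the first decision per (user, resource)."""

    def __init__(self, store: PolicyStore) -> None:
        self._store = store
        self._cache: Dict[Tuple[str, str], bool] = {}

    def access(self, user: str, resource: str) -> bool:
        key = (user, resource)
        if key not in self._cache:
            self._cache[key] = self._store.is_allowed(user, resource)
        return self._cache[key]  # stale once the store changes


class MediatedGateway:
    """Applies the principle: consults the policy store on every request."""

    def __init__(self, store: PolicyStore) -> None:
        self._store = store

    def access(self, user: str, resource: str) -> bool:
        return self._store.is_allowed(user, resource)


def revocation_demo() -> Dict[str, Tuple[bool, bool]]:
    """Returns (caching, mediated) decisions before and after alice loses access."""
    store = PolicyStore({"alice": {"/payroll"}})
    caching, mediated = CachingGateway(store), MediatedGateway(store)
    before = (caching.access("alice", "/payroll"), mediated.access("alice", "/payroll"))
    store.revoke("alice", "/payroll")  # e.g. alice moves off the payroll team
    after = (caching.access("alice", "/payroll"), mediated.access("alice", "/payroll"))
    return {"before": before, "after_revoke": after}


if __name__ == "__main__":
    print(revocation_demo())
```

The caching gateway keeps granting `/payroll` to alice after the grant is gone; the mediated one denies on the very next request. Where performance forces some caching in real systems, the store must invalidate the cache on every policy change, and any time-to-live you accept is a window in which revocation is not enforced.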