Document | 2026/2027 Edition | 250 Verified Questions
WGU D487 Secure Software Design Final Exam 2026-2027 QUESTIONS AND ANSWERS
ALREADY GRADED A+. 100% Verified Solutions | Updated Per Latest Guidelines
This comprehensive exam preparation guide for WGU D487 Secure Software Design contains 250
verified questions covering all key domains of secure software development. Each question includes
detailed rationales and distractor explanations to reinforce understanding. Aligned with the 2026/2027
curriculum, this resource ensures mastery of security principles, threat modeling, secure coding
practices, and compliance standards. Ideal for final exam review, it provides a structured approach to
achieving a high score.
Key Features:
Threat modeling and risk assessment methodologies
Secure coding practices and common vulnerabilities (OWASP Top 10)
Authentication, authorization, and access control mechanisms
Cryptography fundamentals and application in software design
Security testing, static/dynamic analysis, and code review
Compliance frameworks (NIST, ISO 27001) and secure SDLC
Updates for 2026:
- Updated to reflect 2026/2027 WGU D487 curriculum changes
- Added new questions on DevSecOps and CI/CD security
- Revised rationales to include latest OWASP Top 10 2025
- Enhanced distractor explanations for improved conceptual clarity
- Included additional scenario-based questions for applied learning
Abstract:
The WGU D487 Secure Software Design final examination assesses students' ability to integrate security into every
phase of the software development lifecycle. This answer key provides 250 meticulously verified questions that
cover threat modeling, secure design principles, authentication and authorization, cryptography, secure coding,
and security testing. Each question is accompanied by a detailed rationale explaining the correct answer and an
analysis of common distractors, enabling students to deepen their conceptual understanding. The content is
aligned with the 2026/2027 academic year and incorporates the latest industry standards, including OWASP Top
10 2025 and NIST SP 800-53. By systematically working through these questions, students will develop the critical
thinking skills necessary to identify and mitigate security risks in software systems. This resource is an essential
tool for achieving a top score on the WGU D487 final exam and for building a strong foundation in secure
software design.
Keywords:
Secure Software Design, WGU D487, Threat Modeling, OWASP Top 10, Secure Coding, Cryptography, Access
Control, Security Testing
Answer Format:
Each question is presented with four answer options, one of which is correct. The correct answer is clearly
indicated, followed by a detailed rationale explaining why it is correct and why each distractor is incorrect.
Rationales reference specific security concepts and standards to reinforce learning.
Compliance Checklist:
Aligned with 2026/2027 WGU D487 course objectives
Page 1
Covers all domains specified in the official exam blueprint
Includes questions on latest OWASP Top 10 2025 vulnerabilities
Rationales cite authoritative sources (NIST, OWASP, ISO)
Distractor explanations address common misconceptions
Suitable for self-assessment and final exam preparation
Content Area Overview:
Secure Software Design Principles (Questions 1-50, weight 20%): Security by design, least privilege, defense in depth, secure SDLC, threat modeling (STRIDE, DREAD)
Authentication and Authorization (Questions 51-100, weight 20%): Identity management, SSO, OAuth 2.0, RBAC, session management, MFA
Cryptography (Questions 101-150, weight 20%): Symmetric/asymmetric encryption, hashing, digital signatures, PKI, TLS, key management
Secure Coding and Common Vulnerabilities (Questions 151-200, weight 20%): OWASP Top 10, input validation, SQL injection, XSS, buffer overflow, secure error handling
Security Testing and Compliance (Questions 201-250, weight 20%): Static/dynamic analysis, penetration testing, code review, compliance (NIST, ISO 27001), DevSecOps
Q1. A development team is designing a microservices-based payment processing system. They need to ensure
that a compromised service cannot impersonate another service when making inter-service calls. Which
design approach BEST addresses this threat?
A. Use a shared secret key stored in each service's environment variables for HMAC-based request signing.
B. Implement mutual TLS (mTLS) with X.509 certificates issued by an internal certificate authority.
C. Rely on network segmentation and allow only internal IP addresses to communicate via a service mesh.
D. Use OAuth2 client credentials grant with a centralized authorization server for token exchange.
Correct Answer: B. Implement mutual TLS (mTLS) with X.509 certificates issued by an internal certificate
authority.
Rationale: Mutual TLS gives every service its own X.509 identity, issued by the internal CA, and each side verifies the
peer's certificate before the connection is used. A service can therefore only present its own identity; compromising it
does not yield another service's private key. A shared secret (A) is the opposite: anyone who holds it can sign as anyone.
Network segmentation (C) trusts addresses, not cryptographic identities. OAuth2 client credentials (D) authenticate the
caller to the authorization server, but a plain bearer token can be replayed by whoever obtains it and does not
authenticate the transport.
Why Wrong:
A - With one secret for all services, a compromised service can compute a valid HMAC for any caller identity it
claims; the secret is also static and hard to rotate. Under mTLS each service holds only its own key, and session
keys are ephemeral.
C - An address is not an identity: a compromised container inside the allowed segment, or ARP/IP spoofing on the
segment, satisfies the check. A service mesh helps only when it enforces mTLS itself.
D - Bearer tokens can be stolen or replayed, and a token says nothing about the channel it arrives on; mTLS gives
mutual authentication and binds the session to the certificate holder. Sender-constrained tokens (for example
certificate-bound tokens per RFC 8705) close this gap, but they depend on mTLS.
Reference: OWASP Cheat Sheet Series: Transport Layer Protection; NIST SP 800-52 Rev. 2
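An added illustration, not part of the original guide, of the flaw in option A and of the per-identity property that mTLS provides. It uses HMAC with standard-library Python rather than certificates so it runs offline: under a single shared secret the verifier cannot tell who produced a tag, so a compromised "orders" service signs as "payments"; with one credential per service, looked up by the claimed identity, the same forgery fails. Service names and keys are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo: three hypothetical services and one verifier.

def sign(key: bytes, claimed_identity: str, body: bytes) -> str:
    """HMAC-SHA256 over the claimed caller identity and the request body."""
    msg = claimed_identity.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, claimed_identity: str, body: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, claimed_identity, body), tag)

# Design A (option A in the question): one secret shared by every service.
SHARED_SECRET = secrets.token_bytes(32)

def shared_secret_accepts(claimed_identity: str, body: bytes, tag: str) -> bool:
    # The verifier cannot tie the tag to a particular caller: any holder of
    # SHARED_SECRET produces a valid tag for ANY identity it claims.
    return verify(SHARED_SECRET, claimed_identity, body, tag)

# Design B: a distinct credential per service, selected by the claimed identity.
# This is the property mTLS provides with per-service certificates and a CA.
PER_SERVICE_KEYS = {
    "orders": secrets.token_bytes(32),
    "payments": secrets.token_bytes(32),
    "ledger": secrets.token_bytes(32),
}

def per_service_accepts(claimed_identity: str, body: bytes, tag: str) -> bool:
    key = PER_SERVICE_KEYS.get(claimed_identity)
    if key is None:
        return False
    return verify(key, claimed_identity, body, tag)

def forgery_demo() -> dict:
    """Attacker has compromised 'orders' and tries to act as 'payments'."""
    body = b'{"transfer": 1000, "to": "attacker"}'
    # Shared secret: the compromised service simply signs with identity 'payments'.
    forged_shared = sign(SHARED_SECRET, "payments", body)
    # Per-service keys: 'orders' only holds its own key and tries the same trick.
    forged_per_service = sign(PER_SERVICE_KEYS["orders"], "payments", body)
    legit = sign(PER_SERVICE_KEYS["payments"], "payments", body)
    return {
        "shared_secret_forgery_accepted": shared_secret_accepts("payments", body, forged_shared),
        "per_service_forgery_accepted": per_service_accepts("payments", body, forged_per_service),
        "per_service_legit_accepted": per_service_accepts("payments", body, legit),
    }

if __name__ == "__main__":
    for name, accepted in forgery_demo().items():
        print(f"{name}: {accepted}")
```

Two caveats apply to either design: a compromised service can still act as itself, which no authentication scheme prevents (that is what authorization and least privilege are for), and per-service HMAC keys still need a distribution and rotation mechanism. mTLS supplies that through the CA, adds ephemeral session keys, and authenticates the channel rather than individual messages.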
Q2. During a threat modeling session using STRIDE, a security architect identifies that an attacker could
tamper with a configuration file stored on the local filesystem to elevate privileges. Which STRIDE category
does this threat fall under, and what is the MOST effective countermeasure?
A. Spoofing; implement digital signatures on the configuration file.
B. Tampering; use integrity checks such as signed hashes and restrict write access via mandatory access
controls.
C. Information Disclosure; encrypt the configuration file with a strong algorithm.
D. Elevation of Privilege; run the application with the least privilege necessary.
Correct Answer: B. Tampering; use integrity checks such as signed hashes and restrict write access via
mandatory access controls.
Rationale: Tampering is unauthorized modification of data or code. The threat here is modification of the configuration
file, so the countermeasures are integrity verification (a signed hash or signature checked before the file is used) and
preventing the write in the first place (mandatory access controls, or at minimum ownership and permissions that keep the
application's own account from writing the file). Spoofing (A) concerns identity. Information Disclosure (C) concerns
confidentiality, not integrity. Elevation of Privilege (D) is the impact of a successful tamper, not the category of the
threat; least privilege limits what the attacker gains but does not keep the file intact.
Why Wrong:
A - Spoofing threats involve impersonating users or processes, not modifying data; a signature on the file is a
tampering countermeasure, so the category is wrong even though the control is useful.
C - Encryption protects confidentiality, not integrity; unauthenticated ciphertext can be altered, and the change goes
unnoticed unless a MAC or signature is checked.
D - Elevation of Privilege is the consequence; the threat type is tampering. Least privilege alone does not stop the
file from being modified.
Reference: Microsoft Threat Modeling Tool, STRIDE; Shostack, A. (2014). Threat Modeling: Designing for
Security
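As an added example, not from the original guide, here are the two countermeasures from option B applied to a JSON configuration file in standard-library Python: the loader refuses a file that is group- or world-writable, and it checks a keyed hash (HMAC-SHA256, used here because the standard library has no asymmetric signatures) before parsing a single byte. The file paths, key and config contents are constructed for the demo; the permission check relies on POSIX mode bits.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Hypothetical integrity key. In a real deployment it must live where the
# config-writing path cannot read it (root-only file, secrets manager), or be
# replaced by a public-key signature so the application holds no secret at all.
INTEGRITY_KEY = b"demo-key-replace-with-a-real-secret"

def sign_config(raw: bytes, key: bytes = INTEGRITY_KEY) -> str:
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

def world_or_group_writable(path: str) -> bool:
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def load_config(path: str, sig_path: str, key: bytes = INTEGRITY_KEY) -> dict:
    # Check 1: refuse a file that anyone but the owner can write.
    if world_or_group_writable(path):
        raise PermissionError(f"{path} is group/world-writable")
    with open(path, "rb") as f:
        raw = f.read()
    with open(sig_path, "r") as f:
        expected = f.read().strip()
    # Check 2: the signed hash must match before the content is parsed or used.
    if not hmac.compare_digest(sign_config(raw, key), expected):
        raise ValueError("config integrity check failed")
    return json.loads(raw)

def demo() -> dict:
    """Constructed scenario: clean load, then a tampered file, then loose permissions."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.json")
        sig = os.path.join(d, "app.json.sig")
        good = json.dumps({"run_as": "svc-app", "admin_users": []}).encode()
        with open(cfg, "wb") as f:
            f.write(good)
        os.chmod(cfg, 0o600)
        with open(sig, "w") as f:
            f.write(sign_config(good))
        results["clean_run_as"] = load_config(cfg, sig)["run_as"]

        # Attacker edits the file to elevate privileges; the signature no longer matches.
        tampered = json.dumps({"run_as": "root", "admin_users": ["attacker"]}).encode()
        with open(cfg, "wb") as f:
            f.write(tampered)
        try:
            load_config(cfg, sig)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True

        # Correct content but loose permissions is rejected too: the write
        # restriction is enforced, not just the integrity check.
        with open(cfg, "wb") as f:
            f.write(good)
        os.chmod(cfg, 0o666)
        try:
            load_config(cfg, sig)
            results["loose_perms_rejected"] = False
        except PermissionError:
            results["loose_perms_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The permission check is the cheap half of "restrict write access": it catches misconfiguration, but it is not a substitute for a MAC policy (SELinux/AppArmor) that stops the application's own compromised process from rewriting the file and re-signing it.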
Q3. An application stores passwords using bcrypt with a cost factor of 12. A security auditor recommends
increasing the cost factor to 14. What is the PRIMARY trade-off associated with this change?
A. It increases the time required for legitimate authentication, potentially degrading user experience.
B. It reduces the maximum password length that can be hashed due to output size limitations.
C. It makes the hash output longer, increasing storage requirements per user.
D. It reduces resistance to rainbow table attacks because the salt is reused more frequently.
Correct Answer: A. It increases the time required for legitimate authentication, potentially degrading user
experience.
Rationale: bcrypt's cost factor is a base-2 exponent: the expensive key setup runs 2^cost times, so moving from 12 to 14
makes each hash about four times slower. That is the purpose of the change (an attacker's offline guesses slow down by
the same factor), but every legitimate login pays the same price, so authentication latency and CPU per login go up.
B is false because the input length limit is a property of the algorithm, not of the cost. C is false because the output
length is fixed. D is false because the salt is generated per password and is unaffected by the cost.
Why Wrong:
B - The cost factor does not affect the maximum password length; bcrypt uses at most the first 72 bytes of the
password regardless of cost.
C - A bcrypt hash is a fixed 60-character string (version, cost, 128-bit salt, 184-bit hash); raising the cost changes the
encoded cost digits, not the length.
D - Rainbow-table resistance comes from the per-password salt; the cost factor only controls how slow each guess is.
Reference: Provos, N., & Mazières, D. (1999). A Future-Adaptable Password Scheme; OWASP Password Storage
Cheat Sheet
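An added example, not from the original guide, of the trade-off in practice: how a team picks a work factor by measuring hashing time on its own hardware instead of guessing. bcrypt is not in the Python standard library, so this uses hashlib.scrypt, whose parameter n = 2**k doubles the work per increment exactly as bcrypt's cost does. The target latency, password and parameter range are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

def relative_work(old_cost: int, new_cost: int) -> int:
    """Work multiplier when a base-2 cost parameter moves from old to new.
    For the question's bcrypt change, relative_work(12, 14) == 4."""
    return 2 ** (new_cost - old_cost)

def _kdf(password: bytes, salt: bytes, k: int) -> bytes:
    # scrypt stands in for bcrypt: n = 2**k is the tunable work factor.
    # r=8, p=1 are conventional; maxmem is raised so k up to 16 fits.
    return hashlib.scrypt(password, salt=salt, n=2 ** k, r=8, p=1,
                          maxmem=256 * 1024 * 1024, dklen=32)

def time_cost(k: int, password: bytes = b"correct horse battery staple") -> float:
    """Wall-clock seconds for one hash at work factor k on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    _kdf(password, salt, k)
    return time.perf_counter() - start

def calibrate(target_seconds: float, k_min: int = 4, k_max: int = 16) -> int:
    """Smallest k whose hashing time meets the latency budget (capped at k_max).
    The budget is the user-experience side of the trade-off: whatever you
    accept per login is what the attacker also pays per guess."""
    for k in range(k_min, k_max + 1):
        if time_cost(k) >= target_seconds:
            return k
    return k_max

def hash_password(password: str, k: int) -> str:
    salt = os.urandom(16)  # per-password salt; independent of the cost
    digest = _kdf(password.encode(), salt, k)
    return f"scrypt${k}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    # The cost is stored with the hash, so raising it for new hashes does not
    # break old ones; rehash on successful login to migrate them.
    _scheme, k, salt_hex, digest_hex = stored.split("$")
    digest = _kdf(password.encode(), bytes.fromhex(salt_hex), int(k))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for k in (10, 11, 12):
        print(f"k={k}: {time_cost(k) * 1000:.1f} ms")
    print("chosen k for a 50 ms budget:", calibrate(0.05))
```

Re-run the calibration when hardware changes, and migrate existing users lazily: verify with the stored cost, then rehash at the new cost once the password has been confirmed.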
Q4. A web application uses a RESTful API that accepts JSON payloads. The API endpoint /api/orders
processes order data and is vulnerable to a mass assignment attack. Which of the following code changes
would BEST mitigate this vulnerability?
A. Use a whitelist of allowed fields in the deserialization step and reject any unexpected fields.
B. Validate the content-type header to ensure it is application/json.
C. Implement rate limiting on the endpoint to prevent automated exploitation.
D. Use a blacklist of sensitive fields (e.g., 'isAdmin', 'role') and remove them from the payload.
Correct Answer: A. Use a whitelist of allowed fields in the deserialization step and reject any unexpected
fields.
Rationale: Mass assignment occurs when a request body is bound to an internal object field for field, so an attacker can
set fields the client was never meant to control (roles, prices, approval flags). A whitelist names the client-owned
fields and their types and rejects a request that carries anything further. B only checks the content type, not which
fields are present. C limits how often the attack can be tried, not whether one request succeeds. D is weaker because it
enumerates the bad instead of the good: it misses aliases, nested objects, and fields added to the model after the list
was written.
Why Wrong:
B - Content-type validation ensures the body is JSON; it says nothing about which fields the JSON contains.
C - Rate limiting mitigates brute force and DoS; a single malicious request still succeeds.
D - Blacklists are incomplete: lenient binders map aliases (e.g. 'is_admin', 'IsAdmin') onto the same attribute,
nested objects sidestep a top-level name check, and every new sensitive field has to be remembered and added.
Reference: OWASP Mass Assignment Cheat Sheet; OWASP API Security Top 10
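An added example, not from the original guide, showing the three binders side by side on a constructed order payload: the vulnerable bind-everything version, the option D blacklist, and the option A whitelist. The binder's alias resolution (case- and underscore-insensitive field matching) is a deliberate imitation of lenient framework behaviour, which is what lets the blacklist be bypassed with a differently spelled key; the Order model and payload are hypothetical.

```python
from dataclasses import dataclass, fields

@dataclass
class Order:
    item: str = ""
    quantity: int = 0
    shipping_address: str = ""
    # Server-controlled: must never be settable from the request body.
    discount_percent: int = 0
    approved: bool = False

def _resolve(order: Order, key: str):
    """Imitate a lenient binder that maps 'Approved', 'APPROVED' or 'is_approved'
    style names onto the matching attribute (case- and underscore-insensitive)."""
    norm = key.replace("_", "").lower()
    for f in fields(order):
        if f.name.replace("_", "").lower() == norm:
            return f.name
    return None

# Vulnerable: bind every key the client sends.
def bind_vulnerable(order: Order, payload: dict) -> Order:
    for key, value in payload.items():
        name = _resolve(order, key)
        if name:
            setattr(order, name, value)
    return order

# Option D: blacklist of sensitive names, checked against the raw key as sent.
DENY = {"approved", "discount_percent"}

def bind_blacklist(order: Order, payload: dict) -> Order:
    for key, value in payload.items():
        if key in DENY:
            continue
        name = _resolve(order, key)
        if name:
            setattr(order, name, value)
    return order

# Option A: whitelist of client-owned fields with exact names and types;
# any other key is an error, not a silently dropped field.
CLIENT_FIELDS = {"item": str, "quantity": int, "shipping_address": str}

def bind_whitelist(order: Order, payload: dict) -> Order:
    unexpected = set(payload) - set(CLIENT_FIELDS)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key, typ in CLIENT_FIELDS.items():
        if key in payload:
            value = payload[key]
            # bool is a subclass of int in Python, so exclude it for int fields.
            if isinstance(value, bool) or not isinstance(value, typ):
                raise TypeError(f"bad type for {key}")
            setattr(order, key, value)
    return order

def demo() -> dict:
    # Constructed attacker payload: legitimate fields plus privileged ones,
    # with 'Approved' spelled to slip past a name-based blacklist.
    payload = {"item": "widget", "quantity": 2, "Approved": True, "discount_percent": 100}
    results = {}
    results["vulnerable_approved"] = bind_vulnerable(Order(), payload).approved
    results["blacklist_approved"] = bind_blacklist(Order(), payload).approved
    try:
        bind_whitelist(Order(), payload)
        results["whitelist_rejected"] = False
    except ValueError:
        results["whitelist_rejected"] = True
    clean = bind_whitelist(Order(), {"item": "widget", "quantity": 2})
    results["whitelist_clean"] = (clean.item, clean.quantity, clean.approved)
    return results

if __name__ == "__main__":
    print(demo())
```

Rejecting unexpected fields, rather than ignoring them, is the part teams most often skip; a rejected request surfaces probing in the logs, while a silently dropped field hides it.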