Bank- Complete Study Guide with 500+ Actual
Exam Questions, Verified Correct Answers &
Detailed Rationales- Updated 2026 || Brand New!!
Question 1
What is the study of real-world software security initiatives organized so companies can
measure their initiatives and understand how to evolve them over time?
A) Building Security in Maturity Model (BSIMM)
B) Security features and design
C) OWASP Software Assurance Maturity Model (SAMM)
D) ISO 27001
Correct Answer: A
Rationale: The Building Security in Maturity Model (BSIMM) is a study of real-world
software security initiatives. It helps organizations measure their security initiatives
against industry peers and understand how to evolve their security programs over time.
BSIMM provides a framework for assessing and improving software security practices.
Question 2
What is the analysis of computer software that is performed without executing
programs?
A) Dynamic analysis
B) Static analysis
C) Fuzzing
D) OWASP ZAP
Correct Answer: B
Rationale: Static analysis is performed without executing the computer programs. It
analyzes source code, bytecode, or binary code to identify potential vulnerabilities,
coding errors, and security issues. This type of analysis can catch issues early in the
development lifecycle before the code is run.
Question 3
What ISO standard is the benchmark for information security today?
A) ISO/IEC 27001
B) ISO/IEC 7799
C) ISO/IEC 27034
D) ISO 8601
Correct Answer: A
Rationale: ISO/IEC 27001 is the international standard for information security
management systems (ISMS). It provides a framework for establishing, implementing,
maintaining, and continually improving an information security management system. It
is widely recognized as the benchmark for information security.
Question 4
What is the analysis of computer software that is performed by executing programs on a
real or virtual processor in real time?
A) Dynamic analysis
B) Static analysis
C) Fuzzing
D) Security testing
Correct Answer: A
Rationale: Dynamic analysis is performed by executing programs on a real or virtual
processor in real time. It monitors the behavior of the software while it runs, checking
for issues such as memory leaks, buffer overflows, and input validation failures. This
type of analysis can detect vulnerabilities that only manifest during execution.
Question 5
Which person is responsible for designing, planning, and implementing secure coding
practices and security testing methodologies?
A) Software security champion
B) Product security developer
C) Software security architect
D) Software tester
Correct Answer: C
Rationale: The Software Security Architect is responsible for designing, planning, and
implementing secure coding practices and security testing methodologies. They work at
a strategic level to ensure security is built into the software architecture from the
beginning.
Question 6
A company is preparing to add a new feature to its flagship software product. The new
feature is similar to features that have been added in previous years, and the
requirements are well-documented. The project is expected to last three to four months,
at which time the new feature will be released to customers. Project team members will
focus solely on the new feature until the project ends. Which software development
methodology is being used?
A) Waterfall
B) Agile
C) Scrum
D) Extreme programming
Correct Answer: A
Rationale: The Waterfall methodology is characterized by a sequential, linear
approach where each phase must be completed before moving to the next. The project
team focuses solely on the feature until completion, with well-documented requirements
and a fixed timeline—all characteristics of Waterfall. Agile, Scrum, and XP are iterative
approaches that involve continuous feedback and incremental delivery.
Question 7
A new product will require an administration section for a small number of users.
Normal users will be able to view limited customer information and should not see
admin functionality within the application. Which concept is being used?
A) Privacy
B) Principle of least privilege
C) Software security champion
D) Elevation of privilege
Correct Answer: B
Rationale: The Principle of Least Privilege states that users should be given only the
minimum privileges necessary to perform their job functions. In this scenario, normal
users have limited access and cannot see admin functionality, while admin users have
appropriate elevated privileges. This prevents unauthorized access and reduces the
attack surface.
Question 8
The software security team is currently working to identify approaches for input
validation, authentication, authorization, and configuration management of a new
software product so they can deliver a security profile. Which threat modeling step is
being described?
A) Identifying and documenting threats
B) Drawing data flow diagram
C) Rating threats
D) Analyzing the target
Correct Answer: D
Rationale: Analyzing the target involves understanding the application's architecture,
identifying key security controls (input validation, authentication, authorization,
configuration management), and defining the security profile. This is the foundational
step in threat modeling where the team gathers information about the system's security
mechanisms.
Question 9
The scrum team is attending their morning meeting, which is scheduled at the
beginning of the work day. Each team member reports what they accomplished
yesterday, what they plan to accomplish today, and if they have any impediments that
may cause them to miss their delivery deadline. Which scrum ceremony is the team
participating in?
A) Daily scrum
B) Sprint review
C) Sprint retrospective
D) Sprint planning
Correct Answer: A
Rationale: The Daily Scrum (also called the daily stand-up) is a short, time-boxed
meeting held each day where team members synchronize their work, report progress,
and identify impediments. Each team member answers three questions: What did I do
yesterday? What will I do today? Are there any impediments?