WGU D487 SECURE SOFTWARE DESIGN EXAM 2024/2025 WITH VERIFIED ACCURATE Q&A WITH
EXPLANATIONS (100% Correct)
Threat Modeling
1. What is the purpose of threat modeling in secure software design?
A. To prioritize project deadlines
B. To identify and mitigate potential security risks
C. To assess software usability
D. To define hardware requirements
Answer: B
Explanation: Threat modeling identifies vulnerabilities and creates strategies to mitigate risks
during the design phase.
2. Which framework is commonly used in threat modeling to classify threats?
A. OWASP
B. STRIDE
C. NIST
D. ISO 27001
Answer: B
Explanation: STRIDE categorizes threats as Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service, and Elevation of Privilege.
3. What is the first step in the threat modeling process?
A. Define mitigations
B. Identify security controls
C. Identify assets
D. Deploy the software
Answer: C
Explanation: Identifying assets helps understand what needs protection and forms the basis for
further threat modeling.
Secure Coding Practices
4. Which of the following best prevents SQL injection attacks?
A. Using encrypted database connections
B. Implementing parameterized queries
C. Allowing unrestricted user input
D. Storing passwords in plaintext
Answer: B
Explanation: Parameterized queries separate user input from code execution, preventing
malicious SQL injection.
5. What is the main purpose of input validation?
A. To improve software performance
B. To prevent security vulnerabilities from malicious input
, C. To format data for better readability
D. To speed up query execution
Answer: B
Explanation: Input validation ensures only expected, safe data is processed by the application.
6. Which coding practice helps prevent buffer overflow attacks?
A. Disabling exception handling
B. Using languages with bounds checking
C. Using older cryptographic algorithms
D. Allowing unrestricted array sizes
Answer: B
Explanation: Languages like Python and Java include built-in bounds checking to avoid buffer
overflow.
Authentication and Authorization
7. What does the principle of least privilege imply?
A. Users should have access to all system resources
B. Users should have the minimum level of access required to perform their tasks
C. Privileges should never expire
D. Privileges should be shared among multiple users
Answer: B
Explanation: Least privilege limits access to only what is necessary, reducing the risk of
accidental or malicious misuse.
8. What is a common weakness of password-only authentication?
A. It is too secure
B. It is susceptible to brute-force attacks
C. It requires multi-factor authentication
D. It does not allow user recovery options
Answer: B
Explanation: Password-only authentication is vulnerable to attacks if passwords are weak or
reused.
9. Which authentication method is the most secure?
A. Username and password only
B. Two-factor authentication (2FA)
C. Password reset questions
D. IP-based restrictions
Answer: B
Explanation: 2FA adds an extra layer of security by requiring a second factor, such as a mobile
device or biometric.
EXPLANATIONS (100% Correct)
Threat Modeling
1. What is the purpose of threat modeling in secure software design?
A. To prioritize project deadlines
B. To identify and mitigate potential security risks
C. To assess software usability
D. To define hardware requirements
Answer: B
Explanation: Threat modeling identifies vulnerabilities and creates strategies to mitigate risks
during the design phase.
2. Which framework is commonly used in threat modeling to classify threats?
A. OWASP
B. STRIDE
C. NIST
D. ISO 27001
Answer: B
Explanation: STRIDE categorizes threats as Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service, and Elevation of Privilege.
3. What is the first step in the threat modeling process?
A. Define mitigations
B. Identify security controls
C. Identify assets
D. Deploy the software
Answer: C
Explanation: Identifying assets helps understand what needs protection and forms the basis for
further threat modeling.
Secure Coding Practices
4. Which of the following best prevents SQL injection attacks?
A. Using encrypted database connections
B. Implementing parameterized queries
C. Allowing unrestricted user input
D. Storing passwords in plaintext
Answer: B
Explanation: Parameterized queries separate user input from code execution, preventing
malicious SQL injection.
5. What is the main purpose of input validation?
A. To improve software performance
B. To prevent security vulnerabilities from malicious input
, C. To format data for better readability
D. To speed up query execution
Answer: B
Explanation: Input validation ensures only expected, safe data is processed by the application.
6. Which coding practice helps prevent buffer overflow attacks?
A. Disabling exception handling
B. Using languages with bounds checking
C. Using older cryptographic algorithms
D. Allowing unrestricted array sizes
Answer: B
Explanation: Languages like Python and Java include built-in bounds checking to avoid buffer
overflow.
Authentication and Authorization
7. What does the principle of least privilege imply?
A. Users should have access to all system resources
B. Users should have the minimum level of access required to perform their tasks
C. Privileges should never expire
D. Privileges should be shared among multiple users
Answer: B
Explanation: Least privilege limits access to only what is necessary, reducing the risk of
accidental or malicious misuse.
8. What is a common weakness of password-only authentication?
A. It is too secure
B. It is susceptible to brute-force attacks
C. It requires multi-factor authentication
D. It does not allow user recovery options
Answer: B
Explanation: Password-only authentication is vulnerable to attacks if passwords are weak or
reused.
9. Which authentication method is the most secure?
A. Username and password only
B. Two-factor authentication (2FA)
C. Password reset questions
D. IP-based restrictions
Answer: B
Explanation: 2FA adds an extra layer of security by requiring a second factor, such as a mobile
device or biometric.
