WGU D487 SECURE SOFTWARE DESIGN
ACTUAL EXAM QUESTIONS AND
CORRECT ANSWERS RATED A+
In the agile model, projects are divided into small incremental builds that provide working
software at the end of each iteration and adds value to business."
"In Scrum methodology, who is responsible for making decisions on the requirements?
Scrum Team
Product Owner
ScrumMaster
Technical Lead - CORRECT ANSWER=> Product Owner
The Product Owner is responsible for requirements/backlog items and prioritizing them."
"What is the reason software security teams host discovery meetings with stakeholders early in
the development life cycle?
To determine how much budget is available for new security tools
To meet the development team
To refactor functional requirements to ensure security is included
To ensure that security is built into the product from the start - CORRECT ANSWER=> To ensure
that security is built into the product from the start
To correctly and cost-effectively introduce security into the software development life cycle, it
needs to be done early."
"Which software methodology resembles an assembly-line approach?
V-model
Page | 1
,Agile model
Iterative model
Waterfall model - CORRECT ANSWER=> Waterfall model
Waterfall model is a continuous software development model in which the development steps
flow steadily downwards."
"Which software methodology approach provides faster time to market and higher business
value?
Iterative model
Waterfall model
V-model
Agile model - CORRECT ANSWER=> Agile model
"Why should a security team provide documented certification requirements during the
software assessment phase?
Certification is required if the organization wants to move to the cloud.
Depending on the environment in which the product resides, certifications may be required by
corporate or government entities before the software can be released to customers.
By ensuring software products are certified, the organization is protected from future litigation.
By ensuring all developers have security certifications before writing any code, teams can forego
discovery sessions. - CORRECT ANSWER=> Depending on the environment in which the product
resides, certifications may be required by corporate or government entities before the software
can be released to customers.
Any new product may need to be certified based on the data it stores, the frameworks it uses,
or the domain in which it resides. Those certification requirements need to be analyzed and
documented early in the development life cycle."
"What are two items that should be included in the privacy impact assessment plan regardless
of which methodology is used?Choose 2 answers.
Required process steps
Technologies and techniques
SDL project outline
Threat modeling
Post-implementation signoffs - CORRECT ANSWER=> Required process steps
Technologies and techniques
Page | 2
,"Required process steps" is correct. Required process steps explain in more detail which
requirements are relevant to developers, detailing what types of data are considered sensitive
and how they need to be protected.
"Technologies and techniques" is correct. Technologies and techniques detail techniques for
meeting legislative requirements in five categories: Confidentiality, Integrity, Availability,
Auditing and Logging, and Authentication."
"What are the goals of each SDL deliverable?
Select one of these options for each deliverable:
-Estimate the actual cost of the product
-Identify dependence on unmanaged software
-Map security activities to the development schedule
-Guide security activities to protect the product from vulnerabilities
Product risk profile
SDL project outline
Threat profile
List of third-party software - CORRECT ANSWER=> Estimate the actual cost of the product
Map security activities to the development schedule
Guide security activities to protect the product from vulnerabilities
Identify dependence on unmanaged software
The product risk profile helps management see the actual cost of a product.
The SDL project outline maps security activities to the development schedule.
A threat profile guides the security team on how to protect the product from threats.
The third-party software list identifies all components the product is using that are managed
outside the organization."
"What is a threat action that is designed to illegally access and use another person's
credentials?
Tampering
Spoofing
Elevation of privilege
Page | 3
, Information disclosure - CORRECT ANSWER=> Spoofing
Spoofing is a threat action that occurs when the cyber criminal acts as a trusted device to get
you to relay secure information."
"What are two steps of the threat modeling process?Choose 2 answers.
Survey the application
Decompose the application
Redesign the process to eliminate the threat
Transfer the risk
Identify business requirements - CORRECT ANSWER=> Survey the application
Decompose the application
"Survey the application" is correct. Surveying the application is a way to gain knowledge of how
the product works by reading product documentation and interviewing the development team.
"Decompose the application" is correct. Decomposing the application can be done by doing a
deep dive into the code and understanding how it works behind the scenes."
"What do the "A" and the first "D" in the DREAD acronym represent?Choose 2 answers.
Damage
Affected users
Denial of service
Authentication - CORRECT ANSWER=> Damage
Affected users
"Damage" is correct. Damage represents the first 'D' in DREAD and measures how much
damage will be caused if the threat exploit occurs.
"Affected users" is correct. Affected users represents the 'A' in DREAD and measures how many
users will be affected."
"Which shape indicates each type of flow diagram element?
Select an option for each element:
-Two parallel horizontal lines
-Solid line with an arrow.
-Rectangle
-Dashed line
External elements
Page | 4
ACTUAL EXAM QUESTIONS AND
CORRECT ANSWERS RATED A+
In the agile model, projects are divided into small incremental builds that provide working
software at the end of each iteration and adds value to business."
"In Scrum methodology, who is responsible for making decisions on the requirements?
Scrum Team
Product Owner
ScrumMaster
Technical Lead - CORRECT ANSWER=> Product Owner
The Product Owner is responsible for requirements/backlog items and prioritizing them."
"What is the reason software security teams host discovery meetings with stakeholders early in
the development life cycle?
To determine how much budget is available for new security tools
To meet the development team
To refactor functional requirements to ensure security is included
To ensure that security is built into the product from the start - CORRECT ANSWER=> To ensure
that security is built into the product from the start
To correctly and cost-effectively introduce security into the software development life cycle, it
needs to be done early."
"Which software methodology resembles an assembly-line approach?
V-model
Page | 1
,Agile model
Iterative model
Waterfall model - CORRECT ANSWER=> Waterfall model
Waterfall model is a continuous software development model in which the development steps
flow steadily downwards."
"Which software methodology approach provides faster time to market and higher business
value?
Iterative model
Waterfall model
V-model
Agile model - CORRECT ANSWER=> Agile model
"Why should a security team provide documented certification requirements during the
software assessment phase?
Certification is required if the organization wants to move to the cloud.
Depending on the environment in which the product resides, certifications may be required by
corporate or government entities before the software can be released to customers.
By ensuring software products are certified, the organization is protected from future litigation.
By ensuring all developers have security certifications before writing any code, teams can forego
discovery sessions. - CORRECT ANSWER=> Depending on the environment in which the product
resides, certifications may be required by corporate or government entities before the software
can be released to customers.
Any new product may need to be certified based on the data it stores, the frameworks it uses,
or the domain in which it resides. Those certification requirements need to be analyzed and
documented early in the development life cycle."
"What are two items that should be included in the privacy impact assessment plan regardless
of which methodology is used?Choose 2 answers.
Required process steps
Technologies and techniques
SDL project outline
Threat modeling
Post-implementation signoffs - CORRECT ANSWER=> Required process steps
Technologies and techniques
Page | 2
,"Required process steps" is correct. Required process steps explain in more detail which
requirements are relevant to developers, detailing what types of data are considered sensitive
and how they need to be protected.
"Technologies and techniques" is correct. Technologies and techniques detail techniques for
meeting legislative requirements in five categories: Confidentiality, Integrity, Availability,
Auditing and Logging, and Authentication."
"What are the goals of each SDL deliverable?
Select one of these options for each deliverable:
-Estimate the actual cost of the product
-Identify dependence on unmanaged software
-Map security activities to the development schedule
-Guide security activities to protect the product from vulnerabilities
Product risk profile
SDL project outline
Threat profile
List of third-party software - CORRECT ANSWER=> Estimate the actual cost of the product
Map security activities to the development schedule
Guide security activities to protect the product from vulnerabilities
Identify dependence on unmanaged software
The product risk profile helps management see the actual cost of a product.
The SDL project outline maps security activities to the development schedule.
A threat profile guides the security team on how to protect the product from threats.
The third-party software list identifies all components the product is using that are managed
outside the organization."
"What is a threat action that is designed to illegally access and use another person's
credentials?
Tampering
Spoofing
Elevation of privilege
Page | 3
, Information disclosure - CORRECT ANSWER=> Spoofing
Spoofing is a threat action that occurs when the cyber criminal acts as a trusted device to get
you to relay secure information."
"What are two steps of the threat modeling process?Choose 2 answers.
Survey the application
Decompose the application
Redesign the process to eliminate the threat
Transfer the risk
Identify business requirements - CORRECT ANSWER=> Survey the application
Decompose the application
"Survey the application" is correct. Surveying the application is a way to gain knowledge of how
the product works by reading product documentation and interviewing the development team.
"Decompose the application" is correct. Decomposing the application can be done by doing a
deep dive into the code and understanding how it works behind the scenes."
"What do the "A" and the first "D" in the DREAD acronym represent?Choose 2 answers.
Damage
Affected users
Denial of service
Authentication - CORRECT ANSWER=> Damage
Affected users
"Damage" is correct. Damage represents the first 'D' in DREAD and measures how much
damage will be caused if the threat exploit occurs.
"Affected users" is correct. Affected users represents the 'A' in DREAD and measures how many
users will be affected."
"Which shape indicates each type of flow diagram element?
Select an option for each element:
-Two parallel horizontal lines
-Solid line with an arrow.
-Rectangle
-Dashed line
External elements
Page | 4
