D487 EXAM (ACTUAL 2025) QUESTIONS WITH ANSWERS
What is the study of real-world software security initiatives organized so companies can measure their initiatives and understand how to evolve them over time?
-Building Security in Maturity Model (BSIMM)
-Security features and design
-OWASP Software Assurance Maturity Model (SAMM)
-ISO 27001
-Building Security in Maturity Model (BSIMM)
A software security team member has created data flow diagrams, chosen the STRIDE methodology to perform threat reviews, and created the security assessment for the new product. Which category of secure software best practices did the team member perform?
-training
-pen testing
-code review
-architecture analysis
-architecture analysis
The security team is reviewing whether new security requirements, based on identified threats or changes to organizational guidelines, can be implemented prior to releasing the new product. Which activity of the Ship SDL phase is being performed?
-Policy compliance analysis
-Penetration testing
-Final privacy review
-Open-source licensing review
-Policy compliance analysis
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that all user input values must be validated by type, size, and range?
-Every-sprint requirement
-Bucket requirement
-One-time requirement
-Final security review requirement
-Every-sprint requirement
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing security testing results from recently completed initiatives. Which BSIMM domain is being assessed?
-Software security development life cycle (SSDL) touchpoints
-Intelligence
-Governance
-Deployment
-Software security development life cycle (SSDL) touchpoints
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements. Which type of requirement states that the team must perform remote procedure call (RPC) fuzz testing?
-Bucket requirement
-One-time requirement
-Every-sprint requirement
-Final security review requirement
-Bucket requirement