WGU D487 Secure Software Design - Practice Questions & Answers
Domain 1: Security Requirements and Compliance
1. What is the primary goal of establishing security requirements in the SDLC?
A) To ensure the application is feature-rich.
B) To identify and mitigate potential security risks before coding begins. ✓
C) To make the development process faster.
D) To reduce the number of test cases needed.
2. Which of the following is a regulatory standard for protecting credit card data?
A) HIPAA
B) PCI DSS ✓
C) SOX
D) GDPR
3. A healthcare application must be designed to comply with which U.S. regulation?
A) FISMA
B) HIPAA ✓
C) GLBA
D) PCI DSS
4. The principle of "Privacy by Design" mandates that:
A) Privacy features are added after a breach occurs.
B) Privacy is considered throughout the entire engineering process. ✓
C) Only public data needs to be protected.
D) Privacy is the sole responsibility of the legal team.
5. What is the main purpose of data classification?
A) To increase server storage costs.
B) To apply appropriate security controls based on data sensitivity. ✓
C) To make data backup procedures more complex.
D) To organize database tables alphabetically.
6. Which term describes the process of removing personally identifiable information (PII) from a dataset?
A) Encryption
B) Tokenization
C) Anonymization ✓
D) Hashing
7. The European Union's General Data Protection Regulation (GDPR) is primarily concerned with:
A) Corporate financial reporting.
B) The protection and privacy of personal data. ✓
C) Software development methodologies.
D) Network infrastructure security.
8. When defining security requirements, what is an "abuse case"?
A) A use case written for system administrators.
B) A scenario describing how an attacker might misuse the system. ✓
C) A case where the software is used beyond its intended capacity.
D) A legal case involving software licensing.
Domain 2: Secure Software Design Principles and Patterns
9. The principle of "Least Privilege" states that a user or process should have:
A) Full administrative access to be efficient.
B) Only the permissions absolutely necessary to perform its function. ✓
C) The same access rights as the CEO.
D) Access based on seniority within the organization.
10. What does the "Defense in Depth" strategy involve?
A) Relying on a single, strong firewall.
B) Implementing multiple, layered security controls. ✓
C) Focusing security only on the database layer.
D) Deploying security controls only at the network perimeter.
11. "Fail Securely" means that when a system fails, it should:
A) Display detailed error messages to the user.
B) Restart automatically without logging the event.
C) Default to a state that denies access rather than grants it. ✓
D) Continue operating with reduced functionality.
12. Which design pattern is used to centralize and manage access to a sensitive resource?
A) Factory Pattern
B) Singleton Pattern
C) Proxy Pattern ✓
D) Observer Pattern
13. What is the primary purpose of "Separation of Duties"?
A) To speed up the development process.
B) To prevent a single individual from compromising a system. ✓
C) To ensure developers and testers don't communicate.
D) To create more managerial positions.
14. The principle of "Economy of Mechanism" suggests that security designs should be:
A) As simple and small as possible. ✓
B) Complex to confuse potential attackers.
C) Developed by the largest team available.
D) Independent of the system's architecture.
15. "Complete Mediation" requires that:
A) Every access request to a resource is checked for authorization. ✓
B) All data is fully encrypted at all times.
C) Security audits are completed monthly.
D) All software modules are of similar size.
16. Which principle ensures that a system remains secure even if its design is publicly known?
A) Security through Obscurity
B) Open Design ✓
C) Least Astonishment
D) Psychological Acceptability
Domain 3: Common Software Vulnerabilities and Mitigations (OWASP Top 10)
17. What is the most effective way to prevent SQL Injection attacks?
A) Using a Web Application Firewall (WAF).
B) Sanitizing all user input with an allow-list.
C) Using parameterized queries or prepared statements. ✓
D) Hiding database error messages.
18. Cross-Site Scripting (XSS) attacks allow an attacker to:
A) Execute malicious SQL queries on the database.
B) Bypass network firewalls.
C) Inject client-side scripts into web pages viewed by other users. ✓
D) Gain root access to the server.
19. Broken Authentication vulnerabilities often involve:
A) Weak session management and credential stuffing. ✓
B) Lack of encryption on the database server.
C) Poorly designed user interfaces.
D) Insufficient server processing power.
20. Sensitive Data Exposure can be mitigated by:
A) Storing passwords in plain text for easy recovery.
B) Using strong, modern encryption for data at rest and in transit. ✓
C) Transmitting data over HTTP for better performance.
D) Using Base64 encoding as a primary encryption method.
21. XML External Entity (XXE) attacks exploit:
A) Misconfigured XML parsers that process external entities. ✓
B) Weaknesses in the CSS of a web page.
C) Buffer overflows in the operating system.
D) Insecure direct object references.
22. What is the primary risk associated with Security Misconfiguration?
A) It can lead to unauthorized access due to default accounts, unused pages, or unprotected files. ✓
B) It makes the user interface less intuitive.
C) It slows down the application's response time.
D) It increases the cost of software licensing.
23. Cross-Site Request Forgery (CSRF) attacks trick a user's browser into:
A) Executing a local script on their machine.
B) Sending an unintended and authenticated request to a web application. ✓
C) Downloading a virus from a malicious site.
D) Caching too much sensitive data.
24. Using components with known vulnerabilities is dangerous because:
A) They are always open-source.
B) Attackers can exploit these known weaknesses easily. ✓