WGU D487 OA Secure Software Design Objective
Assessment Exam Actual Exam 2026/2027 | Complete
Exam-Style Questions | 100% Verified – Detailed
Rationales – Pass Guaranteed – A+ Graded
TABLE OF CONTENTS
Section 1 | Secure Software Development Lifecycle (SDLC) | Q1 – Q10
Section 2 | Threat Modeling and Risk Assessment | Q11 – Q20
Section 3 | Security Design Principles and Architecture | Q21 – Q30
Section 4 | Secure Coding Practices and Vulnerabilities | Q31 – Q40
Section 5 | Security Testing, Compliance, and Assurance | Q41 – Q50
══════════════════════════════════════
SECTION 1: SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC) Q1 – Q10
══════════════════════════════════════
Question 1 of 50
A junior developer on a healthcare finance team wants to add a new feature to the patient billing
portal just three days before the scheduled release. The feature promises to significantly improve
user experience, but it has not undergone the standard code review or security unit testing
required by the company's SDLC policy. As the lead developer, you must decide whether to
include this feature in the upcoming release. Given the organization's commitment to security
and stability, what is the most appropriate course of action?
A. Approve the feature for release because the user experience improvement outweighs the
potential security risks.
B. Delay the release to allow the feature to undergo the full security testing and code review
process.
C. Release the feature as a beta update to a small group of users to test security in production.
D. Include the feature but disable it via configuration flags until the next sprint.
Correct Answer: B
Rationale: Adhering to the established SDLC process ensures that all code, regardless of its
perceived value or timing, undergoes rigorous security testing and review to prevent
vulnerabilities. Approving the feature creates technical debt and security risk, while releasing it
untested to any user environment, even a small group, violates the fundamental principle of
verifying security before deployment.
Question 2 of 50
Your software development team has historically relied on a "waterfall" approach, performing
security audits only after the entire application is built. You are experiencing a high number of
critical vulnerabilities being found late in the cycle, causing expensive delays. To address this,
you propose shifting to a "DevSecOps" model. What is the primary benefit of integrating
security activities earlier in the development lifecycle?
A. It eliminates the need for security professionals on the team by automating all checks.
B. It allows developers to write code faster without worrying about security protocols.
C. It reduces the cost and effort of fixing vulnerabilities by identifying them during the design
and coding phases.
D. It ensures that the application is completely free of bugs before the first line of code is written.
Correct Answer: C
Rationale: Shifting security left, a core tenet of DevSecOps, identifies vulnerabilities when they
are cheaper and easier to fix, rather than after the software is feature-complete. While automation
is a tool used in this model, it does not eliminate the need for human expertise, and no
methodology can guarantee completely bug-free code before coding begins.
Question 3 of 50
You are gathering requirements for a new mobile banking application that will handle sensitive
financial data. During the stakeholder interviews, the marketing team emphasizes the need for
fast transaction speeds, while the compliance team stresses strict data protection. To align these
conflicting needs into a cohesive software design, you should categorize data protection as which
type of requirement?
A. Functional requirement
B. Non-functional requirement
C. Technical constraint
D. User story
Correct Answer: B
Rationale: Data protection, like speed, security, and reliability, is a quality attribute, classed
as a non-functional requirement because it dictates how the system performs rather than what
specific action it takes. Functional requirements describe specific behaviors the system must
exhibit, such as "the user must be able to transfer funds."
Question 4 of 50
A development team is transitioning to an Agile methodology for a critical infrastructure project.
They are concerned that the rapid two-week sprint cycles might compromise security because
there isn't enough time for traditional deep-dive security audits. How can the team best maintain
security rigor without slowing down the Agile delivery process?
A. Conduct a full, manual security audit at the end of every six sprints instead of every sprint.
B. Automate security checks within the Continuous Integration/Continuous Deployment (CI/CD)
pipeline.
C. Pause all development for one week every quarter to allow for manual penetration testing.
D. Rely on the senior developers to manually review code during the sprint planning meeting.
Correct Answer: B