| Field | Value |
|---|---|
| Exam Code | Secure-Software-Design |
| Exam Name | WGU Secure Software Design (D487, KEO1) Exam |
| Questions | 118 Questions Answers With Explanation |
| Update Date | May 28, 2026 |
Welcome to Certsleader, your ultimate source for top-quality Secure-Software-Design dumps tailored for the WGU Secure-Software-Design exam. Our comprehensive resources are designed to help you excel in your exam preparation and achieve your certification goals. Whether you are a beginner looking to start a career in WGU certification or an experienced professional seeking to advance your skills, Certsleader has the right tools to support your journey.
At Certsleader, we are committed to your success. Our practice questions and answers are designed to improve your knowledge and help you pass your exams on the first attempt with high scores. In the rare event that you do not succeed, we offer a full refund, taking responsibility for your satisfaction.
Join thousands of satisfied learners who have successfully passed their certification exams with Certsleader. Explore our study materials, download your PDF files, and take the first step towards a rewarding IT career today.
A recent vulnerability scan uncovered an XML external entity (XXE) flaw that could allow attackers to return the contents of a system file by including a specific payload in an XML request. How should the organization remediate this vulnerability?
A. Ensure audit trails exist for all sensitive transactions
B. Disable resolution of external entities in the parsing library
C. Enforce role-based authorization in all application layers
D. Ensure authentication cookies are encrypted
Which type of manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value's outputs?
A. Risk analysis
B. Control flow analysis
C. Data flow analysis
D. Threat analysis
The security team is identifying technical resources that will be needed to perform the final product security review. Which step of the final product security review process are they in?
A. Release and Ship
B. Identify Feature Eligibility
C. Evaluate and Plan for Remediation
D. Assess Resource Availability
What is a best practice of secure coding?
A. Planning
B. Session management
C. User acceptance testing
D. Microservices
What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?
A. User acceptance testing
B. Manual peer review
C. Fault injection
D. Dynamic code review
Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?
A. Least Privilege
B. Total Mediation
C. Separation of Privileges
D. Psychological Acceptability
A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration. Which Scrum ceremony is the team participating in?
A. Daily Scrum
B. Sprint Planning
C. Sprint Retrospective
D. Sprint Review
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure. Which security testing technique is being used?
A. Source-Code Fault Injection
B. Dynamic Code Analysis
C. Fuzz Testing
D. Binary Fault Injection
After being notified of a vulnerability in the company's online payment system, the Product Security Incident Response Team (PSIRT) was unable to recreate the vulnerability in a testing lab. What is the response team's next step?
A. Determine the Severity of the Vulnerability
B. Notify the Reporter That the Case Is Going to Be Closed
C. Determine How the Reporter Was Able to Create the Vulnerability
D. Identify Resources and Schedule the Fix
Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?
A. Security test execution report
B. Security testing reports
C. Privacy compliance report
D. Remediation report
Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?
A. Input Validation
B. Memory Management
C. Session Management
D. Data Protection
A recent security review has identified an aging credential recovery/forgotten password component that emails temporary passwords to users who claim to have forgotten their application password. How should the organization remediate this vulnerability?
A. Lock a User Account After Multiple Failed Authentication Attempts
B. Ensure All Authorization Requests Are Logged
C. Implement Multifactor Authentication
D. Implement Role-Based Authorization
Which threat modeling methodology involves creating or using collections of similar threats?
A. Data Flow Diagrams
B. Attack Libraries
C. Attack Trees
D. Security Profile
The product security incident response team (PSIRT) has decided to make a formal public disclosure, including base and temporal common vulnerability scoring system (CVSS) scores and a common vulnerabilities and exposures (CVE) ID report, of an externally discovered vulnerability. What is the most likely reason for making a public disclosure?
A. The potential for increased public awareness of a vulnerability is probable, which could lead to higher risk for customers.
B. The vulnerability reporter has threatened to make the finding public after being notified that their case was not credible.
C. The response team has determined that the vulnerability is credible.
D. Notification of a vulnerability from an external party has occurred.
Which privacy impact statement requirement type defines how personal information will be protected when authorized or independent external entities are involved?
A. Personal information retention requirements
B. User controls requirements
C. Third party requirements
D. Data integrity requirements
What is a countermeasure to the web application security frame (ASF) data validation/parameter validation threat category?
A. Inputs enforce type, format, length, and range checks.
B. All administrative activities are logged and audited.
C. Sensitive information is not logged.
D. All exceptions are handled in a structured way.
Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component. The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal and environmental metrics. Which rating would CVSS assign this vulnerability?
A. Critical severity
B. High severity
C. Low severity
D. Medium severity
The software security team is performing security testing for a new software product that is close to production release. They are concentrating on integrations between the new product and database servers, web servers, and web services. Which security testing technique is being used?
A. Fuzz testing
B. Dynamic code analysis
C. Binary fault injection
D. Binary code analysis
Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?
A. Dynamic
B. Black box
C. Static
D. White box
The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute. Which design and development deliverable did the team prepare?
A. Design security review
B. Updated threat modeling artifacts
C. Privacy implementation assessment results
D. Security test plans