
Check Real WGU Secure-Software-Design Exam Question for Free (2025)
Get ready to boost your preparation for the Secure-Software-Design exam with 118 questions
NEW QUESTION # 20
The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?
- A. Architecture analysis
- B. Attack models
- C. Training
- D. Code review
Answer: C
Explanation:
The category of secure software best practices being described is Training. This is because the focus is on educating new developers about organizational security policies and coding practices to mitigate potential threats. Training is a proactive approach to ensure that developers are aware of security concerns and are equipped with the knowledge to address them in their coding practices.
References: The importance of training in secure software best practices is supported by industry resources such as SAFECode's "Fundamental Practices for Secure Software Development", which emphasizes the need for application security control definition and management, and NIST's Secure Software Development Framework (SSDF), which recommends integrating secure development practices throughout the software development lifecycle. Additional support for this category can be found in resources detailing effective secure development practices.
NEW QUESTION # 21
Which design and development deliverable contains the results of each type of evaluation that was performed and the type and number of vulnerabilities discovered?
- A. Security test execution report
- B. Remediation report
- C. Security testing reports
- D. Privacy compliance report
Answer: C
Explanation:
Security testing reports are the deliverables that typically contain detailed results of the security evaluations performed. These reports include the types of tests conducted, such as static and dynamic analysis, penetration testing, and code reviews, as well as the number and types of vulnerabilities discovered. The purpose of these reports is to document the security posture of the software at the time of testing and to provide a basis for remediation efforts.
References: The information aligns with best practices in secure software development, which emphasize the importance of documenting security requirements and conducting risk analysis during the design phase to identify and mitigate vulnerabilities early in the SDLC.
NEW QUESTION # 22
Which type of security analysis is limited by the fact that a significant time investment of a highly skilled team member is required?
- A. Static code analysis
- B. Dynamic code analysis
- C. Manual code review
- D. Fuzz testing
Answer: C
Explanation:
Manual code review is a type of security analysis that requires a significant time investment from a highly skilled team member. This process involves a detailed and thorough examination of the source code to identify security vulnerabilities that automated tools might miss. It is labor-intensive because it relies on the expertise of the reviewer to understand the context, logic, and potential security implications of the code.
Unlike automated methods like static or dynamic code analysis, manual code review demands a deep understanding of the codebase, which can be time-consuming and requires a high level of skill and experience.
References: The information provided here is based on industry best practices and standards for secure software design and development, as well as my understanding of security analysis methodologies.
NEW QUESTION # 23
The product security incident response team (PSIRT) has decided to make a formal public disclosure, including base and temporal common vulnerability scoring system (CVSS) scores and a common vulnerabilities and exposures (CVE) ID report, of an externally discovered vulnerability.
What is the most likely reason for making a public disclosure?
- A. Notification of a vulnerability from an external party has occurred.
- B. The response team has determined that the vulnerability is credible.
- C. The vulnerability reporter has threatened to make the finding public after being notified that their case was not credible.
- D. The potential for increased public awareness of a vulnerability is probable, which could lead to higher risk for customers.
Answer: B
NEW QUESTION # 24
Which secure coding practice involves clearing all local storage as soon as a user logs off for the night and will automatically log a user out after an hour of inactivity?
- A. Access control
- B. Session management
- C. Communication security
- D. System configuration
Answer: B
Explanation:
The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.
References: The information aligns with the secure coding practices outlined by the OWASP Foundation, and is supported by common practices in web development for managing sessions and local storage.
NEW QUESTION # 25
A product team, consisting of a Scrum Master, a Business Analyst, two Developers, and a Quality Assurance Tester, are on a video call with the Product Owner. The team is reviewing a list of work items to determine how many they feel can be added to their backlog and completed within the next two-week iteration.
Which Scrum ceremony is the team participating in?
- A. Daily Scrum
- B. Sprint Review
- C. Sprint Planning
- D. Sprint Retrospective
Answer: C
NEW QUESTION # 26
The security team contracts with an independent security consulting firm to simulate attacks on deployed products and report results to organizational leadership.
Which category of secure software best practices is the team performing?
- A. Architecture analysis
- B. Attack models
- C. Code review
- D. Penetration testing
Answer: D
Explanation:
Engaging an independent security consulting firm to simulate attacks on deployed products is an example of Penetration Testing.
Penetration testing involves authorized simulated attacks on a system to evaluate its security. The objective is to identify vulnerabilities that could be exploited by malicious entities and to assess the system's resilience against such attacks. This proactive approach helps organizations understand potential weaknesses and implement necessary safeguards.
According to the OWASP Testing Guide, penetration testing is a critical component of a comprehensive security program:
"Penetration testing involves testing the security of systems and applications by simulating attacks from malicious individuals."
References:
* OWASP Testing Guide
NEW QUESTION # 27
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
- A. Software security development life cycle (SSDL) touchpoints
- B. Governance
- C. Intelligence
- D. Deployment
Answer: C
Explanation:
The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization's ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.
References: The references used to verify this answer include the official BSIMM documentation and related resources that describe the various domains and their activities within the BSIMM framework.
NEW QUESTION # 28
A potential threat was discovered during automated system testing when a PATCH request sent to the API caused an unhandled server exception. The API only supports GET, POST, PUT, and DELETE requests.
How should existing security controls be adjusted to prevent this in the future?
- A. Use API keys to enforce authorization of every request
- B. Ensure audit logs are in place for sensitive transactions
- C. Enforce role-based authorization
- D. Properly configure acceptable API requests
Answer: D
Explanation:
The issue described involves a PATCH request causing an unhandled server exception because the API does not support this method. The most direct and effective way to prevent such exceptions is to ensure that the API is configured to accept only the supported request methods: GET, POST, PUT, and DELETE. This can be achieved by implementing strict input validation to reject any requests that do not conform to the defined API specifications, including the request method. By doing so, any requests using unsupported methods like PATCH will be immediately rejected, thus preventing the server from reaching an exception state.
References:
* OWASP's guidance on error and exception handling emphasizes the importance of managing exceptions in a centralized manner and ensuring that all unexpected behavior is correctly handled within the application.
* Additional best practices for error handling in software development suggest the significance of input validation and the implementation of defensive programming techniques to prevent errors.
* The OWASP Foundation also highlights the principle that all security mechanisms should deny access until specifically granted, which supports the approach of configuring acceptable API requests.
NEW QUESTION # 29
The security team is reviewing all noncommercial software libraries used in the new product to ensure they are being used according to the legal specifications defined by the authors.
What activity of the Ship SDL phase is being performed?
- A. Penetration testing
- B. Policy compliance analysis
- C. Open-source licensing review
- D. Final security review
Answer: C
Explanation:
The activity described pertains to the review of noncommercial software libraries to ensure compliance with the legal specifications set by the authors. This is part of the open-source licensing review, which is a critical activity in the Ship phase of the Security Development Lifecycle (SDL). This review ensures that all open-source components are used in accordance with their licenses, which is essential for legal and security compliance.
References: The Ship phase of the SDL includes various activities such as policy compliance review, vulnerability scanning, penetration testing, open-source licensing review, and final security and privacy reviews. The open-source licensing review specifically addresses the legal aspects of using third-party software components.
NEW QUESTION # 30
Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?
- A. Tampering
- B. Information disclosure
- C. Spoofing
- D. Elevation of privilege
Answer: A
Explanation:
The type of threat described is Tampering. This threat occurs when an attacker intercepts and manipulates data being sent from the client to the server, such as form data being submitted to an API. The attacker may alter the data to change the intended operation, inject malicious content, or compromise the integrity of the system. Tampering attacks are a significant concern in secure software design because they can lead to unauthorized changes and potentially harmful actions within the application.
References:
* Understanding the different types of API attacks and their prevention.
* Comprehensive guide on API security and threat mitigation.
* Detailed analysis of Man-in-the-Middle (MitM) attacks and their impact on API security.
NEW QUESTION # 31
What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?
- A. Dynamic code review
- B. Manual peer review
- C. Fault injection
- D. User acceptance testing
Answer: B
Explanation:
Manual peer review refers to the systematic examination of software source code by developers other than the original author. This practice is recognized as a valuable tool for reducing software defects and improving the quality of software projects. It involves developers inspecting the code to find and fix mistakes overlooked in the initial development phase, which enhances both the overall quality of software and the developers' skills.
Peer code review is less formal and more "lightweight" than the code inspections performed in the past, and it provides benefits such as knowledge transfer, increased team awareness, and creation of alternative solutions to problems.
References:
* Expectations, Outcomes, and Challenges of Modern Code Review
* Introduction to Software Engineering/Quality/Code Review
* Software Security during Modern Code Review: The Developer's Perspective
NEW QUESTION # 32
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
- A. Software security development life cycle (SSDL) touchpoints
- B. Governance
- C. Intelligence
- D. Deployment
Answer: C
Explanation:
The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization's ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.
References: The references used to verify this answer include the official BSIMM documentation and related resources that describe the various domains and their activities within the BSIMM framework.
NEW QUESTION # 33
Which step in the change management process includes modifying the source code?
- A. Policy compliance analysis
- B. Installation management
- C. Privacy implementation assessment
- D. Patch management
Answer: D
Explanation:
Modifying the source code is typically associated with the patch management step in the change management process. Patch management involves the acquisition, testing, and installation of code changes, which can include updates, bug fixes, or improvements to existing software. This step ensures that modifications to the software are made in a controlled and systematic manner, maintaining the integrity and security of the software throughout the change.
References: The information provided aligns with industry-standard practices for change management in software engineering.
NEW QUESTION # 34
Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?
- A. Session management
- B. General coding practices
- C. System configuration
- D. Input validation
Answer: D
Explanation:
The secure coding best practice that emphasizes treating all incoming data as untrusted and subjecting it to validation is known as input validation. This practice is crucial for ensuring that a system only processes valid, clean data, thereby preventing many types of vulnerabilities, such as SQL injection, cross-site scripting (XSS), and buffer overflows, which can arise from maliciously crafted inputs.
* Input validation involves verifying that the data meets certain criteria before it is processed by the system. This includes checking for the correct data type, length, format, and range. It also involves sanitizing the data to ensure that it does not contain any potentially harmful elements that could lead to security breaches.
* A centralized input validation routine is recommended for the entire application, which helps in maintaining consistency and effectiveness in the validation process. This routine should be implemented on a trusted system, typically server-side, to prevent tampering or bypassing of the validation logic.
* It's important to classify all data sources into trusted and untrusted categories and to apply rigorous validation to all data from untrusted sources, such as user input, databases, file streams, and network interfaces.
By adhering to the input validation best practice, developers can significantly reduce the attack surface of their applications and protect against a wide array of common security threats.
References: The verified answer is supported by the Secure Coding Practices outlined by the OWASP Foundation and other reputable sources such as Coding Dojo and CERT Secure Coding.
NEW QUESTION # 35
Which type of manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value's outputs?
- A. Data flow analysis
- B. Risk analysis
- C. Control flow analysis
- D. Threat analysis
Answer: A
Explanation:
Data flow analysis is a manual code review technique where the reviewer traces the path of data from its entry point in the software (input control) through its processing and manipulation within the application, to its exit points (outputs). This technique is used to ensure that the data is handled securely throughout its lifecycle within the application and to identify any potential security vulnerabilities that may arise from improper data handling or processing.
NEW QUESTION # 36
Which SDL security goal is defined as ensuring timely and reliable access to and use of information?
- A. Information security
- B. Availability
- C. Confidentiality
- D. Integrity
Answer: B
Explanation:
The term 'availability' in the context of Secure Software Development Lifecycle (SDL) refers to ensuring that systems, applications, and data are accessible to authorized users when needed. This means that the information must be timely and reliable, without undue delays or interruptions. Availability is a critical aspect of security, as it ensures that the software functions correctly and efficiently, providing users with the information they need to perform their tasks.
References:
* The definition of availability as per the National Institute of Standards and Technology (NIST) Glossary.
* The Microsoft Security Development Lifecycle (SDL), which emphasizes the importance of availability in secure software design.
* General principles of Secure Software Development Life Cycle (SSDLC) that include availability as a key security goal.
NEW QUESTION # 37
The organization has contracted with an outside firm to simulate an attack on the new software product and report findings and remediation recommendations.
Which activity of the Ship SDL phase is being performed?
- A. Policy compliance analysis
- B. Open-source licensing review
- C. Final security review
- D. Penetration testing
Answer: D
Explanation:
Penetration testing is an activity where a simulated attack is performed on a software product to identify vulnerabilities that could be exploited by attackers. It is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely trying to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and risky end-user behavior. In the context of the Ship phase of the Security Development Lifecycle (SDL), penetration testing is conducted as a final check to uncover any potential security issues that might have been missed during previous phases. This ensures that the software product is robust and secure before it is released.
References:
* The Ship phase of the SDL includes activities such as policy compliance review, vulnerability scanning, penetration testing, open-source licensing review, and final security and privacy reviews.
* Penetration testing is a critical component of the Ship phase, as it helps to identify and fix security vulnerabilities before the software is deployed.
NEW QUESTION # 38
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
- A. Dynamic testing
- B. Reasonableness testing
- C. White box testing
- D. Black box testing
Answer: C
Explanation:
White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.
References:
* Control Structure Testing - GeeksforGeeks
* What is White Box Testing? - BrowserStack
* Software Testing Strategies Chapter 18 - IIT
NEW QUESTION # 39
Which secure coding best practice says to use well-vetted algorithms to ensure that the application uses random identifiers, that identifiers are appropriately restricted to the application, and that user processes are fully terminated on logout?
- A. Input Validation
- B. Access Control
- C. Session Management
- D. Output Encoding
Answer: C
NEW QUESTION # 40
While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not log out of the application. A different QA analyst accessed the application an hour later and was not prompted to log in. They then noticed the previous analyst was still logged into the application.
How should existing security controls be adjusted to prevent this in the future?
- A. Ensure no sensitive information is stored in plain text in cookies
- B. Ensure strong password policies are enforced
- C. Ensure role-based access control is enforced for access to all resources
- D. Ensure user sessions timeout after short intervals
Answer: D
Explanation:
The issue described involves a session management vulnerability where the user's session remains active even after the browser window is closed, allowing another user on the same machine to access the application without logging in. To prevent this security risk, it's essential to adjust the session management controls to include an automatic timeout feature. This means that after a period of inactivity, or when the browser window is closed, the session should automatically expire, requiring a new login to access the application.
This adjustment ensures that even if a user forgets to log out, their session won't remain active indefinitely, reducing the risk of unauthorized access.
References:
* Secure SDLC practices emphasize the importance of security at every stage of the software development life cycle, including the implementation of proper session management controls.
* Best practices for access control in security highlight the significance of managing session timeouts to prevent unauthorized access.
* Industry standards and guidelines often recommend session timeouts as a critical security control to protect against unauthorized access.
NEW QUESTION # 41
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally facing enterprise applications via automated and manual system interactions. Which security testing technique is being used?
- A. Property-based testing
- B. Source-code analysis
- C. Source-code fault injection
- D. Penetration testing
Answer: D
Explanation:
The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.
References: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature.
NEW QUESTION # 42
The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.
Which BSIMM domain is being assessed?
- A. Software security development life cycle (SSDL) touchpoints
- B. Governance
- C. Intelligence
- D. Deployment
Answer: C
Explanation:
The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization's ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.
References: The references used to verify this answer include the official BSIMM documentation and related resources that describe the various domains and their activities within the BSIMM framework.
NEW QUESTION # 43
The security testing team received a report from one of the contracted penetration testing vendors that details a flaw discovered in the login component of the new software product, along with a recommended fix.
Which phase of the penetration testing process is the team in?
- A. Assess
- B. Deploy
- C. Identify
- D. Evaluate and plan
Answer: A
Explanation:
The team is in the Assess phase of penetration testing. This phase involves actively testing the software, identifying vulnerabilities, and documenting findings with recommendations. Receiving a report detailing a discovered flaw confirms that testing has been conducted and results are being evaluated. The Identify (A) phase involves defining scope and targets, Evaluate and Plan (B) covers planning test activities, and Deploy (C) refers to executing the test environment setup. The OWASP Penetration Testing Guide and NIST SP 800-115 clarify that assessment includes vulnerability discovery and documentation.
References:
* OWASP Penetration Testing Guide
* NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
* Microsoft SDL Security Testing Guidance
NEW QUESTION # 44