WGU Secure Software Design (D487) Exam Version: Demo [ Total Questions: 10] Web: www.dumpscafe.com Email: support@dumpscafe.com WGU Secure-Software-Design IMPORTANT NOTICE Feedback We have developed quality product and state-of-art service to ensure our customers interest. If you have any suggestions, please feel free to contact us at feedback@dumpscafe.com Support If you have any questions about our product, please provide the following items: exam code screenshot of the question login id/email please contact us at and our technical experts will provide support within 24 hours. support@dumpscafe.com Copyright The product of each order has its own encryption code, so you should use it independently. Any unauthorized changes will inflict legal punishment. We reserve the right of final explanation for this statement. WGU - Secure-Software-Design Pass Exam 1 of 6 Verified Solution - 100% Result A. B. C. D. A. B. C. D. A. B. C. D. Question #:1 Which architecture deliverable identifies the organization's tolerance to security issues and how the organization plans to react if a security issue occurs? Threat Modeling Artifacts Risk Mitigation Plan Business Requirements Policy Compliance Analysis Answer: B Question #:2 A software security team recently completed an internal assessment of the company's security assurance program. The team delivered a set of scorecards to leadership along with proposed changes designed to improve low-scoring governance, development, and deployment functions. Which software security maturity model did the team use? Building Security In Maturity Model (BSIMM) Open Web Application Security Project (OWASP) Open Software Assurance Maturity Model (SAMM) U.S. Department of Homeland Security Software Assurance Program International Organization for Standardization ISO/IEC 27034 Answer: A Question #:3 Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized? Input validation System configuration Authentication and password management Error handling and logging Answer: D WGU - Secure-Software-Design Pass Exam 2 of 6 Verified Solution - 100% Result A. B. C. D. Explanation Comprehensive and Detailed In-Depth Explanation: Preventing the disclosure of sensitive information in application responses is primarily addressed by implementing proper practices. Error Handling and Logging When errors occur, applications may inadvertently reveal sensitive data through detailed error messages. To mitigate this risk, error handling mechanisms should be designed to provide generic error messages to end- users, while detailed error information is logged securely for internal review. This approach ensures that sensitive information, such as system configurations, stack traces, or personal data, is not exposed to unauthorized users. The OWASP Secure Coding Practices emphasize the importance of error handling and logging to prevent information leakage: "Ensure that error messages displayed to users do not reveal sensitive information that can be exploited by attackers." References: OWASP Secure Coding Practices - Quick Reference Guide Question #:4 Which type of security analysis is performed using automated software tools while an application is running and is most commonly executed during the testing phase of the SDLC? Dynamic analysis Manual code review Static analysis Fuzz testing Answer: A Explanation Dynamic analysis is a security testing method that involves analyzing the behavior of software while it is running or in execution. It is most commonly executed during the testing phase of the Software Development Life Cycle (SDLC). This type of analysis is used to detect issues that might not be visible in the code’s static state, such as runtime errors and memory leaks. Automated tools are employed to perform dynamic analysis, which can simulate attacks on the application and identify vulnerabilities that could be exploited by malicious actors. References: The information provided here is verified by multiple sources that discuss security automation in the SDLC and the role of dynamic analysis during the testing phase123. WGU - Secure-Software-Design Pass Exam 3 of 6 Verified Solution - 100% Result A. B. C. D. A. B. C. Question #:5 The software security team prepared a detailed schedule napping security development lifecycle phases to the type of analysis they will execute. Which design and development deliverable aid the team prepare? Design security review Updated threat modeling artifacts Privacy implementation assessment results Security test plans Answer: D Explanation The deliverable that would aid a software security team in preparing a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute is . These plans are Security test plans crucial as they outline the testing strategies and specific security tests that will be conducted during the development lifecycle to ensure the software meets the required security standards. Security test plans are developed after the requirements and design phases and are used throughout the implementation, verification, and release phases. They include detailed instructions for security testing, criteria for success, and the types of security testing to be performed, such as static and dynamic analysis, penetration testing, and code review. These plans are living documents that should be updated as new threats are identified and as the project evolves. They ensure that all team members understand the security goals, the risks, and the measures that need to be taken to mitigate those risks. By having a well-defined security test plan, the team can ensure that security is not an afterthought but is integrated into every phase of the software development lifecycle, thus producing more secure software. References : The importance of security test plans in the software development lifecycle is supported by best practices and guidelines from sources such as Microsoft’s Security Development Lifecycle1 and Snyk’s Secure Software Development Life Cycle principles2. Question #:6 Which security assessment deliverable identities possible security vulnerabilities in the product? SDL project outline Metrics template Threat profile WGU - Secure-Software-Design Pass Exam 4 of 6 Verified Solution - 100% Result D. A. B. C. D. List of third-party software Answer: C Explanation A threat profile is a security assessment deliverable that identifies possible security vulnerabilities in a product. It involves a systematic examination of the product to uncover any weaknesses that could potentially be exploited by threats. The process typically includes identifying the assets that need protection, assessing the threats to those assets, and evaluating the vulnerabilities that could be exploited by those threats. This deliverable is crucial for understanding the security posture of a product and for prioritizing remediation efforts. References: The importance of a threat profile in identifying security vulnerabilities is supported by various security resources. For instance, Future Processing’s blog on vulnerability assessments outlines the steps involved in identifying security vulnerabilities, which align with the creation of a threat profile1. Additionally, UpGuard’s article on conducting vulnerability assessments further emphasizes the role of identifying vulnerabilities as part of the security assessment process2. Question #:7 A company is moving forward with a new product. Product scope has been determined, teams have formed, and backlogs have been created. Developers are actively writing code for the new product, with one team concentrating on delivering data via REST services, one Team working on the mobile apps, and a third team writing the web application. Which phase of the software development lifecycle (SDLC) is being described? Deployment Design Implementation Requirements Answer: C Explanation The phase being described is the phase of the SDLC. During this phase, the actual Implementation development starts, and the product begins to be built. The teams are actively writing code, which is a key activity of the Implementation phase. This phase involves translating the design and specifications into executable code, developing the software’s features, and then integrating the various components into a full- fledged system. References : The Software Development Life Cycle (SDLC): 7 Phases and 5 Models1. WGU - Secure-Software-Design Pass Exam 5 of 6 Verified Solution - 100% Result A. B. C. D. A. B. C. D. What Is the Software Development Life Cycle? SDLC Explained2. SDLC: 6 Main Stages of the Software Product Development Lifecycle3. Software Development Life Cycle (SDLC) Phases & Models4. Question #:8 Which type of manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value's outputs? Risk analysis Control flow analysis Data flow analysis Threat analysis Answer: C Explanation Data flow analysis is a manual code review technique where the reviewer traces the path of data from its entry point in the software (input control) through its processing and manipulation within the application, to its exit points (outputs). This technique is used to ensure that the data is handled securely throughout its lifecycle within the application and to identify any potential security vulnerabilities that may arise from improper data handling or processing12 Question #:9 A recent security review has identified an aging credential recovery/forgotten password component that emails temporary passwords to users who claim to have forgotten their application password. How should the organization remediate this vulnerability? Lock a User Account After Multiple Failed Authentication Attempts Ensure All Authorization Requests Are Logged Implement Multifactor Authentication Implement Role-Based Authorization Answer: C Question #:10 WGU - Secure-Software-Design Pass Exam 6 of 6 Verified Solution - 100% Result A. B. C. D. Which threat modeling methodology involves creating or using collections of similar threats? Data Flow Diagrams Attack Libraries Attack Trees Security Profile Answer: B About dumpscafe.com dumpscafe.com was founded in 2007. We provide latest & high quality IT / Business Certification Training Exam Questions, Study Guides, Practice Tests. We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on. View list of all certification exams: All vendors We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed below. Sales: sales@dumpscafe.com Feedback: feedback@dumpscafe.com Support: support@dumpscafe.com Any problems about IT certification or our products, You can write us back and we will get back to you within 24 hours.