Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. WGU
  3. Secure-Software-Design

WGU Secure-Software-Design Exam (page: 3)
WGU Secure Software Design (D487, KEO1)
Updated on: 24-Mar-2026

Viewing Page 3 of 16
Secure-Software-Design PDF 118 Questions

A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents.
Which secure coding practice is this describing?

  1. Access control
  2. Data protection
  3. Input validation
  4. Authentication

Answer(s): A

Explanation:

The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.


Reference:

ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud1. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)2. ISO/IEC 29151:2017, Code of practice for personally identifiable information protection3.



Which secure coding practice involves clearing all local storage as soon as a user logs of for the night and will automatically log a user out after an hour of inactivity?

  1. Access control
  2. System configuration
  3. Communication security
  4. Session management

Answer(s): D

Explanation:

The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.


Reference:

The information aligns with the secure coding practices outlined by the OWASP Foundation1, and is supported by common practices in web development for managing sessions and local storage2.



Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?

  1. Dynamic
  2. Black box
  3. Static
  4. White box

Answer(s): B

Explanation:

The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior. Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements. This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.
Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.


Reference:

The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest1 and other industry best practices.



Which DKEAD category has a risk rating based on the threat exploit's potential level of harm?

  1. Damage potential
  2. Reproducibility
  3. Affected users
  4. Exploitability

Answer(s): A

Explanation:

The DKEAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.


Reference:

DREAD Threat Modeling1
OWASP Risk Rating Methodology2
DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis3



What is a countermeasure to the web application security frame (ASF) authentication threat category?

  1. Role-based access controls restrict access
  2. Credentials and tokens are encrypted.
  3. Cookies have expiration timestamps.
  4. Sensitive information is scrubbed from error messages

Answer(s): A

Explanation:

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls. Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:
B . Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.
C . Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats. D . Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.


Reference:

NIST Special Publication 800-53 Revision 4, Access Control (AC) Family:
(https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final) Details the importance of RBAC as a cornerstone of access control.
The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en) Outlines the ASF categories, with authentication being one of the primary areas.



Which mitigation technique is used to fight against an identity spoofing threat?

  1. Require user authorization
  2. Filtering
  3. Audit trails
  4. Encryption

Answer(s): A

Explanation:

To combat identity spoofing threats, a mitigation technique that is often used is requiring user authorization. This involves implementing strong authentication methods to verify the identity of users before granting access to sensitive information or systems. Techniques such as two-factor authentication (2FA) or multi-factor authentication (MFA) are effective in reducing the risk of unauthorized access, as they require users to provide multiple pieces of evidence to confirm their identity, making it much harder for attackers to spoof an identity successfully.


Reference:

Best practices for preventing spoofing attacks, including the use of antivirus and firewall tools, and the importance of strong authentication methods like 2FA and MFA1. The National Security Agency's guidance on identity theft threats and mitigations, emphasizing the need for personal protection and strong authentication measures2. Discussion on the effectiveness of strong authentication methods in protecting against spoofing attacks3.
The role of comprehensive identity verification and authentication strategies in preventing AI- enhanced identity fraud4.



Which mitigation technique can be used to light against a threat where a user may gain access to administrator level functionality?

  1. Encryption
  2. Quality of service
  3. Hashes
  4. Run with least privilege

Answer(s): D

Explanation:

The principle of running with the least privilege is a fundamental security concept that involves granting users only the permissions they need to perform their tasks and no more. This minimizes the risk of a user gaining access to administrator-level functionality that they are not authorized to use. By limiting the privileges of user accounts to the bare minimum necessary, the potential damage from various attacks, such as privilege escalation, is significantly reduced.


Reference:

The concept of least privilege is widely recognized as a critical security measure. Resources like Exabeam's article on preventing privilege escalation and TechTarget's guide on privilege escalation attacks provide insights into how enforcing least privilege can mitigate such threats12. These sources verify that running with the least privilege is an effective mitigation technique against the threat of unauthorized access to elevated privileges.



What is the privacy impact rating of an application that stores personally identifiable information, monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user?

  1. P1 high privacy risk
  2. P2 moderate privacy risk
  3. P3 low privacy risk
  4. P4 no privacy risk

Answer(s): A

Explanation:

The privacy impact rating for an application that stores personally identifiable information (PII), monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user would be P1 high privacy risk. Storing PII already poses a significant risk due to the potential for data breaches and misuse. Monitoring users and transferring data, even if anonymous, increases the risk as it involves ongoing data collection. Changing settings without user notification is a serious privacy concern because it can lead to unauthorized data processing or sharing, further elevating the risk level.


Reference:

Practical Data Security and Privacy for GDPR and CCPA - ISACA1. Privacy risk assessment and privacy-preserving data monitoring2. How To Effectively Monitor Your Privacy Program: A New Series3.



Viewing Page 3 of 16



Share your comments for WGU Secure-Software-Design exam with other users:

Malviya 2/3/2023 9:10:00 AM

the questions in this exam dumps is valid. i passed my test last monday. i only whish they had their pricing in inr instead of usd. but it is still worth it.
INDIA


rsmyth 5/18/2023 12:44:00 PM

q40 the answer is not d, why are you giving incorrect answers? snapshot consolidation is used to merge the snapshot delta disk files to the vm base disk
IRELAND


Keny 6/23/2023 9:00:00 PM

thanks, very relevant
PERU


Muhammad Rawish Siddiqui 11/29/2023 12:14:00 PM

wrong answer. it is true not false.
SAUDI ARABIA


Josh 7/10/2023 1:54:00 PM

please i need the mo-100 questions
Anonymous


VINNY 6/2/2023 11:59:00 AM

very good use full
Anonymous


Andy 12/6/2023 5:56:00 AM

very valid questions
Anonymous


Mamo 8/12/2023 7:46:00 AM

will these question help me to clear pl-300 exam?
UNITED STATES


Marial Manyang 7/26/2023 10:13:00 AM

please provide me with these dumps questions. thanks
Anonymous


Amel Mhamdi 12/16/2022 10:10:00 AM

in the pdf downloaded is write google cloud database engineer i think that it isnt the correct exam
FRANCE


Angel 8/30/2023 10:58:00 PM

i think you have the answers wrong regarding question: "what are three core principles of web content accessibility guidelines (wcag)? answer: robust, operable, understandable
UNITED STATES


SH 5/16/2023 1:43:00 PM

these questions are not valid , they dont come for the exam now
UNITED STATES


sudhagar 9/6/2023 3:02:00 PM

question looks valid
UNITED STATES


Van 11/24/2023 4:02:00 AM

good for practice
Anonymous


Divya 8/2/2023 6:54:00 AM

need more q&a to go ahead
Anonymous


Rakesh 10/6/2023 3:06:00 AM

question 59 - a newly-created role is not assigned to any user, nor granted to any other role. answer is b https://docs.snowflake.com/en/user-guide/security-access-control-overview
Anonymous


Nik 11/10/2023 4:57:00 AM

just passed my exam today. i saw all of these questions in my text today. so i can confirm this is a valid dump.
HONG KONG


Deep 6/12/2023 7:22:00 AM

needed dumps
INDIA


tumz 1/16/2024 10:30:00 AM

very helpful
UNITED STATES


NRI 8/27/2023 10:05:00 AM

will post once the exam is finished
UNITED STATES


kent 11/3/2023 10:45:00 AM

relevant questions
Anonymous


Qasim 6/11/2022 9:43:00 AM

just clear exam on 10/06/2202 dumps is valid all questions are came same in dumps only 2 new questions total 46 questions 1 case study with 5 question no lab/simulation in my exam please check the answers best of luck
Anonymous


Cath 10/10/2023 10:09:00 AM

q.112 - correct answer is c - the event registry is a module that provides event definitions. answer a - not correct as it is the definition of event log
VIET NAM


Shiji 10/15/2023 1:31:00 PM

good and useful.
INDIA


Ade 6/25/2023 1:14:00 PM

good questions
Anonymous


Praveen P 11/8/2023 5:18:00 AM

good content
UNITED STATES


Anastasiia 12/28/2023 9:06:00 AM

totally not correct answers. 21. you have one gcp account running in your default region and zone and another account running in a non-default region and zone. you want to start a new compute engine instance in these two google cloud platform accounts using the command line interface. what should you do? correct: create two configurations using gcloud config configurations create [name]. run gcloud config configurations activate [name] to switch between accounts when running the commands to start the compute engine instances.
Anonymous


Priyanka 7/24/2023 2:26:00 AM

kindly upload the dumps
Anonymous


Nabeel 7/25/2023 4:11:00 PM

still learning
Anonymous


gure 7/26/2023 5:10:00 PM

excellent way to learn
UNITED STATES


ciken 8/24/2023 2:55:00 PM

help so much
Anonymous


Biswa 11/20/2023 9:28:00 AM

understand sql col.
Anonymous


Saint Pierre 10/24/2023 6:21:00 AM

i would give 5 stars to this website as i studied for az-800 exam from here. it has all the relevant material available for preparation. i got 890/1000 on the test.
Anonymous


Rose 7/24/2023 2:16:00 PM

this is nice.
Anonymous