Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. WGU
  3. Secure-Software-Design

WGU Secure-Software-Design Exam (page: 3)
WGU Secure Software Design (D487, KEO1)
Updated on: 07-Feb-2026

Viewing Page 3 of 16
Secure-Software-Design PDF 118 Questions

A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents.
Which secure coding practice is this describing?

  1. Access control
  2. Data protection
  3. Input validation
  4. Authentication

Answer(s): A

Explanation:

The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.


Reference:

ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud1. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)2. ISO/IEC 29151:2017, Code of practice for personally identifiable information protection3.



Which secure coding practice involves clearing all local storage as soon as a user logs of for the night and will automatically log a user out after an hour of inactivity?

  1. Access control
  2. System configuration
  3. Communication security
  4. Session management

Answer(s): D

Explanation:

The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.


Reference:

The information aligns with the secure coding practices outlined by the OWASP Foundation1, and is supported by common practices in web development for managing sessions and local storage2.



Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?

  1. Dynamic
  2. Black box
  3. Static
  4. White box

Answer(s): B

Explanation:

The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior. Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements. This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.
Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.


Reference:

The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest1 and other industry best practices.



Which DKEAD category has a risk rating based on the threat exploit's potential level of harm?

  1. Damage potential
  2. Reproducibility
  3. Affected users
  4. Exploitability

Answer(s): A

Explanation:

The DKEAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.


Reference:

DREAD Threat Modeling1
OWASP Risk Rating Methodology2
DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis3



What is a countermeasure to the web application security frame (ASF) authentication threat category?

  1. Role-based access controls restrict access
  2. Credentials and tokens are encrypted.
  3. Cookies have expiration timestamps.
  4. Sensitive information is scrubbed from error messages

Answer(s): A

Explanation:

ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls. Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.

Let's analyze the other options:
B . Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.
C . Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats. D . Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.


Reference:

NIST Special Publication 800-53 Revision 4, Access Control (AC) Family:
(https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final) Details the importance of RBAC as a cornerstone of access control.
The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en) Outlines the ASF categories, with authentication being one of the primary areas.



Which mitigation technique is used to fight against an identity spoofing threat?

  1. Require user authorization
  2. Filtering
  3. Audit trails
  4. Encryption

Answer(s): A

Explanation:

To combat identity spoofing threats, a mitigation technique that is often used is requiring user authorization. This involves implementing strong authentication methods to verify the identity of users before granting access to sensitive information or systems. Techniques such as two-factor authentication (2FA) or multi-factor authentication (MFA) are effective in reducing the risk of unauthorized access, as they require users to provide multiple pieces of evidence to confirm their identity, making it much harder for attackers to spoof an identity successfully.


Reference:

Best practices for preventing spoofing attacks, including the use of antivirus and firewall tools, and the importance of strong authentication methods like 2FA and MFA1. The National Security Agency's guidance on identity theft threats and mitigations, emphasizing the need for personal protection and strong authentication measures2. Discussion on the effectiveness of strong authentication methods in protecting against spoofing attacks3.
The role of comprehensive identity verification and authentication strategies in preventing AI- enhanced identity fraud4.



Which mitigation technique can be used to light against a threat where a user may gain access to administrator level functionality?

  1. Encryption
  2. Quality of service
  3. Hashes
  4. Run with least privilege

Answer(s): D

Explanation:

The principle of running with the least privilege is a fundamental security concept that involves granting users only the permissions they need to perform their tasks and no more. This minimizes the risk of a user gaining access to administrator-level functionality that they are not authorized to use. By limiting the privileges of user accounts to the bare minimum necessary, the potential damage from various attacks, such as privilege escalation, is significantly reduced.


Reference:

The concept of least privilege is widely recognized as a critical security measure. Resources like Exabeam's article on preventing privilege escalation and TechTarget's guide on privilege escalation attacks provide insights into how enforcing least privilege can mitigate such threats12. These sources verify that running with the least privilege is an effective mitigation technique against the threat of unauthorized access to elevated privileges.



What is the privacy impact rating of an application that stores personally identifiable information, monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user?

  1. P1 high privacy risk
  2. P2 moderate privacy risk
  3. P3 low privacy risk
  4. P4 no privacy risk

Answer(s): A

Explanation:

The privacy impact rating for an application that stores personally identifiable information (PII), monitors users with ongoing transfers of anonymous data, and changes settings without notifying the user would be P1 high privacy risk. Storing PII already poses a significant risk due to the potential for data breaches and misuse. Monitoring users and transferring data, even if anonymous, increases the risk as it involves ongoing data collection. Changing settings without user notification is a serious privacy concern because it can lead to unauthorized data processing or sharing, further elevating the risk level.


Reference:

Practical Data Security and Privacy for GDPR and CCPA - ISACA1. Privacy risk assessment and privacy-preserving data monitoring2. How To Effectively Monitor Your Privacy Program: A New Series3.



Viewing Page 3 of 16



Share your comments for WGU Secure-Software-Design exam with other users:

P Simon 8/25/2023 2:39:00 AM

please could you upload (isc)2 certified in cybersecurity (cc) exam questions
SOUTH AFRICA


Karim 10/8/2023 8:34:00 PM

good questions, wrong answers
Anonymous


Itumeleng 1/6/2024 12:53:00 PM

im preparing for exams
Anonymous


MS 1/19/2024 2:56:00 PM

question no: 42 isnt azure vm an iaas solution? so, shouldnt the answer be "no"?
Anonymous


keylly 11/28/2023 10:10:00 AM

im study azure
Anonymous


dorcas 9/22/2023 8:08:00 AM

i need this now
Anonymous


treyf 11/9/2023 5:13:00 AM

i took the aws saa-c03 test and scored 935/1000. it has all the exam dumps and important info.
UNITED STATES


anonymous 1/11/2024 4:50:00 AM

good questions
Anonymous


Anjum 9/23/2023 6:22:00 PM

well explained
Anonymous


Thakor 6/7/2023 11:52:00 PM

i got the full version and it helped me pass the exam. pdf version is very good.
INDIA


sartaj 7/18/2023 11:36:00 AM

provide the download link, please
INDIA


loso 7/25/2023 5:18:00 AM

please upload thank.
THAILAND


Paul 6/23/2023 7:12:00 AM

please can you share 1z0-1055-22 dump pls
UNITED STATES


exampei 10/7/2023 8:14:00 AM

i will wait impatiently. thank youu
Anonymous


Prince 10/31/2023 9:09:00 PM

is it possible to clear the exam if we focus on only these 156 questions instead of 623 questions? kindly help!
Anonymous


Ali Azam 12/7/2023 1:51:00 AM

really helped with preparation of my scrum exam
Anonymous


Jerman 9/29/2023 8:46:00 AM

very informative and through explanations
Anonymous


Jimmy 11/4/2023 12:11:00 PM

prep for exam
INDONESIA


Abhi 9/19/2023 1:22:00 PM

thanks for helping us
Anonymous


mrtom33 11/20/2023 4:51:00 AM

i prepared for the eccouncil 350-401 exam. i scored 92% on the test.
Anonymous


JUAN 6/28/2023 2:12:00 AM

aba questions to practice
UNITED STATES


LK 1/2/2024 11:56:00 AM

great content
Anonymous


Srijeeta 10/8/2023 6:24:00 AM

how do i get the remaining questions?
INDIA


Jovanne 7/26/2022 11:42:00 PM

well formatted pdf and the test engine software is free. well worth the money i sept.
ITALY


CHINIMILLI SATISH 8/29/2023 6:22:00 AM

looking for 1z0-116
Anonymous


Pedro Afonso 1/15/2024 8:01:00 AM

in question 22, shouldnt be in the data (option a) layer?
Anonymous


Pushkar 11/7/2022 12:12:00 AM

the questions are incredibly close to real exam. you people are amazing.
INDIA


Ankit S 11/13/2023 3:58:00 AM

q15. answer is b. simple
UNITED STATES


S. R 12/8/2023 9:41:00 AM

great practice
FRANCE


Mungara 3/14/2023 12:10:00 AM

thanks to this exam dumps, i felt confident and passed my exam with ease.
UNITED STATES


Anonymous 7/25/2023 2:55:00 AM

need 1z0-1105-22 exam
Anonymous


Nigora 5/31/2022 10:05:00 PM

this is a beautiful tool. passed after a week of studying.
UNITED STATES


Av dey 8/16/2023 2:35:00 PM

can you please upload the dumps for 1z0-1096-23 for oracle
INDIA


Mayur Shermale 11/23/2023 12:22:00 AM

its intresting, i would like to learn more abouth this
JAPAN