WGU Secure-Software-Design Exam
WGU Secure Software Design (D487, KEO1) (Page 5)

Updated On: 9-Feb-2026

The security team has a library of recorded presentations that are required viewing for all new developers in the organization. The video series details organizational security policies and demonstrates how to define, test for, and code for possible threats.
Which category of secure software best practices does this represent?

  A. Attack models
  B. Training
  C. Architecture analysis
  D. Code review

Answer(s): B

Explanation:

The category of secure software best practices being described is Training. This is because the focus is on educating new developers about organizational security policies and coding practices to mitigate potential threats. Training is a proactive approach to ensure that developers are aware of security concerns and are equipped with the knowledge to address them in their coding practices.


Reference:

The importance of training in secure software best practices is supported by industry resources such as SAFECode's "Fundamental Practices for Secure Software Development", which emphasizes the need for application security control definition and management, and NIST's Secure Software Development Framework (SSDF), which recommends integrating secure development practices throughout the software development lifecycle. Additional support for this category can be found in resources detailing effective secure development practices.



A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents.
Which secure coding practice is this describing?

  A. Access control
  B. Data protection
  C. Input validation
  D. Authentication

Answer(s): A

Explanation:

The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.


Reference:

ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). ISO/IEC 29151:2017, Code of practice for personally identifiable information protection.



Which secure coding practice involves clearing all local storage as soon as a user logs off for the night and automatically logging a user out after an hour of inactivity?

  A. Access control
  B. System configuration
  C. Communication security
  D. Session management

Answer(s): D

Explanation:

The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.


Reference:

The information aligns with the secure coding practices outlined by the OWASP Foundation and is supported by common practices in web development for managing sessions and local storage.



Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?

  A. Dynamic
  B. Black box
  C. Static
  D. White box

Answer(s): B

Explanation:

The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior. Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements. This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.
Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.


Reference:

The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest and other industry best practices.



Which DREAD category has a risk rating based on the threat exploit's potential level of harm?

  A. Damage potential
  B. Reproducibility
  C. Affected users
  D. Exploitability

Answer(s): A

Explanation:

The DREAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.


Reference:

DREAD Threat Modeling
OWASP Risk Rating Methodology
DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis





