Get 2026 Most Reliable WGU Secure-Software-Design Training Materials [Q37-Q60]

Get 2026 Most Reliable WGU Secure-Software-Design Training Materials

The Realest Study Materials Secure-Software-Design Dumps

WGU Secure-Software-Design Exam Syllabus Topics:

Topic	Details
Topic 1	Design Pattern Selection and Implementation: This section of the exam measures skills of Software Developers and Software Architects and covers the selection and implementation of appropriate design patterns. Learners examine common design patterns and their applications in software development. The material focuses on understanding when and how to apply specific patterns to solve recurring design problems and improve code organization.
Topic 2	Large Scale Software System Design: This section of the exam measures skills of Software Architects and covers the design and analysis of large scale software systems. Learners investigate methods for planning complex software architectures that can scale and adapt to changing requirements. The content addresses techniques for creating system designs that accommodate growth and handle increased workload demands.
Topic 3	Software Architecture Types: This section of the exam measures skills of Software Architects and covers various architecture types used in large scale software systems. Learners explore different architectural models and frameworks that guide system design decisions. The content addresses how to identify and evaluate architectural patterns that best fit specific project requirements and organizational needs.

 

NEW QUESTION # 37
Using a web-based common vulnerabilityscoringsystem (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's claims intake component.The base score of the vulnerability was 3.5 and changed to 5.9 after adjusting temporal andenvironmental metrics.
Which rating would CVSS assign this vulnerability?

• A. Medium severity
• B. High severity
• C. Critical severity
• D. Low severity

Answer: B

Explanation:
The Common Vulnerability Scoring System (CVSS) uses the following ranges to determine the severity rating of a vulnerability:
* 0.1 - 3.9: Low severity
* 4.0 - 6.9: Medium severity
* 7.0 - 8.9: High severity
* 9.0 - 10.0: Critical severity
Since the adjusted score for the vulnerability is 5.9, it falls within theHigh severityrange.
References:
* CVSS v3.1 Specification Document - FIRST: https://www.first.org/cvss/specification-document
* National Vulnerability Database (NVD) - NIST: https://nvd.nist.gov/vuln-metrics/cvss

NEW QUESTION # 38
The scrum team decided that before any change can be merged and tested, it must be looked at by the learns lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?

• A. Architecture analysis
• B. Code review
• C. Training
• D. Penetration testing

Answer: B

Explanation:
The practice described is Code review, which is a part of secure software development best practices. Code reviews are conducted to ensure that the code adheres to accepted coding patterns and meets the team's quality standards. This process involves the examination of source code by a person or a group other than the author to identify bugs, security vulnerabilities, and ensure compliance with coding standards.
References:
* Fundamental Practices for Secure Software Development - SAFECode1.
* Secure Software Development Framework | CSRC2.
* Secure Software Development Best Practices - Hyperproof3.

NEW QUESTION # 39
Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?

• A. Error Handling and Logging
• B. System Configuration
• C. Input Validation
• D. Authentication and Password Management

Answer: A

NEW QUESTION # 40
Which design and development deliverable contains the types of evaluations that were performed, how many times they were performed, and how many times they were re-evaluated?

• A. Security testing reports
• B. Security test execution report
• C. Privacy compliance report
• D. Remediation report

Answer: A

Explanation:
Security testing reports are the most likely deliverables to contain detailed records of evaluations, their frequency, and re-evaluations. Here's why:
* Purpose of Security Testing Reports: These reports document the results of security testing, including:
* Types of tests: Vulnerability scans, penetration tests, code reviews, etc.
* Frequency: How often tests were conducted (e.g., per build, per release cycle).
* Re-evaluations: If vulnerabilities were discovered, these reports will track whether and how often those were retested after remediation.
* Focus on Testing: The question specifically emphasizes evaluations, which aligns with the core content of security testing reports.

NEW QUESTION # 41
Company leadership has contracted with a security firm to evaluate the vulnerability of all externally lacing enterprise applications via automated and manual system interactions. Which security testing technique is being used?

• A. Properly-based-testing
• B. Source-code fault injection
• C. Penetration testing
• D. Source-code analysis

Answer: C

Explanation:
The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.
: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature1.

NEW QUESTION # 42
Which type of security analysis is performed using automated software tools while an application is running and is most commonly executed during the testing phase of the SDLC?

• A. Fuzz testing
• B. Manual code review
• C. Dynamic analysis
• D. Static analysis

Answer: C

Explanation:
Dynamic analysis is a security testing method that involves analyzing the behavior of software while it is running or in execution. It is most commonly executed during the testing phase of the Software Development Life Cycle (SDLC). This type of analysis is used to detect issues that might not be visible in the code's static state, such as runtime errors and memory leaks. Automated tools are employed to perform dynamic analysis, which can simulate attacks on the application and identify vulnerabilities that could be exploited by malicious actors.
References: The information provided here is verified by multiple sources that discuss security automation in the SDLC and the role of dynamic analysis during the testing phase123.

NEW QUESTION # 43
During fuzz testing of the new product, random values were entered into input elements Searchrequests were sent to the correct API endpoint but many of them failed on execution due to type mismatches.
How should existing security controls be adjusted to prevent this in the future?

• A. Ensure all user input data is validated prior to transmitting requests
• B. Ensure the contents of authentication cookies are encrypted
• C. Ensure sensitive transactions can be traced through an audit log
• D. Ensure all requests and responses are encrypted

Answer: A

Explanation:
Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data is entering the workflow of the application, thereby preventing many types of attacks, including type mismatches as mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.
References:
* Secure SDLC practices emphasize the importance of integrating security activities, such as creating security and functional requirements, code reviews, security testing, architectural analysis, and risk assessment, into the existing development workflow1.
* A Secure Software Development Life Cycle (SSDLC) ensures that security is considered at every phase of the development process, from planning and design to coding, testing, deploying, and maintaining the software2.

NEW QUESTION # 44
An individual is developing a software application that has a back-end database and is concerned that a malicious user may run the following SOL query to pull information about all accounts from the database:

Which technique should be used to detect this vulnerability without running the source codes?

• A. Static analysis
• B. Fuzz testing
• C. Dynamic analysis
• D. Cross-site scripting

Answer: A

Explanation:
Static analysis is a method used to detect vulnerabilities in software without executing the code. It involves examining the codebase for patterns that are indicative of security issues, such as SQL injection vulnerabilities. This technique can identify potential threats and weaknesses by analyzing the code's structure, syntax, and data flow.
References:
* Static analysis as a means to identify security vulnerabilities1.
* The importance of static analysis in the early stages of the SDLC to prevent security issues2.
* Learning-based approaches to fix SQL injection vulnerabilities using static analysis3.

NEW QUESTION # 45
Which software-testing technique can be automated or semi-automated and provides invalid, unexpected, or random data to the inputs of a computer software program?

• A. Fuzzing
• B. Bugtraq
• C. Dynamic analysis
• D. Static analysis

Answer: A

Explanation:
Fuzzing is an automated or semi-automated software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program1. This process is designed to uncover coding errors, security vulnerabilities, and other potential issues within the software by observing how it behaves under unexpected or malformed inputs. Fuzzing is particularly effective because it can expose corner cases that have not been properly dealt with and can be used to test programs that take structured inputs, such as file formats or protocols2.
References: 1: Wikipedia - Fuzzing 2: DZone - Fuzzing in Software Engineering

NEW QUESTION # 46
The software security team has been tasked with assessing a document management application that has been in use for many years and developing a plan to ensure it complies with organizational policies.
Which post-release deliverable is being described?

• A. Post-release certifications
• B. Security strategy tor M&A products
• C. Security strategy for legacy code
• D. External vulnerability disclosure response process

Answer: C

Explanation:
The task described involves assessing a document management application that has been in use for many years. This scenario typically requires a security strategy that addresses the unique challenges of legacy code.
Legacy code refers to software that has been around for a long time and may not have been developed with current security standards in mind. A security strategy for legacy code would include measures to ensure that the application complies with current organizational policies, which may involve code reviews, updates, and the implementation of modern security practices to mitigate any potential vulnerabilities inherent in older code12.
References:
* Remotebase, "Best Practices for Managing Legacy Code"
* Medium, "The Engineer's Complete Guide to Legacy Code"
* Parasoft, "Testing Legacy Code & 3 Steps to Update"

NEW QUESTION # 47
Which secure coding best practice ensures sensitive information is not disclosed in any responses to users, authorized or unauthorized?

• A. Error handling and logging
• B. System configuration
• C. Input validation
• D. Authentication and password management

Answer: A

Explanation:
Comprehensive and Detailed In-Depth Explanation:
Preventing the disclosure of sensitive information in application responses is primarily addressed by implementing proper Error Handling and Logging practices.
When errors occur, applications may inadvertently reveal sensitive data through detailed error messages. To mitigate this risk, error handling mechanisms should be designed to provide generic error messages to end- users, while detailed error information is logged securely for internal review. This approach ensures that sensitive information, such as system configurations, stack traces, or personal data, is not exposed to unauthorized users.
The OWASP Secure Coding Practices emphasize the importance of error handling and logging to prevent information leakage:
"Ensure that error messages displayed to users do not reveal sensitive information that can be exploited by attackers." References:
* OWASP Secure Coding Practices - Quick Reference Guide

NEW QUESTION # 48
A software security team recently completed an internal assessment of the company's security assurance program. The team delivered a set of scorecards to leadership along with proposed changes designed to improve low-scoring governance, development, and deployment functions.
Which software security maturity model did the team use?

• A. Open Web Application Security Project (OWASP) Open Software Assurance Maturity Model (SAMM)
• B. International Organization for Standardization ISO/IEC 27034
• C. U.S. Department of Homeland Security Software Assurance Program
• D. Building Security In Maturity Model (BSIMM)

Answer: D

NEW QUESTION # 49
The security team contracts with an independent security consulting firm to simulate attacks on deployed products and report results to organizational leadership.
Which category of secure software best practices is the team performing?

• A. Penetration testing
• B. Architecture analysis
• C. Attack models
• D. Code review

Answer: A

Explanation:
Comprehensive and Detailed In-Depth Explanation:
Engaging an independent security consulting firm to simulate attacks on deployed products is an example of Penetration Testing.
Penetration testing involves authorized simulated attacks on a system to evaluate its security. The objective is to identify vulnerabilities that could be exploited by malicious entities and to assess the system's resilience against such attacks. This proactive approach helps organizations understand potential weaknesses and implement necessary safeguards.
According to the OWASP Testing Guide, penetration testing is a critical component of a comprehensive security program:
"Penetration testing involves testing the security of systems and applications by simulating attacks from malicious individuals." References:
* OWASP Testing Guide

NEW QUESTION # 50
The scrum team decided that before any change can be merged and tested, it must be looked at by the learns lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?

• A. Penetration testing
• B. Architecture analysis
• C. Code review
• D. Training

Answer: A

Explanation:
The practice described is Code review, which is a part of secure software development best practices. Code reviews are conducted to ensure that the code adheres to accepted coding patterns and meets the team's quality standards. This process involves the examination of source code by a person or a group other than the author to identify bugs, security vulnerabilities, and ensure compliance with coding standards.
References:
* Fundamental Practices for Secure Software Development - SAFECode1.
* Secure Software Development Framework | CSRC2.
* Secure Software Development Best Practices - Hyperproof3.

NEW QUESTION # 51
Which secure coding best practice says to assume all incoming data should be considered untrusted and should be validated to ensure the system only accepts valid data?

• A. General coding practices
• B. System configuration
• C. Session management
• D. Input validation

Answer: D

Explanation:
The secure coding best practice that emphasizes treating all incoming data as untrusted and subjecting it to validation is known as input validation. This practice is crucial for ensuring that a system only processes valid, clean data, thereby preventing many types of vulnerabilities, such as SQL injection, cross-site scripting (XSS), and buffer overflows, which can arise from maliciously crafted inputs.
* Input validation involves verifying that the data meets certain criteria before it is processed by the system. This includes checking for the correct data type, length,format, and range. It also involves sanitizing the data to ensure that it does not contain any potentially harmful elements that could lead to security breaches.
* A centralized input validation routine is recommended for the entire application, which helps in maintaining consistency and effectiveness in the validation process. This routine should be implemented on a trusted system, typically server-side, to prevent tampering or bypassing of the validation logic.
* It's important to classify all data sources into trusted and untrusted categories and to apply rigorous validation to all data from untrusted sources, such as user input, databases, file streams, and network interfaces.
By adhering to the input validation best practice, developers can significantly reduce the attack surface of their applications and protect against a wide array of common security threats.
References: The verified answer is supported by the Secure Coding Practices outlined by the OWASP Foundation1 and other reputable sources such as Coding Dojo2 and CERT Secure Coding3.

NEW QUESTION # 52
What is an advantage of using the Agile development methodology?

• A. The overall plan fits very neatly into a Gantt chart so a project manager can easily view the project timeline.
• B. Each stage is clearly defined, making it easier to assign clear roles to teams and departments who feed into the project.
• C. Customer satisfaction is improved through rapid and continuous delivery of useful software.
• D. There is much less predictability throughout the project regarding deliverables.

Answer: C

NEW QUESTION # 53
What is a countermeasure to the web application security frame (ASF) authentication threat category?

• A. Cookies have expiration timestamps.
• B. Role-based access controls restrict access
• C. Credentials and tokens are encrypted.
• D. Sensitive information is scrubbed from error messages

Answer: B

Explanation:
* ASF Authentication Threats: The Web Application Security Frame (ASF) authentication category encompasses threats related to how users and systems prove their identity to the application. This includes issues like weak passwords, compromised credentials, and inadequate access controls.
* Role-Based Access Control (RBAC): RBAC is a well-established security principle that aligns closely with addressing authentication threats. It involves assigning users to roles and granting those roles specific permissions based on the principle of least privilege. This limits the attack surface and reduces the impact of a compromised user account.
Let's analyze the other options:
* B. Credentials and tokens are encrypted: While vital for security, encryption primarily protects data at rest or in transit. It doesn't directly address authentication risks like brute-force attacks or weak password management.
* C. Cookies have expiration timestamps: Expiring cookies are a good practice, but their primary benefit is session management rather than directly mitigating authentication-specific threats.
* D. Sensitive information is scrubbed from error messages: While essential for preventing information leakage, this practice doesn't address the core threats within the ASF authentication category.
References:
* NIST Special Publication 800-53 Revision 4, Access Control (AC)
Family: (https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final) Details the importance of RBAC as a cornerstone of access control.
* The Web Application Security Frame (ASF): (https://patents.google.com/patent/US7818788B2/en) Outlines the ASF categories, with authentication being one of the primary areas.

NEW QUESTION # 54
Which secure coding best practice says to ensure that buffers are allocated correctly and at the right size, that input strings are truncated to a reasonable length, and that resources, connections, objects, and file handles are destroyed once the application no longer needs them?

• A. Input Validation
• B. Session Management
• C. Data Protection
• D. Memory Management

Answer: D

NEW QUESTION # 55
Which secure coding practice involves clearing all local storage as soon as a user logs of for the night and will automatically log a user out after an hour of inactivity?

• A. Session management
• B. Communication security
• C. System configuration
• D. Access control

Answer: A

Explanation:
The practice of clearing all local storage when a user logs off and automatically logging a user out after an hour of inactivity falls under the category of Session Management. This is a security measure designed to prevent unauthorized access to a user's session and to protect sensitive data that might be stored in the local storage. By clearing the local storage, any tokens, session identifiers, or other sensitive information are removed, reducing the risk of session hijacking or other attacks. The automatic logout feature ensures that inactive sessions do not remain open indefinitely, which could otherwise be exploited by attackers.
References: The information aligns with the secure coding practices outlined by the OWASP Foundation1, and is supported by common practices in web development for managing sessions and local storage2.

NEW QUESTION # 56
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?

• A. White box testing
• B. Black box testing
• C. Dynamic testing
• D. Reasonableness testing

Answer: A

Explanation:
White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.
References:
* Control Structure Testing - GeeksforGeeks1
* What is White Box Testing? - BrowserStack2
* Software Testing Strategies Chapter 18 - IIT3

NEW QUESTION # 57
Company leadership has contracted with a security firm to evaluate the vulnerabilityofall externally lacing enterprise applications via automated and manual system interactions. Which security testing technique is being used?

• A. Properly-based-testing
• B. Source-code fault injection
• C. Penetration testing
• D. Source-code analysis

Answer: C

Explanation:
The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.
References: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature1.

NEW QUESTION # 58
Which mitigation technique can be used to light against a threat where a user may gain access to administrator level functionality?

• A. Hashes
• B. Quality of service
• C. Run with least privilege
• D. Encryption

Answer: C

Explanation:
The principle of running with the least privilege is a fundamental security concept that involves granting users only the permissions they need to perform their tasks and no more. This minimizes the risk of a user gaining access to administrator-level functionality that they are not authorized to use. By limiting the privileges of user accounts to the bare minimum necessary, the potential damage from various attacks, such as privilege escalation, is significantly reduced.
References: The concept of least privilege is widely recognized as a critical security measure. Resources like Exabeam's article on preventing privilege escalation and TechTarget's guide on privilege escalation attacks provide insights into how enforcing least privilege can mitigate such threats12. These sources verify that running with the least privilege is an effective mitigation technique against the threat of unauthorized access to elevated privileges.

NEW QUESTION # 59
Which type of security analysis is performed by injecting malformed data into open interfaces of an executable or running application and is most commonly executed during the testing or deployment phases of the SDLC?

• A. Manual Code Review
• B. Static Analysis
• C. Fuzz Testing
• D. Dynamic Analysis

Answer: C

NEW QUESTION # 60
......

LATEST Secure-Software-Design Exam Practice Material: https://examcompass.topexamcollection.com/Secure-Software-Design-vce-collection.html