WGU (D487, KEO1) Secure Software Design Exam Questions Instant Access

Question 1

The Chief Information Security Officer (CISO) has recommended contracting with external experts to perform annual reviews of the enterprise's software products, including penetration testing.

Which post-release deliverable is being described?

ASecurity Strategy for Legacy Code

BPost-Release Certifications

CThird-Party Security Review

DExternal Vulnerability Disclosure Response Process

Answer : C

Question 2

While performing functional testing of the new product from a shared machine, a QA analyst closed their browser window but did not logout of the application. A different QA analyst accessed the application an hour later and was not prompted to login. They then noticed the previous analyst was still logged into the application.

How should existing security controls be adjusted to prevent this in the future?

AEnsure no sensitive information is stored in plain text in cookies

BEnsure user sessions timeout after short intervals

CEnsure role-based access control is enforced for access to all resources

DEnsure strong password policies are enforced

Answer : B

The issue described involves a session management vulnerability where the user's session remains active even after the browser window is closed, allowing another user on the same machine to access the application without logging in. To prevent this security risk, it's essential to adjust the session management controls to include an automatic timeout feature. This means that after a period of inactivity, or when the browser window is closed, the session should automatically expire, requiring a new login to access the application. This adjustment ensures that even if a user forgets to log out, their session won't remain active indefinitely, reducing the risk of unauthorized access.

Secure SDLC practices emphasize the importance of security at every stage of the software development life cycle, including the implementation of proper session management controls12.

Best practices for access control in security highlight the significance of managing session timeouts to prevent unauthorized access3.

Industry standards and guidelines often recommend session timeouts as a critical security control to protect against unauthorized access4.

Question 3

Which type of manual code review technique is being used when the reviewer starts at an input control and traces its value through the application to each of the value's outputs?

ARisk analysis

BControl flow analysis

CData flow analysis

DThreat analysis

Answer : C

Data flow analysis is a manual code review technique where the reviewer traces the path of data from its entry point in the software (input control) through its processing and manipulation within the application, to its exit points (outputs). This technique is used to ensure that the data is handled securely throughout its lifecycle within the application and to identify any potential security vulnerabilities that may arise from improper data handling or processing12

Question 4

A public library needs to implement security control on publicly used computers to prevent illegal downloads.

Which security control would prevent this threat?

ANonrepudiation

BAuthentication

CIntegrity

DAvailability

Answer : B

Authentication is the most effective control for the scenario because it directly addresses who is using the public computers:

User Identification: Authentication requires users to identify themselves (e.g., library card, login credentials) before accessing the computers. This links actions to specific individuals, making it easier to control unauthorized activity.

Policy Enforcement: Combined with other controls (e.g., content filtering), authentication enables the library to implement policies restricting downloads. If users violate the policy, their identities can be used for consequences.

Deterrent: Knowing they can be identified discourages users from attempting illegal downloads.

Question 5

Which software development model starts by specifying and implementing just a part of the software, which is then reviewed and identifies further requirements that are implemented by repeating the cycle?

AIterative

BImplementation

CWaterfall

DCode and fix

Answer : A

Comprehensive and Detailed Explanation From Exact Extract:

The Iterative software development model fits this description. It involves specifying and implementing a portion of the software, reviewing it, gathering feedback, and refining or adding requirements in successive cycles. This approach supports evolving requirements and continuous improvement. Iterative models contrast with Waterfall (C), which is linear and sequential, with no repetition of phases. ''Code and fix'' (D) is an informal, ad hoc process lacking formal review cycles. Implementation (B) is a phase, not a model. The iterative approach is advocated in ISO/IEC 12207 and NIST guidelines for secure development, as it allows early detection and remediation of security issues by incremental design and testing.

ISO/IEC 12207 Software Lifecycle Processes

NIST SP 800-64 Revision 2: Security Considerations in SDLC

Microsoft SDL Documentation

Question 6

The software security group is conducting a maturity assessment using the Building Security in Maturity Model (BSIMM). They are currently focused on reviewing attack models created during recently completed initiatives.

Which BSIMM domain is being assessed?

AGovernance

BSoftware security development life cycle (SSDL) touchpoints

CIntelligence

DDeployment

Answer : C

The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization's ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.

Question 7

Which privacy impact statement requirement type defines processes to keep personal information updated and accurate?

AAccess requirements

BCollection of personal information requirements

CData integrity requirements

DPersonal information retention requirements

Answer : C

Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.

The Office of the Privacy Commissioner of Canada's guide on the Privacy Impact Assessment process emphasizes the importance of accuracy and currency of personal information1.

The European Union's General Data Protection Regulation (GDPR) outlines principles for data processing, including the necessity for data to be accurate and kept up to date2.

The General Data Protection Regulation (GDPR) also includes provisions for data protection impact assessments, which involve documenting processes before starting data processing3.

WGU Secure Software Design (D487, KEO1) Exam WGU (D487, KEO1) Secure Software Design Exam Questions