Senior IT staff has determined that a new product will be hosted in the cloud and will support web and mobile users. Developers will need to deliver secure REST services, Android and iOS mobile apps, and a web application. Developers are currently determining how to deliver each part of the overall product.
Which phase of the software development lifecycle (SDLC) is being described?
Answer : D
The phase being described is the Design phase of the SDLC. During this phase, developers and IT staff determine the architectural and operational details of the product, which includes decisions on how to deliver various components such as secure REST services, mobile apps, and web applications. The Design phase is crucial for setting the foundation for the development work that will follow, ensuring that the product will be secure, scalable, and maintainable.
Which DREAD category is based on how easily a threat exploit can be found?
Answer : C
Which type of threat exists when an attacker can intercept and manipulate form data after the user clicks the save button but before the request is posted to the API?
Answer : C
The type of threat described is Tampering. This threat occurs when an attacker intercepts and manipulates data being sent from the client to the server, such as form data being submitted to an API. The attacker may alter the data to change the intended operation, inject malicious content, or compromise the integrity of the system. Tampering attacks are a significant concern in secure software design because they can lead to unauthorized changes and potentially harmful actions within the application.
Which DREAD category has a risk rating based on the threat exploit's potential level of harm?
Answer : A
The DREAD category that has a risk rating based on the threat exploit's potential level of harm is Damage potential. This category assesses the total damage or impact that a threat could cause if it is exploited by an attacker. The risk rating in this category is determined by evaluating the severity of the potential damage, which could range from information disclosure to complete system destruction or loss of system availability.
During fuzz testing of the new product, random values were entered into input elements. Search requests were sent to the correct API endpoint, but many of them failed on execution due to type mismatches.
How should existing security controls be adjusted to prevent this in the future?
Answer : A
Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data enters the application's workflow, thereby preventing many types of attacks as well as failures such as the type mismatches mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.
Secure SDLC practices emphasize the importance of integrating security activities, such as creating security and functional requirements, code reviews, security testing, architectural analysis, and risk assessment, into the existing development workflow.
A Secure Software Development Life Cycle (SSDLC) ensures that security is considered at every phase of the development process, from planning and design to coding, testing, deploying, and maintaining the software.
Which secure software design principle states that it is always safer to require agreement of more than one entity to make a decision?
Answer : C
Developers have finished coding, and changes have been peer-reviewed. Features have been deployed to a pre-production environment so that analysts may verify that the product is working as expected.
Which phase of the Software Development Life Cycle (SDLC) is being described?
Answer : C
Comprehensive and Detailed In-Depth Explanation:
The scenario describes a stage where the developed features are deployed to a pre-production environment for verification by analysts. This aligns with the Testing phase of the Software Development Life Cycle (SDLC).
In the Testing phase, the system undergoes various evaluations to ensure it meets the specified requirements and functions correctly. This includes deploying the software in an environment that simulates production to identify and rectify defects before the actual deployment. The primary goal is to validate the software's quality and performance.
According to the SDLC framework, after the development (coding) phase, the next step is Testing, where the system is rigorously evaluated. This phase is crucial to detect issues that may not have been apparent during development and to ensure that the software operates as intended in a controlled setting before live deployment.