
[Apr 18, 2026] WGU Dumps - Learn How To Deal With The (Secure-Software-Design) Exam Anxiety
NEW QUESTION # 31
Which software control test examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output?
- A. Static
- B. Dynamic
- C. White box
- D. Black box
Answer: D
Explanation:
The software control test that examines an application from a user perspective by providing a wide variety of input scenarios and inspecting the output is known as black box testing. This testing method focuses on the functionality of the application rather than its internal structures or workings. Testers provide inputs and examine outputs without knowing how and where the inputs are worked upon. It's designed to test the system's external behavior.
* Black box testing is used to verify that the system meets the requirements and behaves as expected in various scenarios, including edge cases and incorrect input data. It helps in identifying discrepancies between the system's actual functionality and its specified requirements.
* This type of testing is applicable across various levels of software testing, including unit, integration, system, and acceptance testing. It is particularly useful for validating user stories and use cases during the software development process.
* Since black box testing treats the software as a "black box", it does not require the tester to have knowledge of the programming languages or the system's implementation. This allows testers to objectively test the software's behavior and performance.
References: The concept of black box testing is well-documented and is a standard practice in secure software design, as outlined by sources such as LambdaTest and other industry best practices.
NEW QUESTION # 32
Which software development model starts by specifying and implementing just a part of the software, which is then reviewed and identifies further requirements that are implemented by repeating the cycle?
- A. Code and fix
- B. Implementation
- C. Iterative
- D. Waterfall
Answer: C
Explanation:
The Iterative software development model fits this description. It involves specifying and implementing a portion of the software, reviewing it, gathering feedback, and refining or adding requirements in successive cycles. This approach supports evolving requirements and continuous improvement. Iterative models contrast with Waterfall (D), which is linear and sequential, with no repetition of phases. "Code and fix" (A) is an informal, ad hoc process lacking formal review cycles. Implementation (B) is a phase, not a model. The iterative approach is advocated in ISO/IEC 12207 and NIST guidelines for secure development, as it allows early detection and remediation of security issues by incremental design and testing.
References:
ISO/IEC 12207 Software Lifecycle Processes
NIST SP 800-64 Revision 2: Security Considerations in SDLC
Microsoft SDL Documentation
NEW QUESTION # 33
The scrum team decided that before any change can be merged and tested, it must be looked at by the team's lead developer, who will ensure accepted coding patterns are being followed and that the code meets the team's quality standards.
Which category of secure software best practices is the team performing?
- A. Architecture analysis
- B. Training
- C. Code review
- D. Penetration testing
Answer: C
Explanation:
The practice described is Code review, which is a part of secure software development best practices. Code reviews are conducted to ensure that the code adheres to accepted coding patterns and meets the team's quality standards. This process involves the examination of source code by a person or a group other than the author to identify bugs and security vulnerabilities and to ensure compliance with coding standards.
References:
* Fundamental Practices for Secure Software Development - SAFECode.
* Secure Software Development Framework | CSRC.
* Secure Software Development Best Practices - Hyperproof.
NEW QUESTION # 34
The security software team has cloned the source code repository of the new software product so they can perform vulnerability testing by modifying or adding small snippets of code to see if they can cause unexpected behavior and application failure.
Which security testing technique is being used?
- A. Fuzz Testing
- B. Binary Fault Injection
- C. Dynamic Code Analysis
- D. Source-Code Fault Injection
Answer: D
NEW QUESTION # 35
What sits between a browser and an internet connection and alters requests and responses in a way the developer did not intend?
- A. Reverse engineering
- B. Intercept proxy
- C. Load testing
- D. Input validation
Answer: B
Explanation:
An intercept proxy, also known as a proxy server, sits between a web client (such as a browser) and an external server to filter, monitor, or manipulate the requests and responses passing through it. This can be used for legitimate purposes, such as security testing and user privacy, but it can also be exploited by attackers to alter web traffic in a way that the developer did not intend, potentially leading to security vulnerabilities.
References:
Understanding of HTTP and HTTPS protocols.
Definition and role of proxy servers.
NEW QUESTION # 36
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
- A. Reasonableness testing
- B. Dynamic testing
- C. Black box testing
- D. White box testing
Answer: D
Explanation:
White box testing, also known as clear box testing, glass box testing, transparent box testing, and structural testing, is a method of software testing where the internal structure, design, and coding of the software are tested to verify the flow of input-output and to improve the design, usability, and security. It involves looking at the structures that are internal to the system, with the tester having knowledge of the internal workings of the product. This type of testing is concerned with examining the internal logical structures of the program and is typically performed by stepping through the code line by line to analyze the program for potential errors, which aligns with the description of the control test in question.
References:
Control Structure Testing - GeeksforGeeks
What is White Box Testing? - BrowserStack
Software Testing Strategies Chapter 18 - IIT
NEW QUESTION # 37
Which security assessment deliverable defines measures that can be periodically reported to management?
- A. Threat Profile
- B. Metrics Template
- C. Product Risk Profile
- D. SDL Project Outline
Answer: B
NEW QUESTION # 38
The software security group is conducting a maturity assessment using the Open Web Application Security Project Software Assurance Maturity Model (OWASP SAMM). They are currently focused on reviewing design artifacts to ensure they comply with organizational security standards.
Which OpenSAMM business function is being assessed?
- A. Verification
- B. Construction
- C. Governance
- D. Deployment
Answer: A
Explanation:
The Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) is a framework designed to help organizations assess and improve their software security posture. SAMM is structured around five primary business functions: Governance, Design, Implementation, Verification, and Operations.
In this scenario, the focus is on reviewing design artifacts to ensure compliance with organizational security standards. This activity aligns with the Verification business function within SAMM. The Verification function encompasses security practices related to assessing and validating the security of software artifacts throughout the development lifecycle. Key practices under this function include:
* Design Review: Evaluating design documents and models to identify potential security issues and ensure that security requirements are adequately addressed.
* Code Review: Analyzing source code to detect security vulnerabilities and ensure adherence to secure coding standards.
* Security Testing: Conducting various testing methodologies, such as penetration testing and vulnerability scanning, to identify and remediate security weaknesses in the software.
By focusing on the Verification function, the organization aims to proactively identify and address security concerns during the design and development phases, thereby enhancing the overall security posture of their software products.
References:
* OWASP SAMM - Verification
NEW QUESTION # 39
What refers to the review of software source code by developers other than the original coders to try to identify oversights, mistakes, assumptions, a lack of knowledge, or even experience?
- A. User acceptance testing
- B. Fault injection
- C. Dynamic code review
- D. Manual peer review
Answer: D
Explanation:
Manual peer review refers to the systematic examination of software source code by developers other than the original author. This practice is recognized as a valuable tool for reducing software defects and improving the quality of software projects. It involves developers inspecting the code to find and fix mistakes overlooked in the initial development phase, which enhances both the overall quality of software and the developers' skills.
Peer code review is less formal and more "lightweight" than the code inspections performed in the past, and it provides benefits such as knowledge transfer, increased team awareness, and creation of alternative solutions to problems.
References:
* Expectations, Outcomes, and Challenges Of Modern Code Review
* Introduction to Software Engineering/Quality/Code Review
* Software Security during Modern Code Review: The Developer's Perspective
NEW QUESTION # 40
Due to positive publicity from the release of the new software product, leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. ISO 27001 is the leading international standard focused on information security.
Which security development life cycle deliverable is being described?
- A. Third-party security review
- B. Security strategy for M&A products
- C. Post-release certifications
- D. External vulnerability disclosure response process
Answer: C
NEW QUESTION # 41
Which threat modeling step collects exploitable weaknesses within the product?
- A. Rate threats
- B. Identify and document threats
- C. Analyze the target
- D. Set the scope
Answer: B
Explanation:
The step in threat modeling that involves collecting exploitable weaknesses within the product is Identify and document threats. This step is crucial as it directly addresses the identification of potential security issues that could be exploited. It involves a detailed examination of the system to uncover vulnerabilities that could be targeted by threats.
References: The OWASP Foundation's Threat Modeling Process outlines a structured approach where identifying and documenting threats is a key step. Additionally, various sources on threat modeling agree that the identification of threats is a fundamental aspect of the process, as it allows for the subsequent analysis and mitigation of these threats.
NEW QUESTION # 42
The organization is moving from a waterfall to an agile software development methodology, so the software security group must adapt the security development life cycle as well. They have decided to break out security requirements and deliverables to fit better in the iterative life cycle by defining every-sprint requirements, one-time requirements, bucket requirements, and final security review requirements.
Which type of requirement states that the team must identify primary security and privacy contacts?
- A. Every-sprint requirement
- B. Bucket requirement
- C. Final security review requirement
- D. One-time requirement
Answer: B
Explanation:
Bucket requirements are ongoing requirements that do not need to be addressed every sprint but must be completed before project completion. Identifying primary security and privacy contacts is a bucket requirement because it is a one-time, essential task that supports security governance throughout the project lifecycle. Every-sprint requirements (A) are repeated tasks for each sprint, one-time requirements (D) are tasks performed once, usually early in the project, and the final security review (C) occurs at project end. Agile SDL adaptation recommendations by Microsoft SDL and OWASP emphasize categorizing security tasks to fit iterative delivery, with bucket requirements ensuring important but non-iterative activities are not overlooked.
References:
Microsoft SDL Agile Adaptation Guidelines
OWASP Secure SDLC in Agile
NIST SP 800-64: Security Considerations in Agile Development
NEW QUESTION # 43
Which secure coding best practice says to require authentication before allowing any files to be uploaded and to limit the types of files to only those needed for the business purpose?
- A. Memory management
- B. Data protection
- C. File management
- D. Communication security
Answer: C
Explanation:
The secure coding best practice that requires authentication before allowing any files to be uploaded, and limits the types of files to only those needed for the business purpose, falls under the category of File Management. This practice is crucial for preventing unauthorized file uploads, which can be a common vector for attacks such as uploading malicious files or scripts. By enforcing authentication, the application ensures that only legitimate users can upload files. Additionally, restricting the file types to those necessary for business operations minimizes the risk of uploading potentially harmful files that could compromise the system.
References:
OWASP Secure Coding Practices
File Upload Security Best Practices | CodeHandbook
File Upload Protection - 10 Best Practices for Preventing ... - OPSWAT
NEW QUESTION # 44
While performing functional testing of the ordering feature in the new product, a tester noticed that the order object was transmitted to the POST endpoint of the API as a human-readable JSON object.
How should existing security controls be adjusted to prevent this in the future?
- A. Ensure passwords and private information are not logged
- B. Ensure sensitive transactions can be traced through an audit log
- C. Ensure all requests and responses are encrypted
- D. Ensure the contents of authentication cookies are encrypted
Answer: C
Explanation:
Transmitting data in a human-readable format, such as JSON, over an API can expose sensitive information if the communication channel is not secure. To protect the confidentiality and integrity of the data, it's essential to encrypt all requests and responses between clients and servers.
Implementing encryption, typically through protocols like HTTPS (which utilizes TLS/SSL), ensures that data transmitted over the network is not readable by unauthorized parties. This prevents potential attackers from intercepting and understanding the data, thereby safeguarding sensitive information contained within the API communications.
This practice is a fundamental aspect of secure software development and aligns with the Implementation business function of the OWASP SAMM. Within this function, the Secure Build practice emphasizes the importance of configuring the software to operate securely in its intended environment, which includes enforcing encryption for data in transit.
References:
* OWASP SAMM: Implementation - Secure Build
NEW QUESTION # 45
The software security team prepared a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute.
Which design and development deliverable did the team prepare?
- A. Updated threat modeling artifacts
- B. Privacy implementation assessment results
- C. Security test plans
- D. Design security review
Answer: C
Explanation:
The deliverable that would aid a software security team in preparing a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute is Security test plans. These plans are crucial as they outline the testing strategies and specific security tests that will be conducted during the development lifecycle to ensure the software meets the required security standards.
* Security test plans are developed after the requirements and design phases and are used throughout the implementation, verification, and release phases. They include detailed instructions for security testing, criteria for success, and the types of security testing to be performed, such as static and dynamic analysis, penetration testing, and code review.
* These plans are living documents that should be updated as new threats are identified and as the project evolves. They ensure that all team members understand the security goals, the risks, and the measures that need to be taken to mitigate those risks.
* By having a well-defined security test plan, the team can ensure that security is not an afterthought but is integrated into every phase of the software development lifecycle, thus producing more secure software.
References: The importance of security test plans in the software development lifecycle is supported by best practices and guidelines from sources such as Microsoft's Security Development Lifecycle and Snyk's Secure Software Development Life Cycle principles.
NEW QUESTION # 46
Which secure coding best practice says to use a single application-level authorization component that will lock down the application if it cannot access its configuration information?
- A. Data protection
- B. Session management
- C. Access control
- D. Communication security
Answer: C
Explanation:
The secure coding best practice that recommends using a single application-level authorization component to lock down the application if it cannot access its configuration information is known as Access Control. This practice is part of a broader set of security measures aimed at ensuring that only authorized users have access to certain functionalities or data within an application. By centralizing the authorization logic, it becomes easier to manage and enforce security policies consistently across the application. If the authorization component cannot retrieve its configuration, it defaults to a secure state, thus preventing unauthorized access [1].
References: [1] OWASP Secure Coding Practices - Quick Reference Guide
NEW QUESTION # 47
During fuzz testing of the new product, random values were entered into input elements. Search requests were sent to the correct API endpoint, but many of them failed on execution due to type mismatches.
How should existing security controls be adjusted to prevent this in the future?
- A. Ensure all user input data is validated prior to transmitting requests
- B. Ensure sensitive transactions can be traced through an audit log
- C. Ensure all requests and responses are encrypted
- D. Ensure the contents of authentication cookies are encrypted
Answer: A
Explanation:
Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data is entering the workflow of the application, thereby preventing many types of attacks, including type mismatches as mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.
References:
Secure SDLC practices emphasize the importance of integrating security activities, such as creating security and functional requirements, code reviews, security testing, architectural analysis, and risk assessment, into the existing development workflow.
A Secure Software Development Life Cycle (SSDLC) ensures that security is considered at every phase of the development process, from planning and design to coding, testing, deploying, and maintaining the software.
NEW QUESTION # 48
The software security team prepared a report of necessary coding and architecture changes identified during the security assessment.
Which design and development deliverable did the team prepare?
- A. Security test plans
- B. Updated threat modeling artifacts
- C. Privacy implementation assessment results
- D. Design security review
Answer: B
Explanation:
In the context of software security, a threat model is a structured representation that identifies potential threats to the system, evaluates their severity, and guides the development of mitigation strategies. When a security assessment reveals vulnerabilities or areas of concern, it's imperative to update the threat modeling artifacts to reflect these findings. This ensures that the threat model remains an accurate and current representation of the system's security posture.
By updating the threat modeling artifacts, the team documents the identified threats and outlines necessary coding and architectural changes to mitigate these threats. This proactive approach allows for the integration of security considerations early in the design and development phases, reducing the likelihood of vulnerabilities in the deployed system.
This practice aligns with the Design business function of the OWASP Software Assurance Maturity Model (SAMM), which emphasizes the importance of incorporating security into the software design process.
Within this function, the Threat Assessment practice focuses on identifying and evaluating potential threats to inform security requirements and design decisions. Updating threat modeling artifacts is a key activity within this practice, ensuring that security assessments directly influence the system's design and architecture.
References:
* OWASP SAMM: Design - Threat Assessment
NEW QUESTION # 49
Which category classifies identified threats that have defenses in place and do not expose the application to exploits?
- A. Unmitigated Threats
- B. Partially Mitigated Threat
- C. Threat Profile
- D. Fully Mitigated Threat
Answer: D
NEW QUESTION # 50
Which category classifies identified threats that do not have defenses in place and expose the application to exploits?
- A. Unmitigated threats
- B. Fully mitigated threat
- C. Partially mitigated threat
- D. Threat profile
Answer: A
Explanation:
The category that classifies identified threats with no defenses in place, exposing the application to exploits, is Unmitigated Threats. This term refers to vulnerabilities for which no countermeasures or mitigations have been implemented. These threats are critical because they represent actual weaknesses that attackers can exploit. In the context of secure software design, it's essential to identify these threats early in the SDLC to ensure that appropriate security controls can be designed and implemented to protect against them.
References:
* Taxonomy of Cyber Threats to Application Security and Applicable Defenses.
* OWASP Foundation's Threat Modeling Process.
* Mitigating Persistent Application Security Threats.
NEW QUESTION # 51
Which secure coding best practice says to require authentication before allowing any files to be uploaded and to limit the types of files to only those needed for the business purpose?
- A. Memory management
- B. Data protection
- C. File management
- D. Communication security
Answer: C
Explanation:
The secure coding best practice that requires authentication before allowing any files to be uploaded, and limits the types of files to only those needed for the business purpose, falls under the category of File Management. This practice is crucial for preventing unauthorized file uploads, which can be a common vector for attacks such as uploading malicious files or scripts. By enforcing authentication, the application ensures that only legitimate users can upload files. Additionally, restricting the file types to those necessary for business operations minimizes the risk of uploading potentially harmful files that could compromise the system.
References:
* OWASP Secure Coding Practices
* File Upload Security Best Practices | CodeHandbook
* File Upload Protection - 10 Best Practices for Preventing ... - OPSWAT
NEW QUESTION # 52
In which step of the PASTA threat modeling methodology is vulnerability and exploit analysis performed?
- A. Define technical scope
- B. Define objectives
- C. Attack modeling
- D. Application decomposition
Answer: C
Explanation:
In the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, vulnerability and exploit analysis is performed during the Attack modeling step. This step involves identifying potential threats and vulnerabilities within the system and understanding how they could be exploited.
* Attack modeling is a critical phase where the focus is on simulating attacks based on identified vulnerabilities. It allows for a deep understanding of the threats in the context of the application's architecture and system design.
* During this phase, security analysts use their knowledge of the system's technical scope and application decomposition to simulate how an attacker could exploit the system's vulnerabilities. This helps in prioritizing the risks and planning appropriate mitigation strategies.
* The goal of attack modeling is not just to identify vulnerabilities but also to understand the potential impact of exploits on the system and the business, which is essential for developing a robust security posture.
References: The information provided is aligned with the PASTA methodology as described in resources such as VerSprite and the OWASP Foundation. These sources detail the seven stages of PASTA, with attack modeling being a key component of the process.
NEW QUESTION # 53
A new product does not display personally identifiable information, will not let private documents be printed, and requires elevation of privilege to retrieve archive documents. Which secure coding practice is this describing?
- A. Data protection
- B. Authentication
- C. Input validation
- D. Access control
Answer: D
Explanation:
The secure coding practice being described is Access Control. This practice ensures that access to data and features within a system is restricted and controlled. The description given indicates that the product has mechanisms to prevent the display of personally identifiable information (PII), restrict the printing of private documents, and require elevated privileges to access archived documents. These are all measures to control who has access to what data and under what circumstances, which is the essence of access control.
References:
* ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud.
* NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
* ISO/IEC 29151:2017, Code of practice for personally identifiable information protection.
NEW QUESTION # 54