매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
WGU Secure Software Design (D487) Exam 온라인 연습
최종 업데이트 시간: 2025년12월09일
당신은 온라인 연습 문제를 통해 WGU Secure Software Design 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 Secure Software Design 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 113개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
Security testing reports are the most likely deliverables to contain detailed records of evaluations, their frequency, and re-evaluations.
Here's why:
Purpose of Security Testing Reports: These reports document the results of security testing, including:
Types of tests: Vulnerability scans, penetration tests, code reviews, etc.
Frequency: How often tests were conducted (e.g., per build, per release cycle). Re-evaluations: If vulnerabilities were discovered, these reports will track whether and how often those were retested after remediation.
Focus on Testing: The question specifically emphasizes evaluations, which aligns with the core content of security testing reports.
정답:
Explanation:
Static analysis is a method used to detect vulnerabilities in software without executing the code. It involves examining the codebase for patterns that are indicative of security issues, such as SQL injection vulnerabilities. This technique can identify potential threats and weaknesses by analyzing the code’s structure, syntax, and data flow.
Reference: Static analysis as a means to identify security vulnerabilities1.
The importance of static analysis in the early stages of the SDLC to prevent security issues2.
Learning-based approaches to fix SQL injection vulnerabilities using static analysis3.
정답:
Explanation:
The security testing technique that involves using a testing tool to scan a running application for known exploit signatures is known as Automated Vulnerability Scanning. This method is part of dynamic analysis, which assesses the software in its running state to identify vulnerabilities that could be exploited by attackers. Automated vulnerability scanning tools are designed to detect and report known vulnerabilities by comparing the behavior and outputs of the application against a database of known exploit signatures1.
Reference: 1: Application Security Testing: Tools, Types and Best Practices | GitHub
정답:
Explanation:
Fuzz testing is the ideal technique in this scenario. Here's why:
Focus on Integrations: The scenario emphasizes testing links between the software, databases, web servers, and web services. Fuzz testing is specifically designed to find vulnerabilities in how software handles data and communication between components.
Pre-release Testing: The product being close to release indicates a critical need to identify security flaws before public deployment. Fuzz testing is effective in uncovering unexpected behavior and potential vulnerabilities.
Fuzz Testing Targets: Fuzz testing works by injecting invalid or unexpected data into interfaces (like those between databases, web components, etc.) to observe how the software reacts. This helps expose potential security gaps and weaknesses.
정답:
Explanation:
The deliverable that would aid a software security team in preparing a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute is Security test plans. These plans are crucial as they outline the testing strategies and specific security tests that will be conducted during the development lifecycle to ensure the software meets the required security standards.
Security test plans are developed after the requirements and design phases and are used throughout the implementation, verification, and release phases. They include detailed instructions for security testing, criteria for success, and the types of security testing to be performed, such as static and dynamic analysis, penetration testing, and code review.
These plans are living documents that should be updated as new threats are identified and as the project evolves. They ensure that all team members understand the security goals, the risks, and the measures that need to be taken to mitigate those risks.
By having a well-defined security test plan, the team can ensure that security is not an afterthought but is integrated into every phase of the software development lifecycle, thus producing more secure software.
Reference: The importance of security test plans in the software development lifecycle is supported by best practices and guidelines from sources such as Microsoft’s Security Development Lifecycle1 and Snyk’s Secure Software Development Life Cycle principles2.
정답:
Explanation:
The security testing technique that involves evaluating the vulnerability of all externally facing enterprise applications through both automated and manual system interactions is known as Penetration Testing. This method simulates real-world attacks on systems to identify potential vulnerabilities that could be exploited by attackers. It is a proactive approach to discover security weaknesses before they can be exploited in a real attack scenario. Penetration testing can include a variety of methods such as network scanning, application testing, and social engineering tactics to ensure a comprehensive security evaluation.
Reference: The concept of Penetration Testing as a method for evaluating vulnerabilities aligns with industry standards and practices, as detailed in resources from security-focused organizations and literature1.
정답:
Explanation:
The type of threat described is Tampering. This threat occurs when an attacker intercepts and manipulates data being sent from the client to the server, such as form data being submitted to an API. The attacker may alter the data to change the intended operation, inject malicious content, or compromise the integrity of the system. Tampering attacks are a significant concern in secure software design because they can lead to unauthorized changes and potentially harmful actions within the application.
Reference: Understanding the different types of API attacks and their prevention1.
Comprehensive guide on API security and threat mitigation2.
Detailed analysis of Man-in-the-Middle (MitM) attacks and their impact on API security3.
정답:
Explanation:
The step in threat modeling that involves collecting exploitable weaknesses within the product is Identify and document threats. This step is crucial as it directly addresses the identification of potential security issues that could be exploited. It involves a detailed examination of the system to uncover vulnerabilities that could be targeted by threats.
Reference: The OWASP Foundation’s Threat Modeling Process outlines a structured approach where identifying and documenting threats is a key step1. Additionally, various sources on threat modeling agree that the identification of threats is a fundamental aspect of the process, as it allows for the subsequent analysis and mitigation of these threats2345.
정답:
Explanation:
The Asset-centric approach to threat modeling focuses on identifying and protecting the assets that are most valuable to an organization. This method prioritizes the assets themselves, assessing their sensitivity, value, and the impact on the business should they be compromised. It is a strategic approach that aims to safeguard the confidentiality, integrity, and availability of the organization’s key assets.
Reference: A Review of Asset-Centric Threat Modelling Approaches1. Approaches to Threat Modeling - are you getting what you need?2.
What Is Threat Modeling? - CrowdStrike3.
정답:
Explanation:
A threat profile is a security assessment deliverable that identifies possible security vulnerabilities in a product. It involves a systematic examination of the product to uncover any weaknesses that could potentially be exploited by threats. The process typically includes identifying the assets that need protection, assessing the threats to those assets, and evaluating the vulnerabilities that could be exploited by those threats. This deliverable is crucial for understanding the security posture of a product and for prioritizing remediation efforts.
Reference: The importance of a threat profile in identifying security vulnerabilities is supported by various security resources. For instance, Future Processing’s blog on vulnerability assessments outlines the steps involved in identifying security vulnerabilities, which align with the creation of a threat profile1. Additionally, UpGuard’s article on conducting vulnerability assessments further emphasizes the role of identifying vulnerabilities as part of the security assessment process2.
정답:
Explanation:
Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.
Reference: The Office of the Privacy Commissioner of Canada’s guide on the Privacy Impact Assessment process emphasizes the importance of accuracy and currency of personal information1.
The European Union’s General Data Protection Regulation (GDPR) outlines principles for data processing, including the necessity for data to be accurate and kept up to date2.
The General Data Protection Regulation (GDPR) also includes provisions for data protection impact assessments, which involve documenting processes before starting data processing3.
정답:
Explanation:
Authentication is the most effective control for the scenario because it directly addresses who is using the public computers:
User Identification: Authentication requires users to identify themselves (e.g., library card, login credentials) before accessing the computers. This links actions to specific individuals, making it easier to control unauthorized activity.
Policy Enforcement: Combined with other controls (e.g., content filtering), authentication enables the library to implement policies restricting downloads. If users violate the policy, their identities can be used for consequences.
Deterrent: Knowing they can be identified discourages users from attempting illegal downloads.
정답:
Explanation:
The privacy impact statement requirement that defines how personal information will be protected when authorized or independent external entities are involved is best categorized under Third party requirements. This aspect of privacy impact assessments ensures that personal data is safeguarded even when it is necessary to involve third parties, which could be service providers, partners, or other entities that might handle personal information on behalf of the primary organization. These requirements typically include stipulations for data handling agreements, security measures, and compliance checks to ensure that third parties maintain the confidentiality and integrity of the personal information they process.
Reference: Guide to undertaking privacy impact assessments | OAIC1
A guide to Privacy Impact Assessments - Information and Privacy2
Personal Information Protection Law of China: Key Compliance Considerations3 Privacy Impact Assessment - General Data Protection Regulation (GDPR)4 Privacy impact assessment (PIA) - TechTarget5
정답:
Explanation:
In the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, vulnerability and exploit analysis is performed during the Attack modeling step. This step involves identifying potential threats and vulnerabilities within the system and understanding how they could be exploited.
Attack modeling is a critical phase where the focus is on simulating attacks based on identified vulnerabilities. It allows for a deep understanding of the threats in the context of the application’s architecture and system design.
During this phase, security analysts use their knowledge of the system’s technical scope and application decomposition to simulate how an attacker could exploit the system’s vulnerabilities. This helps in prioritizing the risks and planning appropriate mitigation strategies.
The goal of attack modeling is not just to identify vulnerabilities but also to understand the potential impact of exploits on the system and the business, which is essential for developing a robust security posture.
Reference: The information provided is aligned with the PASTA methodology as described in resources such as VerSprite1 and the OWASP Foundation2. These sources detail the seven stages of PASTA, with attack modeling being a key component of the process.
정답:
Explanation:
The category that classifies identified threats with no defenses in place, exposing the application to exploits, is Unmitigated Threats. This term refers to vulnerabilities for which no countermeasures or mitigations have been implemented. These threats are critical because they represent actual weaknesses that attackers can exploit. In the context of secure software design, it’s essential to identify these threats early in the SDLC to ensure that appropriate security controls can be designed and implemented to protect against them.
Reference: Taxonomy of Cyber Threats to Application Security and Applicable Defenses1.
OWASP Foundation’s Threat Modeling Process2.
Mitigating Persistent Application Security Threats3.