
Free Practice Questions for WGU (D487, KEO1) Secure Software Design Exam

Pass4Future also provides interactive practice exam software for preparing effectively for the WGU Secure Software Design (D487, KEO1) Exam. You are welcome to explore the sample free WGU (D487, KEO1) Secure Software Design Exam questions below and also to try the WGU (D487, KEO1) Secure Software Design Exam practice test software.

Page: 1 / 14
Total 118 questions

Question 1

A software security team recently completed an internal assessment of the company's security assurance program. The team delivered a set of scorecards to leadership along with proposed changes designed to improve low-scoring governance, development, and deployment functions.

Which software security maturity model did the team use?



Answer : A


Question 2

Using a web-based common vulnerability scoring system (CVSS) calculator, a security response team member performed an assessment on a reported vulnerability in the company's customer portal. The base score of the vulnerability was 9.9 and changed to 8.0 after adjusting temporal and environmental metrics.

Which rating would CVSS assign this vulnerability?



Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

CVSS scores are classified into severity levels based on numeric ranges. A base score of 9.9 falls within the Critical range (9.0 to 10.0), but after adjustment for temporal and environmental metrics the score is 8.0, which falls into the High severity category (7.0 to 8.9). Therefore, the final rating assigned is High. Medium severity corresponds to scores between 4.0 and 6.9, and Low severity is below 4.0. This scoring methodology is defined by the FIRST Common Vulnerability Scoring System v3.1 Specification, which describes how temporal and environmental metrics adjust the base score to reflect real-world risk contexts.


FIRST CVSS v3.1 Specification

OWASP Vulnerability Severity Classification

NIST National Vulnerability Database (NVD)

Question 3

A legacy application has been replaced by a new product that provides mobile capabilities to the company's customer base. The two products have run concurrently for the last three months to provide a fallback if the new product experienced a large-scale failure. The time has come to turn off access to the legacy application.

Which phase of the Software Development Life Cycle (SDLC) is being described?



Answer : A

Comprehensive and Detailed In-Depth Explanation:

The scenario outlines the process of decommissioning a legacy application after a new product has successfully taken over its functions. This corresponds to the End of Life phase in the Software Development Life Cycle (SDLC).

The End of Life phase involves retiring outdated systems and transitioning users to newer solutions. This phase ensures that obsolete applications are systematically phased out, reducing maintenance costs and potential security vulnerabilities associated with unsupported software.

In this case, running both the legacy and new applications concurrently provided a safety net to ensure the new system's stability. After confirming the new product's reliability, the organization proceeds to disable the legacy system, marking its End of Life.


Systems Development Life Cycle

Question 4

Which concept is demonstrated when every module in a particular abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose?



Answer : B


Question 5

Due to positive publicity from the release of the new software product, leadership has decided that it is in the best interests of the company to become ISO 27001 compliant. ISO 27001 is the leading international standard focused on information security.

Which security development life cycle deliverable is being described?



Answer : D

Comprehensive and Detailed In-Depth Explanation:

ISO/IEC 27001 is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Achieving ISO 27001 certification demonstrates an organization's commitment to information security and provides assurance to customers and stakeholders that security best practices are in place.

In the context of the software development life cycle (SDLC), post-release certifications refer to obtaining formal certifications, such as ISO 27001, after a product has been developed and released. This process involves a comprehensive assessment of the organization's information security practices to ensure they align with the standards set forth by ISO 27001. The certification process typically includes:

Gap Analysis: Evaluating existing information security measures against ISO 27001 requirements to identify areas needing improvement.

Implementation: Addressing identified gaps by implementing necessary policies, procedures, and controls.

Internal Audit: Conducting internal audits to verify the effectiveness of the ISMS and readiness for external assessment.

External Audit: Engaging an accredited certification body to perform a thorough evaluation, leading to certification if compliance is demonstrated.

By pursuing ISO 27001 certification post-release, the company aims to enhance its security posture, comply with international standards, and build trust with its customer base.


ISO/IEC 27001:2022 - Information Security Management Systems
