WGU WGU Secure Software Design (D487, KEO1) Exam Secure-Software-Design Exam Dumps: Updated Questions & Answers (October 2025)

Comprehensive and Detailed In-Depth Explanation:

The scenario describes a stage where the developed features are deployed to a pre-production environment for verification by analysts. This aligns with the Testing phase of the Software Development Life Cycle (SDLC).

In the Testing phase, the system undergoes various evaluations to ensure it meets the specified requirements and functions correctly. This includes deploying the software in an environment that simulates production to identify and rectify defects before the actual deployment. The primary goal is to validate the software's quality and performance.

According to the SDLC framework, after the development (coding) phase, the next step is Testing, where the system is rigorously evaluated. This phase is crucial to detect issues that may not have been apparent during development and to ensure that the software operates as intended in a controlled setting before live deployment.

Comprehensive and Detailed Explanation From Exact Extract:

CVSS scores are classified into severity levels based on numeric ranges. A base score of 9.9 falls within the Critical range (9.0–10.0), but after adjustment for temporal and environmental metrics, the score is 8.0, which falls into the High severity category (7.0–8.9). Therefore, the final rating assigned is High severity. Medium severity corresponds to scores between 4.0 and 6.9, and low severity is below 4.0. This scoring methodology is defined by the FIRST Common Vulnerability Scoring System v3.1 Specification which guides how scores are adjusted to reflect real-world risk contexts.

 Session management is a core component of secure coding, which involves maintaining the state of a user’s interaction with a system. Proper session management can help protect against various security vulnerabilities, such as session hijacking and session fixation attacks. It is essential for ensuring that user data is handled securely throughout an application’s workflow.

Comprehensive and Detailed In-Depth Explanation:

Engaging an independent security consulting firm to simulate attacks on deployed products is an example of Penetration Testing.

Penetration testing involves authorized simulated attacks on a system to evaluate its security. The objective is to identify vulnerabilities that could be exploited by malicious entities and to assess the system's resilience against such attacks. This proactive approach helps organizations understand potential weaknesses and implement necessary safeguards.

According to the OWASP Testing Guide, penetration testing is a critical component of a comprehensive security program:

"Penetration testing involves testing the security of systems and applications by simulating attacks from malicious individuals."

The Intelligence domain in the Building Security in Maturity Model (BSIMM) focuses on gathering and using information about software security. This includes understanding the types of attacks that are possible against the software being developed, which is why reviewing attack models falls under this domain. The BSIMM domain of Intelligence involves creating models of potential attacks on software (attack models), analyzing actual attacks that have occurred (attack intelligence), and sharing this information to improve security measures. By reviewing attack models, the software security group is essentially assessing the organization’s ability to anticipate and understand potential security threats, which is a key aspect of the Intelligence domain.

The step in threat modeling that involves collecting exploitable weaknesses within the product is Identify and document threats. This step is crucial as it directly addresses the identification of potential security issues that could be exploited. It involves a detailed examination of the system to uncover vulnerabilities that could be targeted by threats.

Comprehensive and Detailed In-Depth Explanation:

The scenario outlines the process of decommissioning a legacy application after a new product has successfully taken over its functions. This corresponds to the End of Life phase in the Software Development Life Cycle (SDLC).

The End of Life phase involves retiring outdated systems and transitioning users to newer solutions. This phase ensures that obsolete applications are systematically phased out, reducing maintenance costs and potential security vulnerabilities associated with unsupported software.

In this case, running both the legacy and new applications concurrently provided a safety net to ensure the new system's stability. After confirming the new product's reliability, the organization proceeds to disable the legacy system, marking its End of Life.