







Typology: Exams
Which due diligence activity for supply chain security should occur in the initiation phase of the software acquisition life cycle? - ✔✔Developing a request for proposal (RFP) that includes supply chain security risk management
Which due diligence activity for supply chain security investigates the means by which data sets are shared and assessed? - ✔✔A document exchange and review
Identification of the entity making the access request
Verification that the request has not changed since its initiation
Application of the appropriate authorization procedures
Reexamination of previously authorized requests by the same entity
Which security design analysis is being described? - ✔✔Complete mediation
Which software security principle guards against the improper modification or destruction of information and ensures the nonrepudiation and authenticity of information? - ✔✔Integrity
What type of functional security requirement involves receiving, processing, storing, transmitting, and delivering in report form? - ✔✔Primary dataflow
Which nonfunctional security requirement provides a way to capture information correctly and a way to store that information to help support later audits? - ✔✔Logging
Which security concept refers to the quality of information that could cause harm or damage if disclosed? - ✔✔Sensitivity
Which technology would be an example of an injection flaw, according to the OWASP Top 10? - ✔✔SQL
A company is creating a new software to track customer balance and wants to design a secure application.
Which best practice should be applied? - ✔✔Create multiple layers of protection so that a subsequent layer provides protection if a layer is breached
A company is developing a secure software that has to be evaluated and tested by a large number of experts.
Which security principle should be applied? - ✔✔Open design
Which type of TCP scanning indicates that a system is moving to the second phase in a three-way TCP handshake? - ✔✔TCP SYN scanning
Which role is a training champion of software security, an advocate for the overall SDL process, and a proponent for promulgating and enforcing the overall software product security program? - ✔✔Software security evangelist (SSE)
Which role requires the technical capability to be trained as a software security architect who then assists the centralized software security group with architecture security analysis and threat modeling? - ✔✔Software champion
An application development team is designing and building an application that interfaces with a back-end database.
Which activity should be included when constructing a threat model for the application? - ✔✔Decompose the application to understand how it interacts with external entities
What is the third step for constructing a threat model for identifying a spoofing threat? - ✔✔Decompose threats
What is a step for constructing a threat model for a project when using practical risk analysis? - ✔✔Make a list of what you are trying to protect
Which cyber threats are typically surgical by nature, have highly specific targeting, and are technologically sophisticated? - ✔✔Tactical attacks
Which type of cyberattacks are often intended to elevate awareness of a topic? - ✔✔Sociopolitical attacks
What type of attack locks a user's desktop and then requires a payment to unlock it? - ✔✔Ransomware
What is a countermeasure against various forms of XML and XML path injection attacks? - ✔✔XML attribute escaping
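The following is an added example, not part of the study guide, showing the XML half of that countermeasure: an XML document built by string interpolation, where an attacker-controlled value breaks out of an attribute and injects a sibling element, beside the same builder using attribute escaping. The `<users>`/`<user>` schema, the `role` attribute and the payload are constructed for illustration; `xml.sax.saxutils.quoteattr` is the Python standard-library escaper.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed attacker input: closes the name attribute, injects a second
# <user> element with role="admin", then reopens an attribute so the resulting
# document is still well-formed and parses without error.
PAYLOAD = 'alice"/><user name="mallory" role="admin"/><user name="x'


def build_user_xml_unsafe(name, role="guest"):
    # Vulnerable: the value is interpolated verbatim into the attribute.
    return f'<users><user name="{name}" role="{role}"/></users>'


def build_user_xml_safe(name, role="guest"):
    # quoteattr() wraps the value in quotes and escapes &, <, > and the quote
    # character it uses, so the value can never terminate the attribute.
    return f'<users><user name={quoteattr(name)} role={quoteattr(role)}/></users>'


def user_names(xml_text):
    """Names of all <user> elements in the document, in order."""
    root = ET.fromstring(xml_text)
    return [u.get("name") for u in root.findall("user")]


def admin_users(xml_text):
    """Names of <user> elements carrying role="admin"."""
    root = ET.fromstring(xml_text)
    return [u.get("name") for u in root.findall("user") if u.get("role") == "admin"]


if __name__ == "__main__":
    print("unsafe:", user_names(build_user_xml_unsafe(PAYLOAD)),
          "admins:", admin_users(build_user_xml_unsafe(PAYLOAD)))
    print("safe:  ", user_names(build_user_xml_safe(PAYLOAD)),
          "admins:", admin_users(build_user_xml_safe(PAYLOAD)))
```

With the unsafe builder the document contains three users and one unexpected admin; with escaping it contains exactly one user whose name is the literal payload. The same reasoning applies to XPath injection, where the fix is to bind the value as a variable or escape it for the quoting context rather than concatenate it into the path expression.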
Which countermeasure is used to mitigate SQL injection attacks? - ✔✔Query parameterization
What is an appropriate countermeasure to an escalation of privilege attack? - ✔✔Restricting access to specific operations through role-based access controls
Which configuration management security countermeasure implements least privilege access control? - ✔✔Restricting file access to users based on authorization
Which phase of the software development life cycle (SDL/SDLC) would be used to determine the minimum set of privileges required to perform the targeted task and restrict the user to a domain with those privileges? - ✔✔Design
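The four steps listed earlier under complete mediation (identify the requester, check the request, apply the authorization procedure, re-examine requests from an already-authorized entity) together with the role-based restriction described here can be shown in a small reference monitor. This is an added example written for this page, not code from the course or any product; the policy, role names, users and operations are constructed, and the cached checker is included only as the anti-pattern to contrast against.

```python
# Added example: a reference monitor applying complete mediation with a
# role-based policy.  Every operation is checked against the caller's current
# role at the moment of the request; no earlier decision is reused.

class AccessDenied(Exception):
    pass


# Role -> set of operations that role may perform.  Least privilege: an auditor
# can read balances but never post a transaction.  (Constructed sample policy.)
POLICY = {
    "teller": {"read_balance", "post_transaction"},
    "auditor": {"read_balance"},
}


class ReferenceMonitor:
    """Identifies the requester, applies the authorization procedure, and
    re-examines every request even if the same entity was approved before."""

    def __init__(self, policy):
        self._policy = policy
        self._roles = {}                      # user -> role

    def assign_role(self, user, role):
        if role not in self._policy:
            raise ValueError(f"unknown role {role!r}")
        self._roles[user] = role

    def revoke(self, user):
        self._roles.pop(user, None)

    def is_allowed(self, user, operation):
        role = self._roles.get(user)          # identification of the entity
        if role is None:
            return False                      # unknown entity: default deny
        return operation in self._policy[role]   # authorization procedure

    def require(self, user, operation):
        if not self.is_allowed(user, operation):
            raise AccessDenied(f"{user} may not {operation}")


class MediatedChecker:
    """Complete mediation: asks the monitor on every single call."""

    def __init__(self, monitor, user):
        self._monitor, self._user = monitor, user

    def allowed(self, operation):
        return self._monitor.is_allowed(self._user, operation)


class CachedChecker:
    """Anti-pattern for contrast: remembers the first answer per operation, so
    a user whose role was revoked keeps the rights granted at first use."""

    def __init__(self, monitor, user):
        self._monitor, self._user, self._cache = monitor, user, {}

    def allowed(self, operation):
        if operation not in self._cache:
            self._cache[operation] = self._monitor.is_allowed(self._user, operation)
        return self._cache[operation]


def revocation_scenario(checker_cls):
    """Grant alice the teller role, let her post, revoke her, then try again.
    Returns (allowed_before_revoke, allowed_after_revoke)."""
    monitor = ReferenceMonitor(POLICY)
    monitor.assign_role("alice", "teller")
    checker = checker_cls(monitor, "alice")
    before = checker.allowed("post_transaction")
    monitor.revoke("alice")
    after = checker.allowed("post_transaction")
    return before, after


if __name__ == "__main__":
    print("mediated:", revocation_scenario(MediatedChecker))  # (True, False)
    print("cached:  ", revocation_scenario(CachedChecker))    # (True, True)
```

The mediated checker denies the post as soon as the role is revoked; the cached one keeps approving it, which is exactly the stale-authorization problem the fourth step (re-examination of previously authorized requests) exists to prevent.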
Which technique can be used by an attacker to compromise password security when a password such as "123456" is used by an organization? - ✔✔Brute-force attack
Which type of password attack tests for every possible value of a parameter? - ✔✔Brute force
Which type of attack allows the complete disclosure or destruction of all data on a system and allows attackers to spoof identity, tamper with existing data, and cause repudiation issues such as voiding transactions or changing balances? - ✔✔SQL injection
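The two SQL injection items above (the countermeasure, query parameterization, and the impact list, disclosure and tampering with balances) are illustrated by this added example. It is not code from the study guide; the `accounts` table, its rows and the attacker payload are constructed, and SQLite's `?` placeholders stand in for whatever bind syntax the real driver uses.

```python
import sqlite3

# Constructed attacker input: closes the string literal and appends a
# tautology, so the WHERE clause matches every row.
PAYLOAD = "nobody' OR '1'='1"


def make_db():
    """In-memory account table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 3000)])
    conn.commit()
    return conn


def balance_unsafe(conn, user):
    # Vulnerable: the input is spliced into the SQL text and can rewrite the
    # query.  With PAYLOAD this discloses every account (information disclosure).
    sql = f"SELECT user, balance FROM accounts WHERE user = '{user}'"
    return conn.execute(sql).fetchall()


def balance_safe(conn, user):
    # Parameterized: the driver binds the value as data; it can never become SQL.
    return conn.execute("SELECT user, balance FROM accounts WHERE user = ?",
                        (user,)).fetchall()


def set_balance_unsafe(conn, user, amount):
    # Same flaw on a write path: PAYLOAD zeroes every balance (tampering).
    sql = f"UPDATE accounts SET balance = {int(amount)} WHERE user = '{user}'"
    return conn.execute(sql).rowcount          # number of rows changed


def set_balance_safe(conn, user, amount):
    return conn.execute("UPDATE accounts SET balance = ? WHERE user = ?",
                        (int(amount), user)).rowcount


def total_balance(conn):
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe read :", balance_unsafe(db, PAYLOAD))   # all three rows
    print("safe read   :", balance_safe(db, PAYLOAD))     # []
    print("unsafe write:", set_balance_unsafe(db, PAYLOAD, 0), "rows;",
          "total now", total_balance(db))                  # 3 rows; total 0
```

The parameterized versions return no rows and change no rows for the payload, because the value is compared as the literal string `nobody' OR '1'='1` rather than parsed as part of the statement. Stacked queries (`'; DROP TABLE ...`) are blocked here only because `sqlite3.execute` refuses to run more than one statement; other drivers and databases do not give that protection, so parameterization, not the driver, is the control to rely on.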
Which threat uses malware that tricks users into believing that there is no way out for them except to pay to get rid of a nuisance? - ✔✔Ransomware
Which type of application attack is used to harvest and steal sensitive information? - ✔✔Remote access tool
Which type of application attack is commonly waged through the use of rootkits? - ✔✔Escalation of privilege
Which attack aims to make web service unavailable or unusable? - ✔✔Denial-of-service
A company is developing a new software application that requires users to log in using a username and password. The company needs to implement a security control that is effective at preventing spoofing during the log-in process.
Which security control is effective at preventing this threat action? - ✔✔Authentication
A company is developing a new database application. The company needs to implement a security control that is effective at preventing tampering.
Which security control is effective at preventing this threat action? - ✔✔Integrity
A bank is developing a new checking account application for customers and needs to implement a security control that is effective at preventing an elevation of privilege attack.
Which security control is effective at preventing this threat action? - ✔✔Authorization
A database has a table called "orders_table" which has columns: order_no, last_name, first_name, ship_city, credit_card
Which part of the change management process addresses the need to identify, understand, and help leaders manage opposition throughout the organization? - ✔✔Resistance management
Which component of the change management process allows developers to prioritize tasks? - ✔✔Request control
Which component of the change management process involves new system deployment testing where the new system and the old system are operating at the same time? - ✔✔Parallel run
Which technique documents incident response times agreed upon by both a provider and a customer? - ✔✔Service-level agreement
Which element is commonly addressed in a service-level agreement (SLA)? - ✔✔Service availability
The ASF threat list describes a risk that may occur when a software developer forgets to set an expiration for a cookie.
Which countermeasure addresses this vulnerability? - ✔✔User and session management
An undocumented command sequence is allowing unauthorized access to a software system.
What type of software defect allows this vulnerability? - ✔✔Backdoor
A small organization experiences an XSS attack on their web application.
What type of vulnerability has occurred? - ✔✔Cross-site scripting
What type of software threat occurs when password resets reveal password hints and valid usernames, according to the Application Security Frame (ASF)? - ✔✔Authentication
What type of software threat occurs when output encoding is skipped, according to the Application Security Frame (ASF)? - ✔✔Data and parameter validation
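The cross-site scripting item and the skipped-output-encoding item above are two sides of the same defect, shown here in an added example that is not from the study guide. It renders a user comment into HTML with no encoding, with encoding that is correct for a text node but not for an attribute value, and with context-appropriate encoding; a small parser then reports any `on*` event-handler attributes that reached the markup. The page fragments and both payloads are constructed; `html.escape` is the Python standard-library encoder.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one aimed at an HTML text node, one at an
# attribute value.
TEXT_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_text_unsafe(comment):
    # Output encoding skipped: the comment is written straight into the body.
    return f'<p class="comment">{comment}</p>'


def render_text_safe(comment):
    # &, <, > (and quotes) are encoded, so the browser sees text, not a tag.
    return f'<p class="comment">{html.escape(comment)}</p>'


def render_attr_partial(title):
    # Encodes < > & only.  Enough for a text node, NOT for an attribute value:
    # a double quote in the input still closes the attribute.
    return f'<a href="/profile" title="{html.escape(title, quote=False)}">profile</a>'


def render_attr_safe(title):
    # quote=True also encodes " and ', matching the attribute context.
    return f'<a href="/profile" title="{html.escape(title, quote=True)}">profile</a>'


class _HandlerCollector(HTMLParser):
    """Records every tag@attribute pair whose attribute name starts with 'on'."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [f"{tag}@{name}" for name, _ in attrs if name.startswith("on")]


def injected_handlers(markup):
    """Event-handler attributes present in the rendered markup (empty if none)."""
    parser = _HandlerCollector()
    parser.feed(markup)
    parser.close()
    return parser.handlers


if __name__ == "__main__":
    for label, markup in [
        ("text unsafe ", render_text_unsafe(TEXT_PAYLOAD)),
        ("text safe   ", render_text_safe(TEXT_PAYLOAD)),
        ("attr partial", render_attr_partial(ATTR_PAYLOAD)),
        ("attr safe   ", render_attr_safe(ATTR_PAYLOAD)),
    ]:
        print(label, injected_handlers(markup), markup)
```

The point a practitioner should take from the attribute case is that encoding must match the output context: escaping only `<`, `>` and `&` looks like output encoding but leaves an attribute value injectable, which is why frameworks expose separate encoders for HTML body, attribute, JavaScript and URL contexts.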
Which form of malicious software hides in the lower levels of an operating system with privileged access permissions and opens a backdoor on the system? - ✔✔Rootkit
A security administrator wants to prevent web-based code that has full access to a Windows operating system when executing on user systems.
Which technique should remediate this vulnerability? - ✔✔Prohibiting downloads of ActiveX content
What is a known SDL metric used to measure protection against vulnerabilities? - ✔✔The number of security defects found through static analysis tools