WGU Secure-Software-Design - WGU Secure Software Design (D487, KEO1) Exam

The security assessment deliverable that identifies unmanaged code that must be kept up to date throughout the life of the product is the List of third-party software. Unmanaged code refers to code that does not run under the garbage-collected environment of the .NET Common Language Runtime, and it often includes legacy code, system libraries, or code written in languages that do not support automatic memory management. Keeping a list of third-party software is crucial because it helps organizations track dependencies and ensure they are updated, patched, and compliant with security standards. This is essential for maintaining the security posture of the software over time, as outdated components can introduce vulnerabilities.

Data integrity requirements within a privacy impact statement ensure that personal information is maintained in an accurate and up-to-date manner. This involves establishing processes to regularly review and update personal data, as well as correct any inaccuracies. These requirements are crucial for maintaining the trustworthiness of the data and ensuring that decisions made based on this information are sound and reliable.

The deliverable that would aid a software security team in preparing a detailed schedule mapping security development lifecycle phases to the type of analysis they will execute is Security test plans. These plans are crucial as they outline the testing strategies and specific security tests that will be conducted during the development lifecycle to ensure the software meets the required security standards.

Security test plans are developed after the requirements and design phases and are used throughout the implementation, verification, and release phases. They include detailed instructions for security testing, criteria for success, and the types of security testing to be performed, such as static and dynamic analysis, penetration testing, and code review.

These plans are living documents that should be updated as new threats are identified and as the project evolves. They ensure that all team members understand the security goals, the risks, and the measures that need to be taken to mitigate those risks.

By having a well-defined security test plan, the team can ensure that security is not an afterthought but is integrated into every phase of the software development lifecycle, thus producing more secure software.

To remediate the vulnerability of servers responding to ping requests with sensitive information, the organization should configure the servers to return as little information as possible to network requests. This practice is known as reducing the attack surface. By limiting the amount of information disclosed, potential attackers have less data to use when attempting to exploit vulnerabilities. Regular updates and patching (Option B) are also important, but they do not address the specific issue of information disclosure. Uninstalling or disabling unnecessary features (Option C) and restricting access to configuration files (Option D) are good security practices, but they do not directly prevent the leakage of server information through ping responses.

Validating user input data before it is processed by the application is a fundamental security control in software design. This process, known as input validation, ensures that only properly formed data is entering the workflow of the application, thereby preventing many types of attacks, including type mismatches as mentioned in the question. By validating input data, the application can reject any requests that contain unexpected or malicious data, reducing the risk of security vulnerabilities and ensuring the integrity of the system.

 Data flow analysis is a manual code review technique where the reviewer traces the path of data from its entry point in the software (input control) through its processing and manipulation within the application, to its exit points (outputs). This technique is used to ensure that the data is handled securely throughout its lifecycle within the application and to identify any potential security vulnerabilities that may arise from improper data handling or processing12

The OpenSAMM business function being assessed is Verification. This function involves activities related to reviewing and testing to ensure that the software meets the required security standards and practices. In the context of the question, the software security group’s focus on reviewing design artifacts to ensure compliance with organizational security standards falls under the Verification function. This includes tasks such as design review, implementation review, and security testing, which are all aimed at verifying that the security measures and controls are correctly integrated into the software design.