WGU University WGU-KEO1 Online Practice Questions and Exam Preparation
WGU-KEO1 Exam Details
Exam Code: WGU-KEO1
Exam Name: WGU Secure Software Design (D487, KEO1)
Certification: WGU University Certifications
Vendor: WGU University
Total Questions: 133 Q&As
Last Updated: May 29, 2026
WGU University WGU-KEO1 Online Questions & Answers
Question 91:
Which software control test examines the internal logical structures of a program and steps through the code line by line to analyze the program for potential errors?
A. White box testing
B. Reasonableness testing
C. Black box testing
D. Dynamic testing
Answer: A. White box testing
White box testing (also called clear box, glass box, transparent box, or structural testing) is a software testing method in which the tester has knowledge of the internal structure, design, and code of the software and uses it to verify input-output flow and to improve the design, usability, and security. It examines the internal logical structures of the program, typically by stepping through the code path by path and line by line to find potential errors, which matches the description in the question. Black box testing, by contrast, treats the program as opaque and tests only against its external behaviour; dynamic testing exercises the running program; and reasonableness testing checks whether outputs fall within expected bounds, none of which involves inspecting the code itself.
Sources: Control Structure Testing (GeeksforGeeks); What is White Box Testing? (BrowserStack); Software Testing Strategies, Chapter 18 (IIT).
Question 92:
The security team is reviewing all noncommercial software libraries used in the new product to ensure they are being used according to the legal specifications defined by the authors. What activity of the Ship SDL phase is being performed?
A. Policy compliance analysis
B. Open-source licensing review
C. Penetration testing
D. Final security review
Answer: B. Open-source licensing review
The activity described is the review of noncommercial (open-source) software libraries to confirm that they are used within the legal terms set by their authors. That is the open-source licensing review, an activity of the Ship phase of the Security Development Lifecycle (SDL). The review ensures that every open-source component is used in accordance with its license, which matters both for legal compliance and for knowing exactly which third-party code ships in the product. The Ship phase also includes policy compliance review, vulnerability scanning, penetration testing, and the final security and privacy reviews; of these, only the open-source licensing review addresses the legal terms of third-party components.
Question 93:
A potential threat was discovered during vulnerability testing when an environment configuration file was found that contained the database username and password stored in plain text. How should existing security controls be adjusted to prevent this in the future?
A. Enforce Role-Based Authorization
B. Encrypt Secrets in Storage and Transit
C. Ensure Strong Password Policies are in Effect
D. Validate All User Input
Answer: B. Encrypt Secrets in Storage and Transit
A database username and password in a plaintext configuration file is a secrets-handling failure: anyone who can read the file (or a backup, a repository, or a build artifact containing it) obtains working credentials. The control that addresses this is protecting secrets at rest and in transit, for example by keeping them encrypted or in a dedicated secret store rather than in plaintext files. Stronger password policies, input validation, and role-based authorization do not prevent a readable plaintext credential from being exposed.
Question 94:
Which security assessment deliverable identifies unmanaged code that must be kept up to date throughout the life of the product?
A. Threat profile
B. Metrics template
C. Product risk profile
D. List of third-party software
Answer: D. List of third-party software
The security assessment deliverable that identifies unmanaged code which must be kept up to date over the life of the product is the list of third-party software. In this context, "unmanaged code" means code the product team did not write and does not maintain itself, such as third-party and open-source libraries and system components (it should not be confused with the narrower .NET meaning of code that runs outside the Common Language Runtime). Maintaining a list of third-party software lets the organization track its dependencies and ensure they are updated, patched, and compliant with security requirements, because outdated components can introduce vulnerabilities long after release. The threat profile, metrics template, and product risk profile serve other purposes and do not enumerate third-party components.
Question 95:
The security team is identifying technical resources that will be needed to perform the final product security review. Which step of the final product security review process are they in?
A. Release and Ship
B. Identify Feature Eligibility
C. Evaluate and Plan for Remediation
D. Assess Resource Availability
Answer: D. Assess Resource Availability
Question 96:
An individual is developing a software application that has a back-end database and is concerned that a malicious user may run the following SQL query to pull information about all accounts from the database: Which technique should be used to detect this vulnerability without running the source code?
A. Dynamic analysis
B. Cross-site scripting
C. Static analysis
D. Fuzz testing
Answer: C. Static analysis
Static analysis detects vulnerabilities in software without executing it. It examines the source (or compiled) code for patterns that indicate security issues, such as SQL statements assembled from untrusted input, by analysing the code's structure, syntax, and data flow. Dynamic analysis and fuzz testing both require running the program, so they do not meet the question's condition, and cross-site scripting is a class of vulnerability rather than a detection technique. Static analysis is widely used to identify security vulnerabilities and is most valuable early in the SDLC, where issues are cheapest to fix; learning-based approaches have also been proposed to automatically fix SQL injection vulnerabilities found through static analysis.
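As an added illustration of the technique the answer describes (this is example code written for this page, not part of the exam material), the following minimal static analyser inspects Python source with the standard library `ast` module and flags calls to a database cursor's `execute` method whose statement is built at run time by concatenation, `%` formatting, `.format()` or an f-string. The sample source it scans is constructed for the example; the function names in it are hypothetical.

```python
"""Minimal static analyser for string-built SQL (added example, not exam material)."""
import ast

# Constructed sample source: three injectable variants and one parameterised query.
SAMPLE_SOURCE = '''
def lookup_account_unsafe(cursor, username):
    query = "SELECT * FROM accounts WHERE username = '" + username + "'"
    cursor.execute(query)

def lookup_account_fstring(cursor, username):
    cursor.execute(f"SELECT * FROM accounts WHERE username = '{username}'")

def lookup_account_format(cursor, username):
    cursor.execute("SELECT * FROM accounts WHERE username = '{}'".format(username))

def lookup_account_safe(cursor, username):
    cursor.execute("SELECT * FROM accounts WHERE username = %s", (username,))
'''

# DB-API style sink methods whose first argument is the SQL text.
SINK_METHODS = {"execute", "executemany", "executescript"}


def _is_string_built(node):
    """Return a reason if `node` assembles a string at run time, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or % formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() interpolation"
    return None


class _SqlSinkVisitor(ast.NodeVisitor):
    """Walks the tree; resolves simple local assignments so `q = ...; execute(q)` is caught."""

    def __init__(self):
        self.findings = []
        self.assignments = {}  # name -> value node, reset per function (flow-insensitive)

    def visit_FunctionDef(self, node):
        self.assignments = {}
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.assignments[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS
                and node.args):
            arg = node.args[0]
            if isinstance(arg, ast.Name) and arg.id in self.assignments:
                arg = self.assignments[arg.id]  # follow the variable to its definition
            reason = _is_string_built(arg)
            if reason:
                self.findings.append((node.lineno, reason))
        self.generic_visit(node)


def find_sql_injection(source):
    """Return sorted (line_number, reason) pairs for every suspicious sink call."""
    visitor = _SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for lineno, reason in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL built with {reason}; use a parameterised query")
```

The analyser never imports or runs the scanned module: it reasons purely over the syntax tree, which is what distinguishes it from the dynamic analysis and fuzzing options. The parameterised query in `lookup_account_safe` passes a constant string plus a separate parameter tuple, so it produces no finding.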
Question 97:
The software security team is using an automation tool that generates random data to input into every field in the new product and track results. Which security testing technique is being used?
A. Black-Box Debugging
B. Fuzz Testing
C. Binary Code Analysis
D. Byte Code Analysis
Answer: B. Fuzz Testing
Fuzz testing (fuzzing) feeds large volumes of random or semi-random data into a program's inputs and records how it responds, looking for crashes, hangs, and other unexpected behaviour. Binary and byte code analysis inspect compiled code rather than feeding it input, and black-box debugging is not a recognised testing technique.
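To make the technique concrete, here is a small field-level fuzzer written as an added example for this page (it is not exam material). The target, `create_account`, is a constructed stand-in with a planted defect: its validation looks complete, but it divides by `65 - age` and so crashes on one specific accepted value. The fuzzer generates a mix of plausible and hostile values for every field, calls the target, and tracks the outcome of each call so that unexpected exceptions stand out from inputs the validation correctly rejected.

```python
"""Tiny field-level fuzzer (added example; target and field names are constructed)."""
import random
import string
from collections import Counter

FIELDS = ("username", "age", "note")


def create_account(username, age, note):
    """Constructed target. Validation looks thorough but hides a crash on age == 65."""
    if not username or not username.isalnum():
        raise ValueError("username must be non-empty and alphanumeric")
    try:
        years = int(age)
    except ValueError:
        raise ValueError("age must be an integer") from None
    if not 0 <= years <= 120:
        raise ValueError("age out of range")
    # Planted defect: years-to-retirement is zero when years == 65.
    monthly_rate = 1 / (65 - years)
    return {"username": username, "age": years, "note": note[:32], "rate": monthly_rate}


def random_field_value(rng):
    """Produce a plausible or hostile string for one input field."""
    kind = rng.choice(("alnum", "int", "empty", "unicode", "long", "symbols"))
    if kind == "alnum":
        return "".join(rng.choices(string.ascii_letters + string.digits, k=rng.randint(1, 12)))
    if kind == "int":
        return str(rng.randint(0, 125))          # mostly valid, sometimes out of range
    if kind == "empty":
        return ""
    if kind == "unicode":
        return "".join(chr(rng.randint(0x80, 0x10FFFF)) for _ in range(rng.randint(1, 6)))
    if kind == "long":
        return "A" * rng.randint(100, 5000)
    return "".join(rng.choices(string.punctuation + " \t\n\x00", k=rng.randint(1, 10)))


def fuzz(target, iterations=20000, seed=7):
    """Call `target` with random values in every field; return outcome counts and sample crashes."""
    rng = random.Random(seed)                    # seeded so a run is reproducible
    outcomes = Counter()
    crashes = []
    for _ in range(iterations):
        inputs = {name: random_field_value(rng) for name in FIELDS}
        try:
            target(**inputs)
            outcomes["ok"] += 1
        except ValueError:
            outcomes["rejected"] += 1            # input validation did its job
        except Exception as exc:                 # anything else is a bug worth a ticket
            outcomes[f"crash:{type(exc).__name__}"] += 1
            if len(crashes) < 5:
                crashes.append((type(exc).__name__, inputs))
    return outcomes, crashes


if __name__ == "__main__":
    outcomes, crashes = fuzz(create_account)
    for label, count in sorted(outcomes.items()):
        print(f"{label:25s} {count}")
    for exc_name, inputs in crashes:
        print(f"{exc_name} with inputs {inputs!r}")
```

The important design point is the outcome bucketing: a `ValueError` is the target rejecting bad input as intended, while any other exception is an unhandled condition the developer did not anticipate. Real fuzzers (coverage-guided tools in particular) generate inputs far more cleverly, but the loop of generate, execute, classify, and keep the crashing input for reproduction is the same.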
Question 98:
A security analyst is reviewing a report that lists identified threats, their likelihood, impact, and whether existing controls fully address them. Which threat classification is being documented for items that still expose the application to limited risk?
A. Unmitigated threats
B. Fully mitigated threats
C. Partially mitigated threats
D. Threat profiles
Answer: C. Partially mitigated threats
Partially mitigated threats are those for which some defensive controls exist, but residual risk remains. These threats are not fully eliminated and may still expose the application to limited exploitation. Fully mitigated threats have sufficient controls in place, while unmitigated threats have no effective defenses applied.
Question 99:
Which concept is demonstrated when every module in a particular abstraction layer of a computing environment can only access the information and resources that are necessary for its legitimate purpose?
A. Privacy
B. Principle of Least Privilege
C. Elevation of Privilege
D. Confidentiality
Answer: B. Principle of Least Privilege
The principle of least privilege states that every module (process, user, or program) in a computing environment should be able to access only the information and resources necessary for its legitimate purpose, which is exactly the situation described. Elevation of privilege is the opposite condition, in which a component gains more access than it should.
Question 100:
Which secure coding practice uses role-based authentication where department-specific credentials will authorize department-specific functionality?
A. Access Control
B. Data Protection
C. Input Validation
D. Authentication