WGU FailSafe Web Application Penetration Test
Findings Report | Complete Security Assessment |
Passed Performance Assessment 2026.
Foundational Security Principles
1. Which security principle requires that access to an object should be denied
unless explicitly granted?
A) Complete Mediation
B) Least Privilege
C) Fail-Safe Defaults
D) Open Design
Rationale: The fail-safe defaults principle, also known as "fail closed," dictates that
unless a subject is given explicit access to an object, access should be denied . This
ensures the system defaults to a secure state.
2. What is the application of multiple layers of protection so that if one layer is
breached, the next provides protection?
A) Fail-safe
B) Defense in Depth
C) Separation of Duties
D) Open Design
Rationale: Defense in depth is a security strategy that uses multiple layers of security
controls to provide redundancy in case one control fails or is compromised .
3. Which principle assumes that attackers have access to the sources and the
specifications?
A) Fail-safe
,B) Open Design
C) Economy of Mechanism
D) Psychological Acceptability
Rationale: The open design principle states that the security of a system should not
depend on the secrecy of its design or implementation. It assumes attackers can obtain
the source code and design documents .
4. Which secure coding best practice ensures servers, frameworks, and system
components are all running the latest approved versions?
A) Database Security
B) Cryptographic Practices
C) System Configuration
D) Input Validation
Rationale: System configuration best practices involve keeping all software components
up-to-date with the latest security patches and approved versions to mitigate known
vulnerabilities .
5. Which best practice is being applied when a database uses parameterized
queries and encrypted connection strings?
A) Access Control
B) Database Security
C) File Management
D) Session Management
Rationale: Database security best practices include using parameterized queries to
prevent SQL injection and encrypting connection strings to protect credentials .
6. Which security principle requires that all accesses to objects be checked to
ensure they are allowed?
A) Fail-Safe Defaults
B) Least Privilege
,C) Complete Mediation
D) Separation of Privilege
Rationale: Complete mediation requires that every access attempt to a resource is
checked against the access control policy, ensuring no access is performed without
authorization .
7. Which person is responsible for designing, planning, and implementing secure
coding practices and security testing methodologies?
A) Software Security Champion
B) Product Security Developer
C) Software Security Architect
D) Software Tester
Rationale: The software security architect is responsible for the overarching security
design and the implementation of secure practices and testing methodologies .
8. Which secure coding best practice uses well-tested, publicly available
algorithms to hide product data from unauthorized access?
A) Authentication and Password Management
B) Cryptographic Practices
C) Data Protection
D) Output Encoding
Rationale: Cryptographic practices involve using strong, well-vetted algorithms for
encryption, hashing, and signing to protect sensitive data .
9. Which secure coding best practice states that all information passed to other
systems should be encrypted?
A) Memory Management
B) Database Security
C) Communication Security
D) Output Encoding
, Rationale: Communication security best practices ensure that all data transmitted
between systems is encrypted using protocols like TLS to prevent eavesdropping and
tampering .
10. Which concept is being applied when normal users cannot see admin
functionality within an application?
A) Privacy
B) Principle of Least Privilege (POLP)
C) Software Security Champion
D) Elevation of Privilege
Rationale: The Principle of Least Privilege ensures that users are granted only the
permissions necessary to perform their job functions. This prevents normal users from
accessing administrative functions .
Threat Modeling and Risk Assessment
11. In the STRIDE threat model, what does the 'R' stand for?
A) Resource Exhaustion
B) Repudiation
C) Reconnaissance
D) Replay
Rationale: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege. Repudiation is the ability of a user to deny
performing an action without proof .
12. What type of attack is 'surgical' by nature, has highly specific targeting, and is
technologically sophisticated?
A) Tactical Attacks
B) Strategic Attacks
Findings Report | Complete Security Assessment |
Passed Performance Assessment 2026.
Foundational Security Principles
1. Which security principle requires that access to an object should be denied
unless explicitly granted?
A) Complete Mediation
B) Least Privilege
C) Fail-Safe Defaults
D) Open Design
Rationale: The fail-safe defaults principle, also known as "fail closed," dictates that
unless a subject is given explicit access to an object, access should be denied . This
ensures the system defaults to a secure state.
2. What is the application of multiple layers of protection so that if one layer is
breached, the next provides protection?
A) Fail-safe
B) Defense in Depth
C) Separation of Duties
D) Open Design
Rationale: Defense in depth is a security strategy that uses multiple layers of security
controls to provide redundancy in case one control fails or is compromised .
3. Which principle assumes that attackers have access to the sources and the
specifications?
A) Fail-safe
,B) Open Design
C) Economy of Mechanism
D) Psychological Acceptability
Rationale: The open design principle states that the security of a system should not
depend on the secrecy of its design or implementation. It assumes attackers can obtain
the source code and design documents .
4. Which secure coding best practice ensures servers, frameworks, and system
components are all running the latest approved versions?
A) Database Security
B) Cryptographic Practices
C) System Configuration
D) Input Validation
Rationale: System configuration best practices involve keeping all software components
up-to-date with the latest security patches and approved versions to mitigate known
vulnerabilities .
5. Which best practice is being applied when a database uses parameterized
queries and encrypted connection strings?
A) Access Control
B) Database Security
C) File Management
D) Session Management
Rationale: Database security best practices include using parameterized queries to
prevent SQL injection and encrypting connection strings to protect credentials .
6. Which security principle requires that all accesses to objects be checked to
ensure they are allowed?
A) Fail-Safe Defaults
B) Least Privilege
,C) Complete Mediation
D) Separation of Privilege
Rationale: Complete mediation requires that every access attempt to a resource is
checked against the access control policy, ensuring no access is performed without
authorization .
7. Which person is responsible for designing, planning, and implementing secure
coding practices and security testing methodologies?
A) Software Security Champion
B) Product Security Developer
C) Software Security Architect
D) Software Tester
Rationale: The software security architect is responsible for the overarching security
design and the implementation of secure practices and testing methodologies .
8. Which secure coding best practice uses well-tested, publicly available
algorithms to hide product data from unauthorized access?
A) Authentication and Password Management
B) Cryptographic Practices
C) Data Protection
D) Output Encoding
Rationale: Cryptographic practices involve using strong, well-vetted algorithms for
encryption, hashing, and signing to protect sensitive data .
9. Which secure coding best practice states that all information passed to other
systems should be encrypted?
A) Memory Management
B) Database Security
C) Communication Security
D) Output Encoding
, Rationale: Communication security best practices ensure that all data transmitted
between systems is encrypted using protocols like TLS to prevent eavesdropping and
tampering .
10. Which concept is being applied when normal users cannot see admin
functionality within an application?
A) Privacy
B) Principle of Least Privilege (POLP)
C) Software Security Champion
D) Elevation of Privilege
Rationale: The Principle of Least Privilege ensures that users are granted only the
permissions necessary to perform their job functions. This prevents normal users from
accessing administrative functions .
Threat Modeling and Risk Assessment
11. In the STRIDE threat model, what does the 'R' stand for?
A) Resource Exhaustion
B) Repudiation
C) Reconnaissance
D) Replay
Rationale: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege. Repudiation is the ability of a user to deny
performing an action without proof .
12. What type of attack is 'surgical' by nature, has highly specific targeting, and is
technologically sophisticated?
A) Tactical Attacks
B) Strategic Attacks