
Application Security Interview Questions


1. In Information Security, CIA stands for what?

CIA stands for confidentiality, integrity, and availability.

2. Mention some of the goals of Application security.

Application security works to improve the software development process so that the number of security flaws an attacker can exploit is kept to a minimum.

3. Which ISO standard sets a baseline for application security?

ISO/IEC 27034 offers guidance on information security to those who specify, design, program, procure, implement, and use application systems.

4. What is clickjacking?

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
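The usual server-side defence is to tell the browser that the page may not be framed. The following is an added example, not code from the original page: it builds the two relevant response headers with plain Node.js (no web framework assumed) and includes a checker that classifies an arbitrary header set, including the weak case of `frame-ancestors *`.

```javascript
// Added example: anti-framing response headers plus a checker.
// Assumes only Node.js built-ins; the function names are this example's own.

// Headers a server should send on every HTML response it does not want framed.
// CSP frame-ancestors is the modern control; X-Frame-Options covers older browsers.
// allowedOrigins is a list of origins permitted to embed the page (empty = none).
function antiFramingHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  return {
    'content-security-policy': `frame-ancestors ${ancestors}`,
    // X-Frame-Options cannot express an origin list; fall back to SAMEORIGIN.
    'x-frame-options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Classify how well a response's headers resist clickjacking.
// Returns 'csp'  when a restrictive frame-ancestors directive is present,
//         'xfo'  when only X-Frame-Options DENY/SAMEORIGIN protects the page,
//         'none' when any site may frame it (no header, or frame-ancestors *).
// Header names are matched case-insensitively, as HTTP requires.
function framingProtection(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(s => s.startsWith('frame-ancestors'));
  if (directive) {
    // A wildcard source list is no protection at all.
    const sources = directive.split(/\s+/).slice(1);
    return sources.includes('*') ? 'none' : 'csp';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'xfo';
  return 'none';
}

// Constructed demo: a hardened response and a bare one.
console.log(framingProtection(antiFramingHeaders()));          // csp
console.log(framingProtection({ 'Content-Type': 'text/html' })); // none
```

Browsers that understand CSP ignore X-Frame-Options when frame-ancestors is present, so the two headers should agree rather than contradict each other.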

5. What is OWASP?

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

6. How do you mitigate Sensitive Data Exposure?

Sensitive Data Exposure can be mitigated in a number of ways. Encrypting data is the easiest and most obvious way to safeguard it against cyberattacks. Sensitive information ought to be deleted as soon as feasible rather than being stored needlessly or insecurely. Further methods include creating a threat model that covers data in transit and data used during testing, storing passwords with a dedicated password protection scheme rather than in plain text, and disabling auto-completion on forms that collect sensitive data.

7. Describe IPSEC.

IPSec is a set of communication rules or protocols for setting up secure connections over a network. Internet Protocol (IP) is the common standard that determines how data travels over the internet. IPSec adds encryption and authentication to make the protocol more secure. For example, it scrambles the data at its source and unscrambles it at its destination. It also authenticates the source of the data.

8. Explain OWASP WebGoat and WebScarab.

OWASP WebGoat is a deliberately insecure application that lets developers practise finding and exploiting vulnerabilities commonly found in Java-based applications built on popular open-source components.

OWASP WebScarab is a framework for evaluating HTTP/HTTPS traffic. It performs a number of tasks, including fragment analysis, observing browser and server traffic, session ID analysis, manual interception, and locating new URLs on each page browsed. It works as a proxy that intercepts web browser requests (both HTTP and HTTPS) and web server replies and lets the tester inspect and modify them.

9. What does OSI stand for?

The open systems interconnection (OSI) model is a conceptual model created by the International Organization for Standardization which enables diverse communication systems to communicate using standard protocols. In plain English, the OSI provides a standard for different computer systems to be able to communicate with each other.

10. What is bug bounty?

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

11. What is ESAPI?

ESAPI (The OWASP Enterprise Security API) is a free, open-source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

  • There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
  • There is a reference implementation for each security control. The logic is neither organization-specific nor application-specific. An example is string-based input validation.
  • Optionally, there are your own implementations for each security control. These classes may contain application logic developed by or for your organization. An example is enterprise authentication.

12. What are SAST, DAST and SCA?

SAST (Static Application Security Testing) is the automated analysis of written code (compiled or uncompiled) for security vulnerabilities.

DAST (Dynamic Application Security Testing) is interaction with your running application with the purpose of finding and managing vulnerabilities it may have.

Software Composition Analysis (SCA) is the verification of the third-party libraries, frameworks, and components used within your application; all of the code that you and your team did not write is considered by SCA tools.

13. What is system hardening?

System hardening is a process to secure a computer system or server by eliminating the risks of cyberattacks. The process involves removing or disabling system applications, user accounts, and other features that cyber attackers can infiltrate to gain access to your network. These features, sometimes known as the attack surface, often serve as the entry points for malicious cyber activities or hackers.
