In this article, we are going to look at the most common questions asked in an Application Security interview. These questions will help you prepare for and crack your Application Security interview.
What do they ask in Application Security Interview
The interviewers can of course ask you anything, but most questions come from the security field: web security, tools, which commands to use and when to use them, and some networking concepts. They expect you to have a good understanding of the common vulnerability classes, such as the OWASP Top 10, and some programming background will help too.
The questions listed below are the technical questions that may be asked in an interview.
Let’s start the questions list.
Interview Questions
Q1. What do you mean by “Vulnerability”?
Ans. A vulnerability is a hole or flaw in a system that can provide a potential angle from which to attack the system.
Q2. What do you know about OWASP? What is it famous for?
Ans. OWASP, the Open Web Application Security Project, is an organization that works on improving the security of software. It is famous for its Top 10 documentation, which lists the most critical web application security risks.
Q3. Can you tell me something about OSI model?
Ans. The OSI model is a framework that defines the functions of a basic networking system. There are seven layers in total.
# | Layer | Protocol |
---|---|---|
1 | Physical | Ethernet, 802.11 a/b/g/n |
2 | Data Link | Ethernet, 802.11 a/b/g/n |
3 | Network | IP, ICMP, IGMP, OSPF, RIP, IPsec |
4 | Transport | TCP, UDP |
5 | Session | Sockets, SOCKS, RPC, NetBIOS, Named pipes |
6 | Presentation | SSL, TLS, MIME |
7 | Application | HTTP, WebSockets |
Q5. What is a CSRF attack?
Ans. Cross-Site Request Forgery, also known as CSRF, XSRF, Sea Surf or the one-click attack, is another common web application vulnerability. It tricks the user’s web browser into doing things the user did not intend to do.
The attacker tricks the victim’s browser into sending requests to a website where the victim is logged in, so that the site performs actions on the user’s behalf. It is a type of malicious exploit in which unauthorized commands are submitted from a user that the web application trusts.
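As an added example (not code from the original article), here is a minimal "change e-mail" handler in two versions: the first accepts any POST that arrives with the victim's session cookie, which is exactly the CSRF condition; the second requires a synchronizer token and rejects cross-origin requests. The `Request` class is a constructed stand-in for a framework request object.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request object (example only)."""
    method: str
    session: dict                   # server-side session of the logged-in user
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def change_email_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone. A cross-site POST that the browser
    sends with the victim's cookie succeeds: this is the CSRF condition."""
    if req.method == "POST" and req.session.get("user"):
        req.session["email"] = req.form["email"]
        return "200 updated"
    return "403 forbidden"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: random, kept server-side, embedded in the form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def change_email_hardened(req: Request, site_origin: str) -> str:
    """Requires a token an attacker's page cannot read, and rejects POSTs
    whose Origin header names a different site."""
    if req.method != "POST" or not req.session.get("user"):
        return "403 forbidden"
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return "403 cross-origin request rejected"
    expected = req.session.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare; an empty expected token means none was issued.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid CSRF token"
    req.session["email"] = req.form["email"]
    return "200 updated"
```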
Q6. What do you mean by SSL handshake?
Ans. SSL/TLS is a network protocol. The SSL handshake is nothing but a conversation between the client and the server. The conversation goes like this:
- The client sends a “hello” to the server.
- The server says “hello” back, agreeing on the cipher suite and the SSL/TLS version.
- After that, the server presents its certificate and public key to the client.
- After checking the certificate, the client creates a pre-master key, encrypts it with the server’s public key and sends it to the server.
- If the server can decrypt the message with its private key, a secure encrypted connection is established between them.
- From now on, the master key is used for encryption and decryption.
Q7. What are SPF, DKIM and DMARC?
Ans. SPF is the Sender Policy Framework. It is designed for email authentication, to prevent email spoofing: it checks whether an email was sent from an IP address authorized for the sending domain. An SPF record lists the IP addresses that are allowed to send email for a domain.
DKIM is DomainKeys Identified Mail. It is also designed to help protect email senders against spoofing, spam and phishing. DKIM uses public-key cryptography to sign the email with a private key as it leaves the sender’s server.
DMARC is Domain-based Message Authentication, Reporting and Conformance. DMARC records are also designed to protect a domain’s email from spoofing, spam and phishing. DMARC builds on the SPF and DKIM standards for the email authentication checks, and uses DNS to publish a policy stating how email from the domain should be handled.
Q8. What is an IDS? Name some of its types.
Ans. IDS stands for Intrusion Detection System. It can be a device or a software application designed to monitor a network for malicious activity or security policy violations. An IDS raises an alert whenever potentially malicious activity is spotted in the network. In short, an IDS is hardware or software used to identify threats and risks and help mitigate them.
There are five types of IDS:
- Network Intrusion Detection System (NIDS)
- Host Intrusion Detection System (HIDS)
- Protocol-Based Intrusion Detection System (PIDS)
- Application Protocol-Based Intrusion Detection System (APIDS)
- Hybrid Intrusion Detection System
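As an added example (not from the original article) of the kind of detection logic a network IDS runs, the following scans a constructed firewall-style connection log and raises an alert when one source contacts many distinct ports on one host within a short window, which is the classic port-scan signature. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log for the example (not real traffic).
LOG_LINES = """\
2024-01-15T10:00:01 src=203.0.113.5 dst=10.0.0.8 dport=22 proto=tcp
2024-01-15T10:00:01 src=203.0.113.5 dst=10.0.0.8 dport=23 proto=tcp
2024-01-15T10:00:02 src=203.0.113.5 dst=10.0.0.8 dport=25 proto=tcp
2024-01-15T10:00:02 src=203.0.113.5 dst=10.0.0.8 dport=80 proto=tcp
2024-01-15T10:00:03 src=203.0.113.5 dst=10.0.0.8 dport=443 proto=tcp
2024-01-15T10:00:03 src=203.0.113.5 dst=10.0.0.8 dport=3306 proto=tcp
2024-01-15T10:00:05 src=198.51.100.9 dst=10.0.0.8 dport=443 proto=tcp
2024-01-15T10:05:00 src=198.51.100.9 dst=10.0.0.8 dport=443 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with typed ts and dport."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(log: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> list:
    """Alert when one source contacts at least `threshold` distinct ports on
    one destination within `window`; at most one alert per (src, dst) pair."""
    events = sorted((parse_line(l) for l in log.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):           # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                               "first_seen": evs[start]["ts"].isoformat()})
                break
    return alerts
```

A real NIDS such as Snort or Suricata expresses this as a rule with stateful counters; the sliding-window logic above is the same idea reduced to its core.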
Q9. What do you understand by SSH?
Ans. SSH is Secure Shell. It is used for secure remote login from one computer to another. SSH protects the confidentiality and integrity of the communication with strong encryption. SSH uses symmetric encryption, asymmetric encryption and hashing to secure the transmitted information.
Q10. What are the three classes of intruders?
Ans. The three classes of intruders are:
- Masquerader – An unauthorized user who penetrates the system using a legitimate user’s account (an outsider).
- Misfeasor – A legitimate user who misuses their privileges to gain unauthorized access (an insider).
- Clandestine user – Can be an outsider or an insider: an individual who seizes control of the system by bypassing its security mechanisms.
Conclusion
These are some good questions to prepare for an Application Security interview. Of course there are many more, but most of them test your understanding of the concepts, and you will know how to answer them if your concepts are clear. That’s it for this list. Best of luck with your next interview.