Application Security - Interview preparation guide

1. What is application security?

Application security refers to the measures and practices implemented to protect applications from security threats throughout their development lifecycle and runtime. It involves identifying, fixing, and preventing security vulnerabilities in applications through secure coding practices, testing, and monitoring.

2. What are the OWASP Top 10?

The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. The current top 10 includes:

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)

3. What is SQL Injection and how can it be prevented?

SQL injection is a code injection technique where malicious SQL statements are inserted into application entry points. Prevention methods include:

• Using parameterized queries/prepared statements
• Input validation and sanitization
• Implementing least privilege database access
• Using stored procedures (when properly implemented)
• Regular security testing and code reviews

4. Explain Cross-Site Scripting (XSS) and its types.

XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Types include:

• Stored XSS: Malicious script stored on server and executed when users access affected pages
• Reflected XSS: Script reflected off web server in error messages or search results
• DOM-based XSS: Vulnerability exists in client-side code rather than server-side

Prevention includes input validation, output encoding, Content Security Policy (CSP), and using secure frameworks.

5. What is CSRF and how do you prevent it?

Cross-Site Request Forgery (CSRF) is an attack that forces users to execute unwanted actions on applications where they're authenticated. Prevention methods:

• CSRF tokens (synchronizer tokens)
• SameSite cookie attribute
• Checking the Origin/Referer headers
• Re-authentication for sensitive operations
• Custom headers for AJAX requests

Intermediate Level Questions

6. Explain the concept of threat modeling.

Threat modeling is a structured process to identify, analyze, and mitigate potential security threats in an application. Common methodologies include:

• STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
• PASTA: Process for Attack Simulation and Threat Analysis
• VAST: Visual, Agile, and Simple Threat modeling

The process typically involves creating system diagrams, identifying assets, analyzing threats, and implementing appropriate controls.

7. What is the difference between authentication and authorization?

• Authentication: Verifies the identity of a user (who you are) - examples include passwords, biometrics, tokens
• Authorization: Determines what an authenticated user is allowed to do (what you can access) - implemented through role-based access control (RBAC), attribute-based access control (ABAC), etc.

8. Describe secure session management practices.

Secure session management includes:

• Generate strong, random session IDs
• Use secure transmission (HTTPS only)
• Set appropriate session timeouts
• Implement proper session invalidation
• Use secure cookie attributes (HttpOnly, Secure, SameSite)
• Regenerate session IDs after authentication
• Store minimal data in sessions
• Implement concurrent session control

9. What are security headers and name some important ones?

Security headers are HTTP response headers that enhance application security. Important ones include:

• Content-Security-Policy (CSP): Prevents XSS attacks
• X-Frame-Options: Prevents clickjacking
• X-Content-Type-Options: Prevents MIME sniffing
• Strict-Transport-Security (HSTS): Enforces HTTPS
• X-XSS-Protection: Legacy XSS protection
• Referrer-Policy: Controls referrer information
• Permissions-Policy: Controls browser features

10. Explain the principle of least privilege.

The principle of least privilege means granting users, applications, and systems the minimum level of access rights necessary to perform their functions. This includes:

• User account privileges
• Database access permissions
• File system permissions
• Network access controls
• API access rights Implementation reduces attack surface and limits potential damage from compromised accounts.

Advanced Level Questions

11. Describe a comprehensive secure SDLC process.

A secure Software Development Life Cycle (SDLC) integrates security throughout development phases:

Planning: Security requirements gathering, threat modeling Design: Security architecture review, secure design patterns Implementation: Secure coding practices, static analysis Testing: Dynamic testing, penetration testing, security scanning Deployment: Security configuration, vulnerability assessment Maintenance: Security monitoring, patch management, incident response

Key practices include security training, code reviews, automated security testing, and continuous monitoring.

12. How would you implement secure API authentication and authorization?

Secure API implementation involves:

Authentication:

• OAuth 2.0/OpenID Connect for third-party access
• JWT tokens with proper validation
• API keys for service-to-service communication
• Mutual TLS for high-security scenarios

Authorization:

• Implement proper scope validation
• Use fine-grained permissions
• Rate limiting and throttling
• API versioning and deprecation strategies

Additional Security:

• Input validation and sanitization
• Proper error handling (avoid information disclosure)
• Logging and monitoring
• CORS configuration

13. Explain different types of cryptographic attacks and countermeasures.

Common cryptographic attacks include:

Brute Force: Try all possible keys

• Countermeasure: Use sufficiently long keys, account lockouts

Dictionary Attacks: Use common passwords/keys

• Countermeasure: Strong password policies, salted hashes

Rainbow Table Attacks: Pre-computed hash lookups

• Countermeasure: Use salts, key stretching (bcrypt, PBKDF2)

Side-Channel Attacks: Exploit implementation weaknesses

• Countermeasure: Constant-time algorithms, proper implementation

Man-in-the-Middle: Intercept communications

• Countermeasure: Certificate pinning, proper TLS implementation

14. How do you handle security in microservices architecture?

Microservices security considerations:

Service-to-Service Communication:

• Mutual TLS (mTLS) for encryption and authentication
• Service mesh for security policy enforcement
• API gateways for centralized security controls

Identity and Access Management:

• Centralized identity provider
• Token-based authentication (JWT)
• Service identity and RBAC

Network Security:

• Network segmentation
• Zero-trust architecture
• Traffic encryption

Monitoring and Logging:

• Distributed tracing
• Centralized logging
• Security event correlation

15. Describe how you would conduct a security code review.

Comprehensive security code review process:

Preparation:

• Understand application architecture and data flow
• Review threat model and security requirements
• Use automated static analysis tools (SAST)

Manual Review Focus Areas:

• Input validation and sanitization
• Authentication and authorization logic
• Cryptographic implementations
• Error handling and logging
• Third-party library usage
• Configuration management

Review Process:

• Line-by-line critical path analysis
• Data flow analysis
• Control flow analysis
• Configuration review

Documentation:

• Document findings with severity ratings
• Provide remediation guidance
• Track remediation efforts

Scenario-Based Questions

16. You discover a SQL injection vulnerability in production. Walk me through your response process.

Immediate Response:

1. Assess the severity and potential impact
2. Document the vulnerability details
3. Implement temporary mitigation (WAF rules, input filtering)
4. Notify relevant stakeholders

Investigation:

1. Determine scope of affected systems
2. Check logs for signs of exploitation
3. Assess data exposure risk

Remediation:

1. Develop and test the fix (parameterized queries)
2. Deploy fix through proper change management
3. Verify fix effectiveness
4. Update security tests to prevent regression

Post-Incident:

1. Conduct root cause analysis
2. Update security policies/procedures
3. Provide developer training
4. Consider external security assessment

17. How would you design security for a new web application handling sensitive financial data?

Architecture Security:

• Multi-tier architecture with DMZ
• Database encryption at rest and in transit
• Secure communication protocols (TLS 1.3)
• Network segmentation and firewalls

Application Security:

• Strong authentication (MFA mandatory)
• Role-based access control
• Session management with short timeouts
• Input validation and output encoding
• Secure error handling

Data Protection:

• Field-level encryption for sensitive data
• Tokenization for payment data
• Secure key management (HSM/KMS)
• Data loss prevention (DLP)

Compliance:

• PCI DSS compliance for payment data
• SOC 2 Type II auditing
• Regular penetration testing
• Vulnerability management program

Monitoring:

• Real-time fraud detection
• Security event monitoring (SIEM)
• Audit logging for all transactions
• Incident response procedures

18. A developer wants to use a new third-party library. What security considerations would you evaluate?

Library Assessment:

• Known vulnerabilities (CVE database check)
• Maintenance status and update frequency
• Community reputation and adoption
• License compatibility
• Source code availability

Security Analysis:

• Static analysis of library code
• Dependency analysis (transitive dependencies)
• Permission and access requirements
• Integration security implications

Risk Management:

• Document security risks and mitigations
• Establish monitoring for new vulnerabilities
• Plan for library updates and patches
• Consider alternatives if risks are high

Implementation Security:

• Principle of least privilege for library access
• Input validation for library interactions
• Secure configuration
• Regular security updates

Industry-Specific Questions

19. What are the key security considerations for cloud-native applications?

Infrastructure Security:

• Identity and Access Management (IAM)
• Network security groups and policies
• Encryption in transit and at rest
• Secure container configurations

Application Security:

• Secure secrets management
• API security and rate limiting
• Container image scanning
• Runtime protection

DevSecOps Integration:

• Security in CI/CD pipelines
• Infrastructure as Code (IaC) security
• Automated security testing
• Compliance as Code

Monitoring and Compliance:

• Cloud security posture management
• Compliance monitoring
• Threat detection and response
• Security audit trails

20. How do you ensure security in DevOps/CI-CD pipelines?

Pipeline Security:

• Secure code repository management
• Branch protection and code review requirements
• Secrets management (no hardcoded credentials)
• Secure build environments

Automated Security Testing:

• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Dependency scanning
• Container image scanning
• Infrastructure scanning

Deployment Security:

• Immutable infrastructure
• Environment-specific configurations
• Automated security baselines
• Rollback capabilities

Monitoring and Response:

• Runtime security monitoring
• Automated incident response
• Security metrics and reporting
• Continuous compliance validation

Emerging Technologies

21. What are the security implications of AI/ML in applications?

AI/ML Security Risks:

• Model poisoning attacks
• Adversarial examples
• Data privacy and leakage
• Model theft and reverse engineering
• Bias and fairness issues

Security Measures:

• Secure model training pipelines
• Input validation and sanitization
• Model versioning and integrity
• Differential privacy techniques
• Regular model auditing and testing

Integration Security:

• Secure API design for ML services
• Access control for model endpoints
• Monitoring for anomalous behavior
• Secure model deployment practices

22. How would you approach security for IoT applications?

Device Security:

• Secure boot and firmware updates
• Strong device authentication
• Encrypted communication protocols
• Hardware security modules

Network Security:

• Network segmentation
• VPN or secure tunneling
• Certificate management
• Intrusion detection systems

Application Security:

• Secure data collection and processing
• Privacy-preserving analytics
• Secure device management
• Regular security updates

Compliance:

• Data protection regulations
• Industry-specific standards
• Security certification requirements
• Audit and documentation

Tips for Interview Preparation

1. Stay Current: Keep up with latest security trends and vulnerabilities
2. Hands-on Experience: Practice with security tools and frameworks
3. Understand Business Context: Connect security measures to business value
4. Communication Skills: Explain technical concepts clearly to non-technical stakeholders
5. Continuous Learning: Security is constantly evolving - demonstrate commitment to learning