Application Security - Interview preparation guide
1. What is application security?
Application security refers to the measures and practices implemented to protect applications from security threats throughout their development lifecycle and runtime. It involves identifying, fixing, and preventing security vulnerabilities in applications through secure coding practices, testing, and monitoring.
2. What are the OWASP Top 10?
The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. The current top 10 includes:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
3. What is SQL Injection and how can it be prevented?
SQL injection is a code injection technique where malicious SQL statements are inserted into application entry points. Prevention methods include:
- Using parameterized queries/prepared statements
- Input validation and sanitization
- Implementing least privilege database access
- Using stored procedures (when properly implemented)
- Regular security testing and code reviews
4. Explain Cross-Site Scripting (XSS) and its types.
XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Types include:
- Stored XSS: Malicious script stored on server and executed when users access affected pages
- Reflected XSS: Script reflected off web server in error messages or search results
- DOM-based XSS: Vulnerability exists in client-side code rather than server-side
Prevention includes input validation, output encoding, Content Security Policy (CSP), and using secure frameworks.
5. What is CSRF and how do you prevent it?
Cross-Site Request Forgery (CSRF) is an attack that forces users to execute unwanted actions on applications where they're authenticated. Prevention methods:
- CSRF tokens (synchronizer tokens)
- SameSite cookie attribute
- Checking the Origin/Referer headers
- Re-authentication for sensitive operations
- Custom headers for AJAX requests
Intermediate Level Questions
6. Explain the concept of threat modeling.
Threat modeling is a structured process to identify, analyze, and mitigate potential security threats in an application. Common methodologies include:
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
- PASTA: Process for Attack Simulation and Threat Analysis
- VAST: Visual, Agile, and Simple Threat modeling
The process typically involves creating system diagrams, identifying assets, analyzing threats, and implementing appropriate controls.
7. What is the difference between authentication and authorization?
- Authentication: Verifies the identity of a user (who you are) - examples include passwords, biometrics, tokens
- Authorization: Determines what an authenticated user is allowed to do (what you can access) - implemented through role-based access control (RBAC), attribute-based access control (ABAC), etc.
8. Describe secure session management practices.
Secure session management includes:
- Generate strong, random session IDs
- Use secure transmission (HTTPS only)
- Set appropriate session timeouts
- Implement proper session invalidation
- Use secure cookie attributes (HttpOnly, Secure, SameSite)
- Regenerate session IDs after authentication
- Store minimal data in sessions
- Implement concurrent session control
9. What are security headers and name some important ones?
Security headers are HTTP response headers that enhance application security. Important ones include:
- Content-Security-Policy (CSP): Prevents XSS attacks
- X-Frame-Options: Prevents clickjacking
- X-Content-Type-Options: Prevents MIME sniffing
- Strict-Transport-Security (HSTS): Enforces HTTPS
- X-XSS-Protection: Legacy XSS protection
- Referrer-Policy: Controls referrer information
- Permissions-Policy: Controls browser features
10. Explain the principle of least privilege.
The principle of least privilege means granting users, applications, and systems the minimum level of access rights necessary to perform their functions. This includes:
- User account privileges
- Database access permissions
- File system permissions
- Network access controls
- API access rights Implementation reduces attack surface and limits potential damage from compromised accounts.
Advanced Level Questions
11. Describe a comprehensive secure SDLC process.
A secure Software Development Life Cycle (SDLC) integrates security throughout development phases:
Planning: Security requirements gathering, threat modeling Design: Security architecture review, secure design patterns Implementation: Secure coding practices, static analysis Testing: Dynamic testing, penetration testing, security scanning Deployment: Security configuration, vulnerability assessment Maintenance: Security monitoring, patch management, incident response
Key practices include security training, code reviews, automated security testing, and continuous monitoring.
12. How would you implement secure API authentication and authorization?
Secure API implementation involves:
Authentication:
- OAuth 2.0/OpenID Connect for third-party access
- JWT tokens with proper validation
- API keys for service-to-service communication
- Mutual TLS for high-security scenarios
Authorization:
- Implement proper scope validation
- Use fine-grained permissions
- Rate limiting and throttling
- API versioning and deprecation strategies
Additional Security:
- Input validation and sanitization
- Proper error handling (avoid information disclosure)
- Logging and monitoring
- CORS configuration
13. Explain different types of cryptographic attacks and countermeasures.
Common cryptographic attacks include:
Brute Force: Try all possible keys
- Countermeasure: Use sufficiently long keys, account lockouts
Dictionary Attacks: Use common passwords/keys
- Countermeasure: Strong password policies, salted hashes
Rainbow Table Attacks: Pre-computed hash lookups
- Countermeasure: Use salts, key stretching (bcrypt, PBKDF2)
Side-Channel Attacks: Exploit implementation weaknesses
- Countermeasure: Constant-time algorithms, proper implementation
Man-in-the-Middle: Intercept communications
- Countermeasure: Certificate pinning, proper TLS implementation
14. How do you handle security in microservices architecture?
Microservices security considerations:
Service-to-Service Communication:
- Mutual TLS (mTLS) for encryption and authentication
- Service mesh for security policy enforcement
- API gateways for centralized security controls
Identity and Access Management:
- Centralized identity provider
- Token-based authentication (JWT)
- Service identity and RBAC
Network Security:
- Network segmentation
- Zero-trust architecture
- Traffic encryption
Monitoring and Logging:
- Distributed tracing
- Centralized logging
- Security event correlation
15. Describe how you would conduct a security code review.
Comprehensive security code review process:
Preparation:
- Understand application architecture and data flow
- Review threat model and security requirements
- Use automated static analysis tools (SAST)
Manual Review Focus Areas:
- Input validation and sanitization
- Authentication and authorization logic
- Cryptographic implementations
- Error handling and logging
- Third-party library usage
- Configuration management
Review Process:
- Line-by-line critical path analysis
- Data flow analysis
- Control flow analysis
- Configuration review
Documentation:
- Document findings with severity ratings
- Provide remediation guidance
- Track remediation efforts
Scenario-Based Questions
16. You discover a SQL injection vulnerability in production. Walk me through your response process.
Immediate Response:
- Assess the severity and potential impact
- Document the vulnerability details
- Implement temporary mitigation (WAF rules, input filtering)
- Notify relevant stakeholders
Investigation:
- Determine scope of affected systems
- Check logs for signs of exploitation
- Assess data exposure risk
Remediation:
- Develop and test the fix (parameterized queries)
- Deploy fix through proper change management
- Verify fix effectiveness
- Update security tests to prevent regression
Post-Incident:
- Conduct root cause analysis
- Update security policies/procedures
- Provide developer training
- Consider external security assessment
17. How would you design security for a new web application handling sensitive financial data?
Architecture Security:
- Multi-tier architecture with DMZ
- Database encryption at rest and in transit
- Secure communication protocols (TLS 1.3)
- Network segmentation and firewalls
Application Security:
- Strong authentication (MFA mandatory)
- Role-based access control
- Session management with short timeouts
- Input validation and output encoding
- Secure error handling
Data Protection:
- Field-level encryption for sensitive data
- Tokenization for payment data
- Secure key management (HSM/KMS)
- Data loss prevention (DLP)
Compliance:
- PCI DSS compliance for payment data
- SOC 2 Type II auditing
- Regular penetration testing
- Vulnerability management program
Monitoring:
- Real-time fraud detection
- Security event monitoring (SIEM)
- Audit logging for all transactions
- Incident response procedures
18. A developer wants to use a new third-party library. What security considerations would you evaluate?
Library Assessment:
- Known vulnerabilities (CVE database check)
- Maintenance status and update frequency
- Community reputation and adoption
- License compatibility
- Source code availability
Security Analysis:
- Static analysis of library code
- Dependency analysis (transitive dependencies)
- Permission and access requirements
- Integration security implications
Risk Management:
- Document security risks and mitigations
- Establish monitoring for new vulnerabilities
- Plan for library updates and patches
- Consider alternatives if risks are high
Implementation Security:
- Principle of least privilege for library access
- Input validation for library interactions
- Secure configuration
- Regular security updates
Industry-Specific Questions
19. What are the key security considerations for cloud-native applications?
Infrastructure Security:
- Identity and Access Management (IAM)
- Network security groups and policies
- Encryption in transit and at rest
- Secure container configurations
Application Security:
- Secure secrets management
- API security and rate limiting
- Container image scanning
- Runtime protection
DevSecOps Integration:
- Security in CI/CD pipelines
- Infrastructure as Code (IaC) security
- Automated security testing
- Compliance as Code
Monitoring and Compliance:
- Cloud security posture management
- Compliance monitoring
- Threat detection and response
- Security audit trails
20. How do you ensure security in DevOps/CI-CD pipelines?
Pipeline Security:
- Secure code repository management
- Branch protection and code review requirements
- Secrets management (no hardcoded credentials)
- Secure build environments
Automated Security Testing:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Dependency scanning
- Container image scanning
- Infrastructure scanning
Deployment Security:
- Immutable infrastructure
- Environment-specific configurations
- Automated security baselines
- Rollback capabilities
Monitoring and Response:
- Runtime security monitoring
- Automated incident response
- Security metrics and reporting
- Continuous compliance validation
Emerging Technologies
21. What are the security implications of AI/ML in applications?
AI/ML Security Risks:
- Model poisoning attacks
- Adversarial examples
- Data privacy and leakage
- Model theft and reverse engineering
- Bias and fairness issues
Security Measures:
- Secure model training pipelines
- Input validation and sanitization
- Model versioning and integrity
- Differential privacy techniques
- Regular model auditing and testing
Integration Security:
- Secure API design for ML services
- Access control for model endpoints
- Monitoring for anomalous behavior
- Secure model deployment practices
22. How would you approach security for IoT applications?
Device Security:
- Secure boot and firmware updates
- Strong device authentication
- Encrypted communication protocols
- Hardware security modules
Network Security:
- Network segmentation
- VPN or secure tunneling
- Certificate management
- Intrusion detection systems
Application Security:
- Secure data collection and processing
- Privacy-preserving analytics
- Secure device management
- Regular security updates
Compliance:
- Data protection regulations
- Industry-specific standards
- Security certification requirements
- Audit and documentation
Tips for Interview Preparation
- Stay Current: Keep up with latest security trends and vulnerabilities
- Hands-on Experience: Practice with security tools and frameworks
- Understand Business Context: Connect security measures to business value
- Communication Skills: Explain technical concepts clearly to non-technical stakeholders
- Continuous Learning: Security is constantly evolving - demonstrate commitment to learning