Q.1. How would you explain cyber security to a newbie or beginner?
A.1. Cyber security is the set of deliberate measures taken to protect interconnected systems, meaning the hardware, software, online applications, networks and data storage behind them, from cyber attacks. In short, it is about keeping systems and data confidential, intact and available while people are actively trying to break them.
Q.2. What is a vulnerability?
A.2. A vulnerability is a weakness or flaw in a system or application that an attacker (or malware) can exploit to get in, escalate privileges or disrupt service, so it poses a real threat. Reducing that threat means applying proper security controls, including installing patches and fixes promptly as they are released: a known vulnerability left unpatched is the easiest kind for an attacker to find and use.
Q.3. What are the various attributes of security testing?
A.3. The attributes of security testing are:
Q.4. How would you explain penetration testing in as few words as possible?
A.4. Penetration testing is an authorised, simulated attack on a system or application, carried out manually or with automated tools and techniques, to find and demonstrate vulnerabilities before a real attacker does. Its output is an assessment of the system's security together with a list of issues to fix, so that the application or system is protected against the attacks that would otherwise succeed.
Q.5. Why is penetration testing important?
A.5. A security breach can cost the owner of a system a great deal. Hackers and cyber criminals are constantly looking for ways to attack the system, disrupt its workflow, steal sensitive data from its database, or leave a backdoor open for later attacks, and they keep finding new ways to do it. Regular testing for such weaknesses is therefore mandatory, and penetration testing is one of the main ways to carry it out.
Penetration testing identifies the weaknesses an attacker would use against an application or system so that they can be fixed before the organisation's data is exposed. Each vulnerability found is reported to the developers, who fix it with new patches; a retest then confirms the fix.
Q.6. How can you integrate security into the SDLC without getting in the way of project delivery?
A.6. Start in the requirements phase: capture the security expectations alongside the functional ones, so that they are planned for rather than bolted on at the end. During design and implementation, use proven tools and standard, well-reviewed cryptographic algorithms for data in transit and at rest, and involve the security team early so that vulnerability scanning and penetration testing happen before the delivery phase rather than after it. In the maintenance phase, any issue or bug found must be fixed and the patch delivered in a timely manner so that users can update. Automating the scans as part of the build is what keeps them from delaying delivery.
Q.7. What would be your approach to finding security flaws in source code: manual analysis, automated tools, or both?
A.7. As a fresher, I would first have to learn which approach is best, since that varies with the situation. During the training period, proper training will also be given on which way of finding security flaws is beneficial in which scenario. In practice the two are combined: automated tools give broad, repeatable coverage of known bug patterns, and manual review catches the logic and design flaws that tools miss.
Q.8. What is the very first thing to check when dealing with an online transaction, online banking or e-payment on any website?
A.8. That the page is served over HTTPS (Hypertext Transfer Protocol Secure, i.e. HTTP over TLS), shown by the padlock in the browser's address bar and a valid certificate for the site, so that card or banking details cannot be read or altered in transit.
Q.9. In basic terms, how can you secure your client computers against your own users?
A.9. The most basic step against a local attacker is to make sure the user cannot plug in unauthorised USB devices: disable USB storage on the system, or allow only approved devices. Beyond that, the client should be told to run an antivirus scan on any DVD, CD, USB drive or other flash media before opening it, and ordinary users should not have administrative rights on the machine.
Q.10. How would you create a secure login field, and why?
A.10. Serve the whole site over HTTPS, not only the login-form page. If the page that contains the form is delivered over plain HTTP, a man-in-the-middle can rewrite the form so that it posts somewhere else before the browser ever reaches HTTPS, so an HTTP front page with an HTTPS login form is not safe. Submit the form with POST so that the user ID and password never appear in the URL (and therefore never land in browser history, Referer headers or server logs); this is fixed on the developer's side. Mark the session cookie Secure and HttpOnly, and enable HSTS so the browser refuses plain HTTP for the site in future. The main focus is to prevent MITM attacks and password theft.
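The following is an added example, not code from the original page: a minimal WSGI login endpoint that enforces the points made in A.8 and A.10 using only the Python standard library. The host name, the demo user "alice" with password "correct horse", and the fixed salt are constructed for the example; a real store would keep one random salt per user.

```python
# Added example (not from the original page): a WSGI login endpoint that
# redirects plain HTTP to HTTPS, refuses credentials in the URL, verifies a
# PBKDF2 password hash in constant time and sets a Secure/HttpOnly session cookie.
import hashlib
import hmac
import io
import secrets
from urllib.parse import parse_qs

_SALT = b"constructed-example-salt"      # assumption: one fixed salt for the demo user
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed credential store: username -> PBKDF2 hash. Plaintext is never stored.
_USERS = {"alice": _hash_password("correct horse")}
# Compared against for unknown users so a login attempt costs the same time
# whether or not the username exists (no username enumeration by timing).
_DUMMY = _hash_password(secrets.token_hex(16))


def verify_password(username: str, password: str) -> bool:
    stored = _USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password), stored)
    return ok and username in _USERS


LOGIN_FORM = (b"<form method='post' action='/login'>"
              b"<input name='username'><input name='password' type='password'>"
              b"<button>Log in</button></form>")
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def login_app(environ, start_response):
    """WSGI app: HTTPS for every page, credentials only in a POST body, HSTS on every
    HTTPS response, session cookie marked Secure, HttpOnly and SameSite=Strict."""
    host = environ.get("HTTP_HOST", "example.test")
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if environ.get("wsgi.url_scheme") != "https":
        # An HTTP front page whose form posts to HTTPS is still vulnerable: a MITM
        # can rewrite the form before it is submitted. So redirect everything.
        start_response("301 Moved Permanently", [("Location", f"https://{host}{path}")])
        return [b""]

    if path == "/login" and method == "GET":
        if "password" in parse_qs(environ.get("QUERY_STRING", "")):
            # Credentials in the query string would end up in logs, history and Referer.
            start_response("400 Bad Request", [("Content-Type", "text/plain"), HSTS])
            return [b"send credentials in a POST body"]
        start_response("200 OK", [("Content-Type", "text/html"), HSTS])
        return [LOGIN_FORM]

    if path == "/login" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if verify_password(user, password):
            cookie = (f"session={secrets.token_urlsafe(32)}; "
                      "Secure; HttpOnly; SameSite=Strict; Path=/")
            start_response("303 See Other",
                           [("Location", "/account"), ("Set-Cookie", cookie), HSTS])
            return [b""]
        start_response("401 Unauthorized", [("Content-Type", "text/plain"), HSTS])
        return [b"invalid credentials"]

    start_response("404 Not Found", [("Content-Type", "text/plain"), HSTS])
    return [b"not found"]


def request(method, path, scheme="https", query="", body=""):
    """Drive the app without a server: build a WSGI environ and capture the response."""
    data = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "wsgi.url_scheme": scheme, "HTTP_HOST": "bank.example",
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body_out = b"".join(login_app(environ, start_response))
    return captured["status"], captured["headers"], body_out


if __name__ == "__main__":
    print(request("GET", "/login", scheme="http"))
    print(request("POST", "/login", body="username=alice&password=correct%20horse"))
```

The `request` helper is only there to exercise the app offline; under a real server the same `login_app` is what the WSGI container calls. The PBKDF2 iteration count and the fixed salt are example values, not a recommendation for production.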
Q.11. What is a software security misconfiguration?
A.11. A security misconfiguration is a vulnerability that comes not from a coding bug but from the way an application, framework or underlying platform is installed and configured, leaving it open to attacks that misuse its information or functionality. The simplest example is keeping the default username and password, as is common on modems and other networking devices; others are leaving debug mode, directory listing or unneeded management services enabled.
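The following is an added example, not from the original page: it parses a constructed router-style configuration in "key = value" form, flags each misconfiguration of the kind described above (default credentials, cleartext and remote management, weak Wi-Fi protection, updates turned off), and produces a hardened copy. The setting names, the sample values and the default-credential list are assumptions made for the example, not any vendor's real defaults.

```python
# Added example (not from the original page): find and fix security
# misconfigurations in a constructed, router-style "key = value" config.
import secrets

# Illustrative factory defaults; a real audit would use a vendor-specific list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
WEAK_WIFI = {"none", "wep", "wpa"}      # only WPA2 or WPA3 is acceptable

# Constructed sample input: the factory settings of a hypothetical home router.
CONSTRUCTED_CONFIG = """
# factory settings
admin_user = admin
admin_password = admin
remote_admin = enabled
telnet = enabled
upnp = enabled
wps = enabled
wifi_security = wep
firmware_auto_update = disabled
"""


def parse_config(text: str) -> dict:
    """Flat 'key = value' parser; blank lines and '#' comments are ignored."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        config[key.strip().lower()] = value.strip().lower()
    return config


def find_misconfigurations(config: dict) -> list:
    """Return one human-readable finding per weak setting."""
    findings = []
    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("default administrative credentials")
    if config.get("remote_admin") == "enabled":
        findings.append("management interface reachable from the WAN")
    if config.get("telnet") == "enabled":
        findings.append("telnet enabled: credentials travel in cleartext")
    if config.get("upnp") == "enabled":
        findings.append("UPnP enabled: LAN devices can open inbound ports unauthenticated")
    if config.get("wps") == "enabled":
        findings.append("WPS enabled: the PIN is brute-forceable")
    if config.get("wifi_security", "none") in WEAK_WIFI:
        findings.append("Wi-Fi protection weaker than WPA2")
    if config.get("firmware_auto_update") != "enabled":
        findings.append("automatic firmware updates off: known vulnerabilities stay unpatched")
    return findings


def harden(config: dict) -> dict:
    """Corrected copy: secure settings, plus a freshly generated admin password
    whenever the current pair is a known default."""
    fixed = dict(config)
    fixed.update({"remote_admin": "disabled", "telnet": "disabled", "upnp": "disabled",
                  "wps": "disabled", "wifi_security": "wpa2", "firmware_auto_update": "enabled"})
    if (fixed.get("admin_user", ""), fixed.get("admin_password", "")) in DEFAULT_CREDENTIALS:
        fixed["admin_password"] = secrets.token_urlsafe(18)
    return fixed


def render(config: dict) -> str:
    return "\n".join(f"{key} = {value}" for key, value in config.items())


if __name__ == "__main__":
    weak = parse_config(CONSTRUCTED_CONFIG)
    for finding in find_misconfigurations(weak):
        print("FINDING:", finding)
    print(render(harden(weak)))
```

The weak and hardened configurations differ only in the flagged keys, which is the point: none of these are code defects, they are installation choices, and the fix is a configuration change rather than a patch.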
Q.12. What is security testing?
A.12. Security testing is the process of revealing and finding flaws in the security architecture of software or a system, so that data stays protected and the system keeps its intended functionality under attack. In this phase the tester takes the role of an attacker (as a penetration tester) to find vulnerabilities and bugs, and reports them to the development team to fix.
Q.13. What is ISO 17799?
A.13. ISO/IEC 17799 is an international standard that publishes a code of practice for information security management (ISM). It originated in the UK as British Standard BS 7799 and has since been renumbered ISO/IEC 27002. Its guidelines are intended for private, corporate and public organisations of any size, and cover information security and security management practices.
Q.14. List some of the factors that cause vulnerabilities in applications and systems.
A.14. Common factors are:
i) Weak passwords
ii) Overly complex software architecture
iii) Human error
iv) Carelessness when fixing bugs and releasing patches
v) Leakage of confidential source code
vi) Poor management of data
vii) Poor system design, which leaves loopholes
Q.15. What are the different methodologies of software testing from a security perspective?
A.15. The three methodologies of software testing from a security perspective are:
- White box security testing: the pen-tester or security analyst is given full information, including source code, architecture and the algorithms in use. Such testers are mostly full-time employees of the organisation with both development and security skills.
- Black box security testing: no additional information is provided to the pen-tester, who attacks the running application (for example a beta build) without access to its source code. These testers may be part-time or full-time; bug bounty hunters are essentially black box testers.
- Grey box security testing: the tester gets partial information about the system or application (for example user credentials or architecture documents, but no source code), finds out the rest on their own, and tries to penetrate it.