Software Security Testing Interview Questions



Software Security Testing - WEB Security Testing Interview Questions
  1. What types of security testing have you performed?
  2. What types of web security testing problems do you know?
  3. Please classify vulnerabilities that you know.
  4. What are two common techniques used to protect a password file?
  5. What is integer overflow?
  6. What is your understanding of root causes of vulnerabilities?
  7. What is ISO 17799?
  8. Can you describe security defect prevention?
  9. List and briefly define three classes of intruders.
  10. What are three benefits that can be provided by an intrusion detection system?
  11. What services are provided by the SSL Record Protocol?
  12. Why do we need to validate user input for length and characters?
  13. Why do we need to keep track of individual users and their authentication?
  14. What is runtime inspection?
  15. Describe, with examples, fuzzer and sniffer tools.
  16. Define buffer overflows.
  17. What are format string vulnerabilities?
  18. What is SQL injection?
  19. Provide example of command injection.
  20. Provide example of broken access control.
  21. List and briefly define the parameters that define an SSL session state.
  22. List and briefly define the parameters that define an SSL session connection.
  23. Why do we need port scanning?
  24. How do you use an interactive proxy and a set of fuzz strings to manually test the application's handling of data?
  25. What is cookie gathering?
  26. What is a honeypot?
  27. What is a phishing attack?
  28. What is a dual signature and what is its purpose?
  29. How can you ensure that all input fields are properly validated to prevent code injection attacks?
  30. What tools can you use to validate the strength of SID (session ID)?
  31. What is file enumeration?
  32. What steps are involved in the SSL Record Protocol transmission?
  33. What are hidden fields in HTTP?
  34. What protocols comprise SSL?
  35. How would you implement (create) a custom fuzz utility and test it against your application?
  36. Describe SOAP and WSDL.
  37. List and briefly define the principal categories of SET participants.
  38. How to test a scriptable ActiveX object?
  39. What is the difference between statistical anomaly detection and rule-based intrusion detection?
  40. What metrics are useful for profile-based intrusion detection?
  41. What is the difference between rule-based anomaly detection and rule-based penetration identification?
  42. What is a salt in the context of UNIX password management?
  43. List and briefly define four techniques used to avoid guessable passwords.
  44. What is the difference between an SSL connection and an SSL session?
  45. List and briefly define acronyms and abbreviations related to software security.
    Answer:
    IPsec - Internet Protocol Security is a suite of protocols for securing Internet
    OSI - Open Systems Interconnection
    ISDN - Integrated Services Digital Network
    GOSIP - Government Open Systems Interconnection Profile
    FTP - File Transfer Protocol
    DBA - Dynamic Bandwidth Allocation
    DDS - Digital Data System
    DES - Data Encryption Standard
    CHAP - Challenge Handshake Authentication Protocol
    BONDING - Bandwidth On Demand Interoperability Group
    SSH - Secure Shell
    COPS - Common Open Policy Service
    ISAKMP - Internet Security Association and Key Management Protocol
    USM - User-based Security Model
    TLS - Transport Layer Security
  46. Write an example of misusing strcpy() in C and C++ in such a way that a buffer overflow condition exists as a bug.



Some questions with answers for self-review.
  1. Question: Describe a sample of attack patterns.
     Answer: Verify access control; verify that the audit log is protected.
  2. Question: What C language implementation security flaws do you know?
     Answer: C has no safe native string type; buffer overruns can overwrite function return addresses on the stack.
  3. Question: What is SQL injection?
     Answer: A technique that allows an attacker to run their own queries against the SQL database.
  4. Question: Define the main steps of the threat-modelling process.
     Answer: Identify threat paths -> identify threats -> identify vulnerabilities -> prioritize the vulnerabilities.
  5. Question: What is the critical number of characters for input?
     Answer: 1,024 to the power of 7.
  6. Question: What is cross-site scripting?
     Answer: Cross-site scripting attacks exploit the fact that a browser runs code, such as JavaScript or HTML objects, etc.
  7. Question: Provide an example of cross-site scripting.
     Answer: <script>alert(document.cookie);</script>
  8. Question: What do we use a fuzzer tool for?
     Answer: We use a fuzzer to test input fields for common issues.
  9. Question: What types of penetration testing tools do you know?
     Answer: Scanners, vulnerability assessment tools, password crackers, etc.
  10. Question: What types of denial of service (DoS) attacks do you know?
     Answer: Bandwidth, protocol, distributed DoS.
  11. Question: What types of malicious applet attacks do you know?
     Answer: Buffer overflows, Trojans, worms, viruses, back doors.
  12. Question: What are the two main ways attackers modify the routing of packets?
     Answer: 1. Control layer 2 routing (Ethernet routing): switch forwarding table flooding, ARP cache poisoning, MAC spoofing.
     2. Control layer 3 routing (IP routing): DNS poisoning, source routing, advertising bogus routers, ICMP redirect messages, rogue DHCP servers.
  13. Question: Describe the Cain and Abel tool.
     Answer: Cain and Abel is a fully automated SSL cracker.
  14. Question: What security models and processes do you know?
  15. Question: Describe wireless security risks and types of protection.


Find more on Microsoft Security Support Knowledge Base

On this page I have put some interview questions for QA engineers and testers. These software security testing and web security interview questions are quite simple and were mainly used for interviewing software testers involved in any type of testing. The interview questions above are listed in order of complexity; however, all new software security interview questions (regardless of their difficulty) will be added to the bottom of the list. You can find more web and software security related interview questions by searching the web.



© January 2006 Alex Samurin geocities.com/xtremetesting/ © eXtremeSoftwareTesting.com