Application Security

Question 1

What is input validation and what are the different types?

Answer 1

It ensures date inputs are valid, and there are two types Syntactic validation and semantic validation

Question 2

What is syntactic validation?

Answer 2

Makes sure the input types and the lengths are what you want in your code

Question 3

What semantic validation?

Answer 3

Makes sure the input that we do is what the application is expecting

Question 4

What are schemas?

Answer 4

defines the structure and the content stick to what you want

Question 5

What is blacklisting?

Answer 5

it bans characters and its hard to maintain

Question 6

What is whitelisting?

Answer 6

is an acceptable character list and can break something

Question 7

Vulnerabilities of HTTP Headers

Answer 7

Can be used to upload files, leak information like internal hostnames and backend servers/applications

Question 8

What is code signing?

Answer 8

It uses certificates to show code integrity, the software author and gives a digital signature

Question 9

How to secure cookies?

Answer 9

Don’t include sensitive information, and use https. Also use secure flag which verifies the cookies integrity but this can be bypassed

Question 10

What is static code analysis

Answer 10

It is automated scan, but the code is not actviely running or in running state. This is good for source code and early detection in the SDLC

Question 11

What is dynamic code analysis?

Answer 11

It is automated scan while the code is running and analyzes code behavior and how it interacts with different devices

Question 12

What is Manual code analysis?

Answer 12

Not automated and is a slow process of line by line analysis and it open to interpretation

Question 13

What is fuzzing

Answer 13

It is a automated process by inputting random data, invalid data and unexpected data. To see how the software responds, what are the error messages, are there memory leaks, does it crash, or show buffer overflow.