Security Questions Flashcards
What is Cross-Site Scripting (XSS)?
XSS is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
How can you prevent XSS attacks in ASP.NET applications?
Use input validation, output encoding, and implementing Content Security Policy (CSP).
Explain Cross-Site Request Forgery (CSRF).
CSRF is an attack where an attacker tricks a user into performing actions they didn’t intend to, often by embedding malicious requests in images or links.
What’s the purpose of using anti-forgery tokens in ASP.NET applications?
Anti-forgery tokens prevent CSRF attacks by ensuring that requests originate from the same application.
Discuss secure coding practices in .NET applications.
Secure coding practices involve input validation, proper error handling, least privilege principle, and regular security testing.
Explain the concept of SQL Injection and how to prevent it.
SQL Injection occurs when an attacker manipulates input to execute malicious SQL queries. Prevent it by using parameterized queries or ORMs.
What is OAuth, and how can it enhance security in your .NET application?
OAuth is a protocol for authorization. It enhances security by allowing third-party applications to access resources without exposing credentials.
How does the principle of “least privilege” contribute to secure coding?
Least privilege limits access rights to the minimum necessary for a user or application to perform its function, reducing attack surface.
What’s the importance of input validation in preventing security vulnerabilities?
Input validation ensures that user inputs meet expected criteria, preventing malicious data from compromising the application.
Explain the concept of “defense in depth” in software security.
Defense in depth involves implementing multiple layers of security mechanisms to protect an application, reducing the likelihood of a single point of failure.
Discuss the significance of error handling in secure coding.
Proper error handling prevents sensitive information leakage and provides attackers with less information to exploit.
How can you securely store sensitive configuration settings like API keys?
Store sensitive configuration settings in environment variables, Azure Key Vault, or using the Secret Manager tool.
What is data encryption?
Data encryption involves converting data into a secure format using algorithms to prevent unauthorized access.
Explain the difference between symmetric and asymmetric encryption.
Symmetric encryption uses a single key for both encryption and decryption, while asymmetric encryption uses a pair of keys (public and private).
How can you ensure data privacy when storing sensitive data in a database?
Use encryption to protect data at rest and in transit, and implement access controls to restrict database access.
What’s hashing, and why is it used in security practices?
Hashing is the process of converting input into a fixed-size string of characters. It’s used to securely store passwords and verify data integrity.
Discuss the purpose of a salt when hashing passwords.
A salt is random data added to the input before hashing, making it more difficult for attackers to use precomputed tables (rainbow tables) for cracking passwords.
How can you mitigate XSS vulnerabilities in ASP.NET applications?
Use ASP.NET’s built-in request validation, HTML encoding, and validation controls to prevent user inputs from being treated as code.
Explain how HttpOnly cookies help prevent XSS attacks.
HttpOnly cookies can’t be accessed through JavaScript, making it harder for attackers to steal session cookies through XSS.
What’s the difference between reflected XSS and stored XSS?
Reflected XSS involves the injection of malicious code that’s immediately reflected back to the user. Stored XSS stores the malicious code on the server for later delivery.
How can you protect your application from CSRF attacks?
Implement anti-CSRF tokens, validate Referer headers, and ensure that sensitive actions require user confirmation.
Discuss the usage of Dependency Injection in .NET applications.
Dependency Injection (DI) helps manage class dependencies by injecting them from the outside, making testing and maintenance easier.
Explain the use of async and await keywords in C#.
async and await are used for asynchronous programming, allowing non-blocking execution and improved responsiveness in applications.
What’s the purpose of the Garbage Collector in .NET?
The Garbage Collector automatically manages memory by deallocating objects that are no longer needed, preventing memory leaks.
How can you improve performance in a .NET application?
Use techniques like caching, optimizing database queries, and minimizing resource-intensive operations.
What is the Open Web Application Security Project (OWASP), and why is it important for .NET developers?
OWASP is a community that focuses on improving software security. It provides resources, tools, and guidelines to help developers prevent security vulnerabilities in their applications.
How can you prevent sensitive information exposure through error messages in your application?
Configure your application to display user-friendly error messages to users while logging detailed error information only in the backend. Avoid revealing technical details to users.
Explain the importance of secure session management in web applications. How can you prevent session fixation attacks?
Secure session management is crucial to prevent unauthorized access to user data. Prevent session fixation by regenerating session IDs upon authentication and expiration.
What are Content Security Policy (CSP) headers, and how can they enhance application security?
CSP headers define which resources can be loaded in a web page. They help prevent XSS attacks by restricting the sources from which content can be loaded.
Discuss the security considerations when using third-party libraries or packages in your .NET application.
Third-party libraries can introduce security vulnerabilities. Regularly update and patch dependencies, and choose libraries with a strong security history.
What is Secure Socket Layer (SSL)/Transport Layer Security (TLS), and how do they enhance data security in transit?
SSL/TLS protocols encrypt data transmitted between a client and a server, ensuring confidentiality and integrity during transit.
Explain the concept of “input validation” and its role in preventing security vulnerabilities.
Input validation involves validating and sanitizing user inputs to prevent attacks like SQL injection, XSS, and data manipulation.
How can you defend against XML External Entity (XXE) attacks in a .NET application?
Prevent XXE attacks by disabling external entity processing, using libraries that parse XML securely, and validating input against XML schema definitions.
Discuss the role of the Same-Origin Policy (SOP) in web security. How can CORS headers relax SOP for specific scenarios?
SOP restricts web pages from making requests to a different domain. CORS headers relax this policy for legitimate cross-origin requests, maintaining security while allowing controlled data sharing.
What are security headers in HTTP responses, and why should you implement them in your application?
Security headers (e.g., X-Frame-Options, X-XSS-Protection, Strict-Transport-Security) enhance security by instructing browsers on how to handle and render your application within the page’s context.
Explain how role-based and claims-based authorization work in ASP.NET applications. How can you ensure that users have appropriate access rights?
Role-based authorization restricts access based on predefined roles, while claims-based authorization uses claims to grant specific permissions. Ensure that users are assigned appropriate roles or claims and that access is properly validated.
