Week 8 - Application Security Testing

Question 1

What is Application Security Testing?

Answer 1

• Refers to the practice of evaluating & testing software applications to identify & remediate vulnerabilities and weaknesses that could be exploited by attackers.

Question 2

What does the Application Security Lifecycle Approach encompass?

Answer 2

Design, development, production & runtime.

Question 3

What is the goal of Application Security Lifecycle?

Answer 3

To provide integrated security layers for applications defense.

Question 4

What type of analysis should be conducted at the application level?

Answer 4

Thorough threat & vulnerability analysis.

Question 5

What is the purpose of Static Code Analysis?

Answer 5

To identify vulnerabilities and security issues in the source code of software applications before they are compiled or executed.

Question 6

Why is it important to identify core level vulnerabilities before execution?

Answer 6

It prevents potential security issues from being introduced into the running application, reducing the risk of attacks.

Question 7

SAST tools can also check if your code adheres to coding standards and …?

Answer 7

Best practices.

Question 8

What is data flow analysis, in the context of SAST?

Answer 8

Can trace how data flows through the application and can identify potential security issues related to data handling.

Question 9

What is dependency scanning, in the context of SAST?

Answer 9

Analyze third-party libraries and components used in the application to identify known vulnerabilities.

Question 10

What is false positive reduction, in the context of SAST?

Answer 10

Reduce false positives (non-existent issues reported as vulnerabilities) by using various techniques like pattern recognition & code context analysis.

Question 11

What is Interactive Application Security Testing (IAST)?

Answer 11

IAST is a dynamic security testing technique used to assess the security of web applications and APIs during runtime while they are actively running or being tested.

Question 12

How does IAST differ from SAST and DAST?

Answer 12

IAST combines elements of both SAST and DAST to provide a comprehensive assessment.

Question 13

What does IAST monitor during runtime?

Answer 13

Instruments the application to monitor its behavior, interactions with components, databases, and external services, and actively identifies security vulnerabilities by analyzing these interactions.

Question 14

How does DAST detect SQL injection?

Answer 14

DAST detects SQL injection vulnerabilities by sending malicious SQL queries as input and checking if they are executed by the database.

Question 15

How does DAST detect Directory Traversal?

Answer 15

DAST detects directory traversal vulnerabilities by sending requests that attempt to access files or directories outside the intended scope.

Question 16

How does DAST detect Authentication Bypasses?

Answer 16

DAST identifies authentication weaknesses by attempting to access restricted resources without proper credentials.

Question 17

What is Dynamic Application Security Testing (DAST)?

Answer 17

Used to evaluate the security of web applications and APIs during runtime by interacting with them as external attackers might.

Question 18

How does DAST detect cross-site scripting (XSS)?

Answer 18

By injecting malicious scripts into input fields or URL parameters and analyzing the applications responses.

Question 19

What is the main purpose of DAST in a production environment?

Answer 19

To assess the security of applications in real-time by simulating attacks to uncover vulnerabilities that may be exploited by external attackers.

Question 20

What is Runtime Application Self-Protection (RASP)?

Answer 20

A security technology integrated directly into an application or its runtime environment to protect against security threats during runtime.

Question 21

How does RASP prevent SQLi attacks?

Answer 21

RASP detects SQL injection attempts by analyzing SQL queries in real-time and can block or sanitize them to prevent unauthorized access or modification of the database.

Question 22

Why is RASP important?

Answer 22

It provides real-time protection against security threats, enabling applications to respond to attacks as they occur.

Question 23

How does RASP protect against Cross-Site Scripting (XSS) attacks?

Answer 23

Monitoring user inputs and the content rendered in the browser, blocking or sanitizing any detected script injection attempts.

Question 24

What role does RASP play in authentication and session management security?

Answer 24

RASP detects and responds to authentication issues, such as brute force attacks or session fixation, by blocking suspicious login attempts or invalidating compromised sessions.