Basic Questions:
1. What is Application Security?
• Application Security is the practice of protecting applications from vulnerabilities through processes such as secure coding, security testing, and threat mitigation.
2. What is S-SDLC?
• The Secure Software Development Life Cycle (S-SDLC) integrates security practices into each phase of the software development process.
3. What is Threat Modeling?
• Threat Modeling identifies, evaluates, and mitigates potential security threats to an application.
4. What is the purpose of a Code Review in AppSec?
• To detect and fix security vulnerabilities in the source code.
5. Name some common web application vulnerabilities.
• SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Insecure Direct Object References (IDOR).
Intermediate Questions:
6. How do you perform API security testing?
• Validate endpoints, authentication, and rate limiting, and look for issues such as Broken Object Level Authorization (BOLA) or excessive data exposure.
7. What is DevSecOps?
• The practice of integrating security into DevOps so that security checks are automated and continuous throughout the CI/CD pipeline.
8. How do you assess mobile application security?
• Analyze the APK/IPA, perform reverse engineering and memory analysis, and check for insecure storage, weak encryption, and insecure communication.
9. What is the use of tools like Checkmarx or Fortify?
• Checkmarx and Fortify are Static Application Security Testing (SAST) tools that identify vulnerabilities in source code.
10. What is the difference between SAST and DAST?
• SAST analyzes source code statically (without executing it), while DAST tests the running application to identify vulnerabilities dynamically at runtime.
Advanced Questions:
11. Explain the STRIDE model in Threat Modeling.
• STRIDE identifies six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
12. How do you integrate security in CI/CD pipelines?
• Automate security tests (SAST, DAST), use tools like Checkmarx or Veracode, and ensure early feedback during development.
13. How would you assess firmware security?
• Extract the firmware, analyze its binaries for backdoors and hardcoded credentials, and perform fuzzing or static analysis.
14. What is a vulnerability assessment?
• A systematic review of security weaknesses in an application or system, used to prioritize remediation.
15. How do you handle independent AppSec delivery for global clients?
• Gather requirements, plan and execute security assessments, provide actionable remediation, and conduct detailed reporting.
Certification and Scenario-Based Questions:
16. Why is OSCP or CISSP valuable in AppSec?
• OSCP proves penetration testing skills; CISSP validates overall security expertise.
17. How would you handle an RFP for an AppSec project?
• Understand the client's requirements, estimate the scope, propose technical solutions, and draft a compelling response.
18. What steps would you take if a critical vulnerability is found in production?
• Notify stakeholders, assess the impact, apply a hotfix or patch, and ensure the remediation is tested and validated.
19. Explain how Black Duck helps in security.
• It identifies and manages open-source vulnerabilities and license compliance issues.
20. How would you conduct a penetration test for a web application?
• Enumerate endpoints, exploit vulnerabilities (e.g., injection, XSS), and provide a detailed report with recommendations.