Owasp Fundamentals & Resources
What is OWASP, and why is it important for application security?
Can you explain the OWASP Top 10 and its purpose?
Can you list the Top 10 OWASP vulnerabilities?
What are common types of application vulnerabilities?
How does OWASP identify the top vulnerabilities?
What is the OWASP Cheat Sheet Series, and how would you use it?
Can you describe the OWASP risk rating system?
What are CVE, CVSS, and CWE, and how do they relate to each other?
What is the OWASP API Security Top 10, and how does it differ from the main Top 10?
How did the OWASP Top 10 change from 2017 to 2021, and what new categories were introduced?
What is the OWASP Top 10 for Agentic Applications and concepts like 'least agency'?
What is the OWASP LLM/GenAI Top 10, and what are some of its key risk categories?
Secure Design Principles
What are secure coding practices?
Can you describe the concepts of Least Privilege and Defense in Depth?
Explain the principle of least privilege in application security.
Why must access control always be enforced on the server side, and what goes wrong when it's only enforced client-side?
Can you explain Insecure Design and how to mitigate it?
What is Insecure Design, and how does it manifest in applications?
Can you explain the concept of zero trust security?
Can you explain secure design principles?
Explain the concept of 'secure by default' and provide examples of how it can be applied in application development.
Discuss the importance of defense in depth in application security.
What is the difference between security by design and security by obscurity?
What does 'fail securely' or 'fail closed' mean, and why is it a secure design principle?
Why is minimizing attack surface an important security goal, and how do you do it?
What is the principle of complete mediation in access control?
What is separation of duties, and how does it apply to application security?
What are misuse and abuse cases, and how do they complement security requirements?
Injection Attacks
What is SQL Injection? Can you explain how it works and describe common prevention techniques?
Why is input validation crucial for application security, and what are different approaches to it (e.g., allowlisting vs. denylisting)?
What is an injection in the context of OWASP?
Why are parameterized queries or prepared statements considered the primary defense against SQL Injection?
Beyond SQL, what other types of injection vulnerabilities are common (e.g., OS Command Injection, NoSQL Injection, XSS)?
Can you explain the role of input validation and output encoding in preventing injection attacks, and how they differ?
Can you explain Remote Code Execution (RCE)?
What is XML External Entity (XXE) Injection and how can it be prevented?
Explain Mass Assignment vulnerabilities and how to prevent them in web applications.
What is fuzzing, and what class of vulnerabilities is it best suited to find?
How would you differentiate between the various types of SQL Injection (e.g., in-band, blind, out-of-band)?
What is Server-Side Template Injection (SSTI) and what are its common attack vectors and defenses?
What is Insecure Deserialization and why is it considered a critical vulnerability?
What are race conditions and TOCTOU flaws, and why are they considered security bugs?
Owasp Projects & Tools
What is a Web Application Firewall (WAF), and how does it help protect web applications?
Does OWASP provide any guides for web security testing?
Is the Web Security Testing Guide recommended for learning more about security testing?
What is the primary goal of the Web Security Testing Guide?
What is the Mobile Security Testing Guide?
What are OWASP WebGoat and WebScarab?
What are OWASP Dependency-Check and Dependency-Track, and what problem do they solve?
Can you explain the OWASP Application Security Verification Standard (ASVS) and its different levels (L1, L2, L3)?
Can you explain OWASP SAMM (Software Assurance Maturity Model) and its purpose?
Threat Modeling
Can you explain the term 'threat modeling' and its importance in application security?
Can you explain the concept of data flow diagrams in threat modeling?
What are best practices for threat modeling?
Can you describe the STRIDE threat modeling methodology and provide an example for each category?
Can you explain the concept of attack trees and how they are used in threat modeling?
How do you integrate threat modeling into an agile development process?
How do you ensure threat modeling is conducted regularly throughout the software development lifecycle?
How do you threat model and secure code you don't own but consume in your products?
Describe the process of threat modeling in the context of application security.
Can you explain the DREAD risk-rating model and how it's used to prioritize threats?
Cryptography
What is the difference between encryption and hashing, and when would you use each?
What is the difference between symmetric and asymmetric encryption, and when would you use each in an application?
What is the difference between encoding, encryption, and hashing?
Why should you never roll your own cryptography?
Can you explain Cryptographic Failures and how to mitigate them?
What are Cryptographic Failures, and what are common causes of this vulnerability?
What are the security implications of using weak or outdated cryptographic algorithms or protocols (e.g., MD5, SHA1, SSL/TLS 1.0)?
How do you ensure data encryption in transit and at rest in your applications?
Why did OWASP rename "Sensitive Data Exposure" to "Cryptographic Failures" in the Top 10?
What are common mistakes developers make when implementing cryptography or managing cryptographic keys?
Why is proper certificate validation important, and what is certificate pinning?
How should applications manage secrets and handle key rotation?
Authentication & Session Management
What is the difference between authentication and authorization?
What is multi-factor authentication, and why does it significantly reduce authentication risk?
How do you securely store passwords in a web application?
How can the danger of weak session management and authentication be reduced?
How would you secure the use of cookies in a web application?
Explain Session Fixation and its countermeasures.
What is the difference between stateful and stateless authentication, and what are the security implications of each?
What is the difference between credential stuffing and brute-force attacks, and how do you defend against each?
What is account enumeration, and how do you prevent it in login, registration, and password-reset flows?
How would you design a secure password reset flow?
What are salting and peppering in password storage, and why do they matter?
How do you choose an appropriate password-hashing algorithm (bcrypt, scrypt, Argon2, PBKDF2), and what makes them suitable for passwords?
Where should authentication tokens like JWTs be stored on the client, and what are the trade-offs of cookies vs localStorage?
Can you explain OAuth2/OIDC security considerations at a conceptual level?
Discuss the security considerations and common pitfalls associated with JSON Web Tokens (JWTs), including JWKs/JKUs.
Security Misconfiguration & Headers
Why are verbose error messages and stack traces a security misconfiguration risk?
Can you explain Security Misconfiguration and how to mitigate it?
Can you explain Security Logging and Monitoring Failures and how to mitigate them?
How do you ensure the security of APIs?
Discuss common file upload vulnerabilities and how to securely handle file uploads.
What should effective security logging and monitoring capture, and what shouldn't be logged?
Can you explain Software and Data Integrity Failures and how to mitigate them?
Can you explain Server-Side Request Forgery (SSRF) and its defenses?
What is business logic abuse, and how would you prevent it in your applications?
What are some common security concerns and best practices when developing or consuming GraphQL APIs?
Owasp Zap
What is OWASP ZAP, and how is it used in application security testing?
What does OWASP ZAP provide for the two kinds of scanning, passive and active?
How does spidering work in ZAP, and why is the AJAX spider sometimes needed?
How would you use ZAP as an intercepting proxy to test a request?
How do ZAP findings map to the OWASP Top 10?
Authorization & Access Control
Can you explain Broken Access Control and how to mitigate it?
What is Broken Access Control, and what are some common examples of this vulnerability?
Can you explain Insecure Direct Object References (IDOR) and how they are exploited?
What is the difference between vertical and horizontal privilege escalation?
What are Insecure Direct Object References (IDORs) and how do you prevent them?
What is forced browsing, and how does it relate to broken access control?
What is missing function-level access control, and how does it differ from IDOR?
What is the difference between RBAC and ABAC as access-control models, and when would you choose one over the other?
Cross Origin & Request Forgery
What is Cross-Site Request Forgery (CSRF), and what methods would you use to mitigate it?
Describe how CORS preflight requests work and their role in web security.
What is clickjacking, and how do the X-Frame-Options header and CSP frame-ancestors directive defend against it?
What is an open redirect vulnerability, and how would you prevent it?
How does the SameSite cookie attribute work, and how does it help mitigate CSRF?
What is the Same-Origin Policy, and how does it relate to CORS?
Can you explain how CORS (Cross-Origin Resource Sharing) works and how it can be misconfigured?
Secure Sdlc & Devsecopstesting
What are the advantages of a secure SDLC?
What's the difference between vulnerability assessment and penetration testing?
What is the difference between DevOps and DevSecOps?
What does 'shift security left' mean in the context of a secure SDLC?
What security measures would you implement in the software development life cycle (SDLC)?
What are the key differences between static and dynamic application security testing (SAST vs DAST)?
What are some weaknesses of DAST compared to other security methods?
How would you ensure secure coding practices within a development team to prevent OWASP vulnerabilities?
What best practices do you follow for secure code review?
What are the core principles of DevSecOps?
What is Static Application Security Testing (SAST), what are its advantages and disadvantages, and when in the SDLC would you typically use it?
What is application-layer rate limiting and anti-automation, and which attacks does it defend against?
What is a bug bounty program, and how does responsible/coordinated disclosure work?
What is the difference between a vulnerability scan, a penetration test, and a red-team engagement?
How do you choose between SAST, DAST, and SCA, and roll them out at scale?
How would you prioritize remediating different OWASP vulnerabilities when multiple issues are identified in a web application?
What are some common security guardrails you would implement in a development pipeline to enforce secure coding practices and configurations?
What is IAST, and how does it differ from SAST and DAST?
Cross Site Scripting & Client Side
What is output encoding and why is it important for preventing XSS?
What are the differences between stored, reflected, and DOM-based XSS?
Explain what Content Security Policy (CSP) is, how it works, and how it helps mitigate XSS attacks.
Can you explain Cross-Site Scripting (XSS) and how you can protect against it?
Explain DOM-based Cross-Site Scripting (XSS) and how it differs from reflected or stored XSS.
What is Subresource Integrity (SRI), and how does it protect against compromised third-party scripts?
What is Web Cache Deception and how can it be exploited or mitigated?
What is DOM Clobbering and what are its security implications?
Http & Web Protocol Attacks
Can you explain directory/path traversal vulnerabilities?
Can you explain HTTP Strict Transport Security (HSTS)?
How do you mitigate man-in-the-middle attacks in web applications?
Explain HTTP Parameter Pollution and its potential impact.
Can you explain the X-Content-Type-Options, Referrer-Policy, and Permissions-Policy security headers and what each protects against?
How does HTTP Request Smuggling (e.g., TE.TE) work, and how can it be prevented?
Describe common vulnerabilities and security best practices for WebSocket communication.
What is Host header injection, and what kinds of attacks can it enable?
What is HTTP response splitting, and how does it relate to CRLF injection?
Software Supply Chain
Can you explain Vulnerable and Outdated Components and how to mitigate the risk?
Explain Software Composition Analysis (SCA) and its importance in managing third-party dependencies.
What is a Software Bill of Materials (SBOM), and why is it important for application security?
How do you ensure supply chain integrity in your applications, particularly concerning open-source components?
What is a dependency confusion attack, and how do you defend against it?
Other
What is prompt injection and input trust in the context of LLM applications?