Skip to content

Interview

QA

CrowdStrike

  • Goal: We stop breaches!

  • Falcon Platform

    • Endpoint Security
      • Next-Gen Antivirus
      • Endpoint Detection & Response
      • Device Control
    • Security Platform
      • IT Hygiene
      • Threat Hunting
      • Vulnerability Management
    • Threat Intelligence
      • Intelligence Automation
      • Malware Search
      • Malware Analysis

  • Endpoint Security

    • Cybersecurity approach to defending endpoints such as desktops, laptops, and mobile devices from malicious activity.
    • An endpoint is any device that connects to the corporate network from outside its firewall.
    • Endpoint Protection Platform:
      • Solution used to detect & prevent security threats like file-based malware attacks
      • Provides investigation & remediation capabilities needed to respond to dynamic security incidents & alerts.
    • Endpoint Security is necessary because every remote endpoint can be entry point from the attack
    • Working:
      • Examines files, processes & system activity for suspicious or malicious indicators
      • Offers a centralized management console from which administrators can monitor, protect, investigate & respond to incidents
    • Benefits:
      • Endpoint Protection
      • Identity Protection
      • Threat Detection & Response
    • Core Functions
      • Next-Gen Anti-Virus (NGAV) (Prevention)
        • Traditional AC compares malicious signatures or bits of code, to a database that is updated by contributors whenever a new malware signature is detected.
        • But, unknown antivirus can not be identified using that database.
        • NGAV closes this gap by using advanced endpoint protection technologies such as AI & ML, to identify new malware by examining more elements such as file hashes, URLs & IP addresses.
      • Endpoint Detection & Response (EDR) (Detection)
        • Silent Failure: Allow attackers to access organization's environment without detection
        • To prevent silent failures, an EDR solution provides continuous & comprehensive visibility into what is happening on endpoints in real time.
      • Managed Threat Hunting:
        • Conducted by elite teams that learn from incidents that have already occurred, aggregate crowdsourced data & provide guidance on how best to respond when malicious activity is detected
      • Threat Intelligence Integration:
        • Provides automation to investigate all incidents & gain knowledge in minutes
        • It should generate custom indicators of compromise directly from endpoints to enable a proactive defense.
    • Types of Endpoint Protection:
      • Legacy Endpoint Protection: On-Premises security framework that operates in conjunction with a locally hosted data center
      • Hybrid Endpoint Protection: Legacy + Cloud
      • Cloud-Native Endpoint Protection: Cloud-based solution, Network administrators can remotely monitor & manage all endpoints through a centralized management console & lightweight agent
    • Challenges:
      • Diversity of Devices
      • High Volume of alerts
      • Advanced Persistent Threats (APT)
    • Key Aspects:
      • Endpoint Visibility: View activities on endpoints
      • Threat Database: Signs of attacks with variety of analytic techniques
      • Behavioral Protection: Search for indicators of attack (IOAs)
      • Insight & Intelligence: Threat Intelligence can provide context
      • Fast Response: Fast & Accurate Response
      • Cloud-Based Solution: Manage & monitor in cloud

  • Security Platform:

    • IT Hygiene:
      • Provides real time & historical visibility into your assets & applications
      • Identify rogue computers
      • Gets an accurate inventory of the systems in your environment, software they are running & user accounts.
    • Threat Hunting:
      • Threat Hunting is the practice of proactively searching for cyber threats that are present undetected in a network
      • Methodology:
        • Threat Hunters assume that adversaries are already in system
        • Hypothesis Based Investigation: Identify Tactics, Techniques & Procedures (TTPs)
        • Investigation based on Indicators of Compromise / Attack (IOCs or IOAs)
        • Advanced Tactics & ML investigations: Use ML to analyze massive data
    • Vulnerability Management:
      • Ongoing, Regular process of identifying, assessing, reporting, managing & remediating security vulnerabilities across endpoints, workloads & systems
      • Concepts:
        • Vulnerability: A weakness of an asset
        • Threat: Something can exploit the vulnerability
        • Risk: What happens when threat exploits the vulnerability

  • Threat Intelligence:

    • Automated Intelligence:
      • Uses data analytics & AI/ML algorithms to analyze, predict & respond to cyber threats, enriching telemetry with high threat intelligence
      • System can learn from data, identify patterns & make decision with minimal human input.
    • Malware Search:
      • Process of understanding the behavior & purpose of suspicious file or URL
      • Static Analysis: Examines the file for signs of malicious intent
      • Dynamic Analysis: Executes malicious code in a safe environment called sandbox
      • Hybrid Analysis: Static + Dynamic

  • Security Controls

    • Measure / Mechanism implemented to reduce the risk of threats
    • Preventive, Detective, Compensating, Corrective, Administrative
  • Information Lifecycle:
    • Creation, Storage, Processing, Transmission, Disposal
  • Information Security Governance:
    • Framework, Processes & structures that an organization implements to ensure information security
  • Secure a server
    • Update & Patch
    • Configure Firewall
    • Ensure Port Security
  • Why insider threats are easy
    • Insider Knowledge
    • Legitimate Access
    • Insufficient Monitoring & Controls
  • Deleted Data
    • OS removes file entry from file system index. But, the actual data remains intact until it is overwritten by new data
  • Chain of Custody
    • Tracking of handling, transfer & preservation of digital evidence throughout its lifecycle
  • Ports
    • Filtered Ports: Protected by Firewall
    • Closed Ports: Not actively listening
  • Cloud Security Challenges
    • Misconfiguration
    • Poor Authentication Controls
    • Poor API Implementation
    • DDOS
    • Data Loss
    • Open S3 Buckets
    • Lambda Command Injection
  • OSI Model
    • Physical: Transmits raw bits over physical medium
    • Data Link: Responsible for framing data into frames & adding physical addresses to frames
    • Network: Responsible for routing packets from source to destination across multiple networks
    • Transport: Responsible for end-to-end communication between hosts, providing reliable & ordered delivery of data packets.
    • Session: Responsible for establishing, managing & terminating sessions between applications
    • Presentation: Responsible for data translation, encryption & compression to ensure integrity & confidentiality
    • Application: Provides network services to end users such as HTTP, SMTP, FTP, etc.
  • CSRF
    • Vulnerability that allows attacker to trick user into executing unintended actions
    • CSRF Tokens, SameSite Cookies, Referrer Header, Anti-CSRF Header
  • Malwares
    • Trojans
    • Ransomeware
    • Botnets
    • Worms
    • Spyware
    • Keyloggers
    • Fileless Virus
  • XSS
    • Attackers inject malicious scripts into web pages viewed by other users
  • IDOR -> Insecure Direct Object Reference
  • NIST Cybersecurity Framework:
    • Help businesses to understand, manage & reduce their cybersecurity risk & protect their network & data
    • Identify, Protect, Detect, Respond, Recover

Penetration Testing

  • Penetration Testing → A simulated testing that companies use to identify vulnerabilities in system, network or app that could be exploited by attackers
  • Cyber Kill Chain:
    1. Reconnaissance → Information gathering about the target
    2. Weaponization → Creating the malicious payload
    3. Delivery → Sending the malicious payload to the target
    4. Exploitation → Executing the malicious payload
    5. Installation → Installing malware to maintain access
    6. Command and Control (C2) → Establishing communication with the compromised system
    7. Actions on Objectives → Performing final objectives like data exfiltration or further compromise
  • Phases:
    • Pre-Engagement Plan → Setting scope & other rules
    • Reconnaissance: Gather intelligence about the target system, such as IPs, domains, and network details.
    • Scanning: Use tools to identify system vulnerabilities and assess behavior in various scenarios.
    • Exploitation: Attempt to exploit vulnerabilities to confirm their severity and impact.
    • Post Exploit - Maintaining Access & Privilege Escalation: Secure persistent access and escalate privileges to assess further risks.
    • Reporting: Document findings and provide recommendations to improve security.
    • Remediation → Offers guidance on how to remediate identified vulnerabilities.
  • Classification of Pentests:
    • Based on Knowledge Level → Black, White, Grey
    • Based on Scope/Target → Network, Web, Mobile, Physical
    • Based on Execution Approach → Internal, External
  • Penetration Testing Teams:
    • Red Team → Simulate cyberattacks
    • Blue Team → Defend organization's systems
    • Purple Team → Collaborate between Red & Blue teams to enhance overall security
    • White Team → Oversee the penetration testing process
  • Types of Attackers:
    • Script Kiddie
    • Advanced Persistent Threat (APT)
    • Malicious Insider
    • Hacktivist
    • Cybercriminal
    • Competitor
  • Types of Malware:
    • Virus
    • Worm
    • Trojan Horse
    • Ransomware
    • Spyware
    • Adware
    • Rootkit
    • Keylogger
    • Botnet
    • Fileless Malware
  • Vulnerability Databases:
    • National Vulnerability Database (NVD)
    • Exploit Database (Exploit DB)
    • VulnHub
  • Common Vulnerability Scoring System (CVSS) → an open framework used to evaluate and rank the severity of security vulnerabilities
    • It provides a standardized way to communicate the impact of vulnerabilities across organizations.
    • Low (0.1–3.9): Minimal impact, low exploitability.
    • Medium (4.0–6.9): Moderate impact and exploitability.
    • High (7.0–8.9): Severe impact with significant exploitability.
    • Critical (9.0–10.0): Extremely high impact and exploitability.
  • How to rate Vulnerabilities with Risk Matrix:
    • Identify Impact
    • Determine Likelihood
    • Use the Risk Matrix
  • Testing officially begins during the Scanning Phase, where tools are used to probe for vulnerabilities and potential points of entry.
  • Common Vulnerabilities:
    • SQLI
    • CMDI
    • XSS
    • Broken Access Control (BAC)
    • IDOR
    • CSRF
    • Sensitive Data Exposure
    • Weak Encryption
  • Principle of Least Privilege → A security concept where users, systems, or applications are granted the minimal access or permissions required to perform their tasks.
  • OSI Model → Open Systems Interconnection
    • Physical Layer (Layer 1) → Deals with the physical connection between devices.
      • Transmission of raw binary data (bits) over a medium (e.g., cables, wireless).
    • Data Link Layer (Layer 2) → Provides node-to-node data transfer and handles error detection/correction.
      • Framing, MAC addressing, and controlling data flow.
    • Network Layer (Layer 3) → Handles routing of data between devices on different networks.
      • Logical addressing (IP), path determination, and packet forwarding.
    • Transport Layer (Layer 4) → Ensures reliable data transfer between systems.
      • Segmentation, error correction, and flow control.
    • Session Layer (Layer 5) → Manages sessions or connections between applications.
      • Establishing, maintaining, and terminating sessions.
    • Presentation Layer (Layer 6) → Translates data into a format usable by the application layer.
      • Data encryption, compression, and formatting.
    • Application Layer (Layer 7) → - Provides network services to end-users.
      • Interfaces for applications to interact with the network.
Layer Purpose Examples
Physical Transmits raw data (bits) Cables, hubs
Data Link Error detection & framing MAC, switches
Network Routing and addressing IP, routers
Transport Reliable delivery TCP, UDP
Session Manages connections NetBIOS, RPC
Presentation Data translation & encryption SSL/TLS, JPEG
Application User interaction & services HTTP, FTP, DNS
  • Honeypot → A security mechanism designed to mimic a legitimate target to lure and deceive attackers
  • Data
    • Encoding → To convert data into a different format for transmission or storage.
    • Hashing → To produce a fixed-length representation of data for integrity verification.
    • Encryption → To secure data by making it unreadable without a decryption key.
  • Nessus → Nessus is a popular vulnerability assessment tool developed by Tenable, used to identify security vulnerabilities in systems, networks, and applications.
    • Vulnerability Scanning, Compliance Audits, Configuration Assessment, Reporting
  • Remotely Access Internal Services
    • VPN
    • SSH Tunneling
    • Jump Server
    • Port Forwarding
  • Allow Regular Users to Run Bash Scripts as Root → Edit the sudoers file: visudo.
    • username ALL=(ALL) NOPASSWD: /path/to/script.sh
  • Ports → 65,536 ports (numbered 0 to 65,535)
    • Ports 0 to 1023 are reserved and known as well-known ports.
  • MITRE ATT&CK → Adversary Tactics, Techniques and Common Knowledge
  • Concepts:
    • Vulnerability → A Weakness or Flaw
    • Threat → A potential event or actor that could exploit the vulnerability
    • Risk → The likelihood & impact of a threat exploiting a vulnerability
  • Vulnerability Assessment → A process to identify, classify, and prioritize vulnerabilities in a system.
  • Penetration Testing → A simulated attack to exploit identified vulnerabilities and test security defenses.
  • Pentest Report
    • Executive Summary
    • Methodology
    • Scope
    • Rules of Engagement
    • Vulnerabilities, Exploitation, Impact
    • Remediation
    • Conclusion
  • OWASP Top 10:
    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery (SSRF)

  • you will conduct a comprehensive security assessment of a cloud-native, microservices-based architecture

    • Cloud Native → IAM, Networking, Data Security
    • Microservices → API Security, Rate Limiting
    • Container Security → Image Hardening, Runtime Protection, Isolation
    • CI/CD Pipeline Security → Code Scanning, Secrets Management, Access Control
  • Your focus will be on web and mobile applications and cloud security testing, adversary emulation, and continuous security posture improvement.
    • Mobile Application Security Tools:
      • SAST
        • MobSF → Mobile Security Framework → Analyzes APK/IPA files for hardcoded secrets, misconfigurations, and vulnerabilities.
        • QARK → Detects common security issues in Android apps, like misconfigured intents or exported components.
        • Checkmarx → 1. - Comprehensive code analysis platform for mobile applications.
      • DAST
        • Burp Suite Mobile Assistant → Intercepts and analyzes mobile app network traffic for vulnerabilities like weak encryption and API issues.
        • OWASP ZAP → Automated scanning for mobile app web interactions.
        • Charles Proxy → Captures and analyzes HTTP/HTTPS requests from mobile apps.
      • Drozer → Android-specific tool for security assessments of app components.
      • Frida → Dynamic instrumentation framework for analyzing and modifying app behavior.
      • JADX → Decompiles APK files to readable Java code for manual inspection.
  • You will leverage your expertise in application security, utilizing tools such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) to perform both static and dynamic source code reviews
    • SAST → SAST is a method of analyzing source code or binaries to identify security vulnerabilities without executing the application.
      • SonarQube, Checkmarx, Fortify Static Code Analyzer, Veracode Static Analysis, AppScan CodeSweep, Klocwork, CodeQL
    • DAST →  DAST involves testing a running application to identify vulnerabilities by simulating external attacks.
      • Burp Suite, OWASP ZAP, AppScan Standard, Acunetix, Netsparker, Tenable, Astra
    • SCA → SCA identifies and manages security risks in the open-source and third-party components used in an application.
      • Scan components, identify vulnerabilities, manage risks
      • Ex. Snyk, Dependabot, WhiteSource, Black Duck, JFrog Xray, Nexus Lifecycle, FOSSA
  • you will employ threat modeling and threat actor attack pathing to continually validate the effectiveness of the customer’s security controls.
  • The primary goal is to ensure that the security controls implemented by the organization are functioning as intended.
  • By doing so, you will enhance the overall security defenses and collaborate with global development teams to maintain the ongoing security of the globally adopted application.
  • Security Testing of Developer Operations and Mobile Apps:
    • Conduct thorough security testing of developer operations and mobile applications (iPhone and Android).
    • Identify security issues and vulnerabilities.
  • Source Code Reviews: - Perform in-depth source code reviews to identify security flaws or weaknesses.
  • Executing Tests/Assessments and Drafting Reports: Execute detailed assessments and compile findings into reports for further review and action.
  • Tools: Burp Suite Pro, Checkmarx, Corellium, Synopsys, Acunetix, VeraCode, SAST & DAST Tools, Plextrac, Cloud security (AWS / Azure / Oracle), Postman, SmartBear ReadyAPI, SoapUI, and Hashicorp Vault

Tools:

  • Burp Suite Pro
    • A comprehensive web vulnerability scanner used for penetration testing and manual testing of web applications.
    • Known for features like intercepting proxy, automated scanning, and advanced extensions.
  • Checkmarx
    • A SAST tool that scans application source code to identify vulnerabilities during development.
    • Offers seamless CI/CD integration and multi-language support.
  • Corellium
    • A virtualized mobile device platform for security research, app testing, and reverse engineering.
    • Provides high-fidelity iOS and Android device emulation.
  • Synopsys (Coverity & Black Duck)
    • Coverity: A SAST tool for finding critical code vulnerabilities.
    • Black Duck: An SCA tool for managing open-source risks, including licensing and vulnerabilities.
  • Acunetix
    • A DAST tool focused on web applications and APIs to detect vulnerabilities like SQL injection and XSS.
    • Supports automated scanning and compliance reporting.
  • Veracode
    • A cloud-based SAST and DAST platform for application security testing across the SDLC.
    • Provides actionable recommendations and strong enterprise integrations.
  • PlexTrac
    • A reporting and collaboration platform for penetration testers and red teams.
    • Streamlines vulnerability management and enhances client communication.
  • Cloud Security (AWS / Azure / Oracle)
    • AWS Security Tools: Includes GuardDuty, Macie, and IAM for monitoring, threat detection, and access control.
    • Azure Security Tools: Features Defender for Cloud, Sentinel (SIEM), and Privileged Identity Management (PIM).
    • Oracle Cloud Security: Offers services like Identity Cloud Service (IDCS) and Cloud Guard for risk mitigation and compliance.
  • Postman
    • A popular API testing tool for creating, testing, and automating REST and GraphQL API requests.
    • Offers features like automated workflows, API monitoring, and collaboration.
  • SmartBear ReadyAPI
    • A powerful API testing suite for functional, security, and performance testing of REST and SOAP APIs.
    • Allows for seamless CI/CD pipeline integration.
  • SoapUI
    • An open-source tool for testing SOAP and REST APIs.
    • Provides features for API functional, security, and load testing.
  • HashiCorp Vault
    • A tool for securely managing and accessing secrets like tokens, API keys, and passwords.
    • Supports dynamic secrets and access control policies for enhanced security.

SAST (Static Application Security Testing)

  • SonarQube → Identifies vulnerabilities and code quality issues during development across multiple languages.
  • Checkmarx → Multi-language source code scanner for finding vulnerabilities early in the SDLC.
  • Fortify Static Code Analyzer → Enterprise-grade tool for static code analysis and secure application development.
  • Veracode Static Analysis → Cloud-based SAST solution for identifying vulnerabilities in source code and binaries.
  • CodeQL → Query-based code analysis tool for detecting vulnerabilities in open-source projects.
  • AppScan → - Scans source code for vulnerabilities and integrates with development tools.
  • Klocwork → A SAST tool ideal for embedded systems, focusing on C, C++, and Java vulnerabilities.

DAST (Dynamic Application Security Testing)

  • Burp Suite → Comprehensive tool for automated and manual web application vulnerability testing.
  • OWASP ZAP (Zed Attack Proxy) → Open-source tool for automated web application scanning and penetration testing.
  • Acunetix → Automates vulnerability detection for web applications, including SQL injection and XSS.
  • Netsparker → Automatically detects and verifies web application vulnerabilities with proof of exploitation.
  • AppScan Standard → A DAST tool for testing and analyzing security risks in running web applications.
  • Tenable.io → Continuously monitors web applications for vulnerabilities in a dynamic environment.
  • Astra Pentest → Cloud-based DAST tool for API and application security testing.

SCA (Software Composition Analysis)

  • Snyk → Identifies and fixes vulnerabilities in open-source dependencies and container images.
  • Dependabot → GitHub-integrated tool for automated dependency updates with vulnerability alerts.
  • WhiteSource (Mend) → Scans open-source dependencies for vulnerabilities and licensing issues.
  • Black Duck → Manages open-source dependencies and ensures compliance with security policies.
  • JFrog Xray → Scans binaries and container images for vulnerabilities across CI/CD pipelines.
  • Nexus Lifecycle → - Analyzes open-source components for vulnerabilities and licensing risks.
  • FOSSA → Automates dependency auditing for security and license compliance.

Source Code Review

  • Source → What allows vuln to happen
    • Ex. Accepting user input
  • Sink → Where the vuln actually happens
    • Ex. exec(), system()
  • Grepping
    • Hardcoded secrets
    • Use of dangerous functions
    • Outdated Dependencies
    • Weak Cryptography
    • User Supplied Input
    • Developer Comments

Application Security

  • SSL vs TLSTransport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities. TLS authenticates more efficiently and continues to support encrypted communication channels.
  • Google.com
    • DNS Lookup: Browser resolves google.com to its IP address.
    • TCP Connection: Browser establishes a TCP connection with the server.
    • SSL/TLS Handshake: Secure connection setup if using HTTPS.
    • HTTP Request: Browser sends a GET request to fetch the page.
    • Server Response: Server returns the requested HTML and assets.
    • Rendering: Browser processes and renders the content visually.
    • Additional Requests: Browser fetches extra resources like images, CSS, or JS.
  • SAST vs SCA
    • SAST → Analyzes your source code for vulnerabilities during development.
      • Detects coding errors, security flaws, and logic issues in custom code.
      • ex. Checkmarx, Veracode, SonarQube.
    • SCA → Scans third-party libraries and dependencies for known vulnerabilities.
      • Identifies outdated, vulnerable, or non-compliant open-source components.
      • ex. snyk, Dependabot
  • SQLi Mitigation
    • Parameterized Queries/Prepared Statements
    • Input Validation
    • Web Application Firewall (WAF)
  • XSS → Cross-Site Scripting (XSS) is a web security vulnerability where attackers inject malicious scripts into trusted websites, enabling them to steal data/cookies, hijack user sessions, or manipulate site content.
    • Input Validation: Validate all user inputs for allowed formats (e.g., only alphanumeric characters in usernames)
    • Output Encoding: Encode user inputs before displaying them in the browser to neutralize special characters.
    • Content Security Policy (CSP): Implement a CSP header to restrict what scripts can execute on the page.
    • HTTPOnly Cookies: Use the HttpOnly attribute for cookies to prevent them from being accessed via JavaScript.
  • Login Page BruteForce Mitigation
    • Account Lockout Mechanism
    • Rate Limiting
    • CAPTCHA Implementation
    • Multi-Factor Authentication (MFA)
    • Strong Password Policies
  • Policies:
    • CORS → Cross-Origin Resource Sharing
      • CORS is a security mechanism that allows or restricts web resources on a server to be accessed from a different origin (domain, protocol, or port).
      • Ex. A website at https://example.com tries to fetch data from https://api.anotherdomain.com.
        • If the server at api.anotherdomain.com includes the header:
          • Access-Control-Allow-Origin: https://example.com
        • The browser allows the request.
      • Applies to cross-origin HTTP requests.
    • SOP → Same Origin Policy
      • The Same-Origin Policy is a browser security model that restricts how documents or scripts loaded from one origin can interact with resources from another origin.
      • Prevent malicious websites from reading sensitive data from other origins.
      • Two URLs are considered to have the same origin if they share the same:
        • Protocol (e.g., https)
        • Hostname (e.g., example.com)
        • Port (e.g., :443 for HTTPS).
      • Allowed: https://example.com/home accessing https://example.com/api.
      • Blocked: https://example.com/home accessing https://api.anotherdomain.com.
      • Applies to all interactions (scripts, DOM, etc.).
    • CSP → Content Security Policy
      • CSP is a security standard that helps prevent cross-site scripting (XSS), data injection, and other code-injection attacks by controlling the sources of content (e.g., scripts, styles, images) that the browser can load.
      • Ex. Developers define a CSP in HTTP headers or <meta> tags to whitelist trusted content sources.
      • Content-Security-Policy: script-src 'self' https://trusted.cdn.com
      • Only scripts from the same origin ('self') or https://trusted.cdn.com are allowed.
      • Applies to resource loading (scripts, styles, etc.).
  • CSRF
    • CSRF is a web security vulnerability where an attacker tricks a user into performing unintended actions on a web application in which the user is authenticated
    • CSRF Tokens → Generate a unique, random token for each user session and include it in every form or request. Validate the token server-side.
    • SameSite Cookie → Use the SameSite attribute on cookies to restrict them from being sent with cross-site requests.
    • Verify HTTP Referer Header → Check the Referer header to ensure the request originates from a trusted source.
    • User Authentication for Sensitive Actions → Re-prompt users for their credentials (or an additional factor) before performing critical operations.
  • Secure Error Handling
    • Do not reveal internal details, such as stack traces, database queries, or file paths, to end-users.
    • These details can help attackers identify vulnerabilities in the application.
    • Bad: SQL Error: Column "username" does not exist in "users" table.
    • Good: Something went wrong. Please try again later.
  • Secure Logging
    • Do not log sensitive data like passwords, API keys, credit card numbers, or PII (Personally Identifiable Information).
    • Logs are often accessed during troubleshooting or breaches, making them a potential security risk.
    • BadUser logged in with password: MyP@ssw0rd123!
    • GoodUser login attempt at 2024-12-15 10:30:00 UTC.
  • Managing Secrets:
    • Never Hardcode Secrets in Code
    • Use Environment Variables
    • Use Secret Management Tools → AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager
    • Implement Access Control
    • Rotate Secrets Regularly
  • Ensuring Security of Third-Party Libraries and Dependencies
    • Use Trusted Sources and Repositories → Downloading dependencies from unverified sources can lead to introducing malicious code into your application.
    • Regularly Update Dependencies → Older versions of libraries may have known vulnerabilities that attackers can exploit.
    • Perform Dependency Vulnerability Scanning → Automated tools can identify vulnerabilities in your dependencies.
    • Understand and Evaluate Dependencies → Blindly adding libraries without understanding their purpose or security can introduce risks.
    • Minimize Dependencies → Fewer dependencies mean fewer attack surfaces and vulnerabilities to manage.
    • Verify Package Integrity → Attackers can tamper with libraries or dependencies during distribution.
    • Use Dependency Pinning → - Prevent unintentional upgrades to newer, potentially insecure versions of libraries.
    • Monitor Vulnerability Databases → Stay informed about vulnerabilities in libraries and frameworks you use.
  • Approach to Conducting a Secure Code Review
    • Gain a clear understanding of the application, its purpose, and its architecture.
    • Start with High-Risk Areas
    • Use Automated Tools for Initial Screening
  • Secure Coding Standards
    • OWASP Secure Coding Practices
    • CERT Secure Coding Standards
      • Language-Specific Guidelines
    • NIST Secure Software Development Framework (SSDF)
  • STRIDE Threat Modeling Methodology
    • S: Spoofing, T: Tampering, R: Repudiation, I: Information Disclosure, D: Denial of Service (DoS), E: Elevation of Privilege
    • How STRIDE Works
      1. Identify Assets: Determine the critical assets that need protection (e.g., data, services, systems).
      2. Define Architecture: Map out the application architecture, including data flows, components, and trust boundaries.
      3. Analyze Threats: Use STRIDE to identify threats for each component.
      4. Prioritize Threats: Assess the impact and likelihood of each threat.
      5. Mitigate Threats: Implement controls to reduce the risks.
  • Prioritize Threats Identified During a Threat Modeling Exercise
    • Assess Threat Impact and Likelihood
    • Use a Risk Rating Framework
    • Apply the STRIDE Framework to Threat Scenarios
    • Consider Business Context
  • Designing a Safe and Secure Password Mechanism
    • Enforce Strong Password Policies
      • At least 12 characters, including:
        • 1 uppercase letter (A-Z),
        • 1 lowercase letter (a-z),
        • 1 number (0-9),
        • 1 special character (e.g., !@#$%^&*).
    • Secure Password Storage
      • Hash, Salting, Peppering
    • Implement Rate Limiting and Throttling
      • Prevent brute-force attacks by limiting the number of login attempts.
    • Use Multi-Factor Authentication (MFA)
    • Secure Password Transmission
    • Provide Password Recovery Mechanisms
    • Password Change Mechanism
  • Approach to Threat Modeling for a Financial Application
    • Define the Scope and Understand the Application
    • Create Data Flow Diagrams (DFDs)
    • Identify Threats Using STRIDE
    • Prioritize Threats
    • Mitigation and Controls
    • Test and Validate
  • OWASP Mobile Top 10
    • M1: Improper Credential Usage → Improper handling of user credentials, such as storing them insecurely or reusing credentials for multiple systems.
    • M2: Inadequate Supply Chain Security → Reliance on third-party libraries, SDKs, or APIs with vulnerabilities or malicious code.
    • M3: Insecure Authentication/Authorization → Weak or improper authentication and authorization mechanisms that allow unauthorized access or privilege escalation.
    • M4: Insufficient Input/Output Validation → Failing to validate or sanitize user inputs and application outputs, leading to potential injection attacks or data leaks.
    • M5: Insecure Communication → Lack of proper encryption or secure protocols during data transmission, making data vulnerable to interception or tampering.
    • M6: Inadequate Privacy Controls → Poor handling of user data, leading to potential privacy violations or data leaks.
    • M7: Insufficient Binary Protections → Lack of protections to prevent reverse engineering, tampering, or unauthorized analysis of the application binary.
    • M8: Security Misconfiguration → Misconfigured application settings, APIs, or servers that expose sensitive data or functionalities.
    • M9: Insecure Data Storage → Storing sensitive data on the device insecurely, making it accessible to attackers.
    • M10: Insufficient Cryptography → Improper or weak implementation of cryptographic practices, making sensitive data vulnerable to decryption or compromise.
  • App Wrapping → App wrapping is a security technique where an application is encapsulated with a security layer without altering its core functionality.
  • Software Composition Analysis
    • It is a process of identifying, managing, and mitigating risks associated with the use of third-party and open-source software components in an application.
    • SCA tools automate the identification of vulnerabilities, outdated components, and license compliance issues within these dependencies.
  • Web Cache Poisoning
    • a type of attack where an attacker manipulates the cached content stored in a web cache (e.g., CDN or reverse proxy) to deliver malicious or unexpected content to other users.