Friday, January 5, 2018

Security Testing Interview Questions


1) What is Security?

Security is a set of measures that protect an application against unforeseen actions that cause it to stop functioning or to be exploited.

Unforeseen actions can be either intentional or unintentional.

2) What is Security Testing?
 
Security Testing is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.
The goal of security testing is to identify the threats in the system and measure its potential vulnerabilities. 

It also helps in detecting all possible security risks in the system and helps developers fix these problems in code.

3) What is Vulnerability?
 
A vulnerability is a weakness in the web application. The cause of such a weakness can be bugs in the application, an injection flaw (SQL or script code) or the presence of viruses.

4) What is a Bug?
 
A fault in a program which causes the program to perform in an unintended or unanticipated manner.

5) What are the main focus areas to be considered in Security Testing?
 
There are four main focus areas to be considered in security testing (Especially for web sites/applications):
•    Network security: This involves looking for vulnerabilities in the network infrastructure (resources and policies).
•    System software security: This involves assessing weaknesses in the various software (operating system, database system, and other software) the application depends on.
•    Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.
•    Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.

6) Give an example of a basic Security Test?
 
This is an example of a very basic security test which anyone can perform on a web site/application:
•    Log into the web application.
•    Log out of the web application.
•    Click the BACK button of the browser (check whether you are asked to log in again or whether the logged-in application page is shown).
Most types of security testing involve complex steps and out-of-the-box thinking but, sometimes, it is simple tests like the one above that help expose the most severe security risks.
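The back-button check above can be automated against the application's own login and logout endpoints. The following is an added example, not code from the original post: a minimal WSGI app with a session store, and a test function that logs in, logs out and then replays the old session cookie the way a BACK navigation would. The app class `AccountApp`, the cookie name `sid`, the `/login`, `/logout` and `/account` paths and the credentials are all constructed for the example. The `invalidate_on_logout` switch reproduces the weak behaviour where logout only clears the browser cookie and the server keeps the session alive.

```python
"""Added example, not code from the original post: a minimal WSGI login/logout
app and the 'log in, log out, press BACK' check from the answer above, driven
in-process without a browser or network. AccountApp, the cookie name 'sid' and
the /login, /logout and /account paths are constructed for this example."""
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_COOKIE = "sid"
# Constructed test credentials for the sample app.
VALID_USER, VALID_PASSWORD = "alice", "correct horse"


class AccountApp:
    """Tiny WSGI app. invalidate_on_logout=False reproduces the weak behaviour
    where logout only clears the browser cookie but leaves the server-side
    session alive, so a replayed cookie still opens the account page."""

    def __init__(self, invalidate_on_logout=True):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> username

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None

        if path == "/login" and environ.get("REQUEST_METHOD") == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            if form.get("user") == [VALID_USER] and form.get("password") == [VALID_PASSWORD]:
                new_sid = secrets.token_urlsafe(32)      # unguessable session id
                self.sessions[new_sid] = VALID_USER
                start_response("302 Found", [
                    ("Location", "/account"),
                    ("Set-Cookie", f"{SESSION_COOKIE}={new_sid}; HttpOnly; Secure; SameSite=Lax")])
                return [b""]
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"bad credentials"]

        if path == "/logout":
            if self.invalidate_on_logout:
                self.sessions.pop(sid, None)             # server forgets the session
            start_response("302 Found", [
                ("Location", "/"),
                ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; HttpOnly; Secure")])
            return [b""]

        if path == "/account":
            user = self.sessions.get(sid)
            if user is None:
                start_response("302 Found", [("Location", "/login")])
                return [b""]
            # no-store keeps the authenticated page out of the browser cache, so
            # BACK after logout cannot show a cached copy either
            start_response("200 OK", [("Content-Type", "text/plain"),
                                      ("Cache-Control", "no-store")])
            return [f"Welcome {user}".encode()]

        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]


def call(app, method, path, cookie=None, body=b""):
    """Drive the WSGI app directly; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if cookie:
        environ["HTTP_COOKIE"] = f"{SESSION_COOKIE}={cookie}"
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    data = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], data


def back_button_test(app):
    """The check from the answer above: log in, log out, then replay the old
    session cookie as a BACK navigation would. True means the app asks for a
    fresh login; False means the logged-in page is still served."""
    status, headers, _ = call(app, "POST", "/login", body=b"user=alice&password=correct+horse")
    sid = SimpleCookie(headers["Set-Cookie"])[SESSION_COOKIE].value
    status, headers, _ = call(app, "GET", "/account", cookie=sid)
    assert status.startswith("200") and headers["Cache-Control"] == "no-store"
    call(app, "GET", "/logout", cookie=sid)
    status, _, _ = call(app, "GET", "/account", cookie=sid)   # the "BACK" request
    return status.startswith("302")


if __name__ == "__main__":
    print("hardened app passes:", back_button_test(AccountApp()))
    print("weak app passes:", back_button_test(AccountApp(invalidate_on_logout=False)))
```

Two things make the hardened variant pass: the server drops the session id from its store on logout, so a replayed cookie is worthless, and the account page is sent with `Cache-Control: no-store`, so the browser has no cached copy to show when BACK is pressed. The weak variant sends the same cache header but never invalidates the session, and the test reports it as failing.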

7) What are the different types of security testing?
 
There are seven main types of security testing as per the Open Source Security Testing Methodology Manual (OSSTMM). They are explained as follows:

•    Vulnerability Scanning: This is done through automated software to scan a system against known vulnerability signatures.

•    Security Scanning: It involves identifying network and system weaknesses and later provides solutions for reducing these risks. This scanning can be performed both manually and with automated tools.
 
•    Penetration testing: This kind of testing simulates an attack from a malicious hacker. This testing involves analysis of a particular system to check for potential vulnerabilities to an external hacking attempt.
 
•    Risk Assessment: This testing involves analysis of security risks observed in the organization. Risks are classified as Low, Medium and High. This testing recommends controls and measures to reduce the risk.
 
•    Security Auditing: This is an internal inspection of applications and operating systems for security flaws. An audit can also be done via line-by-line inspection of code.
 
•    Ethical hacking: It is hacking an organization's software systems. Unlike malicious hackers, who steal for their own gain, the intent is to expose security flaws in the system.
 
•    Posture Assessment: This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.

8) What are the major tables to be included in test plan?

The test plan should include:
•    Security related test cases or scenarios
•    Test Data related to security testing
•    Test Tools required for security testing
•    Analysis on various tests outputs from different security tools

9) What is tiger box penetration testing?

This testing is usually done on a laptop which has a collection of OSs and hacking tools. This setup helps penetration testers and security testers conduct vulnerability assessments and attacks.

10) What is black box testing?
 
The tester is authorized to test everything about the network topology and the technology.

11) What is grey box testing?
 
Partial information is given to the tester about the system; it is a hybrid of the white box and black box models.

12) What is Fuzz Testing?
 
Fuzz testing is a black box testing technique which feeds random or malformed data to a program to check whether anything breaks in the application.
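A small mutation-based fuzzer makes the definition concrete. The following is an added example, not code from the original post: a seed input for a constructed `key=value;key=value` record format is randomly mutated and fed to two parsers of that format. `parse_record_naive` assumes well-formed input and blows up with assorted exceptions on bad data; `parse_record_hardened` rejects bad data with one documented exception type. The fuzzer records every crash that is not that documented rejection, which is the "does anything break" question the answer above asks. All names and the record format are constructed for this example.

```python
"""Added example, not code from the original post: a tiny mutation fuzzer that
feeds malformed data to a parser, in the spirit of the fuzz testing definition
above. The 'k=v;k=v' record format and both parsers are constructed here."""
import random


def parse_record_naive(data: bytes) -> dict:
    """Parses 'k=v;k=v'. Assumes every field has exactly one '=' and a non-empty
    key; malformed input makes it raise ValueError, IndexError or
    UnicodeDecodeError, which is exactly what a fuzzer is looking for."""
    out = {}
    for field in data.split(b";"):
        key, value = field.split(b"=")            # ValueError if not exactly one '='
        if key[0] == ord("#"):                    # IndexError on an empty key
            continue
        out[key.decode("ascii")] = value.decode("ascii")  # UnicodeDecodeError on high bytes
    return out


class MalformedRecord(ValueError):
    """The only exception the hardened parser is allowed to raise."""


def parse_record_hardened(data: bytes) -> dict:
    """Same format, but every malformed shape is turned into MalformedRecord."""
    out = {}
    for field in data.split(b";"):
        if not field:
            continue
        key, sep, value = field.partition(b"=")
        if not sep or not key:
            raise MalformedRecord(f"bad field {field!r}")
        if key.startswith(b"#"):
            continue
        try:
            out[key.decode("ascii")] = value.decode("ascii")
        except UnicodeDecodeError as exc:
            raise MalformedRecord("non-ASCII field") from exc
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to a known-good seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and data:                          # overwrite a byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1 and data:                        # delete a byte
            del data[rng.randrange(len(data))]
        else:                                             # insert a byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(parser, seed=b"user=alice;role=tester", iterations=2000, rng_seed=1):
    """Run the parser on mutated inputs. Returns a list of (input, exception)
    for every crash that is not the parser's documented MalformedRecord."""
    rng = random.Random(rng_seed)                         # fixed seed: reproducible runs
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except MalformedRecord:
            pass                                          # expected, clean rejection
        except Exception as exc:                          # unexpected: a bug to report
            crashes.append((sample, exc))
    return crashes


if __name__ == "__main__":
    for parser in (parse_record_naive, parse_record_hardened):
        found = fuzz(parser)
        print(f"{parser.__name__}: {len(found)} unexpected crashes")
        if found:
            print("  first crashing input:", found[0][0], "->", repr(found[0][1]))
```

The fixed random seed matters in practice: a crash a fuzzer finds is only useful if the input that caused it can be replayed, so the fuzzer keeps the exact input alongside the exception and runs deterministically.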

13) What is smoke test?
 
Testing whether the application performs its basic functionality properly, so that the test team can go ahead with further testing of the application.

14) What is the difference between verification and validation?
 
Verification is a review without actually executing the process while validation is checking the product with actual execution. For instance, code review and syntax check is verification while actually running the product and checking the result is validation.

15)What are different types of verifications?
 
Verification is a static type of s/w testing. It means code is not executed. The product is evaluated by going through the code. Types of verification are:
•    Walkthrough: Walkthroughs are informal, initiated by the author of the s/w product to a colleague for assistance in locating defects or suggestions for improvements. They are usually unplanned. The author explains the product; the colleague comes out with observations and the author notes down relevant points and takes corrective actions.

•    Inspection: Inspection is a thorough word-by-word checking of a software product with the intention of locating defects, confirming traceability of relevant requirements, etc.

16) What are the myths and Facts of Security Testing?
 
Myth 1: We don't need a security policy as we have a small business
Fact: Everyone and every company need a security policy

Myth 2: There is no return on investment in security testing
Fact: Security Testing can point out areas for improvement that can improve efficiency and reduce downtime, enabling maximum throughput.

Myth 3: The only way to secure a system is to unplug it.
Fact: The only and best way to secure an organization is to find "Perfect Security". Perfect security can be achieved by performing a posture assessment and comparing it with business, legal and industry justifications.

Myth 4: Internet isn't safe. I will purchase software or hardware to safeguard the system and save business.
Fact: One of the biggest problems is purchasing software and hardware for security. Instead, an organization should understand security first and then apply it.

Interview Questions and Answers on Web Testing

Q) What is WWW?

The term WWW refers to the World Wide Web or simply the Web. The World Wide Web consists of all the public Web sites connected to the Internet worldwide, including the client devices (such as computers and cell phones) that access Web content. The WWW is just one of many applications of the Internet and computer networks. 

Q) What is Web Application?

It is a software application that is accessed over a network such as the Internet or an intranet through a web browser.

Q) What are the advantages of Web Applications over I-Tier and II-Tier Applications?

• Web Software Applications Support Thousands of clients easily

• Client side installation is optional, so maintenance is easy, adding/removing client machines is easy

• Can be deployed in Stand-alone, Intranet and Internet Environments

Q) What are the different types of environment available in the Web?
• Stand-alone

• Intranet (Local Network)

• Internet (Wide area Network)

• Extranet (Private network over Internet)

Q) What is Intranet application?
It is a private application that can be accessed within the organization only. It uses a local/private network and Internet Protocol technology to share information.

Q) What is Internet application?
Generally it is a public web application that uses a wide area network. It can be accessed from anywhere.

Q) What is Extranet application?
It is also a private application over the Internet that can be accessed by fixed machines only. It uses a wide area network and Internet Protocol technology to share information.

Q) What are the different types of web applications available in the Software Industry?

We have different types of web applications available in the industry:

a) Websites
Ex: http://www.aurobindo.com/, http://www.pennacement.com/ etc...

b) Web Portals
Ex: http://www.ebay.in/, http://www.naukri.com/ etc...

c) Web Applications
Ex: www.icicibank.com/, http://www.sunlife.com/ etc...

d) Email Service Providers
Ex: www.gmail.com, www.yahoo.com, www.rediffmail.com etc...

e) Social Networks
Ex: www.facebook.com, www.twitter.com, www.linkedin.com etc...

f) Discussion Forums

g) Classifieds Web sites
Ex:

Etc...

Q) What is Website?

Basically a website is an information provider; it provides information globally using Internet protocols.

Q) What is Web Portal?

A web portal is a business gateway; it organizes business operations.

Ex: Online shopping portals, Job portals etc...

Q) What is Web Application?

Web application provides services (Free and Paid) apart from information.

Ex: Online Banking System

It provides bank information, branches & ATM information, loans information etc...

It also provides services such as balance enquiry, fund transfer and bill payments.

Q) What is HTML?

HTML stands for Hyper Text Markup Language; it is used for displaying web pages and other information. Basically it is the data presenter on the web.

Q) What is Client Side Validation?

Validating forms on the client side, which is typically done with JavaScript. Generally it checks whether the user is entering data in the correct form and whether all mandatory fields are filled in.

Client side validation is of 2 types: field level validation and form level validation.

Q) What is Server Side Validation?
Validating and processing client requests and providing the response from the server.

Q) What is Web Server?

The web server handles client side and server side validations and helps deliver web content that can be accessed through Internet protocols.

Examples:

Microsoft IIS (Internet Information Services)

Apache Web server from Apache

Java Web server

Pramati web server etc...

Q) What is Application Server?

An application server, also called an appserver, is a program that handles all application operations between users and an organization's back-end business applications or databases.

Examples:

BEA WebLogic

IBM WebSphere

Q) What is Database Server?

The term database server refers to the back-end system of a database application using client/server architecture.

The back-end, sometimes called a database server, performs tasks such as data design, storage, data manipulations, archiving, and other non-user specific tasks.

Examples:

Oracle

MS SQL Server

MySQL (Open source)

IBM DB2 etc...

Q) What is HTTP?

Hyper Text Transfer Protocol, the data transfer protocol used on the World Wide Web. 

Q) What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is a widely-used communications protocol for secure communication over a computer network.

Q) What is purpose of Java Script in the Web?
It is for performing client side validations.

Q) What is the purpose of Vbscript in the Web?
It can be used for client side validations as well as Server side validations.

Q) What is Web Browser?
Web browser is a software application used to locate, retrieve and also display content on the World Wide Web, including Web pages, images, videos and other files.

Examples:

Microsoft Internet Explorer

Mozilla Firefox

Google Chrome

Opera

Safari etc…

Q) What is Server side testing?
Q) What are the advantages of web applications than GUI based applications?

• Only server side installation, client side installation is not mandatory, so deployment and maintenance is easy.

• It can be accessible anywhere, anytime via a PC with an Internet connection. The user interface of web-based applications is easier to customize than it is in GUI applications.

• Content can also be customized for presentation on any device connected to the internet, including PDAs, mobile phones etc…

• Supports thousands of clients effectively

• Adding and removing clients is very easy.
 
Q) What are Web Services?

Web services are application components that communicate using open protocols and can be used by other applications.

XML is the basis for Web services

SOAP (Simple Object Access Protocol), UDDI (Universal Description, Discovery and Integration) and WSDL (Web Services Description Language) are the Web services platform elements.

Q) What are the important aspects in Web Testing?
 
• Functionality Testing (includes forms validation, search operations, links testing, navigation testing etc...)

• Security Testing (authorization, access control, virus attacks, etc...)

• Database Testing (includes data integrity, data manipulations, data retrievals etc...)

• Performance Testing (includes all types of performance like Load Testing, Stress Testing, Spike Testing, Endurance Testing and Data Volume Testing)

• Usability Testing (easy navigation, look and feel including colors, alignments, fonts etc...)

• Navigation Testing

• Configuration Testing

• Compatibility Testing

• Reliability Testing

• Availability Testing

• Scalability Testing

Etc...

Q) What is Cookies Testing?
A "cookie" is a small piece of information that is sent by a web server to be stored on a web browser so it can later be read back from that browser. This is useful for having the browser remember some specific information.
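Cookie testing in practice means looking at the `Set-Cookie` headers the server returns and checking the attributes a session cookie should carry. The following is an added example, not code from the original post: it parses constructed sample `Set-Cookie` lines (one weak, one hardened) with the standard library and reports, for cookies whose name looks like a session cookie, whether `Secure`, `HttpOnly` and `SameSite` are set and whether the cookie is persistent. The list of session cookie names and the two sample header lines are assumptions made for the example.

```python
"""Added example, not code from the original post: a cookie test that inspects
Set-Cookie headers and reports the attributes a tester checks on a session
cookie. The header lines below are constructed sample data."""
from http.cookies import SimpleCookie

# Constructed sample responses: one weak, one hardened. In a real test these
# come from the HTTP response to a login request.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=8f3a1c2e9b; Path=/",
    "session=k3jd92ls; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Assumed list of names that identify a session cookie in this example.
SESSION_COOKIE_NAMES = ("session", "jsessionid", "phpsessid", "sid")


def check_cookie(header: str):
    """Return (name, findings) for one Set-Cookie header. The findings list is
    empty when a session cookie carries every attribute the test expects."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    findings = []
    if name.lower() in SESSION_COOKIE_NAMES:
        if not morsel["secure"]:
            findings.append("missing Secure: cookie may be sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable by page scripts")
        if not morsel["samesite"]:
            findings.append("missing SameSite: sent on cross-site requests")
        if morsel["expires"] or morsel["max-age"]:
            findings.append("persistent session cookie: survives browser close")
    return name, findings


def audit_cookies(headers):
    """Map each cookie name to its list of findings."""
    return dict(check_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie_name, findings in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie_name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Each finding maps to a concrete risk a tester would report: without `Secure` the cookie travels in clear text over HTTP, without `HttpOnly` a script injected into the page can read it, and without `SameSite` the browser attaches it to requests initiated from other sites.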

Q) How to perform Web Services Testing?

A Web Service is a service accessed via the Web. A Web Service is a way to publish your application over the web and enable other applications to access the functions defined by your web service. Web services expose an interface defined in Web Services Description Language (WSDL).

Q) How to test Web Forms manually and using UFT (Formerly QTP) Tool?

Web forms validation is 2 types:

a) Field level validations

b) Form level validations

Using Black Box test design techniques we can test web forms manually

Using Conditional statements and built-in functions we can test web forms (Using UFT)
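The two validation levels named here, and the client-side/server-side split described under the validation questions earlier on the page, come together in the server's own checks: whatever the browser's JavaScript did, the server re-validates every field on its own and then the rules that span fields. The following is an added example, not code from the original post: server-side validation of a constructed registration form, with `validate_fields` doing field-level checks (mandatory fields, format of each value) and `validate_form` doing form-level checks (rules across fields). The form fields, patterns and rules are assumptions made for the example.

```python
"""Added example, not code from the original post: server-side validation of a
web form at the two levels named above, field level and form level. The
registration form, its fields and its rules are constructed for this example;
the server applies them whether or not the browser ran any JavaScript."""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")

FIELD_RULES = {
    # field: (required, validator returning an error message or None)
    "username": (True, lambda v: None if USERNAME_RE.match(v) else "3-20 letters, digits or _"),
    "email": (True, lambda v: None if EMAIL_RE.match(v) else "not a valid e-mail address"),
    "password": (True, lambda v: None if len(v) >= 12 else "at least 12 characters"),
    "confirm": (True, lambda v: None),
    "age": (False, lambda v: None if v.isdigit() and 13 <= int(v) <= 120
            else "must be a number between 13 and 120"),
}


def validate_fields(form: dict) -> dict:
    """Field-level validation: mandatory fields present and each value well formed.
    Returns {field: error message}."""
    errors = {}
    for field, (required, check) in FIELD_RULES.items():
        value = form.get(field, "").strip()
        if not value:
            if required:
                errors[field] = "this field is mandatory"
            continue
        msg = check(value)
        if msg:
            errors[field] = msg
    # Parameters the form never offered are rejected too; the client must not be
    # able to smuggle in extra fields just because the browser-side check skipped them.
    for extra in set(form) - set(FIELD_RULES):
        errors[extra] = "unknown field"
    return errors


def validate_form(form: dict) -> list:
    """Form-level validation: rules that involve more than one field."""
    errors = []
    if form.get("password") != form.get("confirm"):
        errors.append("password and confirmation do not match")
    if form.get("username", "").lower() in form.get("password", "").lower():
        errors.append("password must not contain the username")
    return errors


def validate_registration(form: dict) -> dict:
    """Run both levels; form-level rules only once every field passed on its own."""
    field_errors = validate_fields(form)
    if field_errors:
        return {"fields": field_errors, "form": []}
    return {"fields": {}, "form": validate_form(form)}


if __name__ == "__main__":
    # Constructed submissions: one valid, one with bad fields and an extra parameter.
    good = {"username": "alice_01", "email": "alice@example.com",
            "password": "correct horse battery", "confirm": "correct horse battery"}
    bad = {"username": "al", "email": "not-an-email", "password": "short",
           "confirm": "short", "is_admin": "1"}
    print(validate_registration(good))
    print(validate_registration(bad))
```

The same two levels are what a manual test or a UFT script exercises from the outside: field-level cases submit one bad value at a time, form-level cases submit individually valid values that break a cross-field rule, and in both cases the expected result is a rejection from the server, not only a message from the browser.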

Q) What is the difference between desktop application testing and web testing?

Desktop testing is standalone testing. Desktop testing need not worry about the number of users, etc.

Web testing is related to client server and Web testing needs to have many testing types to be performed like Usability, GUI, Database and Load Testing etc...

Q) What are possible configurations that could affect the testing strategy of any web site?

Possible configurations that affect the testing strategy of any web site are hardware platform (PC, Mac), Browser software and version, Browser Plug-Ins, Browser settings options, Video resolution and Colour Depth, and text size.

Q) What is difference between client server and Web Testing?
The difference between client server and Web Testing:
In a client server application you have two different components to test. The application is loaded on the server machine while the application exe is installed on every client machine. You will test broadly in categories like GUI on both sides, functionality, load, client-server interaction and back-end. This environment is mostly used in intranet networks. You are aware of the number of clients and servers and their locations in the test scenario.

A web application is a bit different and more complex to test as the tester doesn't have that much control over the application. The application is loaded on a server whose location may or may not be known and no exe is installed on the client machine; you have to test it on different web browsers. Web applications are supposed to be tested on different browsers and OS platforms, so broadly a web application is tested mainly for browser compatibility and operating system compatibility, error handling, static pages, back-end testing and load testing.

Q) What are the latest web Technologies do you know?

Latest web technologies are:

The main three web tracks:

1. Microsoft ASP.Net Track + SQL Server database engine (IDE: Expression Web, Visual Studio).

2. Oracle Java Track + Oracle database engine (IDE: NetBeans, Eclipse).

3. PHP Track + MySQL database engine (IDE: Zend Studio, DreamWeaver).

There are many new concepts and enhanced methodologies like Ajax, JQuery, JSON, and so on.

Q) What types of web testing security problems do you know?

Types of web testing security problems are:

Denial of Service (DoS) attack, buffer overflow etc…

Q) What types HTTP Response Codes do you know?


Types of HTTP Response Codes are:

2xx - success, 3xx - Redirection, 4xx - Client Error, 5xx - Server Error