What does “AppSec” stand for?
Application Security
What does SQL Injection target in an application?
A database (inserts malicious SQL commands).
What is the purpose of penetration testing?
To find weaknesses before real attackers do.
Why should developers keep libraries and frameworks updated?
To patch known vulnerabilities in older versions.
What does the “S” in HTTPS mean for a website?
Secure (encrypted communication)
What is the main goal of application security?
To protect applications from threats and vulnerabilities.
What is Cross-Site Scripting (XSS) used for by attackers?
Inject malicious scripts into web pages (steal data, hijack sessions).
What is the common nickname for penetration testers who help improve security?
Ethical hackers / white-hat hackers.
What is the principle of “least privilege”?
Users get only the minimum access they need.
What is the most common reason attackers go after apps?
To steal data or gain unauthorized access.
True or False: Every application can be 100% secure forever.
False; security must be continuously maintained.
What does CSRF stand for in security?
Cross-Site Request Forgery
Which type of test simulates real hacker attacks to find weaknesses?
Penetration test (or “pen test”).
What is input validation used for in apps?
To ensure only valid and safe data is accepted by the app.
What is ransomware designed to do?
Encrypt files and demand payment to unlock them.
What does the term “vulnerability” mean in an application?
A weakness that attackers can exploit.
What is a brute-force login attack?
Repeatedly guessing usernames and passwords until access is gained.
What does a penetration tester provide at the end of a test?
A report of findings and recommendations.
What is code review’s role in security?
To catch security flaws early in code.
What global project publishes the “Top 10” list of most critical web app vulnerabilities?
OWASP (Open Web Application Security Project)
What is the difference between a bug and a security vulnerability?
A bug affects functionality; a vulnerability affects security.
What does “zero-day vulnerability” mean?
A vulnerability unknown to the vendor and without a fix yet.
What is the difference between black-box and white-box testing?
Black-box = no knowledge of the system; white-box = full knowledge of the system.
What is the “shift-left” approach in security testing?
Moving security testing earlier in the development lifecycle.
If a company suffers a data breach, what’s one immediate step they must take?
Notify affected users and authorities, investigate and patch the breach.