Secure Programming Practices Interview Questions and Answers

Secure Coding Patterns

Secure coding is the practice of developing software so that it guards against the accidental introduction of security vulnerabilities.

Defects, bugs, and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Therefore, secure coding practices must be incorporated in the entire development life cycle of an application.

A critical first step in developing a secure application is an effective training plan that lets developers learn the important secure coding principles and how to apply them. Compliance with this control is assessed through the Application Security Testing Program, which includes testing for the secure coding principles described in the OWASP Secure Coding Guidelines:

  1. Communication Security
  2. System Configuration
  3. Authentication and Password Management (includes secure handling of credentials by external services/scripts)
  4. Input Validation
  5. Session Management
  6. Data Protection
  7. Database Security
  8. Output Encoding
  9. Access Control
  10. Cryptographic Practices
  11. Error Handling and Logging
  12. File Management
  13. Memory Management
  14. General Coding Practices

Secure Programming Questions and Answers

1) Through a successful format-string attack against a web application, an attacker is able to execute which of the following actions?

a) All the above options

b) Read and write to memory at will  

c) Write only certain areas using tokens

d) Read certain memory areas using the %s token

Answer: b) Read and write to memory at will

2) Setting the cookie flag to which of the following modes is a good programming practice?

a) Protected

b) Secure  

c) Locked

d) Safe
Answer: b) Secure

3) Identify the correct statement from the following:

A) Security is a technical problem and is the responsibility of the security manager.

B) Customer trust, reputation, financial, compliance, and privacy are the major reasons to implement a software security program.

C) To secure online data, build secure software.

D) All the above options

E) A) and C)

Answer: E) A) and C)

4) Secure practices for access control include which of the following?

a) All the above options 

b) Business workflow

c) Authorization on each request

d) Role-based access

Answer: a) All the above options

5) Which of the following is not recommended to secure web applications against authenticated users?

a) Running the application with least privileges

b) Client-side data validation  

c) Filtering data with a default deny regular expression

d) Using parameterized queries to access a database

Answer: b) Client-side data validation  

6) Which of the following is the best approach to use when providing access to an SSO application in a portal?

a) Mandatory access control

b) Biometric access control

c) Role-based access control

d) Discretionary access control

Answer: c) Role-based access control

7) Exception Handling refers to:

a) During application execution, if certain special conditions are met, a specific subroutine 'exception handler' is called.

b) All the above options 

c) Identifying all possible erroneous inputs, and managing how an application responds to them.

d) Commercial runtime environments that contain tools to record debugging information from memory at the time of the exception, to provide 'root-cause' analysis information later.

Answer: b) All the above options

8) Which of the following is not an authorization type?

a) Role-based Access Control

b) Mandatory Access Control

c) User Access Control  

d) Discretionary Access Control

Answer: c) User Access Control

9) Which of the following is a security advantage of managed code over unmanaged code?

a) Size of the attack surface  

b) Size of the chroot jail

c) Number of lines of code

d) Number of roles

Answer: a) Size of the attack surface

10) There are various HTTP authentication mechanisms for authenticating a user. In which of the following authentication schemes are login credentials sent to the web server in clear text?

a) Digest

b) NTLM

c) None of the options

d) Basic  

e) Client Certificates

Answer: d) Basic

11) Security checks can be enforced at compile time by:

A) Enabling all compiler warnings, and paying attention to these warnings.

B) Writing code for large projects.

C) Checking all pointers against null (0) values before using them.

D) Adding debug traces to code.

E) A) and C)

F) None of the above options

Answer: E) A) and C)

12) Which of the following is a best practice for Audit Trail and Logging?

a) Restrict the access level of configuration and program-level resources.

b) Apply the principle of Secure Default.

c) All the above options  

d) While processing, do not save sensitive information on the file system of the server.  

e) Ensure server time is synchronized.

Answer: d) While processing, do not save sensitive information on the file system of the server.

13) Temporary files created by applications can expose confidential data if:

a) Special characters are not used in the filename to hide the file

b) The existence of the file exceeds three seconds

c) Special characters indicating a system file are not used in the filename

d) File permissions are not set appropriately  

Answer: d) File permissions are not set appropriately

14) One of the main disadvantages of integrating cryptography into applications is:

a) Enhanced reliability, as users can no longer modify the source code.

b) Increased stability, as the programs are protected against a virus attack.

c) Reduced breaches of policy due to disclosure of information.

d) Possible denial of service if the keys are corrupted.  

Answer: d) Possible denial of service if the keys are corrupted.

15) Which of the following is true about improper error handling?

a) Attackers can use exposed error messages to craft advanced attacks and gain system access.

b) Attackers can use error messages to extract specific information from a system.

c) All the above options  

d) Attackers can use unexpected errors to knock an application offline, creating a denial-of-service attack.

Answer: c) All the above options

16) From an application security perspective, why should a CAPTCHA be used in a web application?

a) To check the color blindness of a user

b) To check the validity of a user session

c) To prevent scripted attacks  

d) To provide biometric authentication

Answer: c) To prevent scripted attacks

17) To improve the overall quality of web applications, developers should abide by which of the following rules?

a) Trust user-supplied data

b) Allow the use of HIDDEN form fields

c) Use GET instead of POST

d) Clean and validate all user input  

Answer: d) Clean and validate all user input  

18) On logout, how should an application deal with session cookies?

a) Store IP

b) Update the time

c) Clear the cookies  

d) Update the header

Answer: c) Clear the cookies  

19) Identify the correct statement from the following:

a) None of the above options. 

b) High vulnerability can be ignored, and software can be released to the customer.

c) Development teams need not worry about rework due to security vulnerability.

d) A firewall is the best protection against application attacks.

Answer: a) None of the above options.

20) Which of the following algorithms/encryption methods is the safest to use?

a) Block Ciphers using Electronic Code Book (ECB) mode

b) AES 

c) RC4

d) DES

Answer: b) AES

...