← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 11 · Cyberspace Tech Solutions Cybersecurity Curriculum

Product & Application Security

~60 minutes of interview prep, MCQs, and simulations covering Secure SDLC, DevSecOps, CI/CD security, and API security best practices.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Integrate security across the software development lifecycle
  • Implement automated security testing in CI/CD environments
  • Design and protect secure APIs against modern attacks

Topics Covered

#TopicTimeType
1Secure SDLC, Threat Modeling (STRIDE)8 minReading
2DevSecOps, CI/CD Pipeline Security5 minReading
3API Security & OWASP Top 105 minReading
4Interview Questions & Answers (20)20 minQ&A
5MCQ Quiz (25 questions)15 minQuiz
6Simulations (4)7 minSimulation
💡 Why it matters: Application security is the #1 attack surface. 84% of cyberattacks exploit application-layer vulnerabilities. OWASP, SAST/DAST, and DevSecOps knowledge are essential for AppSec roles.
Core Concepts · ~18 min

AppSec Fundamentals

Secure SDLC Phases & Security Activities

SDLC PhaseSecurity ActivityTools
RequirementsDefine security requirements, privacy requirements, abuse casesOWASP ASVS, threat model templates
DesignThreat modeling (STRIDE), secure architecture review, design patternsOWASP Threat Dragon, MS Threat Modeling Tool
ImplementationSecure coding standards, peer code review, SCA (dependency scanning)SonarQube, Semgrep, Snyk, Dependabot
TestingSAST, DAST, IAST, penetration testing, fuzz testingOWASP ZAP, Burp Suite, Veracode, Checkmarx
DeploymentSecure configuration, hardening, infrastructure scanningCheckov, Trivy, CIS Benchmarks
MaintenancePatch management, vulnerability disclosure, security monitoringDependabot, NVD feeds, PSIRT process

STRIDE Threat Model

LetterThreatCIA PillarExample
SSpoofingAuthenticationAttacker impersonates another user using stolen credentials
TTamperingIntegrityAttacker modifies data in transit or at rest
RRepudiationNon-repudiationUser denies performing an action with no audit trail
IInformation DisclosureConfidentialityStack trace reveals internal paths/versions to attacker
DDenial of ServiceAvailabilityAttacker floods API with requests causing downtime
EElevation of PrivilegeAuthorizationRegular user accesses admin functionality

SAST vs DAST vs IAST

SASTDASTIAST
Full nameStatic Application Security TestingDynamic Application Security TestingInteractive Application Security Testing
WhenAt code level (before compile)Against running applicationDuring test execution (runtime)
What it needsSource code accessRunning app (no source needed)Agent instrumented in app
StrengthsFast, early detection, no runtime neededFinds real runtime vulnerabilitiesHigh accuracy, low false positives
WeaknessesHigh false positives, no runtime contextMisses code-level issues, needs running appComplex setup, language-specific agents
ExamplesSonarQube, Semgrep, CheckmarxOWASP ZAP, Burp Suite, NiktoContrast Security, Seeker

DevSecOps — Security in the CI/CD Pipeline

Pre-commit
Secret scanning
Lint/SAST
Build
SAST
Dependency scan
License check
Test
DAST
Container scan
IAST
Deploy
IaC scan
Config hardening
Monitor
RASP
WAF
SIEM alerts
⚠️ Never hardcode secrets in source code. Use: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, environment variables injected at runtime. Use TruffleHog / GitGuardian to scan for leaked secrets.

OWASP Top 10 (2021)

#RiskExample
A01Broken Access ControlChanging /user/123 → /user/456 to access another user's data
A02Cryptographic FailuresStoring passwords as unsalted MD5 hashes
A03InjectionSQL injection: ' OR '1'='1 bypasses login
A04Insecure DesignNo rate limiting on password reset allows brute force
A05Security MisconfigurationDefault admin credentials, debug mode in production, open S3 bucket
A06Vulnerable & Outdated ComponentsUsing Log4j 2.14.1 (vulnerable to Log4Shell)
A07Identification & Authentication FailuresNo MFA, weak session tokens, credential stuffing not prevented
A08Software & Data Integrity Failuresnpm package with backdoor, unsigned software updates
A09Security Logging & Monitoring FailuresNo logs of failed login attempts; breach undetected for months
A10Server-Side Request Forgery (SSRF)App fetches URL from user input → attacker probes internal services

OWASP API Security Top 10 (2023)

#RiskExample
API1Broken Object Level Authorization (BOLA)GET /api/orders/12345 → change to /api/orders/12346 (another user's order)
API2Broken AuthenticationAPI accepts expired JWT tokens, no rate limiting on auth endpoints
API3Broken Object Property Level AuthorizationAPI returns all user fields including hashed password in response
API4Unrestricted Resource ConsumptionNo rate limiting → DoS via API flood
API5Broken Function Level AuthorizationRegular user can call DELETE /api/admin/users/
API6Unrestricted Access to Sensitive Business FlowsBot purchases all limited-stock items before humans
API7Server-Side Request ForgeryAPI fetches external URL provided by user
API8Security MisconfigurationCORS allows all origins, verbose error messages, no TLS
API9Improper Inventory ManagementOld API v1 still accessible with no security controls
API10Unsafe Consumption of APIsTrusting data from third-party APIs without validation → injection
🎯 Interview Angle: STRIDE, SAST vs DAST, OWASP Top 10, BOLA (most common API vulnerability), JWT risks, and the "shift left" concept are essential knowledge for any AppSec or DevSecOps role.
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What is the Secure SDLC and why is it important?Easy
The Secure Software Development Lifecycle (SSDLC) integrates security activities at every phase of software development — from requirements gathering through deployment and maintenance — rather than treating security as an afterthought.
  • Why important: Finding a vulnerability in requirements costs $1 to fix. In production, it costs $100x more. Early security = cheaper, faster, safer software.
  • Reduces the attack surface of delivered software.
  • Builds a security culture within development teams.
  • Supports regulatory compliance (GDPR, PCI-DSS require secure development practices).
  • Reduces reputational risk from post-deployment breaches.
Common frameworks: Microsoft SDL, NIST SSDF (Secure Software Development Framework), OWASP SAMM (Software Assurance Maturity Model).
💡 Key message to interviewers: Security is not a one-time gate before release — it's continuous throughout the entire development process.
2What is "shift left" in DevSecOps?Easy
"Shift left" means moving security testing and validation earlier in the SDLC — from the right side (production/testing) to the left side (requirements/design/coding).
  • Developers run SAST tools in their IDE as they write code, not after.
  • Threat modeling happens during design, not after deployment.
  • Security requirements are defined alongside functional requirements.
  • Pre-commit hooks enforce secret scanning and code analysis before code is pushed.
Why shift left works: Defects are exponentially cheaper to fix earlier. A design flaw found at requirements: ~$1. Found in production: ~$100–$1000. Shift left dramatically reduces cost and risk.
3What is the difference between SAST and DAST?Medium
  • SAST (Static Application Security Testing): Analyses source code, bytecode, or binaries without executing the application. Finds vulnerabilities like SQL injection, hardcoded secrets, insecure functions at the code level. Run during development in CI pipelines. Tools: SonarQube, Semgrep, Checkmarx, Fortify.
  • DAST (Dynamic Application Security Testing): Tests a running application from the outside (like an attacker would) without access to source code. Finds runtime vulnerabilities: authentication issues, injection, misconfigurations. Tools: OWASP ZAP, Burp Suite, Nikto.
💡 Use both: SAST catches code-level issues early (cheap), DAST catches runtime issues that SAST misses. IAST combines both by instrumenting the running app. A mature AppSec program uses all three.
4What is threat modeling? Explain the STRIDE model.Medium
Threat modeling is a structured process of identifying potential security threats to a system during the design phase and designing countermeasures before building.

STRIDE model:
  • S — Spoofing: Attacker pretends to be someone else. Counter: Authentication (MFA, certificates).
  • T — Tampering: Attacker modifies data. Counter: Integrity checks, digital signatures, hashing.
  • R — Repudiation: User denies performing an action. Counter: Audit logs, non-repudiation (digital signatures).
  • I — Information Disclosure: Data exposed to unauthorized parties. Counter: Encryption, access controls, data minimization.
  • D — Denial of Service: System made unavailable. Counter: Rate limiting, redundancy, DDoS protection.
  • E — Elevation of Privilege: User gains more access than intended. Counter: Authorization controls, least privilege.
💡 Process: Draw data flow diagrams → identify trust boundaries → apply STRIDE to each element → prioritize threats (DREAD scoring) → design mitigations.
5What is DevSecOps and how does it differ from traditional DevOps?Easy
DevOps integrates Development and Operations for faster, continuous delivery. DevSecOps adds Security as a shared responsibility integrated throughout the pipeline.
Traditional DevOpsDevSecOps
Security timingPost-development security gateContinuous, at every pipeline stage
Who owns securitySecurity team onlyDevelopers, Ops, and Security jointly
Security testingManual pen test before releaseAutomated SAST/DAST/SCA in CI/CD
Feedback loopSlow (wait for security review)Fast (immediate developer feedback)
💡 Key DevSecOps principle: security is a feature, not a gate. Security teams act as enablers and coaches, not gatekeepers who slow delivery.
6What are the OWASP Top 10 and which was #1 in 2021?Medium
The OWASP Top 10 is the most authoritative list of critical web application security risks, updated periodically based on real-world data from the security community.

2021 #1: Broken Access Control — Users can access resources or perform actions beyond their intended permissions. Moved from #5 in 2017 to #1, found in 94% of tested applications.

Key changes from 2017→2021: SQL Injection dropped from #1 to part of A03 (Injection). Cryptographic Failures (formerly Sensitive Data Exposure) moved to #2. Insecure Design (A04) is a new category emphasizing security by design.
💡 Memorize the full 2021 list: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Integrity Failures, A09 Logging Failures, A10 SSRF.
7What is BOLA (Broken Object Level Authorization)?Medium
BOLA (also called IDOR — Insecure Direct Object Reference) is the #1 API vulnerability. It occurs when an API exposes object identifiers (like database IDs) in requests and doesn't verify the requesting user has permission to access that specific object.

Example:
GET /api/v1/orders/12345  ← User A's order
→ Change to:
GET /api/v1/orders/12346  ← User B's order (unauthorized!)
If the API returns User B's data without checking that the requesting user owns order 12346, it's BOLA.

Prevention:
  • Implement object-level authorization checks for every request
  • Use GUIDs instead of sequential integer IDs (not a complete fix but adds obscurity)
  • Validate that the authenticated user owns the requested resource at the data layer
  • Automated testing: fuzz IDs in API tests, use Burp Suite's Autorize extension
8How do you secure a REST API?Medium
Securing a REST API requires defence at multiple layers:
  • Authentication: OAuth 2.0 + JWT for user authentication; API keys for service-to-service; mTLS for sensitive environments.
  • Authorization: Enforce BOLA checks — verify the caller owns the requested resource. Role-based access per endpoint.
  • Transport security: HTTPS/TLS 1.2+ mandatory. No HTTP. Enforce HSTS.
  • Rate limiting: Prevent brute force and DoS. Implement per-user and per-IP rate limits. Return 429 Too Many Requests.
  • Input validation: Validate and sanitize all input. Reject unexpected fields (mass assignment prevention). Whitelist allowed values.
  • Output encoding: Encode output to prevent injection. Return only necessary fields (never return passwords/hashes).
  • Logging & monitoring: Log all API requests (authenticated user, endpoint, response code). Alert on anomalies.
  • API gateway: Centralise auth, rate limiting, WAF, and logging (Kong, AWS API Gateway, Apigee).
  • Versioning: Deprecate and remove old API versions with proper security controls.
9What is JWT and what are its security risks?Hard
JWT (JSON Web Token) is a compact, self-contained token format used for authentication and information exchange. Structure: Header.Payload.Signature — Base64URL encoded.

Security risks:
  • Algorithm confusion (alg:none): If server accepts alg:none, attacker can forge tokens with no signature.
  • Weak secret: If HS256 secret is weak/guessable, attacker can brute-force and forge tokens.
  • RS256 to HS256 confusion: If server accepts both algorithms, attacker can use public key as HS256 secret.
  • No expiry: Tokens without exp claim are valid forever — stolen tokens stay valid permanently.
  • Sensitive data in payload: JWT payload is Base64 encoded — NOT encrypted. Never put passwords or PII in payload.
  • No revocation: JWTs are stateless — once issued, they can't be revoked until expiry (use short expiry + refresh tokens).
💡 Best practices: Short expiry (15 min access tokens), refresh token rotation, validate algorithm explicitly server-side, use HTTPS only, store in HttpOnly cookies not localStorage.
10What is SQL injection and how do you prevent it?Easy
SQL Injection occurs when user-supplied input is incorporated into SQL queries without sanitization, allowing attackers to manipulate the query logic.

Example:
query = "SELECT * FROM users WHERE name = '" + username + "'"
// Attacker input: admin' OR '1'='1
// Result: SELECT * FROM users WHERE name = 'admin' OR '1'='1'
// → Returns ALL users!
Impact: Authentication bypass, data exfiltration, data deletion, remote code execution (xp_cmdshell in MSSQL).

Prevention (in priority order):
  1. Parameterized queries / Prepared statements (the only real fix) — input is never interpreted as SQL.
  2. Stored procedures (if using parameterized binding).
  3. Input validation — whitelist expected values.
  4. Least privilege — DB account should only have SELECT/INSERT on specific tables.
  5. WAF as an additional layer (not a primary defence).
11What is Cross-Site Scripting (XSS) and what are its types?Medium
XSS occurs when an attacker injects malicious client-side scripts (JavaScript) into web pages viewed by other users.
  • Reflected XSS: Malicious script in the URL/request is reflected back in the response and executed immediately. Non-persistent. Example: search result showing unsanitized search query.
  • Stored XSS: Malicious script is permanently stored in the database (e.g., comment field) and served to every user who views it. Most dangerous — affects all users.
  • DOM-based XSS: Vulnerability is in client-side JavaScript that reads from DOM (e.g., document.location) and writes to DOM without sanitization. Server never sees the payload.
Impact: Cookie theft, session hijacking, keylogging, defacement, credential harvesting.

Prevention: Output encoding (HTML encode user data before rendering), Content Security Policy (CSP), HttpOnly cookies, avoid innerHTML with user input — use textContent.
12What is a CSRF attack and how is it mitigated?Medium
CSRF (Cross-Site Request Forgery) tricks an authenticated user's browser into making an unintended request to a target site using the user's existing session/cookie.

Example: User is logged into bank. Attacker sends email with link to evil.com. The page contains: <img src="https://bank.com/transfer?to=attacker&amount=10000">. Browser automatically sends the request with the user's auth cookie.

Mitigations:
  • CSRF tokens: Unique, unpredictable token included in every state-changing form. Server validates before processing.
  • SameSite cookie attribute: SameSite=Strict/Lax prevents cookies from being sent in cross-site requests (most effective modern defense).
  • Origin/Referer header validation.
  • Custom request headers: APIs requiring X-Requested-With: XMLHttpRequest — browsers can't set this in cross-origin requests.
13What is Software Composition Analysis (SCA)?Medium
SCA is the practice of automatically identifying open-source components and third-party libraries used in an application and checking them for known vulnerabilities, outdated versions, and license compliance issues.

Why critical: Modern applications are 70–90% open-source code. One vulnerable dependency (like Log4j in 2021) can affect thousands of applications.
  • Tools: OWASP Dependency-Check, Snyk, Dependabot (GitHub), WhiteSource, Black Duck
  • What SCA checks: CVE (vulnerability) database matches, outdated versions, license conflicts (GPL contamination), transitive dependencies
  • CI/CD integration: SCA runs on every pull request — fails the build if a critical CVE is detected in dependencies
💡 Related: SBOM (Software Bill of Materials) — a complete inventory of all components in an application. Required by US Executive Order 14028 for federal software.
14What is a software supply chain attack? Give a real-world example.Hard
A software supply chain attack compromises a software component, build tool, dependency, or update mechanism that is trusted and widely used, so the attacker's code reaches many downstream targets.

Real-world examples:
  • SolarWinds (2020): Attackers inserted malicious code into the SolarWinds Orion software update. 18,000+ organizations installed it, including US government agencies.
  • Log4Shell (2021): Critical RCE vulnerability in Log4j (a ubiquitous Java logging library) used by millions of applications globally.
  • XZ Utils (2024): A malicious contributor spent 2 years building trust in the XZ project, then inserted a backdoor into the compression library used in many Linux distributions.
  • npm package poisoning: Typosquatting packages (e.g., lodahs instead of lodash) that steal environment variables when installed.
Mitigations: SCA/SBOM, pin dependency versions, verify package checksums, review transitive dependencies, use private package registries, code signing.
15How do you handle secrets in a CI/CD pipeline?Hard
Never hardcode secrets (API keys, passwords, certificates) in source code or configuration files checked into version control. Instead:
  • Use secrets managers: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — inject secrets at runtime.
  • CI/CD environment variables: Store secrets as encrypted environment variables in GitHub Actions secrets, GitLab CI variables, Jenkins credentials — never in the pipeline YAML file.
  • Pre-commit secret scanning: TruffleHog, detect-secrets, GitGuardian — scan code for credential patterns before committing.
  • If a secret is leaked: Immediately rotate/revoke the secret, scan git history for all occurrences, audit access logs for abuse, rewrite git history (git filter-branch / BFG Repo-Cleaner).
  • Short-lived credentials: Use OIDC (OpenID Connect) with cloud providers — pipeline assumes an IAM role for each run rather than storing long-lived credentials.
16What is input validation and why is it critical?Easy
Input validation is verifying that all data entered into a system conforms to expected format, type, length, and range before it is processed.

It prevents: SQL injection, XSS, command injection, path traversal, buffer overflows, business logic bypass.

Types:
  • Whitelist validation: Only accept known-good values (preferred). E.g., phone number = digits only, max 15 chars.
  • Blacklist validation: Reject known-bad patterns (weaker — hard to be exhaustive).
  • Type validation: Ensure input is the expected data type.
  • Length/Range validation: Reject inputs outside expected bounds.
Golden rule: Validate on the server side. Client-side validation (JavaScript) is easily bypassed using Burp Suite — it's only for user experience.
17What is an API gateway and what security features does it provide?Medium
An API gateway is a centralized entry point that sits between clients and backend services, handling cross-cutting concerns for all API traffic.

Security features provided:
  • Authentication: Validate API keys, OAuth tokens, JWTs before routing to backend
  • Authorization: Enforce RBAC — only allow permitted operations per endpoint
  • Rate limiting & throttling: Prevent abuse, DoS, and brute force attacks
  • WAF integration: Inspect and block malicious payloads (SQLi, XSS)
  • TLS termination: Enforce HTTPS at the edge
  • Logging & monitoring: Centralized audit trail of all API calls
  • IP allowlisting/blocklisting
  • Request/response transformation: Strip sensitive headers before forwarding
Examples: AWS API Gateway, Kong, Apigee (Google Cloud), Azure API Management, Nginx.
18What is OAuth 2.0 and how does it work?Hard
OAuth 2.0 is an authorization framework that allows a third-party application to obtain limited access to a user's account on another service without exposing the user's credentials.

Key roles:
  • Resource Owner: The user who owns the data
  • Client: The third-party application requesting access
  • Authorization Server: Issues access tokens (e.g., Google's OAuth server)
  • Resource Server: The API that holds the protected data
Authorization Code Flow (most secure):
  1. User clicks "Login with Google" on the client app
  2. Client redirects to Google's auth server with scope, redirect_uri, state
  3. User authenticates and grants permission
  4. Auth server returns authorization code to redirect_uri
  5. Client exchanges code for access token (server-side, with client secret)
  6. Client uses access token to call the API
💡 OAuth 2.0 is for authorization (what you can do). OIDC (OpenID Connect) extends OAuth for authentication (who you are) and adds the ID token. Common security risk: open redirects in redirect_uri validation.
19What is container security and what are common vulnerabilities?Hard
Container security involves securing the entire container lifecycle: image build, registry storage, orchestration (Kubernetes), and runtime.

Common vulnerabilities:
  • Vulnerable base images: Using ubuntu:latest with unpatched CVEs. Fix: Use minimal base images (distroless), scan with Trivy/Snyk.
  • Running as root: Container processes running as root can escape to host. Fix: Add USER nonroot in Dockerfile.
  • Secrets in images: API keys baked into image layers. Fix: Use secrets managers, multi-stage builds.
  • Privileged containers: --privileged flag gives near-host-level access. Avoid unless necessary.
  • Writable filesystems: Allow malware persistence. Fix: Read-only root filesystem.
  • Kubernetes RBAC misconfiguration: Over-permissive service accounts enabling privilege escalation.
  • Container escape: Breaking out of container namespace via kernel exploits (e.g., runc vulnerability).
20How do you implement secure API authentication using JWT best practices?Hard
Implementing JWT securely requires addressing multiple attack vectors:
  • Use asymmetric signing (RS256/ES256): Private key signs, public key verifies. Eliminates HS256 secret sharing risk.
  • Short access token expiry: 5–15 minutes max. Use refresh tokens (stored in HttpOnly cookies) with rotation.
  • Validate all claims: Check exp (expiry), iss (issuer), aud (audience) on every request.
  • Explicitly specify allowed algorithms: Never accept alg:none. Hardcode the expected algorithm server-side.
  • Never put sensitive data in payload: JWT payload is Base64 — readable by anyone. Use opaque tokens for sensitive data.
  • Store in HttpOnly, Secure, SameSite cookies — not localStorage (vulnerable to XSS).
  • Implement token revocation: Maintain a revocation list (Redis-based blocklist) or use short expiry + refresh rotation for compromise detection.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1 · ~3 min

SDLC Security Phase Mapper

Match each security activity to the correct SDLC phase using the dropdown.

Simulation 2 · ~3 min

OWASP Top 10 Scenario Classifier

Classify each scenario into the correct OWASP Top 10 (2021) category.

Simulation 3 · ~4 min

Code Vulnerability Spotter

Identify the security vulnerability in each code snippet using the dropdown.

Simulation 4 · ~3 min

API Security Checklist

You are reviewing ShopAPI v1.0. Toggle each control to indicate whether it is implemented (Yes) or not (No). Then check your score.

🎉

Module 11 Complete!

You've completed Product & Application Security — the final module of the curriculum.