Module 11 · Cyberspace Tech Solutions Cybersecurity Curriculum
Product & Application Security
~60 minutes of interview prep, MCQs, and simulations covering Secure SDLC, DevSecOps, CI/CD security, and API security best practices.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes
Learning Outcomes
- Integrate security across the software development lifecycle
- Implement automated security testing in CI/CD environments
- Design and protect secure APIs against modern attacks
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | Secure SDLC, Threat Modeling (STRIDE) | 8 min | Reading |
| 2 | DevSecOps, CI/CD Pipeline Security | 5 min | Reading |
| 3 | API Security & OWASP Top 10 | 5 min | Reading |
| 4 | Interview Questions & Answers (20) | 20 min | Q&A |
| 5 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 6 | Simulations (4) | 7 min | Simulation |
💡 Why it matters: Application security is the #1 attack surface. 84% of cyberattacks exploit application-layer vulnerabilities. OWASP, SAST/DAST, and DevSecOps knowledge are essential for AppSec roles.
Core Concepts · ~18 min
AppSec Fundamentals
Secure SDLC Phases & Security Activities
| SDLC Phase | Security Activity | Tools |
|---|---|---|
| Requirements | Define security requirements, privacy requirements, abuse cases | OWASP ASVS, threat model templates |
| Design | Threat modeling (STRIDE), secure architecture review, design patterns | OWASP Threat Dragon, MS Threat Modeling Tool |
| Implementation | Secure coding standards, peer code review, SCA (dependency scanning) | SonarQube, Semgrep, Snyk, Dependabot |
| Testing | SAST, DAST, IAST, penetration testing, fuzz testing | OWASP ZAP, Burp Suite, Veracode, Checkmarx |
| Deployment | Secure configuration, hardening, infrastructure scanning | Checkov, Trivy, CIS Benchmarks |
| Maintenance | Patch management, vulnerability disclosure, security monitoring | Dependabot, NVD feeds, PSIRT process |
STRIDE Threat Model
| Letter | Threat | CIA Pillar | Example |
|---|---|---|---|
| S | Spoofing | Authentication | Attacker impersonates another user using stolen credentials |
| T | Tampering | Integrity | Attacker modifies data in transit or at rest |
| R | Repudiation | Non-repudiation | User denies performing an action with no audit trail |
| I | Information Disclosure | Confidentiality | Stack trace reveals internal paths/versions to attacker |
| D | Denial of Service | Availability | Attacker floods API with requests causing downtime |
| E | Elevation of Privilege | Authorization | Regular user accesses admin functionality |
SAST vs DAST vs IAST
| SAST | DAST | IAST | |
|---|---|---|---|
| Full name | Static Application Security Testing | Dynamic Application Security Testing | Interactive Application Security Testing |
| When | At code level (before compile) | Against running application | During test execution (runtime) |
| What it needs | Source code access | Running app (no source needed) | Agent instrumented in app |
| Strengths | Fast, early detection, no runtime needed | Finds real runtime vulnerabilities | High accuracy, low false positives |
| Weaknesses | High false positives, no runtime context | Misses code-level issues, needs running app | Complex setup, language-specific agents |
| Examples | SonarQube, Semgrep, Checkmarx | OWASP ZAP, Burp Suite, Nikto | Contrast Security, Seeker |
DevSecOps — Security in the CI/CD Pipeline
Pre-commit
Secret scanning
Lint/SAST
Secret scanning
Lint/SAST
→
Build
SAST
Dependency scan
License check
SAST
Dependency scan
License check
→
Test
DAST
Container scan
IAST
DAST
Container scan
IAST
→
Deploy
IaC scan
Config hardening
IaC scan
Config hardening
→
Monitor
RASP
WAF
SIEM alerts
RASP
WAF
SIEM alerts
⚠️ Never hardcode secrets in source code. Use: AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, environment variables injected at runtime. Use TruffleHog / GitGuardian to scan for leaked secrets.
OWASP Top 10 (2021)
| # | Risk | Example |
|---|---|---|
| A01 | Broken Access Control | Changing /user/123 → /user/456 to access another user's data |
| A02 | Cryptographic Failures | Storing passwords as unsalted MD5 hashes |
| A03 | Injection | SQL injection: ' OR '1'='1 bypasses login |
| A04 | Insecure Design | No rate limiting on password reset allows brute force |
| A05 | Security Misconfiguration | Default admin credentials, debug mode in production, open S3 bucket |
| A06 | Vulnerable & Outdated Components | Using Log4j 2.14.1 (vulnerable to Log4Shell) |
| A07 | Identification & Authentication Failures | No MFA, weak session tokens, credential stuffing not prevented |
| A08 | Software & Data Integrity Failures | npm package with backdoor, unsigned software updates |
| A09 | Security Logging & Monitoring Failures | No logs of failed login attempts; breach undetected for months |
| A10 | Server-Side Request Forgery (SSRF) | App fetches URL from user input → attacker probes internal services |
OWASP API Security Top 10 (2023)
| # | Risk | Example |
|---|---|---|
| API1 | Broken Object Level Authorization (BOLA) | GET /api/orders/12345 → change to /api/orders/12346 (another user's order) |
| API2 | Broken Authentication | API accepts expired JWT tokens, no rate limiting on auth endpoints |
| API3 | Broken Object Property Level Authorization | API returns all user fields including hashed password in response |
| API4 | Unrestricted Resource Consumption | No rate limiting → DoS via API flood |
| API5 | Broken Function Level Authorization | Regular user can call DELETE /api/admin/users/ |
| API6 | Unrestricted Access to Sensitive Business Flows | Bot purchases all limited-stock items before humans |
| API7 | Server-Side Request Forgery | API fetches external URL provided by user |
| API8 | Security Misconfiguration | CORS allows all origins, verbose error messages, no TLS |
| API9 | Improper Inventory Management | Old API v1 still accessible with no security controls |
| API10 | Unsafe Consumption of APIs | Trusting data from third-party APIs without validation → injection |
🎯 Interview Angle: STRIDE, SAST vs DAST, OWASP Top 10, BOLA (most common API vulnerability), JWT risks, and the "shift left" concept are essential knowledge for any AppSec or DevSecOps role.
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
Click any question to reveal the model answer.
1What is the Secure SDLC and why is it important?Easy▼
The Secure Software Development Lifecycle (SSDLC) integrates security activities at every phase of software development — from requirements gathering through deployment and maintenance — rather than treating security as an afterthought.
- Why important: Finding a vulnerability in requirements costs $1 to fix. In production, it costs $100x more. Early security = cheaper, faster, safer software.
- Reduces the attack surface of delivered software.
- Builds a security culture within development teams.
- Supports regulatory compliance (GDPR, PCI-DSS require secure development practices).
- Reduces reputational risk from post-deployment breaches.
💡 Key message to interviewers: Security is not a one-time gate before release — it's continuous throughout the entire development process.
2What is "shift left" in DevSecOps?Easy▼
"Shift left" means moving security testing and validation earlier in the SDLC — from the right side (production/testing) to the left side (requirements/design/coding).
- Developers run SAST tools in their IDE as they write code, not after.
- Threat modeling happens during design, not after deployment.
- Security requirements are defined alongside functional requirements.
- Pre-commit hooks enforce secret scanning and code analysis before code is pushed.
3What is the difference between SAST and DAST?Medium▼
- SAST (Static Application Security Testing): Analyses source code, bytecode, or binaries without executing the application. Finds vulnerabilities like SQL injection, hardcoded secrets, insecure functions at the code level. Run during development in CI pipelines. Tools: SonarQube, Semgrep, Checkmarx, Fortify.
- DAST (Dynamic Application Security Testing): Tests a running application from the outside (like an attacker would) without access to source code. Finds runtime vulnerabilities: authentication issues, injection, misconfigurations. Tools: OWASP ZAP, Burp Suite, Nikto.
💡 Use both: SAST catches code-level issues early (cheap), DAST catches runtime issues that SAST misses. IAST combines both by instrumenting the running app. A mature AppSec program uses all three.
4What is threat modeling? Explain the STRIDE model.Medium▼
Threat modeling is a structured process of identifying potential security threats to a system during the design phase and designing countermeasures before building.
STRIDE model:
STRIDE model:
- S — Spoofing: Attacker pretends to be someone else. Counter: Authentication (MFA, certificates).
- T — Tampering: Attacker modifies data. Counter: Integrity checks, digital signatures, hashing.
- R — Repudiation: User denies performing an action. Counter: Audit logs, non-repudiation (digital signatures).
- I — Information Disclosure: Data exposed to unauthorized parties. Counter: Encryption, access controls, data minimization.
- D — Denial of Service: System made unavailable. Counter: Rate limiting, redundancy, DDoS protection.
- E — Elevation of Privilege: User gains more access than intended. Counter: Authorization controls, least privilege.
💡 Process: Draw data flow diagrams → identify trust boundaries → apply STRIDE to each element → prioritize threats (DREAD scoring) → design mitigations.
5What is DevSecOps and how does it differ from traditional DevOps?Easy▼
DevOps integrates Development and Operations for faster, continuous delivery. DevSecOps adds Security as a shared responsibility integrated throughout the pipeline.
| Traditional DevOps | DevSecOps | |
|---|---|---|
| Security timing | Post-development security gate | Continuous, at every pipeline stage |
| Who owns security | Security team only | Developers, Ops, and Security jointly |
| Security testing | Manual pen test before release | Automated SAST/DAST/SCA in CI/CD |
| Feedback loop | Slow (wait for security review) | Fast (immediate developer feedback) |
💡 Key DevSecOps principle: security is a feature, not a gate. Security teams act as enablers and coaches, not gatekeepers who slow delivery.
6What are the OWASP Top 10 and which was #1 in 2021?Medium▼
The OWASP Top 10 is the most authoritative list of critical web application security risks, updated periodically based on real-world data from the security community.
2021 #1: Broken Access Control — Users can access resources or perform actions beyond their intended permissions. Moved from #5 in 2017 to #1, found in 94% of tested applications.
Key changes from 2017→2021: SQL Injection dropped from #1 to part of A03 (Injection). Cryptographic Failures (formerly Sensitive Data Exposure) moved to #2. Insecure Design (A04) is a new category emphasizing security by design.
2021 #1: Broken Access Control — Users can access resources or perform actions beyond their intended permissions. Moved from #5 in 2017 to #1, found in 94% of tested applications.
Key changes from 2017→2021: SQL Injection dropped from #1 to part of A03 (Injection). Cryptographic Failures (formerly Sensitive Data Exposure) moved to #2. Insecure Design (A04) is a new category emphasizing security by design.
💡 Memorize the full 2021 list: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Integrity Failures, A09 Logging Failures, A10 SSRF.
7What is BOLA (Broken Object Level Authorization)?Medium▼
BOLA (also called IDOR — Insecure Direct Object Reference) is the #1 API vulnerability. It occurs when an API exposes object identifiers (like database IDs) in requests and doesn't verify the requesting user has permission to access that specific object.
Example:
Prevention:
Example:
GET /api/v1/orders/12345 ← User A's order → Change to: GET /api/v1/orders/12346 ← User B's order (unauthorized!)If the API returns User B's data without checking that the requesting user owns order 12346, it's BOLA.
Prevention:
- Implement object-level authorization checks for every request
- Use GUIDs instead of sequential integer IDs (not a complete fix but adds obscurity)
- Validate that the authenticated user owns the requested resource at the data layer
- Automated testing: fuzz IDs in API tests, use Burp Suite's Autorize extension
8How do you secure a REST API?Medium▼
Securing a REST API requires defence at multiple layers:
- Authentication: OAuth 2.0 + JWT for user authentication; API keys for service-to-service; mTLS for sensitive environments.
- Authorization: Enforce BOLA checks — verify the caller owns the requested resource. Role-based access per endpoint.
- Transport security: HTTPS/TLS 1.2+ mandatory. No HTTP. Enforce HSTS.
- Rate limiting: Prevent brute force and DoS. Implement per-user and per-IP rate limits. Return 429 Too Many Requests.
- Input validation: Validate and sanitize all input. Reject unexpected fields (mass assignment prevention). Whitelist allowed values.
- Output encoding: Encode output to prevent injection. Return only necessary fields (never return passwords/hashes).
- Logging & monitoring: Log all API requests (authenticated user, endpoint, response code). Alert on anomalies.
- API gateway: Centralise auth, rate limiting, WAF, and logging (Kong, AWS API Gateway, Apigee).
- Versioning: Deprecate and remove old API versions with proper security controls.
9What is JWT and what are its security risks?Hard▼
JWT (JSON Web Token) is a compact, self-contained token format used for authentication and information exchange. Structure:
Security risks:
Header.Payload.Signature — Base64URL encoded.
Security risks:
- Algorithm confusion (alg:none): If server accepts
alg:none, attacker can forge tokens with no signature. - Weak secret: If HS256 secret is weak/guessable, attacker can brute-force and forge tokens.
- RS256 to HS256 confusion: If server accepts both algorithms, attacker can use public key as HS256 secret.
- No expiry: Tokens without
expclaim are valid forever — stolen tokens stay valid permanently. - Sensitive data in payload: JWT payload is Base64 encoded — NOT encrypted. Never put passwords or PII in payload.
- No revocation: JWTs are stateless — once issued, they can't be revoked until expiry (use short expiry + refresh tokens).
💡 Best practices: Short expiry (15 min access tokens), refresh token rotation, validate algorithm explicitly server-side, use HTTPS only, store in HttpOnly cookies not localStorage.
10What is SQL injection and how do you prevent it?Easy▼
SQL Injection occurs when user-supplied input is incorporated into SQL queries without sanitization, allowing attackers to manipulate the query logic.
Example:
Prevention (in priority order):
Example:
query = "SELECT * FROM users WHERE name = '" + username + "'" // Attacker input: admin' OR '1'='1 // Result: SELECT * FROM users WHERE name = 'admin' OR '1'='1' // → Returns ALL users!Impact: Authentication bypass, data exfiltration, data deletion, remote code execution (xp_cmdshell in MSSQL).
Prevention (in priority order):
- Parameterized queries / Prepared statements (the only real fix) — input is never interpreted as SQL.
- Stored procedures (if using parameterized binding).
- Input validation — whitelist expected values.
- Least privilege — DB account should only have SELECT/INSERT on specific tables.
- WAF as an additional layer (not a primary defence).
11What is Cross-Site Scripting (XSS) and what are its types?Medium▼
XSS occurs when an attacker injects malicious client-side scripts (JavaScript) into web pages viewed by other users.
Prevention: Output encoding (HTML encode user data before rendering), Content Security Policy (CSP), HttpOnly cookies, avoid
- Reflected XSS: Malicious script in the URL/request is reflected back in the response and executed immediately. Non-persistent. Example: search result showing unsanitized search query.
- Stored XSS: Malicious script is permanently stored in the database (e.g., comment field) and served to every user who views it. Most dangerous — affects all users.
- DOM-based XSS: Vulnerability is in client-side JavaScript that reads from DOM (e.g.,
document.location) and writes to DOM without sanitization. Server never sees the payload.
Prevention: Output encoding (HTML encode user data before rendering), Content Security Policy (CSP), HttpOnly cookies, avoid
innerHTML with user input — use textContent.
12What is a CSRF attack and how is it mitigated?Medium▼
CSRF (Cross-Site Request Forgery) tricks an authenticated user's browser into making an unintended request to a target site using the user's existing session/cookie.
Example: User is logged into bank. Attacker sends email with link to
Mitigations:
Example: User is logged into bank. Attacker sends email with link to
evil.com. The page contains: <img src="https://bank.com/transfer?to=attacker&amount=10000">. Browser automatically sends the request with the user's auth cookie.
Mitigations:
- CSRF tokens: Unique, unpredictable token included in every state-changing form. Server validates before processing.
- SameSite cookie attribute:
SameSite=Strict/Laxprevents cookies from being sent in cross-site requests (most effective modern defense). - Origin/Referer header validation.
- Custom request headers: APIs requiring
X-Requested-With: XMLHttpRequest— browsers can't set this in cross-origin requests.
13What is Software Composition Analysis (SCA)?Medium▼
SCA is the practice of automatically identifying open-source components and third-party libraries used in an application and checking them for known vulnerabilities, outdated versions, and license compliance issues.
Why critical: Modern applications are 70–90% open-source code. One vulnerable dependency (like Log4j in 2021) can affect thousands of applications.
Why critical: Modern applications are 70–90% open-source code. One vulnerable dependency (like Log4j in 2021) can affect thousands of applications.
- Tools: OWASP Dependency-Check, Snyk, Dependabot (GitHub), WhiteSource, Black Duck
- What SCA checks: CVE (vulnerability) database matches, outdated versions, license conflicts (GPL contamination), transitive dependencies
- CI/CD integration: SCA runs on every pull request — fails the build if a critical CVE is detected in dependencies
💡 Related: SBOM (Software Bill of Materials) — a complete inventory of all components in an application. Required by US Executive Order 14028 for federal software.
14What is a software supply chain attack? Give a real-world example.Hard▼
A software supply chain attack compromises a software component, build tool, dependency, or update mechanism that is trusted and widely used, so the attacker's code reaches many downstream targets.
Real-world examples:
Real-world examples:
- SolarWinds (2020): Attackers inserted malicious code into the SolarWinds Orion software update. 18,000+ organizations installed it, including US government agencies.
- Log4Shell (2021): Critical RCE vulnerability in Log4j (a ubiquitous Java logging library) used by millions of applications globally.
- XZ Utils (2024): A malicious contributor spent 2 years building trust in the XZ project, then inserted a backdoor into the compression library used in many Linux distributions.
- npm package poisoning: Typosquatting packages (e.g.,
lodahsinstead oflodash) that steal environment variables when installed.
15How do you handle secrets in a CI/CD pipeline?Hard▼
Never hardcode secrets (API keys, passwords, certificates) in source code or configuration files checked into version control. Instead:
- Use secrets managers: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — inject secrets at runtime.
- CI/CD environment variables: Store secrets as encrypted environment variables in GitHub Actions secrets, GitLab CI variables, Jenkins credentials — never in the pipeline YAML file.
- Pre-commit secret scanning: TruffleHog, detect-secrets, GitGuardian — scan code for credential patterns before committing.
- If a secret is leaked: Immediately rotate/revoke the secret, scan git history for all occurrences, audit access logs for abuse, rewrite git history (
git filter-branch/ BFG Repo-Cleaner). - Short-lived credentials: Use OIDC (OpenID Connect) with cloud providers — pipeline assumes an IAM role for each run rather than storing long-lived credentials.
16What is input validation and why is it critical?Easy▼
Input validation is verifying that all data entered into a system conforms to expected format, type, length, and range before it is processed.
It prevents: SQL injection, XSS, command injection, path traversal, buffer overflows, business logic bypass.
Types:
It prevents: SQL injection, XSS, command injection, path traversal, buffer overflows, business logic bypass.
Types:
- Whitelist validation: Only accept known-good values (preferred). E.g., phone number = digits only, max 15 chars.
- Blacklist validation: Reject known-bad patterns (weaker — hard to be exhaustive).
- Type validation: Ensure input is the expected data type.
- Length/Range validation: Reject inputs outside expected bounds.
17What is an API gateway and what security features does it provide?Medium▼
An API gateway is a centralized entry point that sits between clients and backend services, handling cross-cutting concerns for all API traffic.
Security features provided:
Security features provided:
- Authentication: Validate API keys, OAuth tokens, JWTs before routing to backend
- Authorization: Enforce RBAC — only allow permitted operations per endpoint
- Rate limiting & throttling: Prevent abuse, DoS, and brute force attacks
- WAF integration: Inspect and block malicious payloads (SQLi, XSS)
- TLS termination: Enforce HTTPS at the edge
- Logging & monitoring: Centralized audit trail of all API calls
- IP allowlisting/blocklisting
- Request/response transformation: Strip sensitive headers before forwarding
18What is OAuth 2.0 and how does it work?Hard▼
OAuth 2.0 is an authorization framework that allows a third-party application to obtain limited access to a user's account on another service without exposing the user's credentials.
Key roles:
Key roles:
- Resource Owner: The user who owns the data
- Client: The third-party application requesting access
- Authorization Server: Issues access tokens (e.g., Google's OAuth server)
- Resource Server: The API that holds the protected data
- User clicks "Login with Google" on the client app
- Client redirects to Google's auth server with scope, redirect_uri, state
- User authenticates and grants permission
- Auth server returns authorization code to redirect_uri
- Client exchanges code for access token (server-side, with client secret)
- Client uses access token to call the API
💡 OAuth 2.0 is for authorization (what you can do). OIDC (OpenID Connect) extends OAuth for authentication (who you are) and adds the ID token. Common security risk: open redirects in redirect_uri validation.
19What is container security and what are common vulnerabilities?Hard▼
Container security involves securing the entire container lifecycle: image build, registry storage, orchestration (Kubernetes), and runtime.
Common vulnerabilities:
Common vulnerabilities:
- Vulnerable base images: Using
ubuntu:latestwith unpatched CVEs. Fix: Use minimal base images (distroless), scan with Trivy/Snyk. - Running as root: Container processes running as root can escape to host. Fix: Add
USER nonrootin Dockerfile. - Secrets in images: API keys baked into image layers. Fix: Use secrets managers, multi-stage builds.
- Privileged containers:
--privilegedflag gives near-host-level access. Avoid unless necessary. - Writable filesystems: Allow malware persistence. Fix: Read-only root filesystem.
- Kubernetes RBAC misconfiguration: Over-permissive service accounts enabling privilege escalation.
- Container escape: Breaking out of container namespace via kernel exploits (e.g., runc vulnerability).
20How do you implement secure API authentication using JWT best practices?Hard▼
Implementing JWT securely requires addressing multiple attack vectors:
- Use asymmetric signing (RS256/ES256): Private key signs, public key verifies. Eliminates HS256 secret sharing risk.
- Short access token expiry: 5–15 minutes max. Use refresh tokens (stored in HttpOnly cookies) with rotation.
- Validate all claims: Check
exp(expiry),iss(issuer),aud(audience) on every request. - Explicitly specify allowed algorithms: Never accept
alg:none. Hardcode the expected algorithm server-side. - Never put sensitive data in payload: JWT payload is Base64 — readable by anyone. Use opaque tokens for sensitive data.
- Store in HttpOnly, Secure, SameSite cookies — not localStorage (vulnerable to XSS).
- Implement token revocation: Maintain a revocation list (Redis-based blocklist) or use short expiry + refresh rotation for compromise detection.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
Progress:
0 / 25
Simulation 1 · ~3 min
SDLC Security Phase Mapper
Match each security activity to the correct SDLC phase using the dropdown.
Simulation 2 · ~3 min
OWASP Top 10 Scenario Classifier
Classify each scenario into the correct OWASP Top 10 (2021) category.
Simulation 3 · ~4 min
Code Vulnerability Spotter
Identify the security vulnerability in each code snippet using the dropdown.
Simulation 4 · ~3 min
API Security Checklist
You are reviewing ShopAPI v1.0. Toggle each control to indicate whether it is implemented (Yes) or not (No). Then check your score.
🎉
Module 11 Complete!
You've completed Product & Application Security — the final module of the curriculum.