websecurityinterviewquestions.docVIP

Web Security Interview Questions The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation between the applicant and the hiring staff. Entry Level Questions What do you see as the most critical and current threats effecting Internet accessible websites? Goal of question – To gauge the applicant’s knowledge of current web related threats. Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. Hopefully they will mention information provided by web security organizations such as the Web Application Security Consortium (WASC) or the Open Web Application Security Project (OWASP). What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat? Goal of question – Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable. What do you see as challenges to successfully deploying/monitoring web intrusion detection? Goal of question – We are attempting to see if the applicant has a wide knowledge of web security monitoring and IDS issues such as: Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP) Proper logging – increasing the verboseness of logging (Mod_Security audit_log) Remote Centralized Logging Alerting Mechanisms Updating Signatures/Policies What is your definition of the term “Cross-Site Scripting”? What is the potential impact to servers and clients?