Interview Questions and Answers for 'Security' | Search Interview Question - javasearch.buggybread.com
Javasearch.buggybread.com

Search Interview Questions


 More than 3000 questions in repository.
 There are more than 900 unanswered questions.
Click here and help us by providing the answer.
 Have a video suggestion.
Click Correct / Improve and please let us know.
Label / Company      Label / Company / Text

   



Interview Questions and Answers for 'Security' - 28 question(s) found - Order By Newest

Advanced level question. Frequently asked in High end product companies. Frequently asked in Google , Cognizant and Deloitte ( Based on 2 feedback )
  Q1. Why is String immutable in Java ?Core Java
Ans. 1. String Pool - When a string is created and if it exists in the pool, the reference of the existing string will be returned instead of creating a new object. If string is not immutable, changing the string with one reference will lead to the wrong value for the other references.

Example -

String str1 = "String1";
String str2 = "String1"; // It doesn't create a new String and rather reuses the string literal from pool

// Now both str1 and str2 pointing to same string object in pool, changing str1 will change it for str2 too

2. To Cache its Hashcode - If string is not immutable, One can change its hashcode and hence it's not fit to be cached.

3. Security - String is widely used as parameter for many java classes, e.g. network connection, opening files, etc. Making it mutable might possess threats due to interception by the other code segment.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     java   oops   string   string class   immutable  immutability   advanced     Asked in 39 Companies      expert        frequent

Try 4 Question(s) Test


Frequently asked in all types of companies especially Indian Services companies. Frequently asked in CTS (Based on 2 feedback)
  Q2. What is the use of hashcode in Java ?Core Java
Ans. Hashcode is used for bucketing in Hash implementations like HashMap, HashTable, HashSet etc. The value received from hashcode() is used as bucket number for storing elements. This bucket number is the address of the element inside the set/map. when you do contains() then it will take the hashcode of the element, then look for the bucket where hashcode points to and if more than 1 element is found in the same bucket (multiple objects can have the same hashcode) then it uses the equals() method to evaluate if object are equal, and then decide if contain() is true or false, or decide if element could be added in the set or not.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     java   collections   hashcode   advanced  hashtable     Asked in 33 Companies      intermediate        frequent

Try 1 Question(s) Test


 Q3. How does making string as immutable helps with securing information ? How does String Pool pose a security threat ?Core Java
Ans. String is widely used as parameter for many java classes, e.g. network connection, opening files, etc. Making it mutable might possess threats due to interception by the other code segment or hacker over internet.

Once a String constant is created in Java , it stays in string constant pool until garbage collected and hence stays there much longer than what's needed. Any unauthorized access to string Pool pose a threat of exposing these values.


 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     Security  String pool   string immutable  immutability      expert        rare


Advanced level question usually asked to senior developers , leads and architects.
 Q4. How does volatile affect code optimization by compiler?Core Java
Ans. Volatile is an instruction that the variables can be accessed by multiple threads and hence shouldn't be cached. As volatile variables are never cached and hence their retrieval cannot be optimized.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     java   java keywords   volatile   synchronization   compiler optimization   variable caching   architecture     Asked in 3 Companies      expert


 Q5. Can a EC2 instance have multiple Security Groups ? Can a single security group be assigned to multiple Ec2 instances ? If either of them is true , doesn't it result in conflict ?Amazon Web Services (AWS)
Ans. We can assign multiple security groups to single instance and we can use single security group with multiple instances.

It never results in conflict as security groups only have allow rules and no deny rules. Multiple security groups for an instance results in union of all rules.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws ec2  aws computing  amazon cloud computing  amazon ec2  aws security group


 Q6. Can we deny access for particular IP using Security Groups ?Amazon Web Services (AWS)
Ans. No, We can do that through ACL

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws security group


 Q7. Java doesn't provide exclusive access to memory like C/C++ and other lower level languages ? What are the advantanges and disadvantages ?Core Java
Ans. Yes, doesn't provide exclusive access as we cannot allocate and deallocate memory exclusively as Java internally manages it. The advantage of this is that it relieves the coder for such tasks and helps protect from many bugs that may get introduced with imperfect coding. Moreover as java garbage collector collects all unclaimed memory or objects, it helps the application from memory leaks.

On the flip side , as coder doesn't have extensive excess to memory , it is upto java to decide on the state for programming construct and data storage and hence may introduce some security risks. For example - Java keeps string literals in string pool and there is no exclusive way to remove it and hence may stay and sensitive data in string pool may introduce security issues. Moreover when we overwrite a value or object for a variable / reference, it is upto java to purge those values and hence it may stay in memory for a while till java decide that it is no longer referenced and hence should be removed and hence makes it vulnerable for inappropriate access.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     disadvantages of garbage collection  advantages and disadvantages of java memory management  java for security applications  java with sensitive data  memory management


  Q8. What are the types of authentication used in Web services ?Web Service
Ans. Encrypted User Name / Password
Encrypted Password within Cookie
Encrypted Tokens
IP
Client Certificates
Oauth

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     authentication  security  web service     Asked in 12 Companies      basic        frequent


 Q9. How have you configured Security Groups ?Amazon Web Services (AWS)
Ans. AWS console >> security groups >> Create security group >> Configure security group bases on Network requirement of EC2 instance

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws security group


 Q10. Describe best practices with respect to AWS security groups ?Amazon Web Services (AWS)
Ans. Configure it while creating EC2 instance only

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws security groups     Asked in 1 Companies


 Q11. Have you ever heard about csrf attacks ?Security
Ans. Yes, Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     csrf attack  Cross-Site Request Forgery (CSRF)     Asked in 16 Companies


 Q12. Do you think a csrf token should only be generated after authentication ?Security
Ans. No, they should be created before authentication too

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     csrf token  csrf attack


 Q13. What is a certificate authority ?Security
Ans. A trusted organization which issues public key certificates and provides identification to the bearer.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     authentication  auth certificates


 Q14. What is ACL ?Operating System
Ans. Access Control List or ACL is the list of permissions attached to an object in the File System.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     acl  file system  file security  object security  operating system


 Q15. Can you tell something about Web security ?Web
 This question was recently asked at 'Symantec'.This question is still unanswered. Can you please provide an answer.


 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     web security     Asked in 1 Companies


 Q16. Have you ever changed IAM policy ?Amazon Web Services (AWS)
Ans. Yes I did it for an execution role of a Lambda function to give it write access on S3 bucket.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws security  aws iam  amazon iam


 Q17. What is DDOS attack ?Security
Ans. DDOS is denial of service attack in which the hacker seeks to make a machine or resource unavailable to its expected users by disrupting services.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     ddos  cyber security


 Q18. What is XSS or Cross site scripting ?Security
Ans. XSS or cross site scripting is a javascript vulnerability in web applications. The easiest way to explain this is with a case when the user enters a script in the client side input fields and that input gets processed without getting validated. This leads to untrusted data getting saved and executed on the client side.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve          Asked in 3 Companies


 Q19. Which IAM policy condition key should be used if you want to check whether the request was sent using SSL?Amazon Web Services (AWS)
Ans. AWS: secure transport

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     aws security  aws iam  amazon iam


 Q20. If you are asked to develop a financial system, how would you make sure that there are proper checks , balances and audits ?Solution
 This question was recently asked at 'BzzAgent'.This question is still unanswered. Can you please provide an answer.


 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     Design  Security     Asked in 1 Companies


 Q21. What are the ways we can get over XSS or cross site scripting vulnerability ?Security
Ans. The counter measures of XSS are input validation and implementing a CSP (Content Security Policy).

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     Cross Site Scripting  XSS     Asked in 1 Companies


 Q22. How can an XSS attack harm a system ?Security
 This question is still unanswered. Can you please provide an answer.


 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     xss


 Q23. What can be done to protect the application from DDOS attack ?Security
Ans. We can set the max number of requests from a given IP or an IP range

We can set the time out so that a single request cannot hold on to resources for too long.

We can identify patterns ( like too many requests from single IP for single page ) and then block such requests.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     DDOS  security vulnerability


 Q24. How can we protect an application from an XSS attack ?Security
Ans. By properly encoding data while persisting as well as retrieval.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     xss attack  web security     Asked in 3 Companies


 Q25. What is a csrf token ? What is it used for ?Security
Ans. A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user's CSRF token, they cannot construct a request with all the parameters that are necessary for the application to honor the request.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     csrf token.csrf attack


 Q26. Difference between XSS and CSRF ?Security
Ans. SRF attack requires an authenticated session, whereas an XSS attack doesn’t.
XSS doesn’t require any user interaction.CSRF is restricted to the actions the victim can perform.
XSS requires a vulnerability to happen, whereas CSRF relies on tricking the user to click a link or access a page.
CSRF can only send an HTTP request but cannot view the response. XSS can send and receive HTTP requests and responses to extract the required data.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     xss attack  csrf attack  security vulnerabilities  security attack  web security     Asked in 3 Companies


 Q27. What is SameSite cookie attribute ?Security
Ans. SameSite cookie attribute is used by browsers to identify how first- and third-party cookies should be handled.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     samesite attribute  cookie


 Q28. Is it safe to use session storage ?Javascript
Ans. Session storage can be accessed from XSS (Cross site Scripting) attacks but cookies (if set with "HttpOnly" and "Secure" flags) are more safer against these attacks.

 Help us improve. Please let us know the company, where you were asked this question :   

   Like         Discuss         Correct / Improve     session storage  security



Help us and Others Improve. Please let us know the questions asked in any of your previous interview.

Any input from you will be highly appreciated and It will unlock the application for 10 more requests.

Company Name:
Questions Asked: