
Security


209 cards — 🟢 52 easy | 🟡 118 medium | 🔴 27 hard

🟢 Easy (52)

1. What is CSRF? How to handle CSRF?

Show answer Cross-Site Request Forgery (CSRF) is an attack that makes the end user initiate an unwanted action on a web application in which the user has an authenticated session. The attacker may use an email to force the end user to click on a link that then executes malicious actions. When a CSRF attack is successful, it compromises the end user's data.

You can use OWASP ZAP to analyze a "request". If it appears that there is no protection against cross-site request forgery when the Security Level is set to 0 (the value of csrf-token is SecurityIsDisabled), one can use data from this request to prepare a CSRF attack by using OWASP ZAP.

2. What is a "Backdoor" in information security?

Show answer A backdoor is a hidden access method that bypasses normal authentication.

Types:
- Software backdoors: Hidden code in applications
- Hardware backdoors: Chip-level access
- Administrative backdoors: Undocumented accounts
- Protocol backdoors: Intentional weaknesses

How they get there:
- Malware installation
- Developer intentionally added
- Supply chain compromise
- Left from development/testing
- Vulnerability exploitation

Examples:
- Default credentials
- Hidden admin accounts
- Secret URLs/parameters
- Debug modes in production
- Hardcoded passwords

Detection:
- Code review
- Network monitoring
- Behavioral analysis
- Integrity checking
- Security audits

Famous: SolarWinds backdoor, XZ Utils (CVE-2024-3094)

3. What is an SQL injection? How to manage it?

Show answer SQL injection is an attack that consists of inserting either a partial or full SQL query through data input from the browser to the web application. A successful SQL injection allows the attacker to read sensitive information stored in the web application's database.

You can test by using a stored procedure, so the application must sanitize the user input to get rid of the risk of code injection. If not, the user could enter bad SQL that will then be executed within the procedure.

4. What is "Diffie-Hellman key exchange" and how does it work?

Show answer Have you heard of [The Two General's Problem](https://en.wikipedia.org/wiki/Two_Generals%27_Problem)? The Diffie-Hellman key exchange is a solution to this problem to allow for the secure exchange of cryptographic keys over an encrypted channel.

It works using public/private key pairs (asymmetric encryption). Two parties that wish to communicate securely over a public channel will each generate a public/private key pair and distribute the public key to the other party (note that public keys are free to be exchanged over a public channel). From here, each party can derive a shared key using a combination of their personal private key and the public key of the other party. This combined key can now be used as a symmetric encryption key for communications.

5. What is a Certificate Authority?

Show answer [Wikipedia](https://en.wikipedia.org/wiki/Certificate_authority): A certificate authority is an entity that stores, signs and issues certificates.

A certificate certifies the authenticity of the public key delivered by the website. It prevents [man-in-the-middle](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks by providing a lot of information which identifies the public key.

6. What is SSRF (Server-Side Request Forgery) and why is it dangerous?

Show answer SSRF (Server-Side Request Forgery) is a vulnerability where you can make a server make arbitrary requests to anywhere you want.

Read more about it at [portswigger.net](https://portswigger.net/web-security/ssrf)

Remember: "CIA triad = Confidentiality, Integrity, Availability." Every security control maps to one or more of these.

Example: Encryption = confidentiality, checksums = integrity, redundancy = availability.

7. What is DNS Spoofing? How to prevent it?

Show answer DNS spoofing occurs when a particular DNS server’s records are “spoofed” or altered maliciously to redirect traffic to the attacker. This redirection of traffic allows the attacker to spread malware, steal data, etc.

**Prevention**
- Use encrypted data transfer protocols - Using end-to-end encryption via SSL/TLS will help decrease the chance that a website / its visitors are compromised by DNS spoofing.
- Use DNSSEC - DNSSEC, or Domain Name System Security Extensions, uses digitally signed DNS records to help determine data authenticity.
- Implement DNS spoofing detection mechanisms - It’s important to implement DNS spoofing detection software. Products such as XArp help protect against ARP cache poisoning by inspecting the data that comes through before transmitting it.

8. What is a package manager?

Show answer [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf): "A tool that allows you to easily download, add and thus reuse programming libraries in your project." E.g. npm or yarn.

Remember: "RBAC = Role-Based Access Control." Users get roles, roles get permissions. Simpler than per-user ACLs at scale.

Example: In K8s, a ClusterRole "viewer" grants get/list/watch on all resources.

9. What is port scanning? When is it used?

Show answer Port scanning probes systems to find open ports and services.

Purpose:
- Security assessment (find open services)
- Penetration testing
- Network inventory
- Malicious reconnaissance

Types:
- TCP Connect: Full connection
- SYN scan: Half-open (stealthier)
- UDP scan: UDP services
- Version detection: Identify service versions

Tools:
- nmap: Industry standard
- masscan: Very fast
- netcat: Simple probing

nmap examples:
- nmap -sS target: SYN scan
- nmap -sV target: Version detection
- nmap -p 1-1000 target: Specific ports
- nmap -A target: Aggressive scan

Legal note: Only scan systems you're authorized to test.

Detection: IDS/IPS, firewall logs

Remember: "WAF = Web Application Firewall." It inspects HTTP traffic for attacks (SQLi, XSS, etc.) at layer 7.

Example: AWS WAF, Cloudflare WAF, ModSecurity (open source).

10. What is Certification Authority?

Show answer A CA (Certificate Authority) issues and manages digital certificates.

Role:
- Verifies identity of certificate requesters
- Signs certificates with CA's private key
- Maintains certificate revocation lists (CRL)
- Trusted by browsers/systems (root CA)

Certificate chain:
- Root CA → Intermediate CA → End certificate
- Root CAs pre-installed in browsers/OS
- Intermediate CAs sign server certificates

Types:
- Public CAs: DigiCert, Let's Encrypt, Comodo
- Private CAs: Internal enterprise use
- Self-signed: No CA (not trusted publicly)

Certificate contains:
- Subject (who it's for)
- Issuer (CA)
- Public key
- Validity period
- Signature

Remember: "Security headers = free defense layer." Key headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options.

11. What is Microsegmentation?

Show answer - Security method
- Managing network access between endpoints (processes, devices, instances)
- A method in which security policies are applied to limit traffic
- Based on concepts such as "Zero Trust" and "Least Privilege"
- The result of Microsegmentation should be:
  - Reduced attack ability
  - Better breach containment

12. What is a build tool?

Show answer [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf): "A tool that fetches the packages (dependencies) that are required to compile, test and deploy your application."

Remember: "Container image scanning = CVE checking for containers." Scan in CI before deploy.

Example: trivy image nginx:latest scans for known vulnerabilities.

13. What is port flooding?

Show answer Port flooding overwhelms network ports with traffic to cause denial of service.

Types:
- SYN flood: Half-open TCP connections
- UDP flood: Random UDP packets
- ICMP flood: Ping flood

SYN flood details:
- Attacker sends many SYN packets
- Server allocates resources for each
- Never completes handshake
- Connection table exhausted
- Legitimate users can't connect

Defense:
- SYN cookies
- Rate limiting
- Connection timeouts
- Increase backlog queue
- Firewall filtering
- DDoS protection services

Detection:
- High number of SYN_RECV connections
- netstat -an | grep SYN_RECV
- Monitoring alerts

Part of larger DDoS attack strategy.

14. What is a nonce and how is it used in cryptography?

Show answer Nonce (Number used ONCE) is a random/unique value used once in cryptographic operations.

Purpose:
- Prevent replay attacks
- Ensure uniqueness of operations
- Add randomness to encryption

Uses:
- TLS handshake (random bytes)
- API authentication (prevent request replay)
- OAuth state parameter
- CSRF tokens
- Proof of work (blockchain mining)

Properties:
- Should be unique
- Often random
- Sometimes sequential counter
- Never reused with same key

Example (API):
1. Server provides nonce
2. Client includes nonce in signed request
3. Server verifies and invalidates nonce
4. Replay attempt fails (nonce already used)

15. What is password salting? What attack does it help to deter?

Show answer Password salting is the process of prepending or appending a series of characters to a user's password before hashing this new combined value. This value should be different for every single user, but the same salt should be applied to the same user's password every time it is validated.

This ensures that users that have the same password will still have very different hash values stored in the password database. This process specifically helps deter rainbow table attacks since a new rainbow table would need to be computed for every single user in the database.

16. What is ARP Poisoning?

Show answer ARP poisoning (ARP spoofing) manipulates Address Resolution Protocol to intercept traffic.

How ARP works normally:
- Maps IP addresses to MAC addresses
- Broadcast "Who has 192.168.1.1?"
- Response "I'm at aa:bb:cc:dd:ee:ff"

ARP poisoning attack:
1. Attacker sends fake ARP replies
2. Victim's ARP cache poisoned
3. Traffic meant for gateway goes to attacker
4. Enables MITM attack

Attack tools: arpspoof, ettercap

Defense:
- Static ARP entries (not scalable)
- Dynamic ARP Inspection (switches)
- ARP monitoring (arpwatch)
- Encrypt traffic (HTTPS, VPN)
- 802.1X authentication

Limited to local network (same broadcast domain).

Remember: "Zero trust = never trust, always verify." No implicit trust based on network location.

17. What is Cache Poisoned Denial of Service?

Show answer CPDoS, or Cache Poisoned Denial of Service, poisons the CDN cache. By manipulating certain request headers, the attacker forces the origin server to return a Bad Request error, which is stored in the CDN’s cache. Thus, every request that comes after the attack will get an error page.

Remember: "SIEM = Security Information and Event Management." It aggregates logs, correlates events, and alerts on threats.

18. What is a Security Misconfiguration?

Show answer **Security misconfiguration** is a vulnerability in which a device/application/network is configured in a way that an attacker can exploit. This can be as simple as leaving the default username/password unchanged, or too simple, for device accounts, etc.

Remember: "Supply chain attacks target dependencies, not your code." SolarWinds, Codecov, and npm package hijacks are examples.

19. What is DDoS attack? How do you deal with it?

Show answer DDoS (Distributed Denial of Service) overwhelms systems with traffic.

Types:
- Volumetric: Flood bandwidth (UDP flood)
- Protocol: Exploit protocol weaknesses (SYN flood)
- Application: Target application layer (HTTP flood)

Defense strategies:
1. CDN/DDoS protection services
- Cloudflare, AWS Shield, Akamai
- Absorb and filter traffic

2. Rate limiting
- Limit requests per IP
- Connection limits

3. Traffic analysis
- Identify attack patterns
- Block suspicious sources

4. Anycast
- Distribute traffic globally
- No single point to overwhelm

5. Over-provisioning
- More capacity than needed
- Absorb spikes

6. Response plan
- Documented procedures
- Contact ISP/hosting provider

20. What is the difference, if any, between SSL and TLS?

Show answer TLS is the successor to SSL; they are different protocol versions.

History:
- SSL 1.0: Never released
- SSL 2.0: 1995, deprecated
- SSL 3.0: 1996, deprecated (POODLE)
- TLS 1.0: 1999, deprecated
- TLS 1.1: 2006, deprecated
- TLS 1.2: 2008, current standard
- TLS 1.3: 2018, latest

Key differences:
- TLS has stronger cipher suites
- TLS has improved handshake
- TLS 1.3 is faster and more secure
- SSL protocols have known vulnerabilities

Terminology:
- "SSL" often used colloquially for TLS
- "SSL certificate" actually works with TLS
- OpenSSL library supports both

Current recommendation:
- Use TLS 1.2 or 1.3 only
- Disable all SSL versions
- Disable TLS 1.0 and 1.1

21. What is XSS (Cross-Site Scripting) and how is it prevented?

Show answer Cross-Site Scripting (XSS) is a type of attack in which the attacker inserts browser-executable code within an HTTP response. The injected attack is not stored in the web application; it only affects the users who open the maliciously crafted link or third-party web page. A successful attack allows the attacker to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

22. Explain what is Single Sign-On

Show answer SSO (Single Sign-On) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.

23. Give an example of basic authentication process

Show answer A user uses the browser to authenticate to some server. It does so by using the authorization field which is constructed from the username and the password combined with a single colon. The result string is encoded using a certain character set which is compatible with US-ASCII. The authorization method + a space is prepended to the encoded string.

24. What is a threatening actor and how can this actor take advantage of open source or third party vendor's packages/libraries?

Show answer [Wikipedia](https://en.wikipedia.org/wiki/Threat_actor): A threatening actor is one or more people who target technical artifacts such as software, networks and/or devices with the purpose of harming them.

[Aquasec](https://www.aquasec.com/cloud-native-academy/devsecops/supply-chain-security/): An attacking actor may identify, target and inject malicious software in a vulnerable part of an open source package or a third party vendor’s code. The consumer of this code may consequently and unknowingly deploy the malicious code throughout their pipelines, thus infecting their own projects. An example of this happening is the hack of [SolarWinds](https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack).

25. Explain what is Buffer Overflow

Show answer A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.

26. What is "Key Exchange" (or "key establishment") in cryptography?

Show answer [Wikipedia](https://en.wikipedia.org/wiki/Key_exchange): "Key exchange (also key establishment) is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm."

27. What is SNI (Server Name Indication)?

Show answer [Wikipedia](https://en.wikipedia.org/wiki/Server_Name_Indication): "an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process"

Remember: "SSH hardening: disable password auth, use keys, change default port, use fail2ban."

28. What authentication methods are there?

Show answer Authentication verifies identity through several methods:

Something you know:
- Password
- PIN
- Security questions

Something you have:
- Hardware token (YubiKey)
- Smart card
- Phone (SMS, authenticator app)
- Certificate

Something you are:
- Fingerprint
- Face recognition
- Retina scan
- Voice

Multi-factor (MFA):
- Combines two or more methods
- Example: Password + TOTP
- Significantly more secure

For systems:
- SSH keys
- Kerberos tickets
- OAuth tokens
- Certificates (mTLS)

29. Explain the following: vulnerability, exploit, risk

Show answer Three related but distinct security concepts:

Vulnerability:
- A weakness in a system
- Could be exploited
- Example: SQL injection flaw, unpatched software
- CVEs catalog known vulnerabilities

Exploit:
- Code/technique that uses vulnerability
- Actually leverages the weakness
- Example: Exploit code for CVE-2021-44228
- Proof of concept or weaponized

Risk:
- Probability × Impact
- Likelihood of exploitation AND damage
- Factors: Exposure, exploitability, asset value
- Risk = Threat × Vulnerability × Asset Value

Relationship:
- Vulnerability exists
- Exploit activates vulnerability
- Risk quantifies potential damage

Risk management: Identify vulnerabilities, assess risk, prioritize fixes.

30. What is hashing and how is it used in security and data integrity?

Show answer Hashing is a mathematical function for mapping data of arbitrary size to fixed-size values. This function produces a "digest" of the data that can be used for verifying that the data has not been modified (amongst other uses).

31. What security sources are you using to keep updated?

Show answer Multiple sources for security awareness:

Vulnerability databases:
- NVD (National Vulnerability Database)
- CVE (Common Vulnerabilities and Exposures)
- Vendor security bulletins

News and blogs:
- Krebs on Security
- The Hacker News
- Ars Technica Security
- Schneier on Security

Mailing lists:
- oss-security
- Full Disclosure
- Vendor security lists (Ubuntu, Red Hat)

Social media:
- Twitter security researchers
- Reddit r/netsec

Feeds:
- US-CERT alerts
- SANS Internet Storm Center

Tools:
- Feedly for aggregation
- RSS feeds

Active participation:
- Security conferences (DEF CON, Black Hat)
- CTF competitions
- Bug bounty programs

Remember: "Network segmentation = blast radius control." VLANs, security groups, and network policies limit lateral movement.

32. What is DevSecOps? What are its core principles?

Show answer A couple of quotations from chosen companies:

[Snyk](https://snyk.io/series/devsecops): "DevSecOps refers to the integration of security practices into a DevOps software delivery model. Its foundation is a culture where development and operations are enabled through process and tooling to take part in a shared responsibility for delivering secure software."

Remember: "Security automation = toil reduction." Automate patching, scanning, compliance checks, and incident response playbooks.

33. What is the role of an SSH key?

Show answer [Wikipedia definition](https://en.wikipedia.org/wiki/Secure_Shell): SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user. Two keys are created: the private key is stored on the user's computer and is used to decrypt the communication, and the public key is stored on the remote computer the user wants to connect to and is used to encrypt the communication.

34. Name three SSH hardening basics.

Show answer 1) Disable root login (PermitRootLogin no).
2) Use key-based auth and disable password auth.
3) Use a non-default port or restrict source IPs with AllowUsers/firewall rules. Also: enforce short session timeouts.

35. Why should secrets never be committed to git?

Show answer Git history is permanent — even if you delete the file, the secret remains in previous commits. Attackers scan public repos for leaked keys. Use environment variables, vault systems, or .gitignore to prevent exposure.

Remember: "SOC 2 = security audit for service providers." Type I = point-in-time, Type II = over a period (more valuable).

36. What are the risks of granting unrestricted sudo?

Show answer Full root access means a compromised account owns the system. Use sudoers to allow only specific commands. Log all sudo usage. Avoid NOPASSWD for privileged commands. Prefer dedicated service accounts over broad sudo.

37. Why is centralized logging important for incident response?

Show answer Attackers often tamper with local logs. Centralized logging (syslog, ELK, CloudWatch) preserves evidence, enables correlation across hosts, and provides a timeline. Without it, you may not detect or reconstruct an incident.

Remember: "Backup 3-2-1 rule: 3 copies, 2 media types, 1 offsite." Test restores regularly — untested backups are not backups.

38. Why must backup restores be tested regularly?

Show answer Untested backups may be corrupted, incomplete, or incompatible with current systems. Regular restore drills verify RTO/RPO targets are achievable. An untested backup is not a backup — it is a hope.

39. What are the six phases of incident response (NIST)?

Show answer 1) Preparation.
2) Identification/Detection.
3) Containment.
4) Eradication.
5) Recovery.
6) Lessons Learned. Each phase feeds into the next. Post-incident review improves preparation for the next event.

40. What is an SBOM and what are the two main formats?

Show answer An SBOM (Software Bill of Materials) is a machine-readable inventory of every component in an artifact: libraries, versions, and licenses. The two main formats are SPDX (Linux Foundation standard) and CycloneDX (OWASP standard). SBOMs let you answer "does this image contain log4j?" in seconds rather than days.

41. How do you scan a container image for vulnerabilities using grype?

Show answer Run "grype ghcr.io/org/myapp:v1.2.3" to scan an image against CVE databases. Use "--fail-on high" to fail CI on high/critical vulnerabilities. Output JSON with "-o json" and filter for critical issues with jq. You can also scan from an SBOM: "grype sbom:./sbom.spdx.json" for faster repeated scans.

42. What cosign command verifies a signed container image and what flags constrain trust?

Show answer Use "cosign verify" with --certificate-identity-regexp (constrains which identity signed it, e.g., a GitHub Actions workflow path) and --certificate-oidc-issuer (constrains which OIDC provider issued the token, e.g., https://token.actions.githubusercontent.com). Both flags together establish a chain of trust: the image was signed by a specific CI pipeline.

43. What is HashiCorp Vault and what are its core use cases?

Show answer Vault is the industry standard for secrets management, providing centralized storage and access control for secrets. Core use cases include static secret storage (KV engine), dynamic credential generation (database, cloud IAM), encryption-as-a-service (transit engine), PKI certificate management, and audit logging of all secret access.

44. What is Vault Agent and what problem does it solve?

Show answer Vault Agent is a client daemon that runs alongside applications (often as a sidecar in Kubernetes). It handles automatic auth token renewal, secret caching, and template rendering (writing secrets to files the app can read). This removes the need for applications to implement Vault client logic, token lifecycle management, and re-authentication after token expiry.

45. What is a Vault token and what are root tokens used for?

Show answer Every authenticated request to Vault requires a token. Tokens have policies, TTLs, and can create child tokens. Root tokens have unlimited access and no TTL. They are generated during initialization (with the unseal keys) and should be revoked after initial setup. Use them only for emergency recovery or initial configuration -- never for application access.

46. What is the principle of least privilege?

Show answer Every user, service, and process should have the minimum permissions required to do its job — nothing more. This applies to user accounts, service accounts, processes, network ports, and time-limited access.

47. Why should IAM permissions be managed through groups rather than individual user policies?

Show answer Groups allow you to define a permission set once and apply it to many users. This is easier to audit, modify, and maintain than managing separate policies per user, and reduces the risk of permission drift or orphaned access.

48. What two sshd_config settings are most critical for SSH hardening?

Show answer PasswordAuthentication no (keys only, prevents brute-force password attacks) and PermitRootLogin no (forces users to authenticate as themselves and then escalate, providing an audit trail).

Remember: "XSS = Cross-Site Scripting." Attacker injects malicious scripts into web pages viewed by other users. Prevention: output encoding and CSP.

49. Why is deleting a file containing a secret in the next git commit insufficient?

Show answer Git stores full history. The secret remains accessible via git log -p or by checking out older commits. The secret must be rotated immediately, and history rewritten with git filter-repo if needed.

50. Why are shared credentials an operational security problem?

Show answer Shared credentials eliminate individual accountability (who made the change?), cannot be revoked for one person without rotating for everyone, and get weaker as they spread. Compliance frameworks require individual identities.

Remember: "Rate limiting prevents brute force and DDoS." Implement at multiple layers: CDN, load balancer, application.

51. What is the risk of leaving default configurations in production?

Show answer Default passwords (e.g., admin/admin), services bound to 0.0.0.0, and unauthenticated data stores are the first things attackers check. Defaults are publicly documented and trivially exploitable.

52. What tools can prevent secrets from being committed to a git repository?

Show answer Pre-commit hooks using tools like git-secrets, detect-secrets, or truffleHog scan staged changes for high-entropy strings, known key patterns (AWS keys, private keys), and custom regex rules. Install as a pre-commit hook so every commit is checked before it reaches the repo.

🟡 Medium (118)

1. Give three examples of potential security threats related to the software supply chain and describe them.

Show answer [IEEE](https://ieeexplore.ieee.org/abstract/document/9203862):

* Sensitive data being exposed or lost.
  * In a software supply chain, sensitive data may be passed throughout the chain. Security threats involve loss or exposure of this data, such as customer credit card details.
* Cloud technology.
  * Data sharing in the cloud might jeopardize the privacy of the data within the chain.
* Third-party vendors.
  * Third-party vendors’ code solutions might not provide sufficient cybersecurity and risk being subject to data breaches.

2. What does it mean to be "FIPS compliant"?

Show answer FIPS (Federal Information Processing Standards) compliance means meeting US government cryptographic requirements.

FIPS 140-2/140-3:
- Standard for cryptographic modules
- Required for US federal systems
- Four security levels (1-4)

Requirements:
- Approved algorithms only (AES, SHA-2, RSA)
- Validated cryptographic modules
- Key management procedures
- Self-tests on startup

What it means in practice:
- Use certified crypto libraries (OpenSSL FIPS module)
- Disable non-approved algorithms
- Enable FIPS mode in OS
- Regular auditing

Enable on Linux:
- fips=1 kernel parameter
- /etc/crypto-policies/back-ends/

3. How do you secure SSH at scale?

Show answer Defense in depth approach:

**Authentication**:
* Key-only auth (disable password: `PasswordAuthentication no`)
* No root login (`PermitRootLogin no`)
* Require specific groups (`AllowGroups sshusers`)

**Architecture**:
* Bastion/jump hosts - no direct access to internal systems
* Certificate-based auth for large fleets (SSH CA)
* Short-lived certificates where possible

**Auditing**:
* Centralized logging of SSH sessions
* Session recording for privileged access
* Alerting on anomalous access patterns

**Enforcement**:
* Configuration management (Ansible) ensures consistency
* Compliance scanning detects drift
* Regular key rotation

4. Explain "Forward Secrecy"

Show answer Forward Secrecy (Perfect Forward Secrecy) ensures session keys can't be compromised even if long-term keys are.

How it works:
- Ephemeral keys generated per session
- Session key derived from ephemeral exchange
- Long-term key only authenticates
- Past sessions safe if private key leaked later

Without Forward Secrecy:
- Attacker records encrypted traffic
- Later obtains server private key
- Can decrypt all past sessions

With Forward Secrecy:
- Each session has unique ephemeral key
- Key discarded after session
- Past traffic remains secure

Implementation:
- Diffie-Hellman Ephemeral (DHE)
- Elliptic Curve DHE (ECDHE)
- TLS 1.3 requires forward secrecy

Cipher suites: Look for DHE or ECDHE

5. Explain "Format String Vulnerability"

Show answer Format string vulnerability occurs when user input is used directly as format string.

Vulnerable code:
printf(user_input); // WRONG!
// Instead: printf("%s", user_input);

Exploitation:
- %x: Read stack memory
- %n: Write to memory
- %s: Read from arbitrary address
- Can leak memory or execute code

Example attack:
Input: "%x %x %x %x"
Output: Stack values leaked

Prevention:
- Never use user input as format string
- Always use format specifier: printf("%s", input)
- Compiler warnings: -Wformat-security
- Static analysis tools

Impact:
- Information disclosure
- Denial of service
- Remote code execution

Remember: "Least privilege = minimum access needed." Don't give root when read-only suffices. Applies to users, services, and API tokens.

6. How is Microsegmentation applied?

Show answer There are different ways to apply Microsegmentation:

- Cloud Native: Using cloud embedded capabilities such as security groups, firewalls, etc.
- Agent: Agents running on the different endpoints (instances, services, etc.)
- Network: Modify network devices and their configuration to create microsegmentation

7. Explain Symmetrical encryption

Show answer Symmetric encryption is any technique where the same key is used to both encrypt and decrypt the data/entire communication.

Example: nmap -sS -p 1-1000 10.0.0.1 does a SYN scan of the first 1000 ports.

Remember: "nmap = network mapper." SYN scan (-sS) is stealthy; connect scan (-sT) completes the handshake.

8. What is OAuth and how does it enable delegated authorization?

Show answer OAuth 2.0 is an authorization framework for delegated access.

Key concept:
- Grants limited access without sharing credentials
- "Login with Google/Facebook/GitHub"
- Third-party apps access resources on your behalf

Roles:
- Resource Owner: User
- Client: Application requesting access
- Authorization Server: Issues tokens
- Resource Server: Hosts protected resources

Flow (Authorization Code):
1. App redirects to auth server
2. User logs in and consents
3. Auth server redirects with code
4. App exchanges code for token
5. App uses token to access API

Token types:
- Access token: Short-lived API access
- Refresh token: Get new access tokens

Common use: SSO, API access, third-party integrations

Remember: "CVE = Common Vulnerabilities and Exposures." Format: CVE-YEAR-NUMBER. Example: CVE-2021-44228 is Log4Shell.

Fun fact: MITRE maintains the CVE database. NVD (NIST) adds severity scores.

9. Explain Asymmetrical encryption

Show answer Asymmetric encryption is any technique where two different keys are used for encryption and decryption. These keys are known as the public key and the private key.

10. HIDS vs NIDS and which one is better and why?

Show answer **HIDS** is a host intrusion detection system and **NIDS** is a network intrusion detection system. Both systems work along similar lines; only the placement is different. **HIDS** is placed on each host, whereas **NIDS** is placed in the network. For an enterprise, **NIDS** is preferred, as **HIDS** is difficult to manage and also consumes processing power of the host.

Remember: "Defense in depth = layers." Network, host, app, data — compromise one layer, others still protect.

Example: Firewall + WAF + input validation + encryption = four layers.

11. How is hashing different from encryption?

Show answer Encrypted data can be decrypted to its original value. Hashed data cannot be reversed to view the original data - hashing is a one-way function.

12. Explain the flow of using cookies

Show answer 1. User enters credentials
2. The server verifies the credentials -> a session is created and stored in the database
3. A cookie with the session ID is set in the browser of that user
4. On every request, the session ID is verified against the database
5. The session is destroyed (both on client-side and server-side) when the user logs out

Remember: "Patch Tuesday = Microsoft's monthly update cycle (2nd Tuesday)." Linux distros have their own cadences — subscribe to security mailing lists.

Gotcha: Unpatched systems are the #1 attack vector. Automate patching where possible.

13. How can you make sure that you use trustworthy packages for your project?

Show answer You can’t. You will always be exposed to security risk once you start using open source or vendor packages. The goal is to minimize the risk in order to avoid security breaches. This could be done by:

* Regularly update the project's dependencies to apply the latest bug fixes and vulnerability clean-ups.
* However, unless you trust the author, do not update your dependencies instantly, since package updates have recently been a common target for hackers.
* Check for changes to the file content compared with previous versions.

14. Explain "Web Cache Deception Attack"

Show answer Web Cache Deception Attack tricks a cache server into storing sensitive, user-specific pages by appending a cacheable extension to the URL.
Example: attacker shares `https://example.com/account/settings/logo.png` — the CDN caches the account page because of the .png extension. Mitigation: configure caches to respect Cache-Control headers and validate Content-Type before caching.

15. What is a WAF and what are its types?

Show answer **WAF** stands for web application firewall. It is used to protect the application by filtering legitimate traffic from malicious traffic. **WAF** can be either a box type or cloud based.

Remember: "2FA = something you know + something you have." Password + TOTP app, or password + hardware key.

16. What can you tell me about Stuxnet?

Show answer Stuxnet is a computer worm that was originally aimed at Iran’s nuclear facilities and has since mutated and spread to other industrial and energy-producing facilities. The original Stuxnet malware attack targeted the programmable logic controllers (PLCs) used to automate machine processes. It generated a flurry of media attention after it was discovered in 2010 because it was the first known virus to be capable of crippling hardware and because it appeared to have been created by the U.S. National Security Agency, the CIA, and Israeli intelligence.

17. Explain Risk-based authentication

Show answer Risk-based authentication adjusts security based on context and risk signals.

Risk factors evaluated:
- Location (unusual country?)
- Device (new device?)
- Time (unusual hours?)
- Behavior (different patterns?)
- IP reputation
- Failed attempts history

Responses based on risk:
- Low risk: Normal login
- Medium risk: Additional verification (MFA)
- High risk: Block and alert

Examples:
- Login from new country → require MFA
- Unusual time + new device → additional questions
- Multiple failures → temporary lockout

Benefits:
- Better user experience (less friction normally)
- Stronger security when needed
- Adaptive to threats

Used by: Banks, Google, Microsoft, etc.

18. Does Kerberos make use of symmetric encryption, asymmetric encryption, both, or neither?

Show answer Symmetric Encryption - Kerberos uses exclusively symmetric encryption with pre-shared keys for transmitting encrypted information and authorizing users.

Example: Lynis audit: `lynis audit system` scans for hardening issues.

Remember: "CIS Benchmarks = industry-standard hardening checklists." Available for every major OS and cloud platform.

19. What is air-gapped network or air-gapped environment?

Show answer Air-gapped network is physically isolated from other networks.

Characteristics:
- No internet connection
- No network links to other systems
- Complete physical isolation
- Data transfer via removable media only

Use cases:
- Military/classified systems
- Critical infrastructure (power grids)
- Financial transaction systems
- Nuclear facilities
- Secure development environments

Challenges:
- Data transfer is cumbersome
- Updates require manual process
- Still vulnerable to:
- Insider threats
- Infected removable media (Stuxnet)
- Side-channel attacks

Security measures:
- Strict media policies
- Media scanning stations
- Physical security
- Personnel screening

Not foolproof: Stuxnet crossed air gaps via USB.

Remember: "Fail2ban watches logs, bans IPs." It parses log files for failed auth attempts and adds firewall rules.

Example: `fail2ban-client status sshd` shows banned IPs.

20. Explain RBAC (Role-based Access Control)

Show answer Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.

- RBAC is mapped to job function and assumes that a person will take on different roles over time within an organization, with different responsibilities in relation to IT systems.

21. What is compliance in IT and why does it matter?

Show answer Compliance means abiding by a set of standards set by a government, independent party or organisation. E.g. an industry which stores, processes or transmits payment-related information needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Another example of compliance is an organisation complying with its own policies.

22. True or False? Cookie-based authentication is stateful

Show answer True. With cookie-based authentication, the session must be kept on both the server and the client side.

Remember: "OWASP Top 10 = most critical web app security risks." Updated periodically. #1 is usually injection or broken access control.

23. Explain Authentication and Authorization

Show answer Authentication is the process of identifying whether a service or a person is who they claim to be.
Authorization is the process of identifying what level of access the service or the person has (after authentication is done).

Remember: "SQL injection = untrusted input in SQL queries." Prevention: parameterized queries (prepared statements), never string concatenation.

24. What are CVE and CVSS, and how are they used in vulnerability management?

Show answer [Red Hat](https://www.redhat.com/en/topics/security/what-is-cve#how-does-it-work): "When someone refers to a CVE (Common Vulnerabilities and Exposures), they mean a security flaw that's been assigned a CVE ID number. They don’t include technical data, or information about risks, impacts, and fixes." So a CVE is just identified by an ID written with 8 digits. The CVE ID has the following format: CVE prefix + Year + Arbitrary Digits.
Anyone can submit a vulnerability; [Exploit Database](https://www.exploit-db.com/submit) explains how submission works.

CVSS stands for Common Vulnerability Scoring System. It attempts to assign severity scores to vulnerabilities, making it possible to order and prioritize responses and resources according to threat.

25. Describe bloated dependencies.

Show answer [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf):
An application usually has different dependencies. Typically, not all of them are required for building and running the application. Bloated dependencies is the concept of including unnecessary dependencies for building and running your application.

26. What is the difference between asynchronous and synchronous encryption?

Show answer Terms usually refer to symmetric vs asymmetric encryption:

Symmetric (Synchronous):
- Same key encrypts and decrypts
- Fast, efficient
- Key distribution challenge
- Algorithms: AES, ChaCha20
- Use: Bulk data encryption

Asymmetric:
- Public/private key pair
- Public encrypts, private decrypts
- Slower but solves key distribution
- Algorithms: RSA, ECDSA, Ed25519
- Use: Key exchange, signatures

Hybrid approach (common):
- Asymmetric to exchange session key
- Symmetric for bulk data
- Example: TLS handshake

Signing (asymmetric):
- Private key signs
- Public key verifies
- Proves authenticity

Remember: "IDS detects, IPS prevents." IDS alerts on suspicious traffic; IPS actively blocks it.

Example: Snort and Suricata can run in either IDS or IPS mode.

27. True or False? The private key can be mathematically computed from a public key

Show answer False. The private key cannot be derived from the public key — that's the fundamental security property of asymmetric cryptography. If this were possible, all public-key encryption would be broken.

28. Explain MAC flooding attack

Show answer A MAC address flooding attack (CAM table flooding attack) is a type of network attack where an attacker connected to a switch port floods the switch interface with a very large number of Ethernet frames with different fake source MAC addresses.

29. What are some examples of security architecture requirements?

Show answer Security architecture covers multiple domains:

Network security:
- Segmentation (VLANs, firewalls)
- DMZ for public services
- Zero trust architecture
- Encrypted transit (TLS everywhere)

Identity & Access:
- Centralized authentication (SSO)
- Multi-factor authentication
- Role-based access control
- Privileged access management

Data protection:
- Encryption at rest and in transit
- Data classification
- DLP (Data Loss Prevention)
- Backup and recovery

Application security:
- Secure SDLC
- WAF protection
- Input validation
- Security testing (SAST/DAST)

Monitoring:
- SIEM implementation
- Log aggregation
- Intrusion detection
- Incident response plan

Compliance: SOC2, HIPAA, PCI-DSS, GDPR

Remember: "Rootless containers = no root daemon." Podman runs rootless by default; Docker requires configuration.

30. Explain how the Kerberos authentication protocol works as an SSO solution

Show answer Kerberos works as an SSO solution by only requiring the user to sign in using their credentials once within a specific validity time window. Kerberos authentication grants the user a Ticket Granting Ticket (TGT) from a trusted authentication server, which can then be used to request service tickets for accessing various services and resources. By passing around this encrypted TGT instead of credentials, the user does not need to sign in multiple times for each resource that has been integrated with Kerberos.

31. Explain Token-based authentication

Show answer Token-based auth uses tokens instead of sending credentials repeatedly.

How it works:
1. User authenticates (username/password)
2. Server issues token (JWT, opaque token)
3. Client stores token
4. Token sent with each request
5. Server validates token

JWT (JSON Web Token):
- Header: Algorithm, type
- Payload: Claims (user ID, expiry, roles)
- Signature: Validates integrity
- Self-contained, stateless

Benefits:
- No session storage on server
- Scalable (stateless)
- Works across domains
- Mobile-friendly

Security considerations:
- Token expiry (short-lived)
- Secure storage (httpOnly cookies)
- HTTPS required
- Refresh token rotation

32. What are cookies? Explain cookie-based authentication.

Show answer Cookies are small pieces of data stored by the browser and sent with requests.

Cookie-based auth flow:
1. User submits credentials
2. Server creates session, stores server-side
3. Server sends session ID in cookie
4. Browser sends cookie with every request
5. Server looks up session

Cookie attributes:
- HttpOnly: JavaScript can't access
- Secure: HTTPS only
- SameSite: CSRF protection
- Domain/Path: Scope
- Expires/Max-Age: Lifetime

Session storage:
- Server-side: Database, Redis
- Stateful (unlike JWT)

Security:
- HttpOnly prevents XSS token theft
- SameSite=Strict prevents CSRF
- Secure ensures encryption
- Short expiry limits damage

33. What is XSS, how will you mitigate it?

Show answer **Cross Site Scripting** is a JavaScript vulnerability in web applications. The easiest way to explain this is a case where a user enters a script in the client-side input fields and that input gets processed without being validated. This leads to untrusted data getting saved and executed on the client side.

Countermeasures against XSS include input validation, implementing a CSP (Content Security Policy), and others.

34. How to mitigate password attacks?

Show answer * Strong password policy
* Do not reuse passwords
* ReCaptcha
* Training personnel against Social Engineering
* Risk Based Authentication
* Rate limiting
* MFA

35. Does using VLANs contribute to network security?

Show answer VLANs provide network segmentation but are not a security boundary.

Security benefits:
- Logical separation of traffic
- Reduced broadcast domain
- Limit lateral movement
- Easier access control between VLANs

Limitations:
- VLAN hopping attacks possible
- Misconfiguration can expose traffic
- Layer 2 only, need firewalls for filtering
- Not encryption

VLAN hopping attacks:
- Switch spoofing: Pretend to be trunk
- Double tagging: Nested VLAN tags

Best practices:
- Disable DTP (Dynamic Trunking Protocol)
- Use dedicated VLAN for management
- Prune VLANs on trunks
- Don't use VLAN 1
- Firewall between VLANs

VLANs are one layer, not complete security.

Remember: "Audit logs = forensic evidence." Log who did what, when, from where. Immutable storage prevents tampering.

36. iptables vs nftables - what matters?

Show answer nftables is the successor to iptables with significant improvements:

**nftables advantages**:
* Faster rule processing (single evaluation)
* Unified framework (no separate ip6tables, arptables)
* Atomic rule updates (no packet loss during reload)
* Better syntax, easier to read
* Sets and maps for efficient matching

**Conceptually similar**: Both use chains, rules, hooks. Knowledge transfers.

**Practical reality**:
* RHEL 8+/Debian 10+ default to nftables
* `iptables` command often wraps nftables backend
* Legacy scripts still work via compatibility layer

**Migration**: `iptables-translate` converts rules to nftables syntax.

37. What TCP and UDP vulnerabilities are you familiar with?

Show answer Protocol-level vulnerabilities in TCP/UDP:

TCP vulnerabilities:
- SYN Flood: Exhaust connection table
- TCP Reset Attack: Spoofed RST packets
- Session Hijacking: Predict sequence numbers
- TCP Timestamp Attack: Leak system info

UDP vulnerabilities:
- UDP Flood: Volumetric DoS
- DNS Amplification: Abuse DNS for DDoS
- NTP Amplification: Abuse NTP monlist
- SSDP Reflection: Abuse UPnP

Mitigations:
- SYN cookies (SYN flood)
- Rate limiting
- Ingress filtering (BCP38)
- Disable unnecessary UDP services
- Response rate limiting

Network level:
- BGP hijacking awareness
- TCP/IP stack hardening
- Proper firewall rules

38. What is a DMZ (demilitarized zone) in network security?

Show answer DMZ (Demilitarized Zone) is a network segment between internal and external networks.

Purpose:
- Hosts public-facing services
- Adds security layer
- Isolates internal network

Architecture:
- Firewall 1: Internet ↔ DMZ
- Firewall 2: DMZ ↔ Internal
- Double-layer protection

DMZ typically contains:
- Web servers
- Mail servers
- DNS servers
- Reverse proxies
- VPN endpoints

Rules:
- Internet → DMZ: Limited ports
- DMZ → Internal: Very restricted
- Internal → DMZ: As needed

Benefits:
- Breach in DMZ doesn't expose internal
- Defense in depth
- Compliance requirement

39. True or False? Symmetrical encryption makes use of public and private keys, where the private key is used to decrypt the data encrypted with a public key

Show answer False. Symmetric encryption uses the same shared key for both encryption and decryption (e.g., AES-256). The description of public/private key pairs fits asymmetric encryption (e.g., RSA, ECDSA). In practice, TLS uses asymmetric encryption for the initial key exchange, then switches to faster symmetric encryption for the session data.

40. Briefly describe what a software supply chain is.

Show answer A company’s software supply chain consists of any third-party or open source component which could be used to compromise the final product. Such a component is usually an API provided by an actor, for instance Twilio, which offers mobile communication APIs to its customers.

[WhiteSource](https://www.whitesourcesoftware.com/resources/blog/software-supply-chain-security-the-basics-and-four-critical-best-practices/): "Enterprise software projects increasingly depend on third-party and open source components.

41. SELinux - why keep it enabled?

Show answer SELinux provides Mandatory Access Control (MAC) that catches classes of exploits that discretionary permissions (DAC) never will.

**Why it matters**:
* Limits damage from compromised processes - even root can be constrained
* Defense in depth - if app has vulnerability, SELinux limits lateral movement
* Catches misconfigurations that DAC would allow
* Required for many compliance standards

**Common objection**: "It breaks things" - usually means something is misconfigured, not that SELinux is wrong.

**Proper approach**: Debug denials, fix policies, don't disable. An attacker who compromises your app is betting you turned it off.

42. True or False? In the case of SSH, asymmetrical encryption is not used for the entire SSH session

Show answer True. In SSH, asymmetric encryption is used only during the initial key exchange to securely establish a shared session key. After that, all data is encrypted with faster symmetric encryption (typically AES-256). The asymmetric step ensures the symmetric key is shared securely without being intercepted. This hybrid approach balances security with performance.

43. What is a checksum and how is it used to verify data integrity?

Show answer [Fred Cohen (permission needed)](https://reader.elsevier.com/reader/sd/pii/0167404887900319?token=D5339ABC064AD9A2B50B74D8CE890B0E22A302A0BC461A50078D407BEA01052737DC6AAEF95A854E72A73B6D0C67E260&originRegion=eu-west-1&originCreation=20220502180611): Checksum is a way to verify the integrity of information in systems with no built-in protection. In other words, it provides a way of validating that the content of a file or a package / library is intact. This is useful since attacks or errors may occur during transmission of files.

44. What're some benefits of a software supply chain?

Show answer [Increment](https://increment.com/apis/apis-supply-chain-software/): Resource-saving. Using and paying for existing solutions to resource-heavy problems saves time as well as money, resulting in efficient, cheap and greater opportunities to develop and deploy software products for consumers.

45. Explain a few cons of bloated dependencies.

Show answer [Baudry et al.](https://arxiv.org/pdf/2001.07808.pdf):

* Challenging to manage.
* Decreases performance of the application.
* Risk of malicious code that a threatening actor can take advantage of.

46. What are ephemeral environments in the context of Microsegmentation?

Show answer - These are short-lived resources like containers or serverless functions that start and stop quickly.
- Because they don’t last long, they need security rules that can change just as fast.
- Microsegmentation helps by giving each one exactly the network access it needs — nothing more.

47. What password attacks are you familiar with?

Show answer Common password attacks: Dictionary (tries common words and passwords from leaked databases), Brute Force (tries every possible combination), Password Spraying (tries a few common passwords against many accounts to avoid lockouts), and Social Engineering variants: Phishing (fake emails/sites), Vishing (voice calls), Whaling (targeting executives). Mitigations: MFA, account lockout policies, and password managers.

48. What solutions are there for managing project dependencies?

Show answer [Npm.js documentation](https://docs.npmjs.com/cli/v8/commands/npm-prune): Use clean-up commands that are usually provided by the package manager authors. For instance, `npm prune` will remove any extraneous package. Another command is `npm audit`, which will scan your repository and report any vulnerable dependencies found.

Remember: "Penetration testing = authorized attack simulation." Red team attacks, blue team defends, purple team collaborates.

49. What does the "Zero Trust" concept mean? How do organizations deal with it?

Show answer [Codefresh definition](https://codefresh.io/security-testing/codefresh-runner-overview): "Zero trust is a security concept that is centered around the idea that organizations should never trust anyone or anything that does not originate from their domains. Organizations seeking zero trust automatically assume that any external services it commissions have security breaches and may leak sensitive information"

50. How is HTTPS different from HTTP?

Show answer The 'S' in HTTPS stands for 'secure'. HTTPS uses TLS to provide encryption of HTTP requests and responses, as well as providing verification by digitally signing requests and responses. As a result, HTTPS is far more secure than HTTP and is used by default for most modern websites.

51. What types of firewalls are there?

Show answer Firewalls filter traffic at different layers:

Packet Filter (Stateless):
- Filters by IP, port, protocol
- Each packet independent
- Fast but limited
- Example: Basic iptables rules

Stateful Firewall:
- Tracks connection state
- Allows return traffic automatically
- More intelligent filtering
- Example: iptables with conntrack

Application Layer (WAF):
- Inspects application content
- HTTP/HTTPS aware
- Blocks SQL injection, XSS
- Example: ModSecurity, AWS WAF

Next-Gen Firewall (NGFW):
- Deep packet inspection
- Application awareness
- IPS integration
- User identity aware
- Example: Palo Alto, Fortinet

Cloud/Host-based:
- Security groups (AWS)
- Network policies (Kubernetes)
- Host firewall (firewalld, ufw)

Remember: "Threat modeling = structured 'what could go wrong?'" STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.

52. What challenges arise when scaling Microsegmentation?

Show answer - As more systems get added, managing all the rules becomes harder.
- It’s tough to keep security rules consistent when everything’s changing all the time.
- You also have to be careful not to slow things down while keeping everything secure.

53. How does Microsegmentation help prevent lateral movement?

Show answer - It sets tight rules for how services or systems can talk to each other.
- If one system gets hacked, the attacker can’t easily move to others.
- By dividing systems into smaller zones, it makes the whole network harder to break into.

54. What are the three primary factors of authentication? Give three examples of each

Show answer Something you have
- Smart card
- Physical authentication device
- Software token

Something you know
- Password
- PIN
- Passphrase

Something you are
- Fingerprint
- Iris or retina scan
- Gait analysis

55. Explain HTTP Header Injection vulnerability

Show answer HTTP Header Injection vulnerabilities occur when user input is insecurely included within server response headers. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Remember: "Secrets scanning in CI catches leaked credentials." Tools: gitleaks, truffleHog, detect-secrets.

Example: `gitleaks detect --source .` scans the git history for secrets patterns.

56. What's SSL termination (or SSL offloading)?

Show answer SSL termination is the process of decrypting encrypted traffic. The advantage of SSL termination is that the server doesn't have to perform it; we can use SSL termination to reduce the load on the server, speed up some processes, and allow the server to focus on its core functionality (e.g. delivering content).

57. Describe how you secure public repositories

Show answer Protecting code in public repositories:

Prevent secrets exposure:
- Never commit credentials
- Use .gitignore for sensitive files
- Pre-commit hooks (git-secrets)
- Scan history for secrets (trufflehog)
- Environment variables for secrets

Branch protection:
- Require PR reviews
- Protected branches (no force push)
- Status checks before merge
- Signed commits

Access control:
- Minimal write access
- Review collaborators regularly
- Use teams with appropriate permissions

Code security:
- Dependency scanning (Dependabot)
- SAST tools (CodeQL)
- License compliance
- Security policy (SECURITY.md)

Monitoring:
- Enable security alerts
- Watch for forks
- Audit log review

58. What is TLS (Transport Layer Security) and how does it secure communication?

Show answer TLS (Transport Layer Security) encrypts network communication.

Purpose:
- Confidentiality (encryption)
- Integrity (tampering detection)
- Authentication (certificates)

TLS handshake:
1. Client Hello (supported ciphers, TLS version)
2. Server Hello (chosen cipher, certificate)
3. Key exchange (establish shared secret)
4. Encrypted communication begins

Versions:
- TLS 1.0, 1.1: Deprecated
- TLS 1.2: Current standard
- TLS 1.3: Latest, faster handshake

Components:
- Certificates: Identity verification
- Cipher suites: Encryption algorithms
- Key exchange: ECDHE, DHE

Use cases:
- HTTPS (web)
- SMTPS, IMAPS (email)
- Database connections
- API communication

59. How are hashes part of SSH?

Show answer Hashes are used in SSH to verify the authenticity of messages and to verify that nothing has tampered with the data received.

60. Explain MFA (Multi-Factor Authentication)

Show answer Multi-Factor Authentication (also known as 2FA) allows the user to present two pieces of evidence (credentials) when logging into an account.

- The credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Credentials must come from two different categories to enhance security.

61. Explain Man-in-the-middle attack

Show answer MITM attack intercepts communication between two parties.

How it works:
1. Attacker positions between victim and server
2. Intercepts all traffic
3. Can read/modify data
4. Both sides think they're talking directly

Attack vectors:
- ARP spoofing (LAN)
- DNS spoofing
- Rogue WiFi access points
- SSL stripping
- BGP hijacking

Prevention:
- HTTPS (TLS encryption)
- Certificate pinning
- HSTS (HTTP Strict Transport Security)
- VPN on untrusted networks
- Verify certificate warnings

Detection:
- Certificate warnings
- Unexpected redirects
- Network monitoring

Example: Attacker on coffee shop WiFi intercepts login credentials.

62. Why do we need Microsegmentation solutions? Why isn't using something such as firewalls enough?

Show answer - Firewalls focus on north-south traffic, basically traffic that is outside of the company perimeter
- Traffic that is considered west-east, such as internal workflows and communication, is usually left untreated

63. How do you identify and manage vulnerabilities?

Show answer Systematic approach to vulnerability management:

Identification:
- Vulnerability scanners (Nessus, OpenVAS, Qualys)
- Dependency scanning (Snyk, Dependabot)
- SAST/DAST for code
- Penetration testing
- Bug bounty programs

Prioritization:
- CVSS score (severity)
- Exploitability (is exploit public?)
- Asset criticality
- Exposure (internal vs public)

Remediation:
- Patch management
- Configuration fixes
- Compensating controls
- Accept risk (documented)

Process:
1. Continuous scanning
2. Triage and prioritize
3. Assign to teams
4. Track remediation
5. Verify fixes
6. Report metrics

Tools: Jira, ServiceNow for tracking

Remember: "Incident response = Identify, Contain, Eradicate, Recover, Learn." The NIST framework.

64. What can you tell me about the BootHole vulnerability?

Show answer BootHole (CVE-2020-10713) was a GRUB2 buffer overflow vulnerability.

The vulnerability:
- Buffer overflow in GRUB2 config parsing
- Exploitable via malicious grub.cfg
- Could bypass Secure Boot
- Affected most Linux distributions

Impact:
- Arbitrary code execution in GRUB
- Persistent malware before OS loads
- Secure Boot bypass
- Rootkit installation

Mitigation:
- Update GRUB2 packages
- Update shim bootloader
- Revoke vulnerable signatures (dbx)
- Update firmware

Lesson learned:
- Boot security is complex
- Secure Boot isn't foolproof
- Trust chain only as strong as weakest link

65. What can you tell me about Spectre?

Show answer Spectre is an attack method which allows a hacker to “read over the shoulder” of a program it does not have access to. Using code, the hacker forces the program to pull up its encryption key allowing full access to the program

66. How do you manage sensitive information like passwords?

Show answer Use secrets management solutions, never plaintext:

Solutions:
- HashiCorp Vault: Industry standard
- AWS Secrets Manager / Parameter Store
- Azure Key Vault
- Kubernetes Secrets (basic)
- Ansible Vault (for configs)

Best practices:
- Never commit secrets to git
- Rotate secrets regularly
- Audit access
- Encrypt at rest
- Least privilege access
- Separate dev/prod secrets

For applications:
- Environment variables (okay for some cases)
- Secrets from Vault at runtime
- Service accounts with limited scope

Tools:
- git-secrets: Prevent committing secrets
- detect-secrets: Scan for secrets
- pre-commit hooks

67. What benefits does SNI introduce?

Show answer SNI allows a single server to serve multiple certificates using the same IP and port.
Practically, this means that a single IP can serve multiple web services/pages, each using a different certificate.

68. Are you familiar with "OWASP top 10"?

Show answer The OWASP Top 10 is a regularly updated list of the most critical web application security risks. Current top risks include: Broken Access Control, Cryptographic Failures, Injection (SQL/XSS), Insecure Design, Security Misconfiguration, and Server-Side Request Forgery (SSRF). It serves as the baseline standard for web application security testing and developer training.

69. Explain "Privilege Restriction"

Show answer Privilege restriction limits access rights to minimum necessary.

Principle of Least Privilege:
- Users get only permissions they need
- No more, no less
- Applies to humans and services

Implementation:
- Role-based access (RBAC)
- Don't run as root
- Separate admin accounts
- Time-limited elevated access
- Service accounts with minimal scope

Linux examples:
- sudo instead of root login
- Drop capabilities in containers
- SELinux/AppArmor policies
- File permissions

Benefits:
- Limits damage from compromise
- Reduces attack surface
- Easier auditing
- Compliance requirement

Related: Defense in depth, zero trust

Remember: "PKI = Public Key Infrastructure." It manages digital certificates for authentication and encryption.

70. Have you worked with hybrid cloud environments, and how did you integrate them with on-premises data centers?

Show answer - Assessment of Workloads: Assess workloads to determine which applications or services are suitable for migration to the cloud and which should remain on-premises.
- Selecting Cloud Services: Choose appropriate cloud services and providers based on workload requirements, considering factors like scalability, performance, and cost.
- Connectivity Solutions: Implement secure connectivity solutions, such as Virtual Private Networks (VPNs) or dedicated connections, to establish communication between on-premises data centers and the cloud.

71. Discuss a time when you successfully implemented a change that resulted in improved data center efficiency.

Show answer In a previous role, we identified inefficiencies in server utilization, leading to increased operational costs and resource wastage. To address this, we implemented a server virtualization initiative.

**Steps Taken:**
- Assessment: Conducted a comprehensive assessment of server utilization, identifying underutilized servers and areas for consolidation.
- Virtualization Strategy: Developed a virtualization strategy to migrate workloads to a virtual environment using VMware, optimizing server resources.

72. Discuss the role of change management in a data center environment.

Show answer
- Controlled Changes: Change management ensures that all changes to the data center environment, including configurations, hardware, and software, are controlled and documented.
- Risk Mitigation: It helps identify potential risks associated with changes, assess their impact, and implement mitigation strategies to prevent disruptions.
- Communication: Change management facilitates communication among teams, ensuring that all stakeholders are informed about upcoming changes and their potential impact.

73. How do you collaborate with other teams, such as network engineers or system administrators?

Show answer
- Regular Meetings: Schedule regular meetings with cross-functional teams to discuss ongoing projects, share updates, and address challenges collaboratively.
- Communication Platforms: Utilize communication platforms such as Slack, Microsoft Teams, or dedicated collaboration tools for real-time communication and file sharing.
- Project Planning: Collaborate during the project planning phase to ensure alignment on goals, timelines, and resource requirements.

74. What criteria do you consider when choosing between different server or networking equipment vendors?

Show answer
- Performance and Scalability: Evaluate the performance specifications and scalability of the equipment to ensure it meets current and future demands.
- Reliability and Availability: Consider the vendor's track record for reliability and the availability of support services to minimize downtime.
- Compatibility: Ensure compatibility with existing infrastructure, protocols, and standards to facilitate seamless integration.
- Cost-effectiveness: Analyze the total cost of ownership, including purchase, maintenance, and operational costs, to determine cost-effectiveness.

75. Explain the concept of server hardening and its importance.

Show answer Server hardening is the process of securing a server by reducing its attack surface and strengthening its defenses against potential security threats. It involves implementing security best practices and configurations to minimize vulnerabilities.

**Importance:**
- Mitigating Security Risks: Server hardening helps mitigate security risks by reducing the likelihood of unauthorized access, data breaches, and other security incidents.
- Compliance Requirements: It ensures compliance with industry standards and regulations that mandate specific security configurations.

76. How do you create and test a disaster recovery plan for a data center?

Show answer Creating and testing a disaster recovery plan involves the following steps:

- **Risk Assessment:** Identify potential risks and threats to the data center, such as natural disasters, hardware failures, or cyberattacks.
- **Critical Asset Identification:** Determine critical systems, applications, and data that need protection and recovery.
- **Recovery Objectives:** Define recovery time objectives (RTO) and recovery point objectives (RPO) for each critical asset.

77. Explain the importance of firewalls in a data center environment.

Show answer A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

**Importance in Data Center:**
- Access Control: Firewalls control access to and from the data center, allowing only authorized traffic and blocking unauthorized or potentially harmful traffic.
- Security Perimeter: Firewalls establish a security perimeter around the data center, acting as a barrier between the internal network and external networks, such as the internet.

78. What are the security implications of integrating on-premises data centers with cloud services?

Show answer
- Data Transmission Security: Security implications arise during the transmission of data between on-premises data centers and the cloud. Encryption protocols (TLS/SSL) should be employed to secure data in transit.
- Identity and Access Management (IAM): Integrating on-premises systems with cloud services requires a robust IAM strategy to manage user access and permissions across both environments consistently.

79. Discuss a situation where you had to communicate technical issues to non-technical stakeholders.

Show answer In a previous role, I encountered a critical server outage that affected a key business application. To communicate this technical issue to non-technical stakeholders, I followed these steps:

- Clarity in Language: Avoided technical jargon and communicated in clear, simple language to ensure understanding.
- Impact Assessment: Clearly outlined the impact on business operations, emphasizing the significance of the issue.
- Root Cause Analysis: Provided a brief explanation of the root cause of the outage without delving into overly technical details.

80. Describe a situation where you had to prioritize tasks in a data center environment with limited resources and time.

Show answer In a previous role, we faced a situation where multiple critical tasks needed to be addressed urgently, but resources and time were limited.

**Steps Taken:**
- Task Prioritization: Conducted a quick assessment of the tasks based on their impact on business operations and criticality.
- Communication: Communicated with stakeholders, including management and end-users, to set expectations regarding task prioritization and potential delays.
- Resource Allocation: Assessed the availability of resources, including personnel and equipment, and allocated them based on the priority of tasks.

81. Discuss your experience with configuration management tools such as Puppet or Chef.

Show answer In a previous role, I utilized Puppet for configuration management in a large-scale data center environment.

**Key Experiences:**
- Infrastructure as Code (IaC): Implemented Infrastructure as Code (IaC) principles using Puppet manifests to define and manage infrastructure configurations.
- Automated Configuration Deployment: Automated the deployment and configuration of servers, ensuring consistency across the entire infrastructure.
- Role-Based Configuration: Organized configurations into role-based modules, allowing for easy management and scalability.

82. How do you ensure data integrity and security when decommissioning or repurposing hardware?

Show answer
- Data Sanitization: Implement data sanitization methods, such as secure erasure or disk wiping, to ensure that sensitive data is irreversibly removed from storage devices.
- Encryption Decryption: Encrypt data on storage devices, and only decrypt it when necessary during the decommissioning process.
- Secure Disposal: Dispose of hardware securely by following industry best practices, such as physically destroying storage devices or utilizing certified e-waste disposal services.

83. How should SSH keys be managed in production?

Show answer Use ssh-agent or a secrets manager — never store unencrypted private keys on disk. Rotate keys periodically. Use ed25519 over RSA. Deploy keys via config management. Revoke departed users' keys immediately.

Remember: "Compliance ≠ security." Being compliant means meeting minimum standards. Being secure means actually defending against threats.

84. What should you do immediately after discovering a leaked secret?

Show answer 1) Rotate/revoke the secret immediately.
2) Audit access logs for unauthorized use.
3) Remove from git history (git filter-repo or BFG).
4) Force-push cleaned history.
5) Notify affected teams. Speed matters — automated scrapers find leaked keys within minutes.

85. How do you audit sudo usage on a Linux system?

Show answer Check /var/log/auth.log or /var/log/secure for sudo entries. Use: grep sudo /var/log/auth.log. For centralized auditing, forward sudo logs to a SIEM. Also: sudoreplay if session recording is enabled.

86. What log sources should you review during a Linux security incident?

Show answer /var/log/auth.log (logins, sudo), /var/log/syslog (system events), audit.log (auditd rules), lastlog/wtmp (login history), cron logs, application logs. Also: journalctl for systemd services, and any SIEM alerts.

87. What are common indicators of compromise (IOCs) on a Linux host?

Show answer Unexpected processes or open ports, modified system binaries (check with rpm -V or debsums), new cron jobs or user accounts, unusual outbound connections, files with recent mtime in /tmp or /dev/shm, unfamiliar SSH authorized_keys entries.

Remember: "mTLS = mutual TLS." Both client and server present certificates. Used in service mesh (Istio, Linkerd) for zero-trust service-to-service auth.

88. How do you check for unauthorized cron jobs?

Show answer List all user crontabs: for u in $(cut -f1 -d: /etc/passwd); do crontab -l -u $u 2>/dev/null; done. Also check /etc/cron.d/, /etc/cron.daily/, and systemd timers (systemctl list-timers). Compare against a known-good baseline.

89. What is the difference between containment and eradication?

Show answer Containment stops the spread — isolate the host (network ACL, disable account, firewall rule) but keep evidence intact. Eradication removes the threat — delete malware, patch vulnerability, rotate credentials. Contain first, then eradicate.

90. How do you contain a compromised Linux host without destroying evidence?

Show answer 1) Isolate network (iptables DROP all or unplug).
2) Do NOT reboot — volatile memory holds evidence.
3) Disable compromised accounts.
4) Snapshot disk/memory if in cloud.
5) Block known malicious IPs at the firewall. Preserve before you clean.

91. What is the order of volatility in digital forensics?

Show answer Most volatile first:
1) CPU registers/cache.
2) RAM.
3) Network connections and routing tables.
4) Running processes.
5) Disk (filesystem).
6) Remote logs/backups. Collect evidence from most volatile to least to preserve maximum data.

92. How do you validate a restore after a security incident?

Show answer 1) Restore to an isolated environment.
2) Verify data integrity (checksums, record counts).
3) Scan restored data for malware/backdoors.
4) Check that the backup predates the compromise.
5) Confirm application functionality before promoting to production.

93. What are common incident responder mistakes?

Show answer 1) Rebooting the system (destroys volatile evidence).
2) Running commands on the compromised host that alter state.
3) Not preserving chain of custody.
4) Alerting the attacker.
5) Skipping containment and jumping to eradication.
6) Failing to rotate all affected credentials.

94. What are common Linux privilege escalation indicators?

Show answer 1) SUID binaries in unusual locations (find / -perm -4000).
2) World-writable files in PATH.
3) Weak sudo rules (sudo -l).
4) Kernel exploit artifacts in /tmp.
5) Modified /etc/passwd or /etc/shadow.
6) Unexpected setcap capabilities on binaries.

95. What patterns indicate credential exposure?

Show answer 1) Secrets in environment variables visible via /proc/*/environ.
2) Credentials in shell history files.
3) Hardcoded passwords in scripts or config files.
4) API keys in git commits.
5) Tokens in URL query strings in access logs.
6) Plaintext passwords in log output.

96. After credential exposure, what is the full remediation checklist?

Show answer 1) Revoke/rotate the exposed credential immediately.
2) Identify scope of access the credential granted.
3) Audit logs for unauthorized use of the credential.
4) Check for lateral movement.
5) Update all systems using the credential.
6) Add detection for the old credential in logs.

97. How do you audit for overly permissive IAM or file permissions?

Show answer Files: find / -perm -o+w -type f to find world-writable files. IAM (AWS): use Access Analyzer or review policies for Action: * or Resource: *. Locally: audit sudoers, check group memberships, review /etc/passwd for shell access. Automate with periodic scans.

Remember: "Security is everyone's job, not just the security team." DevSecOps = security shifted left into the dev pipeline.

98. What is SLSA and what do its levels guarantee?

Show answer SLSA (Supply-chain Levels for Software Artifacts) is a graduated security framework with Levels 1-3. Higher levels provide stronger guarantees: Level 1 requires build provenance documentation, Level 2 requires a hosted build service, Level 3 requires a hardened build platform with non-falsifiable provenance. Each level increases confidence that an artifact was built from claimed source by a trustworthy system.

99. How does cosign sign container images in keyless mode?

Show answer In keyless mode, cosign uses OIDC identity (e.g., GitHub Actions' OIDC token) instead of a static key pair. The CI system proves its identity to Sigstore's Fulcio CA, receives a short-lived signing certificate, signs the image by digest, and records the signature in the Rekor transparency log. Consumers verify using the OIDC issuer and identity constraints.

100. What is Rekor and what role does it play in Sigstore?

Show answer Rekor is Sigstore's immutable transparency log that records all signing events. When an artifact is signed with cosign, the signature and metadata are logged in Rekor, creating a tamper-evident audit trail. Anyone can search Rekor to verify when and by whom an artifact was signed, providing non-repudiation even for keyless signatures.

101. How does Kyverno enforce container image signature verification in Kubernetes?

Show answer Kyverno is a Kubernetes admission controller that evaluates policies before pods are created. A ClusterPolicy with verifyImages rules checks that images matching specified patterns (e.g., "ghcr.io/org/*") have valid cosign signatures from authorized identities. If an unsigned or improperly signed image is deployed, the admission webhook denies the pod creation.

102. How do you generate and attach an SBOM to a container image?

Show answer Generate an SBOM with syft: "syft ghcr.io/org/myapp:v1.2.3 -o spdx-json > sbom.spdx.json" (or -o cyclonedx-json for CycloneDX). Attach it as an OCI artifact with "cosign attach sbom --sbom sbom.spdx.json ghcr.io/org/myapp:v1.2.3". Consumers can then verify the SBOM attestation with "cosign verify-attestation --type spdxjson".

103. What does it mean for Vault to be sealed vs unsealed, and how does unsealing work?

Show answer When Vault starts, it is sealed -- it knows where encrypted data is stored but cannot decrypt it. Unsealing requires providing a threshold of key shares (Shamir's Secret Sharing, e.g., 3 of 5 shares). Once enough shares are provided, Vault reconstructs the master key, decrypts the encryption key, and becomes operational. Auto-unseal via cloud KMS is the production alternative.

104. What is AppRole auth and how do applications authenticate to Vault?

Show answer AppRole is Vault's machine-oriented auth method. An application authenticates using a role_id (like a username, relatively static) and a secret_id (like a password, often single-use and short-lived). The secret_id is typically delivered via a trusted broker or CI system. On successful auth, Vault returns a token with policies attached.

105. What is the difference between KV v1 and KV v2 secrets engines?

Show answer KV v1 is a simple key-value store with no versioning -- writes overwrite the previous value permanently. KV v2 adds versioning: every write creates a new version, and you can read, compare, or rollback to any previous version. KV v2 also supports check-and-set (CAS) to prevent accidental overwrites and metadata like creation time and deletion time.

106. What is a Vault lease and what happens when a lease expires?

Show answer Every dynamic secret and auth token has a lease with a TTL (time-to-live). Applications must renew the lease before expiry by calling the renew endpoint. If the lease expires without renewal, Vault automatically revokes the associated credential (e.g., drops the database user). Applications should handle renewal proactively to avoid sudden credential invalidation.

107. How does Vault audit logging work and why is it critical?

Show answer Vault can log every API request and response to one or more audit devices (file, syslog, socket). Every secret read, write, auth event, and policy change is recorded with the accessor identity, timestamp, and request path. At least one audit device must be enabled -- Vault blocks all operations if it cannot write to any configured audit backend.

108. Why are IAM roles preferred over long-lived access keys for service authentication?

Show answer Roles provide temporary credentials that expire automatically, reducing the blast radius if credentials are compromised. Access keys are long-lived, can be leaked, and must be manually rotated. Roles are assumed on-demand and never stored on disk.

Remember: "CSRF = Cross-Site Request Forgery." Tricks a logged-in user's browser into making unwanted requests. Prevention: CSRF tokens and SameSite cookies.

109. What does "defense in depth" mean in practice for an operations engineer?

Show answer Multiple layers of security so that if one control fails, the next catches it: cloud security groups + host-level firewall + application authentication + encryption in transit. Never rely on a single layer. Each layer reduces the impact of a breach in another layer.

110. In an AWS IAM policy, what do the Effect, Action, and Resource fields specify?

Show answer Effect is Allow or Deny. Action specifies which API operations are permitted (e.g., s3:GetObject, s3:ListBucket). Resource specifies which AWS resources the policy applies to (e.g., a specific S3 bucket ARN). Together they form a precise permission boundary.

111. What is the security principle behind a default-deny firewall rule, and how is it implemented in iptables?

Show answer Default-deny means all traffic is blocked unless explicitly allowed by a preceding rule. In iptables: add specific ACCEPT rules first (e.g., SSH from internal network, HTTPS from anywhere, established connections), then end with "iptables -A INPUT -j DROP" to deny everything else.

112. What is the Principle of Least Privilege, and what is a common violation?

Show answer Grant only the minimum permissions needed for the task, for the shortest duration. A common violation is IAM policies with Action: * and Resource: * or Kubernetes ClusterRoleBindings granting cluster-admin to developer groups.

Remember: "JWT = JSON Web Token." Three parts: header.payload.signature (base64 encoded, dot-separated).

Gotcha: JWTs are signed, not encrypted — anyone can read the payload. Never store secrets in JWTs.

113. Why are unpatched systems the number one entry point for attackers?

Show answer Known CVEs have public exploits within days of disclosure. Unpatched systems present known vulnerabilities with tested attack paths. A patching SLA (critical within 48h, high within 1 week) is essential.

114. What is wrong with running containers as root, and how do you fix it?

Show answer Root inside a container maps to root on the host in many configurations, enabling container escape. Fix by adding a USER directive in the Dockerfile to run as a non-root user (e.g., USER appuser).

115. What is the security risk of a security group rule allowing inbound traffic from 0.0.0.0/0 on all ports?

Show answer It exposes every port on the instance to the entire internet, allowing any attacker to probe and exploit any running service. Rules should restrict to specific ports and source CIDR blocks.

116. What is a software supply chain attack, and how do you defend against it?

Show answer An attacker compromises a dependency (library, container base image, CI plugin) to inject malicious code into your build. Defend with: dependency scanning (Dependabot, Snyk, Trivy), pinning versions with checksums, reviewing dependency updates, using signed images, and auditing CI pipeline plugins.

117. Why are environment variables a poor choice for storing secrets in production?

Show answer Environment variables are visible via /proc/<pid>/environ, docker inspect, ps eww, and crash dumps. They leak into child processes, logging, and debug output. Use a secrets manager (Vault, AWS Secrets Manager, SOPS) that injects secrets at runtime via mounted files or direct API calls with short-lived tokens.

118. What are CIS Benchmarks, and how do you use them to harden systems?

Show answer CIS Benchmarks are prescriptive security configuration guides for OSes, cloud providers, databases, and containers. Use automated scanners (CIS-CAT, Lunar, kube-bench for Kubernetes) to audit systems against the benchmark, then remediate failures. Run scans on every new AMI/image build and periodically in production.

🔴 Hard (27)

1. Why is "root inside container" still dangerous despite container isolation?

Show answer Containers share the kernel with the host - root in container has paths to root on host.

The shared kernel problem:
- Containers are NOT VMs
- Same kernel handles syscalls for container and host
- Kernel vulnerability = container escape
- Root in container can exploit kernel bugs

Specific risks:

1. Capabilities
- Root has capabilities even in container
- CAP_SYS_ADMIN = near-complete control
- Misconfigured: --privileged = actual root

2. 10 quick points about web server hardening.

Show answer Example:

- if machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened
- create a separate partition with the `nodev`, `nosuid`, and `noexec` options set for `/tmp`
- create separate partitions for `/var`, `/var/log`, `/var/log/audit`, and `/home`
- enable randomized virtual memory region placement
- remove legacy services (e.g.

3. What is a false positive and false negative in case of IDS?

Show answer When the device generates an alert for an intrusion that has not actually happened, this is a **false positive**; if the device has not generated any alert and an intrusion has actually happened, this is a **false negative**.

4. How do you debug SELinux denials properly?

Show answer Never blindly generate policies. Understand the denial first.

**Step-by-step**:
```bash
# 1. Find the denial
ausearch -m avc -ts recent

# 2. Understand why
audit2why < /var/log/audit/audit.log

# 3. Check context
ls -Z /path/to/file
ps -eZ | grep process
```

**Common fixes**:
* Wrong file context: `restorecon -Rv /path`
* Need new context: `semanage fcontext -a -t type_t '/path(/.*)?'`
* Need boolean: `setsebool -P httpd_can_network_connect on`

**Only after understanding**, if custom policy needed:
```bash
audit2allow -M mypolicy < /var/log/audit/audit.log
semodule -i mypolicy.pp
```

5. Explain "Advanced persistent threat (APT)"

Show answer APT is a sophisticated, long-term cyber attack by well-resourced adversaries.

Characteristics:
- Advanced: Custom tools, zero-days
- Persistent: Months to years presence
- Threat: Targeted at specific org/data

Typical APT phases:
1. Reconnaissance: Research target
2. Initial compromise: Spear phishing, watering hole
3. Establish foothold: Backdoors, persistence
4. Lateral movement: Spread through network
5. Data collection: Find valuable data
6. Exfiltration: Steal data covertly
7. Maintain presence: Stay hidden

Attackers:
- Nation-states (APT28, APT29, APT41)
- State-sponsored groups
- Well-funded criminal organizations

Defense:
- Defense in depth
- Threat intelligence
- Network monitoring
- Endpoint detection
- User training
- Incident response plan

Remember: "DAST = Dynamic Application Security Testing." It tests running apps by sending malicious requests (black-box testing).

Example: OWASP ZAP is a popular free DAST tool.

6. What is the difference between policies, processes and guidelines?

Show answer A **security policy** defines the security objectives and the security framework of an organisation. A **process** is a detailed, step-by-step how-to document that specifies the exact actions necessary to implement an important security mechanism. **Guidelines** are recommendations that can be customized and used in the creation of procedures.

7. What is CSRF (Cross-Site Request Forgery) and how is it prevented?

Show answer **Cross-Site Request Forgery** is a web application vulnerability in which the server does not check whether the request came from a trusted client. The request is simply processed directly. The answer can then be followed by ways to detect it, examples and countermeasures.

8. Why is disabling SELinux worse than never having it at all?

Show answer Disabling SELinux removes security while hiding the misconfigurations it was catching.

The problem:

1. Loss of audit signal
- SELinux denials = visibility into access attempts
- Disabled = blind to policy violations
- Attackers move freely, no alerts

2. Masked misconfigurations
- SELinux enforcing often means "apps configured wrong"
- Disabling "fixes" symptoms, not causes
- Underlying problems remain, now invisible
- Permissions too broad, attack surface increased

Remember: "Encryption at rest = stored data, in transit = network data." Both are required for compliance (PCI-DSS, HIPAA, SOC2).

9. Why is it important to avoid rebooting a compromised system during investigation?

Show answer RAM contains running processes, network connections, loaded kernel modules, and decrypted data that are lost on reboot. Capture memory (e.g., LiME) and volatile state (ps, netstat, lsof) before any destructive action.

10. How do you detect if a kernel exploit was used for privilege escalation?

Show answer Check dmesg/syslog for kernel oops or segfaults. Look for exploit source code or compiled binaries in /tmp, /dev/shm. Check kernel version against known CVEs. Compare running kernel modules (lsmod) to baseline. Audit unexpected root processes.

11. How do you establish a forensic timeline from Linux logs?

Show answer Merge auth.log, syslog, audit.log, and application logs into a single timeline sorted by timestamp. Correlate user logins with file changes (find -newer), process execution (auditd EXECVE records), and network connections. Tools: log2timeline/plaso, or manual grep + sort.

12. What is an in-toto attestation and how does it differ from a simple signature?

Show answer An in-toto attestation binds a subject (artifact digest) to a structured predicate (build provenance, vuln scan results, SBOM). While a simple signature only proves who signed, an attestation also proves how the artifact was produced, what tests passed, and what components it contains. Policy engines like Kyverno can enforce rules based on attestation predicates.

13. What is a dependency confusion attack and how do you prevent it?

Show answer Dependency confusion exploits package managers that check public registries before private ones. An attacker publishes a higher-versioned package with the same name as an internal package to a public registry (npm, PyPI). The build system then pulls the malicious public version. Prevent it by configuring scoped registries, pinning exact versions, using lockfiles, and setting up registry priority rules.

14. How do you generate SLSA Level 3 provenance in GitHub Actions?

Show answer Use the slsa-framework/slsa-github-generator reusable workflow. In your release workflow, build and push the image, capture its digest, then call the generator workflow with the image and digest as inputs. The workflow requires id-token: write permission for keyless signing. Verify locally with "cosign verify-attestation --type slsaprovenance".

15. How can OPA Gatekeeper be used for image verification as an alternative to Kyverno?

Show answer OPA Gatekeeper uses ConstraintTemplates with Rego policy language to define image verification rules. While Kyverno has built-in verifyImages, Gatekeeper requires custom Rego logic or external data (e.g., calling a verification webhook). Kyverno is simpler for image signing use cases, but Gatekeeper offers more flexible general-purpose policy expression.

16. What is the transit secrets engine and when would you use it?

Show answer The transit engine provides encryption-as-a-service: applications send plaintext to Vault's API and receive ciphertext back (or vice versa) without ever handling encryption keys directly. Use it for application-level encryption (encrypting database fields, files) when you want centralized key management, key rotation, and audit logging without embedding crypto libraries in every app.

17. How do dynamic credentials work in Vault and why are they more secure than static secrets?

Show answer When an application requests dynamic credentials (e.g., a database login), Vault creates a unique, short-lived credential on demand with a TTL lease. Each application instance gets its own credential. When the lease expires, Vault automatically revokes the credential. This eliminates shared passwords, makes credential rotation automatic, and provides per-client attribution in audit logs.

18. What is Vault disaster recovery replication and how does it differ from performance replication?

Show answer DR replication creates a standby cluster in another region that receives a full copy of all data but does not serve requests until promoted. Performance replication creates read replicas that can serve read requests locally but forward writes to the primary. DR replication is for failover; performance replication is for geographic distribution and read scaling.

19. How do Vault policies control access and what is a path-based policy?

Show answer Vault policies are written in HCL and define which paths (secret engines, auth methods, system endpoints) a token can access and with which capabilities (create, read, update, delete, list, sudo). For example: path "secret/data/myapp/*" { capabilities = ["read", "list"] } grants read-only access to all secrets under myapp. Policies are attached to tokens and auth method roles.

20. What additional SSH hardening measures go beyond disabling password auth and root login?

Show answer Restrict access with AllowGroups, limit MaxAuthTries (e.g., 3), set idle timeouts (ClientAliveInterval 300, ClientAliveCountMax 2), disable X11Forwarding and AllowTcpForwarding unless needed, and enforce strong ciphers only (chacha20-poly1305, aes256-gcm) with secure key exchange algorithms (curve25519-sha256).

21. What is the CVE response workflow, and how should severity (CVSS score) drive response time?

Show answer 1. Alert on new CVE.
2. Assess severity: Critical 9.0-10.0 patch immediately, High 7.0-8.9 within days, Medium 4.0-6.9 within weeks, Low 0.1-3.9 normal cycle.
3. Scope: identify affected systems.
4. Mitigate with workaround if no patch.
5. Patch affected packages/images.
6. Verify the fix is applied everywhere.

22. How should vulnerability scanning be integrated into CI/CD, and what tools are commonly used?

Show answer Scan container images with trivy (trivy image --severity HIGH,CRITICAL myapp:v1.2.3), scan IaC with trivy config or checkov, and scan for secrets in git with trufflehog. Integrate these as CI pipeline gates that block deployment on critical/high findings. This shifts security left — catching issues before they reach production.

23. What are the correct remediation steps when a secret is accidentally committed to git?

Show answer 1) Rotate the secret immediately (assume compromised).
2) Rewrite git history with git filter-repo (only after rotation).
3) Force-push the cleaned branch.
4) Invalidate cached copies in CI caches, container images, and artifacts.

24. What are the minimum security events you should monitor and alert on?

Show answer Authentication successes and failures, privilege escalation events, configuration changes on critical systems, network connection anomalies, and file integrity changes on sensitive paths (e.g., /etc/passwd, /etc/shadow).

25. What container security anti-patterns beyond running as root should you avoid?

Show answer Using the :latest tag (no reproducibility), running privileged containers, not scanning images for CVEs, mounting the Docker socket into containers (gives full host control), and storing secrets in environment variables visible via docker inspect.

Remember: "CORS = Cross-Origin Resource Sharing." Browsers block cross-origin requests unless the server explicitly allows them via headers.

26. What is a secret rotation SLA, and what are reasonable targets?

Show answer A secret rotation SLA defines the maximum time a credential can live before mandatory rotation. Reasonable targets: API keys and tokens — 90 days, database passwords — 90 days, service account keys — 180 days, emergency/break-glass credentials — after every use. Automate rotation or enforce via expiry policies.

27. How do you detect credential exfiltration from a compromised host?

Show answer Monitor for: unusual outbound DNS queries (data tunneling), unexpected API calls from the host's identity, access from new IP ranges or geolocations, credential use outside normal hours, and secrets accessed that the service does not normally use. Tools: CloudTrail anomaly detection, SIEM correlation rules, canary tokens (honeypot credentials that alert on use).