These are not evil questions... I wish you don't want to sacrifice security... if you are hiring a security professional :-)
Here are my quick five questions on general application security:
1. Identify the fundamental security principles (at least 5) to fortify an application from potential risks and vulnerabilities.
2. How do you identify and mitigate application security risks? How do you make trade-offs?
3. What is a security pattern? Why does it have to be considered in application development?
4. Discuss the differences between Black-box and White-box security testing.
5. How do you perform a proactive security assessment and a reality check before deploying the application?
---
If you would like to know the answers... I would suggest reading the free sample chapter made available on the book website.
---
Here are my quick five interview questions on J2EE application security:
1. How do you guarantee the integrity and privacy of data and communication against a Man-in-the-Middle attack? What are the J2EE security options?
2. How do you implement a secure logging process which ensures confidentiality and tamper-proofing?
3. What are the security strategies available to protect access to a Java object passed between J2EE tiers?
4. In J2EE Web services, how do you restrict all direct access to a SOAP endpoint and its WSDL?
5. How do you incorporate a multi-factor authentication process (Password + Smartcard + Biometrics) in J2EE applications?
[ January 10, 2006: Message edited by: Ramesh Nagappan ]