What is the OWASP Top 10, and name a few categories? [Advanced]
Answer
The OWASP Top 10 is a widely used awareness list of critical web application security risks. Categories include broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable/outdated components, identification and authentication failures, software/data integrity failures, logging/monitoring failures, and SSRF.
Technical explanation
It is not a compliance checklist by itself, but it is useful for developer education and secure design reviews.
Many categories map directly to controls in CI/CD, code review, testing, and runtime monitoring.
The most effective use is to convert categories into concrete engineering standards and test cases.
Hands-on example
Hands-on: create secure coding checklists from OWASP categories. For injection, require parameterized queries. For broken access control, require authorization tests. For vulnerable components, require SCA. For logging failures, require security event logging and alerting.
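As an added example that is not part of the original page, this Python script turns two of the checklist items above into executable test cases against a constructed in-memory SQLite table: the string-concatenated query is the form the injection item forbids, the parameterized query is the form it requires, and the ownership check is the kind of authorization test the broken access control item calls for. Table name, column names and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "alice", "dock")],
    )
    return conn

# Injection: the 'before' form the checklist rejects. User input is
# spliced into the SQL text, so it can change the statement's meaning.
def orders_for_owner_vulnerable(conn, owner: str) -> list:
    query = f"SELECT id FROM orders WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]

# Injection: the required form. The driver binds the value as data,
# so the input can never alter the statement structure.
def orders_for_owner(conn, owner: str) -> list:
    rows = conn.execute("SELECT id FROM orders WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

# Broken access control: every object fetch re-checks ownership against
# the caller, rather than trusting that the id came from the caller's UI.
def get_order(conn, caller: str, order_id: int):
    row = conn.execute(
        "SELECT id, owner, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None or row[1] != caller:
        return None  # same response for "missing" and "not yours"
    return {"id": row[0], "owner": row[1], "item": row[2]}

# Checklist-derived test cases: each returns True when the control holds.
def checklist_results(conn) -> dict:
    probe = "x' OR '1'='1"  # classic tautology input used as a negative test
    return {
        "injection_parameterized_rejects_probe": orders_for_owner(conn, probe) == [],
        "injection_concat_leaks_on_probe": len(orders_for_owner_vulnerable(conn, probe)) == 3,
        "authz_blocks_other_users_order": get_order(conn, "bob", 1) is None,
        "authz_allows_own_order": get_order(conn, "alice", 1) is not None,
    }

if __name__ == "__main__":
    for name, ok in checklist_results(make_db()).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

In a pipeline the same functions become unit tests that fail the build when a new query is written by concatenation or an endpoint skips the ownership check.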