Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
Wipro · System Security
Practice System Security questions specifically asked in Wipro interviews – ideal for online test preparation, technical rounds and final HR discussions.
Questions
44
Tagged for this company + subject
Company
Wipro
View company-wise questions
Subject
System Security
Explore topic-wise practice
Go through each question and its explanation. Use this page for targeted revision just before your Wipro System Security round.
NAT was designed for address conservation, but it also obscures internal hosts and blocks unsolicited inbound sessions by default. It is not a security control on its own, but it adds friction for attackers when combined with strong firewall rules.
Example: 10.0.0.0/24 → 198.51.100.10 with stateful rules; inbound ports explicitly DNATed only as needed
For complete preparation, combine this company + subject page with full company-wise practice and subject-wise practice. You can also explore other companies and topics from the links below.
Enforce ownership at every read and write. Do not rely on the client to hide IDs. Check object access with server-side lookups and role rules. Validate both object-level and property-level authorization so users cannot set privileged fields. Log deny decisions for audit. Add tests for IDOR and for mass-assignment paths. This aligns with OWASP API Top 10 guidance and reduces high-impact data leaks.
const obj = await repo.get(id); if (obj.owner !== auth.userId) return 403; const allowed = pick(body, editableFieldsFor(auth));
Volatile data disappears first. Capture the most short-lived items early. That preserves evidence that would be gone by the time you power off or image the drive.
Quick set: mem dump → netstat → process list → selective disk grabs
Envelope encryption uses short-lived data keys to encrypt content and then protects those data keys under a key encryption key managed by KMS. It scales and limits key exposure while keeping decryption under API control.
GenerateDataKey → use plaintext DEK to encrypt → store ciphertext DEK alongside data → decrypt via KMS when needed
SSDF describes core practices such as preparing the organization, protecting code and tools, producing well-secured software, and responding to vulnerabilities. It is outcome-based and fits into any life cycle model. You map your processes to these outcomes to raise assurance. This framing is common in interviews because it shows you can align engineering with policy. (Source: NIST SP 800-218 overview.)
Examples: policy for code signing; hardened CI; documented build provenance; vuln response playbook
SSDF emphasizes protecting tools and artifacts and proving that secure practices happened. Hardened CI, short-lived credentials, and evidence like signed attestations all support the framework’s outcomes. (Sources: NIST SP 800-218 summary pages.)
CI: ephemeral runner; O I D C to cloud; write-only to release repo; artifact signing enabled
Hashcat is an advanced, multi-platform password recovery tool that uses CPU and GPU acceleration and multiple attack modes to test or recover passwords at scale.
hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule
Full-disk encryption safeguards stored data by requiring a key or passphrase before the drive contents are readable. BitLocker integrates with Windows; LUKS is the common standard on Linux. Proper key backup and recovery procedures are critical in enterprise rollouts.
Windows: manage-bde -on C: Linux: cryptsetup luksFormat /dev/sdx
Ransomware locks data by encrypting it and pressures the victim to pay for decryption. The core impact is loss of availability and potential data loss. Good backups, segmentation, and fast detection reduce damage.
Common note file: README.txt with payment instructions
ZAP, the Zed Attack Proxy, is a widely used open-source web security scanner and proxy with automation options and a community add-on marketplace.
zap-cli quick-scan --self-contained --spider --scanners all https://target.local
The CIA triad is the foundational model in system security. Confidentiality means data is accessible only to authorised users. Integrity means data remains accurate and unaltered. Availability means authorised users can access data and systems when needed. Knowing this shows you understand basic security goals.
SQL injection is a major web-system vulnerability, where unsanitised user inputs allow attackers to execute arbitrary SQL commands on the database. Recognising this shows you understand application layer threats.
The Bell-LaPadula model is a formal state-machine model designed for enforcing confidentiality policies in military/government systems, using security classifications such as Top Secret and Secret. Knowing formal models shows strong system security theory knowledge.
The principle of least privilege is fundamental to system security: it reduces attack surface and limits damage if credentials are compromised. Interviewers often test this control.
CIS Benchmarks are consensus-built hardening guides that tell you exactly how to configure operating systems, databases, and platforms to reduce attack surface. Teams use them to baseline new builds and to assess drift over time. Source: Center for Internet Security overview and vendor explanations of CIS Benchmarks and hardened images.
Example items: disable unused services; enforce password policy; configure logging; restrict insecure protocols
Disabling direct root login reduces brute-force risk and audit ambiguity. Key-based authentication is stronger than passwords and enables MFA add-ons. Combine with allowlists, modern ciphers, and fail2ban or equivalent.
In /etc/ssh/sshd_config: PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes
Host firewalls restrict inbound and outbound flows per machine, containing blast radius if an attacker lands on an endpoint. They complement, not replace, network firewalls and segmentation.
Linux (ufw): ufw default deny incoming; ufw allow 22/tcp Windows: New-NetFirewallRule -DisplayName "Allow SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow
Pick native tooling (BitLocker on Windows, LUKS on Linux) and integrate with key escrow so recovery keys are backed up securely. Pilot on a small group, validate performance and recovery flows, then phase to wider groups. Enforce pre-boot authentication where risk warrants and verify that recovery keys are retrievable before enabling at scale. Document support steps, train service desk, and test lost-device and rebuild scenarios. This balances confidentiality with operational safety and prevents lock-out incidents.
Windows: enable BitLocker with escrow to Azure AD/MBAM Linux: cryptsetup luksFormat + enroll keys; store recovery in vault
BOLA occurs when endpoints expose object identifiers without enforcing ownership checks, allowing unauthorized reads or edits. It remains the top API risk.
GET /api/users/1234 // must verify auth.userId == 1234 before returning
Good response work starts before day one. Preparation builds playbooks, access, tools, and comms. Then you detect and analyze what really happened. Containment limits blast radius while you plan. Eradication removes root cause, not just symptoms. Recovery brings systems back safely with extra monitoring. Finally, lessons learned feeds fixes into people, process, and tech so the same issue does not return.
Start with Security logs for logon events and privilege use. Look at successful and failed logons, logon type, source IP, and correlated account changes. Pull PowerShell logs and, if enabled, script block logging to see exact commands, not just start events. Review Sysmon or equivalent for process creation with full command line, parent-child relationships, and network connections. This mix quickly answers who did what, from where, and how, which is the fastest route to confidence.
Windows Event IDs to watch: 4624/4625 logon, 4672 special privileges, 4688 process creation (if enabled), 4720/4728 account changes
A J W S (signed token) lets receivers verify that claims were not altered. A J W E (encrypted token) protects claim contents in transit. Many breaches stem from poor token handling rather than the format itself, so follow best practices for storage and lifetime.
Header: { alg: RS256, typ: JWT }
Payload: { sub: "123", scope: "read" }
Signature: RSASSA-PKCS1-v1_5 over header.payloadUpdated guidance favors usability and breach resistance: longer passphrases, no composition gymnastics, checks against compromised lists, and only reset on evidence of compromise. This reduces reuse and help-desk burden while improving security.
Example: minLength 12; allow spaces; check against breached list; lockout after risk-based threshold
PAM lets each service define a stack of modules for auth, account, password, and session management. You can add multi-factor, set login bans, or force password policies per service without modifying the daemon itself. It is a core building block for access control on Unix-like systems.
/etc/pam.d/sshd includes pam_unix.so, pam_faildelay.so, pam_google_authenticator.so (example)
ACLs act like simple, fast filters on routers, firewalls, or cloud subnets. They enforce least-privilege by permitting only the traffic patterns your system actually needs. Clear rules reduce attack surface and limit lateral movement if a host is compromised.
Example idea: allow tcp 10.0.1.10:443 from 10.0.2.0/24; deny all else
With 802.1X, a switch port or AP checks the device identity before allowing full network access. This keeps rogue devices from plugging in and roaming freely. Combined with VLAN assignment, it enforces least-privilege at the first hop.
High level: supplicant → authenticator (switch/AP) → RADIUS server; on success, port unblocks and VLAN applies
ARP spoofing lets an attacker redirect traffic on a LAN. Switch features like DHCP snooping build a binding table, and Dynamic ARP Inspection checks ARP replies against that table. Together they stop forged ARP messages on untrusted access ports.
Switch idea: ip dhcp snooping; ip arp inspection vlan 10; trust uplink ports; untrust access ports
Security misconfiguration includes unsafe defaults, extra features, verbose errors, open cloud storage, and missing patches. It is common and easy to fix with hardened baselines and automation.
spring.profiles.active=prod server.error.include-stacktrace=never
CORS does not block raw HTTP requests. It governs whether browser-run code can read the response. Configure explicit allowlists and avoid reflecting wildcard with credentials. This prevents unintended data exposure to other sites.
Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Credentials: true
Static analysis includes strings, headers, and control-flow. Dynamic analysis executes the sample to see live process, file, and network actions. Mature investigations mix both to cross-check findings.
strings sample.bin | findstr http
Packers compress or wrap code to hide strings and structure. Unpacking at runtime reveals the real payload. Analysts rely on behavior, emulation, and memory dumps to see through the layer.
Symptom: high entropy sections; suspicious unpacking loops
The cloud provider is responsible for security of the cloud, like data center, hardware, and the virtualization layer. Customers are responsible for security in the cloud, like configuration, identity, data, and workloads. Understanding this split prevents dangerous assumptions and audit gaps.
Rule of thumb: provider = infra layer; you = identity, config, data, app
API3:2023 merges earlier categories to stress that servers must check authorization not only at the object level but also for each writable field. Blind model binding without allowlists causes painful leaks and privilege flips.
allowedFields = ['name','email']; user.update(pick(req.body, allowedFields))
Enforce Pod Security Standards at restricted where possible, baseline elsewhere, using Pod Security Admission. Lock down network with namespace-scoped Network Policies so only required flows are allowed. Use minimal images, read-only root filesystems, and run as non-root. Rotate secrets and prefer external secret managers. Restrict node metadata access and audit RBAC for least privilege. Capture and ship audit logs. These steps reduce breakout, lateral movement, and credential theft in real clusters.
Namespace labels: pod-security.kubernetes.io/enforce=restricted; create default-deny netpol; allow only app→db ports
Both SPDX and CycloneDX are widely used and overlapping. CycloneDX is popular in AppSec and component analysis; SPDX is strong for compliance metadata. Many teams support both and even convert between them. (Sources: Sonatype and other comparisons.)
Tools: syft, cyclonedx-cli, spdx-sbom-generator; convert between formats as needed
Snort is a free, open-source IDS and IPS that performs real-time traffic analysis and packet logging using a powerful rule language.
alert tcp any any -> 10.0.0.5 22 (msg:"SSH scan"; flags:S; sid:1000001; rev:1;)
Ask for an S B O M and vulnerability status. Review their build and signing process, including provenance and who can push releases. Check policy for reporting and fixing vulnerabilities. Map their controls to SSDF or SCVS so you have a common language. Finally, test updates in a sandbox and monitor behavior. This shows you can turn policy into real checks.
Checklist: SBOM → signing & provenance → vuln SLA → access control → incident comms → pilot test
Nmap, the Network Mapper, is best known for fast and flexible port scanning, service and version detection, host discovery, and OS fingerprinting. It helps you map an attack surface before deeper testing.
nmap -sV -O -Pn 10.10.10.10
Sysmon is a Sysinternals service and driver that persists across reboots and writes rich security-relevant events to the Windows Event Log, such as process creation and network connections.
sysmon.exe -i sysmonconfig.xml // then ship Microsoft-Windows-Sysmon/Operational
Burp Suite shines for deep manual testing using intercept, repeater, intruder, and its ecosystem, while also offering automated scans. ZAP is a strong free option for proxying, spidering, and automation pipelines with community add-ons. For quick CI checks or budget-constrained teams, ZAP automation is great. For advanced manual exploitation and commercial reporting, Burp Pro is often preferred. Many assessors keep both.
ZAP automation: zap-baseline.py -t https://app.local Burp: Proxy on, send to Repeater, craft request
A vulnerability scan uses automated tools to identify known weaknesses like missing patches or mis-configurations. A penetration test goes further by simulating an attacker exploiting those weaknesses to determine real risk and exploitability. This knowledge is key in system security interviews.
The goal is to stop spread without causing extra damage. Network-isolating infected endpoints and disabling the account’s scheduled or interactive access reduces impact while keeping data available for forensics. Blind mass deletion or global changes can destroy evidence or break operations.
Containment stops the bleeding. Recovery brings the system back. Eradication is about taking away the attacker’s foothold and closing the hole they used, so they cannot walk right back in after you un-isolate the system.
Use adaptive lockouts that trigger on suspicious patterns instead of a fixed small number. Combine rate limiting, progressive delays, and device or network reputation. Require step-up multi-factor for resets, and log every reset with alerting on unusual patterns. Provide secure self-service recovery with verified channels. Keep user experience in mind so you do not create a denial of service for real users. Align thresholds to your authenticator assurance level and monitor outcomes to tune the policy.
Example: 5 failures → 15-minute cool-down; repeated across IPs triggers CAPTCHA and step-up MFA; audited reset flow