Application Security Analysis
Why is API analysis essential in modern web application security assessments? [5]
Explain how poorly secured APIs can lead to potential security breaches. [5]
Explain the different types of reconnaissance (active vs. passive) and provide examples of tools or techniques used for each type. [10]
Explain the risks associated with injection attacks, such as SQL injection and NoSQL injection. [10]
Module 2
What role does code review play in ensuring the security of a web application? [5]
Prescribe the methods used to prevent CSRF attacks. [10]
What are some common techniques and tools used for discovering security vulnerabilities in web applications? [10]
Discuss how tools like static code analysis and dynamic testing contribute to modern web security. [5]
Describe the difference between manual and automated code review tools. What are the advantages and limitations of each in finding security issues? [10]
Module 3
Explain the importance of encryption in maintaining the confidentiality and integrity of data in web applications. [5]
Why is it important for web applications to use HTTPS encryption consistently? [10] *D24
Discuss the importance of secure coding practices in the coding phase of the SDLC. [5]
Explain how cookies can be used securely for session management in web applications. What are the risks of improper session handling? [10]
Module 4
Explain the differences between design flaws and security bugs in the context of web application security. [10]
Explain the importance of segregating production data from non-production environments in web application development. [10]
Discuss the challenges organizations face when implementing SSDLC practices and integrating security into the software development process. [10]
Module 5
Discuss the benefits of dynamic profiling techniques such as penetration testing, vulnerability scanning, and runtime analysis. [10]
Discuss the role of automated testing tools and manual testing techniques in verifying the behavior of web applications. [10]
Discuss how network segmentation, firewall configuration, and monitoring tools play a role in infrastructure security testing. [10]
Discuss the role of open-source tools like OWASP ZAP and SonarQube in web application security testing. [10]
Module 6
Discuss how threat modeling can be integrated into a DevSecOps pipeline. [10]
What are the primary objectives of threat modeling in the context of web application security? [5]