├── .gitignore ├── Cloud_Security_Engineer_Scenario_Questions.md ├── README.md ├── Security_Architect_Scenario_Questions.md ├── Senior AI Pentester_Interview.md ├── ai-security-interview-questions.md ├── api-security-interview-questions.md ├── application-security-interview-questions.md ├── aws-security-interview-questions.md ├── common-security-interview-questions.md ├── container-security-interview-questions.md ├── cybersecurity-interview-questions.png ├── devsecops-interview-questions.md ├── gcp-security-interview-questions.md ├── grc-interview-questions.md ├── network-security-interview-questions.md ├── soc-interview-questions.md └── web-security-interview-questions.md /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .idea/* 3 | -------------------------------------------------------------------------------- /Cloud_Security_Engineer_Scenario_Questions.md: -------------------------------------------------------------------------------- 1 | 2 | # Cloud Security Engineer Scenario Based Interview Questions 3 | 4 | ## Scenario 1: Securing AWS Deployment 5 | 6 | **Question**: Your team is deploying a new application on AWS. What steps would you take to secure this deployment? 7 | 8 | ### Answer: 9 | 10 | - **IAM Configuration**: Configure IAM roles and policies to enforce least privilege. 11 | - Tools: AWS IAM, AWS Organizations. 12 | - Practices: Define granular permissions, use service-linked roles, bound what each account can do with Organizations service control policies (SCPs). 13 | 14 | - **Network Security**: Set up VPCs with security groups and network ACLs. 15 | - Tools: AWS VPC, Security Groups, NACLs. 16 | - Practices: Place workloads in private subnets, restrict security group rules to the ports and sources actually required, enable VPC Flow Logs. 17 | 18 | - **DDoS Protection**: Use AWS Shield and WAF for DDoS protection. 19 | - Tools: AWS Shield, AWS WAF. 20 | - Practices: Configure WAF rules to filter malicious traffic. 21 | 22 | - **Monitoring and Logging**: Enable CloudTrail and CloudWatch for monitoring. 23 | - Tools: AWS CloudTrail, AWS CloudWatch. 
24 | - Practices: Set up alarms and notifications, monitor logs for suspicious activity. 25 | 26 | - **Data Encryption**: Ensure encryption for data at rest and in transit. 27 | - Tools: AWS KMS, S3 encryption, TLS/SSL. 28 | - Practices: Use KMS to manage keys, enable bucket-level encryption. 29 | 30 | ## Scenario 2: Multi-Cloud Security Management 31 | 32 | **Question**: How would you handle the security of multi-cloud environments, considering the different security models of each provider? 33 | 34 | ### Answer: 35 | 36 | - **Unified Security Policy**: Develop a unified security policy for all environments. 37 | - Practices: Define common security controls, standardize policies across clouds. 38 | 39 | - **Centralized IAM**: Use a centralized identity provider for consistent IAM. 40 | - Tools: Okta, Azure AD, Google Cloud IAM. 41 | - Practices: Implement SSO, MFA, and centralized user management. 42 | 43 | - **Network Security**: Implement consistent network security controls. 44 | - Tools: Cloud-native firewalls, SDN solutions. 45 | - Practices: Use network segmentation, apply consistent security group rules. 46 | 47 | - **Continuous Monitoring**: Set up centralized logging and monitoring. 48 | - Tools: SIEM solutions like Splunk, ELK Stack. 49 | - Practices: Aggregate logs, configure cross-cloud monitoring dashboards. 50 | 51 | - **Compliance and Auditing**: Ensure compliance across all cloud environments. 52 | - Tools: Compliance management tools like AWS Config, Azure Policy. 53 | - Practices: Regular audits, compliance checks, automated remediation. 54 | 55 | ## Scenario 3: Implementing Cloud Security Automation 56 | 57 | **Question**: How would you integrate security into CI/CD pipelines for cloud deployments? 58 | 59 | ### Answer: 60 | 61 | - **Static Analysis**: Integrate static code analysis in the CI pipeline. 62 | - Tools: SonarQube, Checkmarx. 63 | - Practices: Automate code scanning, enforce code quality gates. 
64 | 65 | - **Dynamic Analysis**: Perform dynamic application security testing (DAST). 66 | - Tools: OWASP ZAP, Burp Suite. 67 | - Practices: Automate DAST scans, integrate with CI/CD pipeline. 68 | 69 | - **Infrastructure as Code (IaC) Security**: Scan IaC templates for misconfigurations before they are applied. 70 | - Tools: Checkov, tfsec, cfn-nag (scanners for Terraform and AWS CloudFormation templates). 71 | - Practices: Automate IaC security checks, enforce security policies in IaC. 72 | 73 | - **Container Security**: Implement container security scanning. 74 | - Tools: Trivy, Docker Bench, Aqua Security. 75 | - Practices: Automate image scans, block deployment of images with unresolved critical findings, build from minimal base images. 76 | 77 | - **Continuous Compliance**: Ensure continuous compliance checks. 78 | - Tools: AWS Config, Azure Policy. 79 | - Practices: Automate compliance scans, integrate compliance checks in CI/CD. 80 | 81 | ## Scenario 4: Responding to Cloud Security Incidents 82 | 83 | **Question**: How would you respond to a security incident in a cloud environment? 84 | 85 | ### Answer: 86 | 87 | - **Detection and Analysis**: Detect and analyze the incident. 88 | - Tools: Cloud-native monitoring tools like CloudWatch, Azure Monitor. 89 | - Practices: Set up alerts, analyze logs, and identify the root cause. 90 | 91 | - **Containment and Mitigation**: Contain the incident to prevent further damage. 92 | - Practices: Isolate affected resources, apply temporary controls, disable compromised accounts. 93 | 94 | - **Eradication and Recovery**: Eradicate the root cause and recover affected systems. 95 | - Practices: Apply patches, clean affected systems, restore data from backups. 96 | 97 | - **Post-Incident Review**: Conduct a post-incident review to improve processes. 98 | - Practices: Document the incident, identify lessons learned, update incident response plan. 99 | 100 | - **Communication**: Communicate with stakeholders throughout the incident. 101 | - Practices: Provide regular updates, coordinate with legal and compliance teams, inform affected users. 
102 | 103 | ## Scenario 5: Securing Cloud-Based APIs 104 | 105 | **Question**: How would you secure APIs deployed in a cloud environment? 106 | 107 | ### Answer: 108 | 109 | - **Authentication and Authorization**: Implement strong authentication and authorization. 110 | - Tools: OAuth 2.0, OpenID Connect, API Gateway. 111 | - Practices: Enforce MFA, use access tokens, apply RBAC. 112 | 113 | - **Rate Limiting and Throttling**: Implement rate limiting to prevent abuse. 114 | - Tools: API Gateway features. 115 | - Practices: Define rate limits, implement throttling policies. 116 | 117 | - **Input Validation and Sanitization**: Validate and sanitize all inputs. 118 | - Practices: Apply input validation rules, sanitize user inputs to prevent injection attacks. 119 | 120 | - **Logging and Monitoring**: Enable logging and monitoring for APIs. 121 | - Tools: API Gateway logs, CloudWatch, Azure Monitor. 122 | - Practices: Monitor API usage, set up alerts for suspicious activities. 123 | 124 | - **Encryption**: Ensure data encryption for APIs. 125 | - Practices: Use TLS for data in transit, encrypt sensitive data at rest. 126 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cybersecurity Interview Questions Collections 2 | **Security interview questions for different security skills with possible explanations.** 3 | 4 | ![Cybersecurity Interview Questions](cybersecurity-interview-questions.png "Cybersecurity Interview Questions") 5 | 6 | This GitHub repo is for security professionals who want to prepare for various security roles with different skill sets, such as AppSec, DevSecOps, cloud security, etc. 7 | 8 | _Feel free to contribute to different security interview pages based on your interview experience._ 9 | I am adding interview questions based on my experience and different network conversations on the same topic(s). 
10 | 11 | ## ToC 12 | 1. [Common Security Interview Questions](common-security-interview-questions.md) 13 | 2. [Web Security / Penetration Testing Interview Questions](web-security-interview-questions.md) 14 | 3. [Application Security Interview Questions](application-security-interview-questions.md) 15 | 4. [API Security Interview Questions](api-security-interview-questions.md) 16 | 5. [Network Security Interview Questions](network-security-interview-questions.md) 17 | 6. [AWS Security Interview Questions](aws-security-interview-questions.md) 18 | 7. [GCP Security Interview Questions](gcp-security-interview-questions.md) 19 | 8. [DevSecOps Interview Questions](devsecops-interview-questions.md) 20 | 9. [Container Security Interview Questions](container-security-interview-questions.md) 21 | 10. [SOC Interview Questions](soc-interview-questions.md) 22 | 11. [GRC Interview Questions](grc-interview-questions.md) 23 | -------------------------------------------------------------------------------- /Security_Architect_Scenario_Questions.md: -------------------------------------------------------------------------------- 1 | 2 | # Security Architect Scenario Based Interview Questions 3 | 4 | ## Scenario 1: Hybrid Cloud Migration 5 | 6 | **Question**: Your company is migrating critical services to a hybrid cloud environment. How would you ensure data security and compliance during this migration? 7 | 8 | ### Answer: 9 | 10 | - **Risk Assessment**: Start with a comprehensive risk assessment to identify potential vulnerabilities in the current and new environments. 11 | - Frameworks: NIST Cybersecurity Framework, CIS Controls. 12 | - Output: Document potential risks and corresponding mitigations. 13 | 14 | - **Data Encryption**: Implement encryption for data at rest and in transit. 15 | - Tools: Key management services such as AWS KMS, Azure Key Vault, or Google Cloud KMS. 16 | - Techniques: Apply AES-256 for data at rest and TLS 1.2/1.3 for data in transit. 
17 | 18 | - **Compliance**: Ensure adherence to relevant regulations (e.g., GDPR, HIPAA). 19 | - Steps: Regular audits, data classification, and applying specific security controls. 20 | - Documentation: Maintain an updated compliance matrix. 21 | 22 | - **IAM Policies**: Establish robust Identity and Access Management policies. 23 | - Tools: AWS IAM, Azure AD, Google IAM. 24 | - Practices: Implement MFA, RBAC, and least privilege access. 25 | 26 | - **Monitoring and Logging**: Implement continuous monitoring and logging. 27 | - Tools: AWS CloudTrail, Azure Monitor, Google Cloud Operations Suite. 28 | - Setup: Configure alerts for unusual activities and regularly review logs. 29 | 30 | ## Scenario 2: Vulnerability Response 31 | 32 | **Question**: A new vulnerability has been discovered in a critical application used by your organization. As a Security Architect, how would you handle this situation? 33 | 34 | ### Answer: 35 | 36 | - **Assessment and Prioritization**: Assess the severity and impact of the vulnerability. 37 | - Tools: CVSS scoring, vulnerability management tools like Qualys or Nessus. 38 | - Output: Determine the urgency based on business impact. 39 | 40 | - **Coordination**: Coordinate with development and operations teams for patching. 41 | - Steps: Schedule patching during maintenance windows to minimize disruption. 42 | - Tools: Patch management tools like WSUS, SCCM. 43 | 44 | - **Mitigation**: Apply temporary mitigations if immediate patching is not possible. 45 | - Techniques: Network segmentation, application firewalls, disabling vulnerable features. 46 | 47 | - **Communication**: Inform stakeholders and provide updates on the remediation process. 48 | - Steps: Regular status meetings, email updates, incident tracking systems. 49 | 50 | - **Post-Incident Review**: Conduct a post-incident review to identify gaps. 51 | - Tools: RCA (Root Cause Analysis) tools. 52 | - Output: Implement lessons learned and update security practices. 
53 | 54 | ## Scenario 3: Designing a Secure Application 55 | 56 | **Question**: You are tasked with designing a new web application with security as a priority. What steps would you take? 57 | 58 | ### Answer: 59 | 60 | - **Security Requirements Gathering**: Identify and document security requirements. 61 | - Techniques: Threat modeling, stakeholder interviews. 62 | - Output: A comprehensive security requirements document. 63 | 64 | - **Secure Development Practices**: Incorporate secure coding practices. 65 | - Techniques: OWASP Secure Coding Practices. 66 | - Tools: Static code analysis tools like SonarQube, Checkmarx. 67 | 68 | - **Authentication and Authorization**: Implement strong authentication and authorization mechanisms. 69 | - Tools: OAuth 2.0, OpenID Connect, JWT for session management. 70 | - Practices: Enforce MFA, use RBAC. 71 | 72 | - **Data Protection**: Ensure data is protected at rest and in transit. 73 | - Techniques: AES-256 encryption, TLS for data in transit. 74 | - Tools: Database encryption features, key management systems. 75 | 76 | - **Regular Security Testing**: Conduct regular security testing throughout the development lifecycle. 77 | - Tools: SAST, DAST tools like OWASP ZAP, Burp Suite. 78 | - Practices: Continuous integration of security testing in CI/CD pipelines. 79 | 80 | ## Scenario 4: Implementing Zero Trust Architecture 81 | 82 | **Question**: Your organization wants to move to a Zero Trust Architecture. How would you approach this transformation? 83 | 84 | ### Answer: 85 | 86 | - **Assessment and Planning**: Conduct a current state assessment and plan the Zero Trust implementation. 87 | - Techniques: Gap analysis, defining clear goals and objectives. 88 | - Output: Zero Trust roadmap. 89 | 90 | - **Identity and Access Management**: Strengthen IAM policies. 91 | - Tools: Identity providers like Okta, Azure AD. 92 | - Practices: Enforce MFA, context-aware access controls. 
93 | 94 | - **Network Segmentation**: Implement micro-segmentation to isolate resources. 95 | - Tools: SDN solutions like VMware NSX, Cisco ACI. 96 | - Practices: Define granular network policies. 97 | 98 | - **Continuous Monitoring**: Establish continuous monitoring and analytics. 99 | - Tools: SIEM solutions like Splunk, ELK Stack. 100 | - Practices: Real-time monitoring, anomaly detection. 101 | 102 | - **Least Privilege**: Apply the principle of least privilege across the organization. 103 | - Tools: PAM solutions like CyberArk, BeyondTrust. 104 | - Practices: Regularly review and adjust access permissions. 105 | 106 | ## Scenario 5: Securing a Remote Workforce 107 | 108 | **Question**: With a significant portion of the workforce now remote, how would you ensure security and compliance? 109 | 110 | ### Answer: 111 | 112 | - **Secure Remote Access**: Implement secure remote access solutions. 113 | - Tools: VPNs, Zero Trust Network Access (ZTNA) solutions like Zscaler, Perimeter 81. 114 | - Practices: Enforce MFA; prefer full-tunnel, or scope split-tunneling deliberately so that traffic to corporate resources is always inspected; grant access per application rather than to the whole network. 115 | 116 | - **Endpoint Security**: Ensure all remote endpoints are secure. 117 | - Tools: EDR solutions like CrowdStrike, Carbon Black. 118 | - Practices: Regularly update and patch systems, use disk encryption. 119 | 120 | - **Data Protection**: Protect sensitive data accessed remotely. 121 | - Tools: DLP solutions, encryption tools. 122 | - Practices: Enforce data classification, restrict data sharing. 123 | 124 | - **User Awareness Training**: Conduct regular security awareness training. 125 | - Topics: Phishing, secure password practices, remote work security tips. 126 | - Tools: Training platforms like KnowBe4, SANS Security Awareness. 127 | 128 | - **Monitoring and Compliance**: Continuously monitor and ensure compliance. 129 | - Tools: SIEM solutions, compliance management tools. 130 | - Practices: Regular audits, real-time monitoring of remote access logs. 
131 | -------------------------------------------------------------------------------- /Senior AI Pentester_Interview.md: -------------------------------------------------------------------------------- 1 | # AI Pentester Scenario-Based Interview Questions 2 | 3 | ## Scenario 1: AI Model Security Assessment 4 | 5 | **Question**: You are tasked with assessing the security of an AI model used for critical decision-making. What steps would you take? 6 | 7 | **Answer**: 8 | 9 | - **Understanding the Model**: 10 | - Start by understanding the AI model’s architecture. 11 | - **Techniques**: Review documentation, understand data inputs and outputs. 12 | - **Tools**: Model interpretability tools like LIME, SHAP. 13 | 14 | - **Adversarial Testing**: 15 | - Perform adversarial testing to identify vulnerabilities. 16 | - **Techniques**: Generate adversarial examples, test model robustness. 17 | - **Tools**: CleverHans, Foolbox. 18 | 19 | - **Data Pipeline Security**: 20 | - Evaluate the data pipeline for vulnerabilities. 21 | - **Practices**: Ensure data sanitization, secure data storage. 22 | - **Tools**: Data validation libraries. 23 | 24 | - **Compliance Review**: 25 | - Ensure the model complies with relevant security standards. 26 | - **Practices**: Review compliance with GDPR, HIPAA, etc. 27 | - **Tools**: Compliance checklists, audit tools. 28 | 29 | - **Reporting**: 30 | - Provide a comprehensive report detailing vulnerabilities and recommendations. 31 | - **Practices**: Document findings, suggest mitigations, and improvements. 32 | 33 | --- 34 | 35 | ## Scenario 2: Model Poisoning Attack 36 | 37 | **Question**: During a pentest, you discover that an AI system is vulnerable to model poisoning attacks. How would you address this issue? 38 | 39 | **Answer**: 40 | 41 | - **Immediate Alert**: 42 | - Alert stakeholders about the vulnerability. 43 | - **Practices**: Immediate communication with relevant teams. 
44 | 45 | - **Data Validation**: 46 | - Implement stricter controls on data input sources. 47 | - **Techniques**: Data validation, anomaly detection. 48 | - **Tools**: Data validation libraries, anomaly detection tools. 49 | 50 | - **Monitoring**: 51 | - Set up continuous monitoring for suspicious activities. 52 | - **Tools**: Monitoring tools, anomaly detection systems. 53 | - **Practices**: Real-time monitoring, alerting for unusual patterns. 54 | 55 | - **Model Retraining**: 56 | - Retrain the model with clean, verified data. 57 | - **Practices**: Use a clean dataset, apply data augmentation techniques. 58 | - **Tools**: Machine learning platforms for retraining. 59 | 60 | - **Post-Mortem Analysis**: 61 | - Conduct a post-mortem analysis to improve security. 62 | - **Practices**: Document the attack, analyze the root cause, implement lessons learned. 63 | 64 | --- 65 | 66 | ## Scenario 3: Privacy in AI Models 67 | 68 | **Question**: How would you ensure that an AI model adheres to privacy regulations like GDPR? 69 | 70 | **Answer**: 71 | 72 | - **Data Minimization**: 73 | - Ensure only necessary data is collected and used. 74 | - **Practices**: Implement data minimization principles. 75 | - **Tools**: Data anonymization and pseudonymization tools. 76 | 77 | - **User Consent**: 78 | - Ensure explicit user consent for data usage. 79 | - **Practices**: Implement consent management, user agreements. 80 | - **Tools**: Consent management platforms. 81 | 82 | - **Data Access Control**: 83 | - Restrict access to sensitive data. 84 | - **Practices**: Use RBAC, least privilege access. 85 | - **Tools**: IAM solutions, data access control tools. 86 | 87 | - **Data Anonymization**: 88 | - Anonymize data to protect user identities. 89 | - **Practices**: Apply anonymization techniques, ensure irreversibility. 90 | - **Tools**: Anonymization libraries and tools. 91 | 92 | - **Compliance Audits**: 93 | - Conduct regular compliance audits. 
94 | - **Practices**: Schedule regular audits, maintain compliance documentation. 95 | - **Tools**: Compliance management tools, audit frameworks. 96 | 97 | --- 98 | 99 | ## Scenario 4: AI Model Bias and Fairness 100 | 101 | **Question**: You are asked to assess an AI model for bias and fairness. What steps would you take? 102 | 103 | **Answer**: 104 | 105 | - **Data Review**: 106 | - Review the training data for bias. 107 | - **Practices**: Analyze data distribution, identify potential biases. 108 | - **Tools**: Data analysis tools like pandas, NumPy. 109 | 110 | - **Model Evaluation**: 111 | - Evaluate the model’s performance across different demographics. 112 | - **Practices**: Perform fairness testing, analyze model outputs. 113 | - **Tools**: Fairness tools like IBM AI Fairness 360, Google’s What-If Tool. 114 | 115 | - **Bias Mitigation**: 116 | - Implement techniques to mitigate bias. 117 | - **Practices**: Use techniques like re-sampling, re-weighting, or adversarial debiasing. 118 | - **Tools**: Bias mitigation libraries and frameworks. 119 | 120 | - **Continuous Monitoring**: 121 | - Continuously monitor the model for bias. 122 | - **Practices**: Set up regular evaluations, monitor for performance drifts. 123 | - **Tools**: Monitoring tools, model evaluation scripts. 124 | 125 | - **Stakeholder Communication**: 126 | - Communicate findings and mitigation strategies to stakeholders. 127 | - **Practices**: Regular reports, stakeholder meetings. 128 | - **Output**: Documentation of bias mitigation strategies and their effectiveness. 129 | 130 | --- 131 | 132 | ## Scenario 5: Securing AI APIs 133 | 134 | **Question**: How would you secure APIs that expose AI model functionalities? 135 | 136 | **Answer**: 137 | 138 | - **Authentication and Authorization**: 139 | - Implement strong authentication and authorization mechanisms. 140 | - **Tools**: OAuth 2.0, OpenID Connect. 141 | - **Practices**: Enforce MFA, use access tokens, and implement RBAC. 
142 | 143 | - **Rate Limiting**: 144 | - Implement rate limiting to prevent abuse. 145 | - **Tools**: API Gateway features. 146 | - **Practices**: Define and enforce rate limits. 147 | 148 | - **Input Validation**: 149 | - Ensure inputs are validated and sanitized. 150 | - **Practices**: Implement input validation rules, sanitize user inputs to prevent injection attacks. 151 | 152 | - **Logging and Monitoring**: 153 | - Enable logging and monitoring for API usage. 154 | - **Tools**: API Gateway logs, CloudWatch, Azure Monitor. 155 | - **Practices**: Monitor API usage, set up alerts for suspicious activities. 156 | 157 | - **Encryption**: 158 | - Ensure data encryption for APIs. 159 | - **Practices**: Use TLS for data in transit, encrypt sensitive data at rest. 160 | -------------------------------------------------------------------------------- /ai-security-interview-questions.md: -------------------------------------------------------------------------------- 1 | # AI Security Interview Questions 2 | -------------------------------------------------------------------------------- /api-security-interview-questions.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/api-security-interview-questions.md -------------------------------------------------------------------------------- /application-security-interview-questions.md: -------------------------------------------------------------------------------- 1 | # Application Security Interview Questions 2 | 3 | ## Setting up the context 4 | You can assess yourself by checking how many of these application security interview questions are easy for you, how many need fine-tuning, and how many you have yet to learn and master. Remember, every one of us is learning, and a question being easy for you doesn’t mean it is easy for everyone. 
It also depends on the role and on the expectations set by the hiring manager and the interviewer. 5 | 6 | A question might look straightforward, but your answer says a lot about your experience and hands-on work in this domain. Analyze the question and answer honestly. 7 | 8 | Many questions might not match your experience or role, as I am sharing a mix of questions asked for various roles in the Application Security domain. 9 | 10 | Also, I am not including programming-language-specific or programming-based security questions. Those may become a separate series in a later release. 11 | 12 | ### First thing first 13 | This question set is mostly for defensive roles, as opposed to offensive roles, which are usually called “Penetration Testing” or “Web Security” (the two terms are sometimes used interchangeably). I will concentrate on how an application is developed, maintained, and deployed, and on how, as a security engineer, you would help an engineering team overcome security challenges. 14 | 15 | 16 | ### Second important note 17 | I am listing questions based on a few criteria: 18 | 19 | 1. Common to everyone who is in this domain or trying to enter it. 20 | 2. Some questions are theoretical; consider them a starting point for checking a candidate’s overall knowledge. 21 | 3. Some questions are for senior professionals. 22 | 4. Some questions may have different answers depending on seniority level. 23 | 5. Some questions check your domain and leadership skills. 24 | 25 | **_One more thing_** 26 | 27 | If you are new to this domain or planning a career in cybersecurity, look at the study plans before delving into interview questions. 28 | 29 | __They are:__ 30 | 31 | 1. [Common Skills Study Plan](https://jassics.medium.com/study-plan-to-learn-common-skills-in-cybersecurity-865d15e28c46) that you can finish within 3 months 32 | 2. 
[20 Essential books that you should read from the security world](https://jassics.medium.com/20-essential-books-for-every-security-pros-journey-cfba7033bb1c) 33 | 3. [Application Security Study Plan](https://github.com/jassics/security-study-plan/blob/main/application-security-study-plan.md) (you must go through it before trying for AppSec interviews) 34 | 4. You can’t ignore API security today. So here is your [API Security Study Plan](https://github.com/jassics/security-study-plan/blob/main/api-security-study-plan.md) 35 | 5. Knowledge of pentesting will be an added advantage. Check this out: [Web Pentest Study Plan](https://github.com/jassics/security-study-plan/blob/main/web-pentest-study-plan.md) 36 | 6. You can star or bookmark the [Security Study Plan](https://github.com/jassics/security-study-plan), which will give you an insight into what to study for various security domains. 37 | 38 | ## This space will focus more on: 39 | 40 | 1. Secure Code Review 41 | 2. Threat Modeling 42 | 3. Secure Coding 43 | 4. Secure Development 44 | 5. Anything else that is defensive in nature and developer-centric. For everything else related to [web security we have another page](web-security-interview-questions.md). 45 | 46 | If you are interviewing someone for an Application Security Engineer role, whether junior, senior or architect level, 47 | you can always start with questions based on the person's experience in AppSec. However, the questions below are always interesting and will help you understand the candidate better technically. 48 | Soft skills, teamwork, presentation skills and communication skills are out of scope here. 49 | 50 | ### Application Security Basics Questions 51 | 1. Explain your top 3 favorite OWASP Top 10 vulnerabilities and why 52 | 2. How does the TCP 3-way handshake work? 53 | 3. Why is TLS important in cybersecurity and can you [explain the use of TLS in detail](https://kartik-chauhan.medium.com/demystifying-tls-f049b46eb2b3) for a website? 
54 | 4. How does SSL/TLS secure my content over the internet? 55 | 5. [What happens when you type google.com in your browser?](https://kevinkiruri.medium.com/what-happens-when-you-type-google-com-in-your-browser-and-press-enter-979955e31baf) 56 | 6. What’s the difference between SAST and SCA? 57 | 7. What is SQLi and how would you prevent/mitigate it? 58 | 8. Explain XSS with a few examples and how it can be avoided in the current software world. 59 | 9. How would you prevent brute-force attacks on an application, say on the login page? Explain everything that comes to mind. 60 | 10. Tell us about a time when you had to learn something new really quickly, and how you went about it. 61 | 62 | ### Application Security Role-based questions 63 | 1. [Explain CORS, SOP, and CSP from a security point of view](https://medium.com/@zhaojunemail/sop-cors-csrf-and-xss-simply-explained-with-examples-af6119156726) 64 | 2. How is CSRF dangerous for an application and what must be done to prevent CSRF in an application? 65 | 3. Explain the concept of input validation and why it is crucial for secure coding. Provide examples. 66 | 4. How do you approach secure error handling and logging in an application? 67 | 5. Discuss the role of encryption in secure coding and some best practices for implementing it. 68 | 6. What are some best practices for managing secrets and sensitive information in code? 69 | 7. How do you ensure the security of third-party libraries and dependencies in your code? 70 | 8. What are the key differences between manual code review and automated static analysis? 71 | 9. Describe your approach to conducting a secure code review. What do you look for first? 72 | 10. Can you give an example of a security vulnerability you discovered during a code review and how you addressed it? 73 | 11. Which secure coding standards do you follow during a code review (e.g., OWASP, CERT)? 74 | 12. 
How do you balance finding security issues against maintaining development velocity during a secure code review? 75 | 13. Describe the STRIDE threat modeling methodology and provide examples of each threat type. 76 | 14. How do you prioritize threats identified during a threat modeling exercise? 77 | 15. How would you integrate threat modeling into an Agile development process? 78 | 79 | ### Overall Application Security Assessment-based Questions 80 | 1. Where do we need [security in the SDLC phases](https://www.wiz.io/academy/secure-sdlc)? 81 | 2. What would you suggest for input sanitization? 82 | 3. What should a developer do for secrets management? 83 | 4. What are some strategies for ensuring secure session management in web applications? 84 | 5. How do you handle security misconfigurations in development and production environments? 85 | 6. Discuss the importance of least privilege and role-based access control in application security. 86 | 7. How do you ensure that logging and monitoring are implemented securely and do not expose sensitive information? 87 | 8. What are the challenges of implementing SDL in a fast-paced development environment, and how do you overcome them? 88 | 9. Describe the various phases of SDL and the security activities involved in each phase. 89 | 10. How can an attacker exploit SSRF, and what must an application developer do to prevent it? [This Medium article might help you understand](https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b) how SSRF protection gets bypassed. 90 | 91 | ### Some common “test your problem-solving skills” Application Security questions (mostly for senior roles) 92 | 1. What steps would you take to ensure developers follow secure coding practices? 93 | 2. How would you make developers aware of and involved in secure code development? 94 | 3. How do you handle the typical developer-versus-security clash? 95 | 4. What were your most interesting findings in secure code reviews? 96 | 5. 
What are the common vulnerabilities you have experienced so far? 97 | 6. How would you approach identifying and mitigating security risks in a large, legacy codebase that hasn’t been regularly maintained for security? 98 | 7. Describe a strategy to ensure secure coding practices in a multi-team development environment, especially when teams are working on interdependent components. 99 | 8. How would you implement and enforce a secure coding standard in a globally distributed development team? 100 | 9. How would you design a security strategy to protect a microservices architecture from both external and internal threats? What challenges might you face while designing and implementing it? 101 | 10. Describe how you would conduct threat modeling for a cloud-native application. Which security concerns are most critical in any cloud-native application? 102 | 11. Can you provide an example of how you have implemented SDL in a past project? 103 | 12. What are some key metrics you would track to measure the effectiveness of an SDL program? 104 | 105 | ### Application Security Scenario-based interview questions 106 | Consider this the toughest section; it is mainly for senior AppSec professionals. 107 | 108 | 1. How would you design a safe and secure password mechanism? 109 | 2. Can you explain password hashing and the importance of a salt? How are salting and hashing used in practice? 110 | 3. You use an SCA tool to find vulnerabilities in third-party libraries. How would you mitigate the vulnerabilities found and the risks associated with third-party libraries and frameworks? 111 | 4. Your company is developing a new financial application that handles sensitive customer data, including banking information. Describe how you would approach threat modeling for this application. What specific threats would you consider, and how would you prioritize and mitigate them? 112 | 5. 
You are tasked with performing a secure code review for a web application that has been recently developed. During the review, you find several instances where user inputs are directly concatenated into SQL queries. Explain how you would address this issue and guide the development team to implement a secure solution. 113 | 6. A development team is working on a new feature that requires handling and storing user passwords. They plan to use a simple hash function (e.g., MD5) to store these passwords. As a security architect, how would you advise them on securely handling and storing passwords? Provide a detailed explanation of best practices. 114 | 7. During a code review, you discover that the application does not properly handle errors and exceptions. For example, stack traces are exposed to end users, which could potentially reveal sensitive information. Describe how you would rectify this situation and implement secure error handling and logging practices. 115 | 8. A critical vulnerability is discovered in a third-party library used extensively in your company’s application. Explain the process you would follow to assess the impact, communicate with stakeholders, and implement a fix. How would you prevent similar issues in the future? 116 | 9. You are designing the architecture for a new e-commerce platform that includes a web application, mobile application, and backend APIs. Outline the security architecture you would propose, including key components and technologies to ensure robust security across all layers. 117 | 10. How would you review an architecture to prevent an automated brute force attack or dictionary attack (think of different brute force attack techniques)? 
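For scenario question 5 above (user input concatenated into SQL), an added Python example that is not part of this repository: the concatenated query kept beside its parameterised replacement, plus the one case a placeholder cannot cover, a user-chosen ORDER BY column, handled with an allow-list. The `users` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for the application's database.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (user_id, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern from the scenario: the input is pasted into the SQL text, so a quote in
    user_id changes the structure of the statement (data becomes code). Kept for contrast."""
    query = "SELECT user_id, email FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised (prepared) query: the driver passes the value separately from the SQL,
    so quotes inside user_id are compared literally and never parsed as SQL."""
    return conn.execute(
        "SELECT user_id, email FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Identifiers (table or column names) cannot be bound as parameters, so a user-chosen sort
# column is mapped through an allow-list instead of being concatenated into the query.
SORTABLE_COLUMNS = {"id": "user_id", "email": "email"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Reject anything that is not a known column before it reaches the query text."""
    column = SORTABLE_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT user_id, email FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # input containing a quote; plain data for the safe form
    print("vulnerable form   :", find_user_vulnerable(db, crafted))  # every row comes back
    print("parameterised form:", find_user_safe(db, crafted))        # no row matches
```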
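For scenario questions 6 and 10 above, an added Python example that is not from this repository: salted, iterated password hashing with a standard-library KDF (PBKDF2-HMAC-SHA256) in place of a bare MD5 digest, constant-time verification, a check for records that need rehashing when the work factor rises, and a per-account lockout as one brute-force control. The iteration count, record format and user mapping are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Work-factor parameters chosen for this example (an assumption, not a value from the page):
# measure the cost on the hosts that verify logins and raise it as hardware improves.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields).

    A fresh random salt is drawn on every call, so two users with the same password get
    different records and a precomputed table of digests (what defeats plain MD5) is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time
    so response timing does not reveal how many leading bytes matched."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy; rehash on the next login."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


class LoginThrottle:
    """Per-account lockout after max_attempts failures, the control scenario 10 asks about.
    State is in-memory here; a deployment keeps it in a shared store and alerts on lockouts."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts, self.lockout_seconds, self.clock = max_attempts, lockout_seconds, clock
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, username: str) -> bool:
        return self.clock() < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> bool:
        """Count a failure; return True if this attempt locked the account."""
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.max_attempts:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


# Verified for unknown usernames so the response time does not reveal which names exist.
DUMMY_RECORD = hash_password(os.urandom(8).hex())


def login(users: dict, throttle: LoginThrottle, username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'; users maps username -> record (constructed)."""
    if throttle.is_locked(username):
        return "locked"
    matched = verify_password(password, users.get(username, DUMMY_RECORD))
    if matched and username in users:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```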

### Secure Code Review round with code snippets
Many companies won’t have this round, but I feel one should include a few code snippets in an interview to check the candidate’s indirect coding knowledge from a security point of view, at least for a senior role like a lead or staff role.

Insecure code snippets can be on the tougher side. However, I am adding a few easy ones for practice and to give an idea of how this round can be prepared for well, as per the JD.

I give you a hint for your practice, but in an interview you won’t be given any hint.

1. Identify the security issue in this code snippet and explain how you would fix it. [Hint: Can you spot the CSRF issue here?]
```php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = $_POST['userId'];
    $newEmail = $_POST['newEmail'];
    updateEmail($userId, $newEmail);
}
```

2. Identify the security issue in this code snippet and explain how you would fix it. [Hint: insecure deserialization]

```java
ObjectInputStream in = new ObjectInputStream(new FileInputStream("data.ser"));
Object obj = in.readObject();
in.close();
```

3. Identify the security issue in this code snippet and explain how you would fix it. [Hint: password hashing issue]

```python
import hashlib

def store_password(password):
    hashed_password = hashlib.md5(password.encode()).hexdigest()
    save_to_database(hashed_password)
```

4. Which security issue can this cause? [Hint: XSS]

```typescript
const userInput = request.query.userInput;
const output = "<div>" + userInput + "</div>"; // wrapping tag assumed; the original markup was lost in extraction
response.send(output);
```

5. The most common question asked in a secure coding round; it doesn’t need a hint, I suppose. What issue would this code snippet cause, and how would you help the developer fix it?

```java
String userId = request.getParameter("userId");
String query = "SELECT * FROM users WHERE user_id = '" + userId + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
```

## Topics or concepts that are subjective and can check your in-depth knowledge regarding that area
### 1. What do you think about a good password?

This question looks very simple, but it can help the interviewer understand whether the person has experience with password-management-related skills or not.

This question will help you drill down into more specific questions to understand the competence of the candidate:
1. What is a complex password?
2. Should the password complexity be the same for admin and user?
3. How do you save the password in the database: encrypted, hashed, or plain text?
4. Do you use a salt? Is it the same for all passwords? Is it random per user?
5. How do you make your code safe against password attacks?

### 2. How do you stop brute-force attacks on login/signup/forgot-password page(s)?
This question helps you understand whether the person is aware of secure code development and secure design for such features, and how far he/she can think.
Check if the person talks about:

1. Captcha
2. CSRF token
3. Rate limiting
4. MFA
5. Alerting and monitoring for such anomalous behavior
6. Account lockout after n failed attempts

### 3. What happens when you type google.com in the browser?
This question just checks whether the person understands what goes on behind the curtain, like URL-to-IP conversion, DNS involvement, server response and so on.
Listen to the interviewee and see if he/she mentions the things below:
1. How DNS resolves the URL
2. TCP 3-way handshake
3. How HTTPS works and what its advantages are
4. How to protect the application from MitM (Man-in-the-Middle) attacks

### 4. How does SSL/TLS actually make my content secure over the internet?
This question is an extension of the previous one, to understand whether the person understands:

1. How the client/server hello is established
2. How the key exchange happens, i.e. public key or certificate
3. Is it symmetric or asymmetric encryption, or both, and when each is used
4. Talks about Certificate Signing Requests (CSR)
5. What are weak ciphers and what are good SSL cipher suites
6. Able to use the openssl command to see the details of SSL information
7. Can explain a cipher suite name like this: **TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256**
8. TLS 1.2 or TLS 1.3, and why?
9. What is PFS (Perfect Forward Secrecy) and why is it used?
10. Why do HTTPS-enabled websites still get hacked?

### 5. How would you make developers aware of and involved in secure code development?
This question helps you understand whether the person has delivered any training, presented slides, given demos, or delivered secure coding practices workshops.
See if the person talks about:

1. OWASP ASVS (Application Security Verification Standard)
2. OWASP Top 10 2017/2021
3. OWASP secure review with some examples
4. Secure design principles
5. Then you can go a little deeper, like what difficulties you faced while giving them training on secure code design, principles etc.
6. How do you make sure developers follow what you taught or made them aware of?
IDE plugin, git actions, SAST tools etc.?

### 6. Which one would you prefer and why? Manual secure code review, automated, or both?

### 7. Which tools have you used for SAST?

### 8. What is the difference between SAST and SCA?

### 9. How well do you understand SQLi (SQL Injection)?
See if the person is able to explain:

1. When data becomes code and how to test it
2. Any specific tool to speed up SQL injection testing
3. Can you spot SQLi from code review?
4. Experience with any SAST tool through which you can verify and validate SQLi
5. Mitigation for SQLi
6. Prepared statements against SQL injection

### 10. Do you understand the key difference between encryption, hashing, salt, obfuscation and encoding?

### 11. What should you check if the website suddenly becomes very slow?

### 12. Explain how you handle AuthN and AuthZ.
An interviewer can assess whether the candidate has a robust and comprehensive understanding of both authentication and authorization, as well as their practical application in ensuring application security.

#### Depth of Understanding:

Does the candidate understand the fundamental differences and purposes of authentication and authorization?
Are they able to explain common methods and protocols for both AuthN and AuthZ?

#### Practical Knowledge:

1. Can the candidate discuss specific implementations and technologies (e.g., OAuth, SAML, RBAC)?
2. Do they mention industry best practices and why they are important?

#### Security Focus:

1. Is the candidate aware of common security risks and how to mitigate them in both AuthN and AuthZ?
2. Do they highlight the importance of monitoring and logging?

#### Experience:

1. Can the candidate provide examples from past experience where they have implemented or improved AuthN and AuthZ mechanisms?
2. Are they able to discuss challenges faced and how they overcame them?

#### Current Trends:

1. Is the candidate up-to-date with current trends and emerging technologies in authentication and authorization?
2. Do they mention advanced methods like biometrics, adaptive authentication, or zero trust models?

### 13. How do you implement CSP? Do you think it adds extra security for a web application? How?
Go as deep as you can.
Use this article to [understand the details of CSP](https://hackernoon.com/everything-you-need-to-know-about-content-security-policy-csp-qt2g37wv).

### 14. Benefits of using SOP, CORS and CSP?
Explain the basics of these concepts with one or two real-world examples.
Also, explain why to use these and where, with a few scenarios.

### 15. How do you handle typical developer and security clash situations?

### 16. List out the techniques used to prevent web server attacks
Check which points the candidate can cover, then deep dive based on the answer:

1. Patch management
2. Web server hardening
3. Scanning the system for vulnerabilities
4. Custom vs default port
5. Firewall and other server settings, avoiding default settings
6. Proper alerting and monitoring mechanism
7. Server log settings

### 17. List out the steps to successful data loss prevention controls.
See if the interviewee is able to explain the points below:

1. Information risk profile
2. Assign roles and responsibilities to the technical administrator, incident analyst, auditor and forensic investigator
3. Develop the technical risk framework
4. Expand the coverage of DLP controls
5. Monitor the results of risk reduction
6. Incident response, risk severity, playbook etc.

### 18. Where do we need security in the SDLC phases?

### 19. What would you suggest for input sanitization?

### 20. What have you done so far for API security?
You can't think of application security without API security at present. However, I will cover more in [API Security Interview Questions](/api-security-interview-questions.md) on another page.

### 21. Why is XOR so important in the crypto world?
It's a basic of cryptography but an untouched topic, and I would recommend every AppSec engineer go through the basics of cryptography.

### 22. How does OAuth work?

### 23. What is SCA and how do you perform SCA?

### 24. What should a developer do for secrets management?

### 25. What is your most interesting finding in secure code review?

## Summary
I have tried to cover all the possible questions from basics to advanced across various topics under the AppSec domain, like threat modeling, secure code review, OWASP Top 10, secure design, cryptography (basics), overall understanding of an application from a security perspective, and a few scenarios dealing with agile development, developers etc. All the best for your bright future, and I hope this set of questions helps you excel in an interview.

I will try to add more security interview questions for specific roles as well. Please share in the comments which one you want to see next. Some examples are Sr. or Lead AppSec Engineer, AppSec Architect, DevSecOps Engineer, and Product Security Engineer roles.
--------------------------------------------------------------------------------
/aws-security-interview-questions.md:
--------------------------------------------------------------------------------
# AWS Security Interview Questions

1. How would you find evidence of malicious activity within services like AWS EBS, an application using Lambda, etc.?

   This is to check whether the person has experience with GuardDuty, CloudTrail and Config and has worked on any such malicious activity in the past. If so, what all he/she did.

2. CloudTrail vs CloudWatch: explain in depth from a security perspective.

   The person is expected to have worked with CloudTrail functionality regularly and to be good at incident/event analysis. Also, check whether the interviewee is aware of CloudWatch.
3. How is IMDSv1 vulnerable to SSRF? Explain.

   Many org-wide admins, developers, or whoever launches instances leave the default, and by default AWS creates the v1 reference.
   This can lead to key stealing, privilege escalation, etc. through SSRF, or sometimes even through curl commands.
   Is the person aware of IMDSv1 and how IMDSv2 solves the SSRF issue?

4. Did you implement IMDSv2, and how did it fix SSRF?
   References:
   1. https://medium.com/@shurmajee/aws-enhances-metadata-service-security-with-imdsv2-b5d4b238454b
   2. https://www.cyberbit.com/blog/uncategorized/aws-imds-v2-secures-ssrf-vulnerability/
   3. https://www.accurics.com/blog/security-blog/aws-cloud-security-protect-ssrf/
   4. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
   5. https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
   6. https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
   7. https://www.youtube.com/watch?v=2B5bhZzayjI (re:Invent SEC310)
5. How are logs stored in AWS, and how can you monitor them?
6. Can you analyse and explain the risks and security issues for Elasticsearch services?
7. When should you use TGW? Is there any security improvement from using it?
8. Should we expose database access publicly or to the web application directly?
9. Can you help me understand the security posture for a WordPress site being hosted in AWS?
10. Do you have experience in AWS services security design and enforcement review or documentation?
11. What issues do you see when any API endpoint is exposed to the public?
12. There is a security group named default that allows ports 22, 25, 53, 80, 443, 3679, 3306, 9001. Do you see any issue here?
13. Have you worked on backup security and monitoring? Can you explain?
14. We want to enable SSO and integrate a tool called Trello in our AWS environment where other applications are hosted. What security posture do you think we should work on to keep everything secured?
15. How are the security alerts of AWS resources captured and sent to security people automatically?
16. Have you worked on GuardDuty? It has lots of false positives. Do you have any suggestions to reduce false positives?
17. Can you explain how to use and when to use Access Key ID and Principal ID, with one example?
18. What are the different data sources for GuardDuty?
19. What are the various options/features you have worked with in GuardDuty?
20. I need to get an alert to Slack/mail whenever my backend APIs start giving 5xx in CloudWatch. How would you achieve that?
21. RTO (Recovery Time Objective) vs RPO (Recovery Point Objective)
22. [You are trying to SSH into an EC2 instance but it is failing.](https://aws.plainenglish.io/i-have-asked-this-ssh-question-in-every-aws-interview-and-heres-the-catch-ee2013a83e99)

## IAM
1. Explain the IAM policy below:

As a Cloud Security Engineer, you would need to review and inspect IAM policies from time to time.
The main idea behind asking such a question is to check whether you are comfortable with IAM policies and know the basic idea about effect, resource, condition etc.

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"BoolIfExists":
      {"aws:MultiFactorAuthPresent": "false"}
    }
  }]
}
```
2. Explain the policy below. What's wrong with this policy?
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "NotResource": [
      "arn:aws:s3:::HRBucket/Payroll",
      "arn:aws:s3:::HRBucket/Payroll/*"
    ]
  }
}
```

3. What comes to your mind when a service needs cross-account access?

## Data Security
1. How do you secure data transfer in transit?
2. Do you agree that we need to enable data encryption at rest by default?

## Scenario Based questions:
### Scenario 1 (Lambda, SES and Config rules):
The task is to create a Lambda function for Config rules and send an email using SES.
I have multiple accounts, and one of the accounts is the organization-level aggregator. Using that org aggregator account, write a Lambda function to retrieve all non-compliant Config rules for each aggregator. I want a list with the following results:

```
Aggregator name = AggregatorTest
OrgConfigRule – VPCFlowlog-o30sfig, Non_compliant, Acc No: 23135134235
Account id, Resource id, Resource type, AWS Region
Account id, Resource id, Resource type, AWS Region
```

So above we have an email configured for AggregatorTest; we then get the list of all OrgConfigRules, and after that, whatever resources exist for that org Config rule need to be listed out, and then the email is sent to users using SES.

### Logging and Monitoring
1. Data integrity for CloudTrail logs
2. How to get unencrypted EBS volume(s) in an easy way: Config -> filter
3. CloudWatch -> metrics filter

### Infrastructure security
1. EC2 vulnerability patch management in an automated way
2. What checks does AWS Inspector do to figure out instance vulnerabilities?

### Data protection
1. KMS key usage: S3 bucket, file download but can’t see the object. What solution do you propose?
2. CMK keys auto-renew solution after 3 months (key rotation): CloudWatch Event to check it
3. What comes to your mind when you have to secure an RDS instance?
4. When is encryption by default not enough?
5. Would you suggest key rotation? Why, and what should the rotation period be? Justify.

### IAM
1. Let's say an event is triggered and a Lambda does something. To make sure it works, what do you check in IAM?

### Programming question (depends on the role)
A non-decreasing list of numbers and a target number are given. You need to print whether the target number exists in the list, or else print the number nearest to the target.

## Some more questions, if you still have time and are out of questions
1. What are the top 3 things you would do if you were working on a CSPM tool from scratch?
2. What and how do you check whether an AWS resource is deployed/implemented over an encrypted communication channel?
3. How do you make sure everyone in the organisation follows the AWS security guidelines while working with AWS services?


**_You can help us add more questions or even suggest edits. A kind gesture to help the community is always welcome._**
--------------------------------------------------------------------------------
/common-security-interview-questions.md:
--------------------------------------------------------------------------------
# Common interview questions for security roles

## How do you handle common scenarios
1. Developer security management issue: what’s your call?
2. Technologies are changing; how comfortable are you?
3. How do you keep yourself updated in the security domain?
4. What personal achievement are you most proud of?
5. Tell me one critical bug you found in the AppSec domain and one in the Infra domain.
6. What would you typically do on the first day of your job?
7. How will you scale security scope for heavy application-focused projects?
8. How will you convince the engineering team to fix the 1000s of issues that your tool found?
9. What security measures would you take from a data integrity perspective?


## Questions that look easier but are challenging to answer
1. What interests you about this role?
2. What is your typical routine in the office?
3. How do you keep your team updated with work, etc.?
4. What would be your first 30, 60, 90 days goals for product security?
5. Why are you looking for a change?
6. What are your biggest strengths?
7. What are your most significant weaknesses?
8. Where do you see yourself in the next five years?
9. Any serious issues you fixed/worked on in the last quarter/year? How did you resolve them? Have you learned anything from it?
10. What are the significant challenges you have faced recently?
11. What are your salary expectations?
12. What are your career goals?
13. What do you consider to be your most significant professional achievement?
14. Describe your dream job.
15. What is your leadership style?
16. What questions do you have for me?
17. What do you expect me to accomplish in the first 90 days?
18. The market seems unstable; how do you keep the attrition rate low?

## Security fundamental questions:
* OWASP Top 10 understanding
* Crypto algorithms, primitives
* Stream cipher vs block cipher
* Encryption vs hashing vs encoding vs obfuscation
* Why XOR is very important in the crypto world
* Network protocols
* Could you explain what phishing is? How can it be prevented?

Phishing is a social-engineering technique that deceives users into handing over their data. The attacker impersonates the web pages of a genuine site like Yahoo or Facebook and asks the user to enter their password and account ID.

It can be prevented by:

* Having a guard against spam
* Communicating personal information through secure websites only
* Not downloading files or attachments in e-mails from unknown senders
* Never e-mailing financial information
* Being wary of links in e-mails that ask for personal information
* Not entering personal information in a pop-up screen
--------------------------------------------------------------------------------
/container-security-interview-questions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/container-security-interview-questions.md
--------------------------------------------------------------------------------
/cybersecurity-interview-questions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/cybersecurity-interview-questions.png
--------------------------------------------------------------------------------
/devsecops-interview-questions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/devsecops-interview-questions.md
--------------------------------------------------------------------------------
/gcp-security-interview-questions.md:
--------------------------------------------------------------------------------
# GCP Security Interview Questions

--------------------------------------------------------------------------------
/grc-interview-questions.md:
--------------------------------------------------------------------------------
# GRC Interview Questions

--------------------------------------------------------------------------------
/network-security-interview-questions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/network-security-interview-questions.md
--------------------------------------------------------------------------------
/soc-interview-questions.md:
--------------------------------------------------------------------------------
# SOC Interview Questions

--------------------------------------------------------------------------------
/web-security-interview-questions.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jassics/security-interview-questions/6fa8ab4a17032023622bc174fa37ccd0b0f067a2/web-security-interview-questions.md
--------------------------------------------------------------------------------