When I apply for security engineer roles at FAANG that require coding skills it seems that I always get auto rejected with no interview. Do they look for people who have a hardcore software engineering background? Also why does it seem like there is almost no information online to prepare for the interviews? #google #meta #snap #microsoft #apple #uber #lyft #stripe #adobe #spacex #airbnb #slack #zoom
Security engineer isn’t the same thing as cybersecurity. It’s basically SWE with some sort of security specializations/skills. You’re still developing software at the end of the day - security engineer
DevOps and cloud skills not viable?
Not for FAANG imo. You could pivot to a smaller software company for a couple years to build up something like: https://www.linkedin.com/jobs/view/3768821984 I think the big piece they’re looking for is developing security tools
It might be that the job is a development-focused role
It depends on the focus area. Security engineers working on networking and infrastructure might be required to only have some scripting skills. If it’s AppSec/ProdSec then development background is required in most cases. Especially in high-paying companies.
Then maybe my question should be “how do I get into appsec”. It seems people have different ideas of what that means as well though.
True. Each company, team, management would have their own vision of what this means and what to expect from people in such roles. It could be useful and important to do some research, review a bunch of job descriptions from different companies and for different security roles and see what is required. Inquire on Blind or connect with someone from the company of interest in a similar role and ask what is required and how to better prepare for the interview. The resume is very important and building a good one would require some effort. It should be relevant. If you are getting automated rejection this might mean that your resume doesn’t work out. The assumption about background could be irrelevant. Job search is a skill and requires effort. Especially in this market, just sending out resumes or changing LinkedIn status might not be enough
Security is the bastard child of SWE when it comes to information about interviews. If you go on Levels.fyi you'll find the Security salaries under SWE, but you have to keyword search them. You're getting auto-rejected because *everybody* is getting auto-rejected. It's brutal out there right now, especially if you don't already have FAANG on your resume. Keep trying, get referrals, and grind some LeetCode. Speaking of LC, you'll want to look through the list of Easy/Medium problems for L3-L4 roles, that seems to be the sweet spot for the types of questions asked in Security interviews. I come from a sysadmin background - no degree in CS, no development jobs in my history, and no SWE title before becoming SecEng at Amazon. It took me a lot of applications and about 3 sets of interviews to get hired across about 4 years.
Nothing personal, but can you be more specific about your background? Any certifications? Also how much coding do you do at work?
No certs, a bunch of IT experience going up to senior sysadmin. My day to day involves basically no programming, but I'm interfacing with people who code, and the problem space often involves code, so it's definitely required to understand it well enough to ask intelligent questions. Similarly a lot of the problem space involves infrastructure, architecture, networking, permissions, and people doing dumb stuff, so it's not like there's not plenty to keep track of.
You don’t need SWE experience but you should know how to code, many interviews have a coding bar. For AppSec roles, expect that bar to be even higher than other security roles
It sounds like I should just apply for anything that gets my foot in the door then unless it's something completely irrelevant like compliance maybe.
Not really as much as the SWEs but they require at least easy/medium level LC with array manipulation and some sort of scripting like log parsing and using some certain libraries (os, request, hashlib, socket, sys etc.). Depending on the role they may require code reviewing, analyzing a given code snippet to find possible security issues, also some reverse engineering tasks on given assembly code, hex binary file etc. They don't require all of the mentioned stuff together, but depending on the role they may require stuff at this level. They don't ask dynamic programming, DFS/BFS, linked list etc. as long as you are not applying for a security software engineering role. They can require the same level of coding as plain SWE roles.
I thought reverse engineering malware was, normally, a separate dedicated role that would fall under incident response. Not exactly what I’m going for.
Yes, reverse engineering can be asked for incident response, forensic analysis, security investigations roles. However, if you are interviewing for appsec roles, they may ask about vulnerable code snippets to spot security flaws, etc. Which field are you applying for?
Security engineer here - I'm surrounded by security engineers that are very sharp in coding, but there's a notable and qualitative difference between our (Security Engineers) software engineering skills and an actual SWE. Writing code IS expected, and you should be comfortable in it, but it's understood that there's going to be a skills gap between SE and SWE. That said, the stronger your coding skills the better you do generally since you can implement your security engineering ideas more directly and more rapidly.
How do you get past the phone screen though?
I think another poster nailed it when they said: no one is getting through right now. Unless you live in India, Dublin, or some other low-cost area, you're not getting in. At least at Google, they're cutting costs anywhere they're able right now. I'm not a recruiter, so there may be other secret sauce qualifications at play....
The questions differ from interviewer to interviewer. The phone screen is intended to be a basic filter. The idea is that the phone screen does the initial work of ensuring that the candidate is worth the time spent for a googler to interview them. So yeah, they ARE meant to be basic.
In practice I don’t really feel like this is what happens. It's like asking a PhD graduate what they learned in 2nd grade.
Just telling it as I see it man. Sorry it's been such a rough go of it for you.
Do you still see a lot of SE getting laid off?
I don't really have great visibility (just a lowly L4), but no - compared to sales, marketing, HR and SWEs, we seem to have had fewer than most.
For the sake of the actual programmers you work with, please learn to code so you can develop some sympathy for the people affected by what you do
I have coding skills and experience listed on my resume. But never had a strict SWE role where I stare at code all day.