Has anyone been through any of these rounds recently for onsites? I have no extensive experience with security engineering interviews given my initial work before getting into security was in ML, so all my interviews were in that realm.

Adversarial Mindset: The recruiter mentioned it is reviewing some code for vulnerabilities, and that going through HackTheBox helps, so I'm not sure of the approach here (I'm familiar with HTB, but haven't seen much code review for vulns needed there tbh). I saw a post on Blind where someone mentioned they were given a hypothetical scenario and they asked for logs and then found an IP and discovered the issue, but it did not make clear if this was all just talking or if they give you an environment for you to play with (I did ask but got no answer).

In Domain: Nothing much was said here besides reviewing MITRE, so it gives me more blue team vibes: detecting, preventing and mitigating threats, etc. I'm not super familiar with this given it is not my area of expertise, but I am guessing they will give you a hypothetical scenario and you have to carry out your response step by step?

If anyone can give me any input, tips, resources that have helped them, or simply share their experience, it would be great! Thanks in advance.

TC: ~180K
YOE: 3.5

#interview #security #meta #facebook #engineering
It feels like it's more of an AppSec or ProdSec role. Adversarial mindset is key in security. In general, not about Meta specifically, if they expect you to review the code there are several things that might help.

1. Learn what training in secure coding is available at your company. I'm sure your AppSec team has something available. Maybe you even have security champions and they might also take some training. I'd recommend you start there and get as much useful information as possible.

2. OWASP Top 10. There was a new version released in 2021. They provide not only a prioritized list of vulnerabilities but recommendations on how to mitigate them as well. This could help you to spot anomalies in the provided code. Learning best practices could help as well to see if something is not in place.

3. There are different training platforms available to train developers in secure coding. The most advanced and actual is probably Secure Code Warrior. It's not easy to get access since it's a commercial product, but there is one way that could work. But this way would require time to prepare, so it's relevant if you are already in the interview process.

As for the scenarios, they usually want to see how you think. And it's important not only to detect the issues and provide mitigation strategies but also to make sure they were implemented. Like with the rest of QA, you need to make sure that the issue is fixed. If you want to star, make sure you focus on preventing issues. Knowing best practices, SSDLC, etc. helps here a lot.
Thank you so much for the information!