I am trying to create a Security Engineer interview question bank. What are the questions that you ask when interviewing security engineers for your teams? #cybersecurity #interview #security
CORS, CSP, CSRF, OWASP, threat model.
CSRF fixes, cookie attributes, XXE fixes, buffer overflow and ASLR, XSS types and fixes from browser headers to encoding, SQLi and second-order SQLi. How parameterized queries and stored procedure calls work. HTTP response splitting and request smuggling. Zip slip, JWT attacks, OAuth attacks and how PKCE works. Many more but I couldn't recall them.
There are cookie prefixes also. postMessage XSS. Token and session hijacking prevention. CSP unsafe-eval and unsafe-inline, subresource integrity with hashes and nonces, and what strict transport means in CSP.
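The comment above lists "SQLi and second-order SQLi" and "how parameterized queries work" as interview topics. Below is an added, self-contained Python example (not code from the thread or any poster) that shows the distinction an interviewer is usually probing for: the insert is parameterized, so the first-order attack fails, but a later query that trusts a value read back from the database and splices it into SQL is still injectable (second-order), while the parameterized version of the same lookup is not. It uses an in-memory SQLite database and constructed sample rows; the table, column and user names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: one ordinary user and one whose display name carries a SQL fragment.
SEED_USERS = [
    ("alice", "Alice Example"),
    ("mallory", "x' OR '1'='1"),
]


def build_db():
    """Create an in-memory users table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    # First-order safe: the insert is parameterized, so mallory's quote is stored literally,
    # exactly as typed. Nothing is injected at this point.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def vulnerable_lookup_by_display_name(conn, username):
    """Second-order flaw: trusts a value that came OUT of the database and formats it into new SQL."""
    (display_name,) = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    # The stored display name is treated as trusted because 'it is already in our DB'.
    # For mallory this builds: ... WHERE display_name = 'x' OR '1'='1'
    sql = f"SELECT username FROM users WHERE display_name = '{display_name}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup_by_display_name(conn, username):
    """Same lookup, parameterized on both reads: data is never parsed as SQL, wherever it came from."""
    (display_name,) = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    rows = conn.execute(
        "SELECT username FROM users WHERE display_name = ?", (display_name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", sorted(vulnerable_lookup_by_display_name(db, "mallory")))  # both users leak
    print("safe:      ", safe_lookup_by_display_name(db, "mallory"))                # only mallory
```

The defender's takeaway is that "parameterize at the input boundary" is not enough; every query that embeds data must bind it, because data stored safely today is untrusted again the moment it is read back.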
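The comment above names CSP 'unsafe-inline', 'unsafe-eval', and hash and nonce sources as interview topics. Below is an added Python example (not code from the thread or any poster) of a small policy checker an AppSec engineer might keep around: it parses a Content-Security-Policy header, flags weak script-src sources, computes the sha256 hash source for an inline script the way a browser does, and decides whether a given inline script would run. It also encodes the rule candidates often miss: once a policy contains any nonce or hash source, 'unsafe-inline' is ignored. The header strings and script bodies are constructed sample inputs.

```python
import base64
import hashlib

WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header):
    """Parse a CSP header into {directive: [sources]}. Browsers ignore a repeated directive, so do we."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def script_sources(policy):
    """script-src governs inline scripts; if absent, default-src applies."""
    return policy.get("script-src", policy.get("default-src", []))


def weak_script_sources(policy):
    """Return the sources an auditor should flag; keeps header order."""
    return [s for s in script_sources(policy) if s.lower() in WEAK_SCRIPT_SOURCES]


def inline_script_hash(script_body):
    """Hash source for an inline script: sha256 over the exact UTF-8 body, base64, quoted."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(policy, script_body, nonce=None):
    """Would this inline script execute under the policy? `nonce` is the value on the <script> tag, if any."""
    sources = script_sources(policy)
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    if not has_nonce_or_hash:
        # Without nonces/hashes the only thing that lets inline script run is 'unsafe-inline'.
        return "'unsafe-inline'" in lowered
    # With a nonce or hash present, 'unsafe-inline' is ignored; the script needs a real match.
    # Nonce and hash comparisons are case-sensitive.
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return inline_script_hash(script_body) in sources


if __name__ == "__main__":
    body = "console.log('hello')"
    header = f"default-src 'self'; script-src 'self' {inline_script_hash(body)} 'unsafe-inline'"
    policy = parse_csp(header)
    print("weak sources:", weak_script_sources(policy))
    print("known script runs:", inline_script_allowed(policy, body))
    print("other inline script runs:", inline_script_allowed(policy, "alert(1)"))
```

Note that the hash is over the script body byte-for-byte, so a build step that reformats or minifies inline scripts after the policy is generated silently breaks the match; that is the usual reason nonces are preferred for server-rendered pages.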
Good luck getting good responses from security folks. There's a reason why security engineering interview details are limited here.
You contribute to learn. It's not only about sharing. It helps to understand the bar set by security teams and to understand the hiring process as well.
Would the code snippets be in Java etc.? Nothing much on threat modeling?
Have you seen Grace Nolan's interview notes? https://github.com/gracenolan/Notes
This thread will die as many others did before it. The reason for this is not that security folks are not sharing information, but that the field is too broad. Even for security engineers there are many focus areas and each will have a specific list of questions. Even more, each company will have specific requirements. And I've seen cases where people with the same title were focusing on different things, to the point that it became difficult to find a job in a different company (they were looking for a different skill set in that role). So if you want to make this thread useful you should be more specific. Even having separate comments about a specific role or company name could allow people to start a thread with relevant suggestions.
Makes sense, given the broad areas. It's good to know what questions each company asks in common and what interview tactics each team uses.
The problem is that knowing common questions is not helpful. For infrastructure security they ask one set of questions, for AppSec or ProdSec another one, and a completely different one for cloud security. And so on. Even if people share something here, ideas would be scattered across the thread and it will still be difficult to use 🤷
Completely depends on the role and org, as others have said. My last job was corp sec, so lots of endpoint knowledge was needed. Now I'm in tech, web-based attacks are more valuable to know. But if I was in corp sec again, then yeah, endpoints would matter again. My FAANG interviews varied in sec topics so heavily that I couldn't really study for all of it even if I knew beforehand what I would be asked.
Basically all questions for blue team come down to a simple framework (keep in mind answers will be unique for every company given their infrastructure):
1. Can you find security holes in this company's infra? Basic things like visibility, scanning etc.
2. Do you know how to mitigate these threats? Even better if you can assemble teams and create processes that can handle an entire area for the company, let's say IAM.
3. Can you own a specific area of cybersecurity and provide a path to grow the security program? Let's say the company has problems with endpoint security: the more you know about how to bring an endpoint security program to a very mature level, the better. Especially if you are a hands-on engineer and can create/improve the infrastructure to cover your area.
4. If I give you our current architecture, can you spot weak areas and propose improvements for security infra?
At the end of the day the CISO or hiring manager is looking for a specifically skilled and experienced individual who can solve his current problems in the security program. That's it and nothing more.
Depends on the level you are targeting. Some of the questions I was asked last year when interviewing for staff level:
- How do you introduce the notion of security in dev teams?
- How do you influence the org without authority or a gating function?
- Tell me about a time you fixed an issue at the platform or organizational level.
But this is for staff level positions and I wouldn't expect these questions for junior level positions.
You can try my resource as well. This has a lot of questions that I had prepared. https://github.com/nixonion/Cybersecurity-Interview-Questions
Can you post some of the questions? I can add them to the same comment.