Tech Industry · Oct 16, 2023
Deloitte · Octavia100

Security Engineers

Why do security engineer interviews often include coding rounds with the development team, seemingly requiring candidates to possess both software development and security expertise, making the interview process more challenging and potentially unfair? Day-to-day roles of app-sec/offensive engineers may not require coding. I understand it is a required skill for scripting but not mandatory. When encountering challenges similar to LeetCode or HackerRank, it can give the impression that the position prioritizes development over security expertise, contrary to what is outlined in the job description. This standardized interview process seems to be a common trend across many companies.

Amazon mngg Oct 16, 2023

I would suggest just picking it up. AppSec in AWS includes a lot of security sign-off on designs and we don't have enough security guys with enough real dev experience, so it's currently a bottleneck in the development process. Plus, knowing enough about coding and the languages in use is good in general; a lot of issues pop out from edge cases or bad assumptions by devs about languages and libraries, config issues, etc., that may not have a CVE.

Netflix fnaI69 Oct 16, 2023

And I’m guessing they’d want you to be able to write airtight IAM policies behind your back blindfolded for that position, which again is totally fair.

Netflix fnaI69 Oct 16, 2023

Can’t NOP slide if you don’t understand memory allocation. I would expect higher-level security engineers to be competent in a higher-level language, especially for tool development, and be able to reason about what that code does on the C level, what system calls are happening, what the attack surface is like, what the threat model is at runtime both in pre-prod environments and production, etc. IMO to be really excellent at security, you need more breadth than SWE, and you need much more depth specifically on the security stuff. How good is a security engineer going to be if they don’t understand how directory traversal attacks work in code? At lots of big cos, there’s heuristic scanning happening on all their code bases all the time. Security engineers that maintain that stuff need to know if they’re about to deploy some rule that’s going to flag every codebase at the company with a P0 security JIRA because there’s some weird thing in their SSO lib that triggers a false positive. It’s of course going to vary by actual position and by company, but I think it’s pretty reasonable to go through some kind of FizzBuzz-as-a-function with a sec eng candidate and make sure they can reason about what’s happening on memory, CPU, and system levels. A lot of the OG security people were just devs that went super deep and understood how programs work from the highest-level code down to what’s happening on the silicon and the network at an electrical level.
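The post above asks whether a security engineer can reason about how a directory traversal bug looks in code. As an added illustration (not part of any poster's comment), here is a constructed, self-contained Python example: a naive file-serving helper beside a hardened one that confines resolved paths to a base directory, plus a small log-review check for traversal-looking request paths (including URL-encoded forms). The base directory `/srv/www/public` and all request strings are made up for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote


def serve_file_naive(base_dir: str, requested: str) -> str:
    """The bug reviewers look for: os.path.join never checks '..' segments,
    and if `requested` is absolute it silently discards `base_dir`."""
    return os.path.join(base_dir, requested)


def serve_file_hardened(base_dir: str, requested: str):
    """Resolve both sides, then insist the candidate is inside the base.

    Returns the resolved Path, or None when the request would escape.
    Comparing resolved paths (not raw strings) handles '..', './', and
    symlinks consistently; an absolute `requested` also fails the check
    because Path('/base') / '/etc/passwd' yields '/etc/passwd'.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Portable form of Path.is_relative_to (which needs Python 3.9+).
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


def looks_like_traversal(raw_request_path: str) -> bool:
    """Detection-side helper for reviewing access logs: flag request paths
    that contain a '..' segment or are absolute after URL decoding.

    Decoding twice catches the double-encoded variant (%252e%252e); the
    backslash is normalised because some servers treat it as a separator.
    """
    decoded = unquote(unquote(raw_request_path)).replace("\\", "/")
    segments = decoded.split("/")
    return ".." in segments or decoded.startswith("//")


def review_log(lines):
    """Return the request paths from constructed web-server log lines that
    look like traversal attempts. Log format assumed: '<ip> "<METHOD> <path>"'.
    """
    flagged = []
    for line in lines:
        try:
            path = line.split('"', 2)[1].split(" ", 2)[1]
        except IndexError:
            continue  # malformed line; skip rather than crash the review
        if looks_like_traversal(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    base = "/srv/www/public"  # constructed base directory
    for req in ("index.html", "css/../index.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:24} naive={serve_file_naive(base, req)!r:40} "
              f"hardened={serve_file_hardened(base, req)}")
    sample_log = [  # constructed log lines
        '10.0.0.5 "GET /static/app.js"',
        '10.0.0.9 "GET /static/%2e%2e/%2e%2e/etc/passwd"',
        '10.0.0.9 "GET /static/..%5c..%5cwin.ini"',
    ]
    print("flagged:", review_log(sample_log))
```

The hardened version's key property is that the decision is made on the resolved path, so every spelling of the same escape collapses to one comparison; the log check is the complementary detection view of the same bug class.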

Amazon WDMR28 Oct 16, 2023

You can break so many bugs from the outside

AMD gMHw08 Oct 16, 2023

And this guy works at deloitte... Lol