Awesome
Updated post at https://ishaqmohammed.me/posts/application-security-engineer-interview-questions/
Application Security Engineer Interview Questions
Some of the questions/topics which i was asked when i was giving interviews for Application/Product Security Engineering roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer. I tried to include the reference resource for some of the questions/topics, feel free to reach out to me on twitter for any feedback/suggestions/discussions.
-
Which architecture is more secure? 2 tier or 3 tier
-
Explain SSL Handshake
-
Recommend XXE mitigation for application which requires external entities to be called because of business requirement
-
Explain CORS and SOP
-
Does SOP mitigate CSRF attacks?
-
Exploiting SSRF attacks
-
What is web cache deception?
-
What is HTTP request smuggling?
-
Explain DOM XSS. Can DOM XSS be stored? Can CSP header mitigate dom based XSS
-
What will be your testcase for a file upload functionality?
-
What is HSTS?
-
Explain SSL Stripping
-
If you have API calls which need to fetch credentials, what will be the secure way to store secrets and making them available for API calls?
-
How does file compression work?
-
Which method is secure? Compress First and then Encrypt the data or Encrypt First then Compress
-
You have found a vulnerability a product/infrastructure, how will you investigate if this was not exploited already by an attacker
-
What is SPF, DKIM and DMARC?
-
Explain DNS Exfiltration
-
Explain Log Poisoning using LFI/RFI
-
Do the HttpOnly cookie and X-XSS-Protection header mitigate cross-site scripting attacks?
-
How do you exploit XSS in a post request?
-
Difference: IDOR, Missing function level access control and privilege escalation
-
How does burp suite work with HTTPs requests?
-
Is the DNS service's communication encrypted?
-
Security implications in DNS
-
DNS over HTTPs
-
How does ssh authentication work?
-
How to create and implement an SSL certificate?
-
How to verify if a database is encrypted?
-
If you want a script to use credentials from the system, where will you store the credentials?
-
Explain SDLC
-
In which phase of SDLC should security be integrated?
-
Explain encryption in Wifi network communication.
-
What are stateless and stateful requests?
-
How is the state of a request saved in HTTP?
-
What data does the shadow file contains?
-
What is salt in cryptography?
-
What is Double-Submit Cookie?
-
What is Preflight request?
-
What are Certificate Transparency Logs?
-
What is your favourite vulnerability and why?
-
Talk about any latest/interesting vulnerability or breach you learnt about.