Web application security interview questions

A list of technical questions to use when interviewing a security engineer.


Following on from my previous article on interview screening questions for a Java engineer, here is a list I use for screening security engineers. Security is a very specialized field that requires a different mindset to a typical software engineer, so it is important to take a different approach to these candidates: they need to be as strong on platforms (Linux servers and everything that could be running on them), as well as writing secure code.

Interview questions

Q. 1. What are your favourite security learning resources?

Response flags: how do they keep up-to-date, this is vital in the infosec field.

Q. 2. What are you favourite security testing tools?

Response flags: opportunity to express broad knowledge of toolsets.

Q. 3. What does the term "social engineering" mean?

Response flags: should know what this means, and give and example.

Q. 4. In the hacking world, what is the difference between a "black hat" and a "white hat"?

Response flags: should know what this means.

Q. 5. What’s the difference between Symmetric and Asymmetric encryption?

Response flags: should know Asymmetric uses different keys for encrypt/decrypt, whereas Symmetric has one key that has to be securely distributed somehow (main weakness).

Q. 6. If you wanted to run SSHD securely on an online server, how would I do that?

Response flags: disable root access, disable password access, change the default port to confuse scanners...

Q. 7. What is XSS?

Response flags: Cross-site scripting, should provide an example and mitigation strategies.

Q. 8. What is SQL injection?

Response flags: Should provide an example and mitigation strategies (param binding via prepared statements for bonus points).

Q. 9. What is the difference between authentication and authorization?

Response flags: they should be clear on the differences.

Q. 10. What is two-factor authentication?

Response flags: combination of something they know, something they have, something they are (bio-metrics)...

Q. 11. What are salted hashes?

Response flags: should know about generating random data, and how it can be used to help store passwords more securely.

Q. 12. What is a dictionary attack?

Response flags: should explain what this is, and how to mitigate against it.

Q. 13. What kinds of details should a remote web server not expose when something goes wrong?

Response flags: details about software versions, error log details, stack traces...

Q. 14. What should you never record into a web app error log?

Response flags: passwords, credit card numbers, any other sensitive data...

Q. 15. What’s the difference between a White Box test and a Black Box test?

Response flags: should know the differences, give benefits for both approaches.

Q. 16. What is OAuth?

Response flags: provide a good overview.

Q. 17. What are the differences between 3-legged and 2-legged OAuth?

Response flags: should describe the 3 actors at play here, and when you would want to use one approach versus the other.

Q. 18. Why is deleted data not truly gone when you delete it?

Response flags: OS just flips a bit, data is still physically there.

Q. 19. What is the significance of software patching to security?

Response flags: should discuss update roll-out strategies.

Q. 20. When conducting a code review, what kinds of security anti-patterns do you watch out for?

Response flags: candidate should list off examples.

Q. 21. What is PCI? What is the purpose of the PCI-DSS specification?

Response flags: should know what this is and why it is important.

Q. 22. What is a replay attack?

Response flags: should provide an example, and how to mitigate against these.

Q. 23. What is a rainbow table?

Response flags: provide a thorough overview, and why they can help speed up password attacks.

Q. 24. If you had to both encrypt and compress data during transmission, which would you do first, and why?

Response flags: compress first, they should example why.

Q. 25. What is CSRF?

Response flags: Cross-Site Request Forgery, explain how to mitigate against (bonus points for mentioning nonce values).

Q. 26. What is a honeypot?

Response flags: explanation of what it is, and how one can be used for real-world deployments.

Q. 27. How would you encourage other developers to write secure code?

Response flags: looking for communication skills, what strategies they would suggest to rollout training and knowledge exchange etc.

Q. 28. What are URL manipulations?

Response flags: should give examples, bonus points for throughts on how to secure the contents of the query string.

Q. 29. How would you secure a Linux web application server?

Response flags: chance for the candidate to demonstrate broad knowledge.

Q. 30. How would you write a high-security web application?

Response flags: this is the "what if you could implement anything" question, candidate should express their vision of a gold standard for web application security best practices.

John Collins

I have been writing about web technology and software development since 2001. I am the developer of the Alpha Framework for PHP, and the five.today personal productivity app. I love open source, technology, and economics.