I've been seeing more and more posts on LinkedIn recently about the interview process for security folks. Compared to other tech positions like Software Engineer, there really isn't a whole lot of content out there for candidates who are prepping for interviews. I've personally kept a record of notable questions that I've gathered from both my own interviews and from discussions with my colleagues. This post highlights a few relatively open-ended ones that go beyond simple knowledge/definitions.
Describe your home networking setup
Back in my consulting days a Director that I worked with said he always uses this with junior level candidates. For many entry level candidates, they likely have not had a ton of real world, hands on experience, so this question offers some insight as to how they think about security in their personal lives. In addition to normal things like using WPA2 instead of WPA and WEP, he usually wanted to hear that the candidate had configured a separate guest wireless network for visitors. I also remember him telling me that one candidate had setup a site to site connection from her home to her parent's home so that she could RDP onto their desktops whenever they had computer issues. Was this a make or break question? Probably not, but passionate candidates could've certainly used this as an opportunity to stand out more.
You are a security engineer at a large payment processor. All servers allow administrators to remotely logon to them using SSH and their company LDAP credentials. Your manager suggested that as a precaution, you should configure a 3 failed attempt lockout policy for all accounts. Your colleague is worried that someone can lockout every account by writing a script to brute force login attempts. How do you prevent this from happening while implementing a 3 failed attempt lockout rule, or something similar to prevent unauthorized access?
I actually started asking this question to candidates after a friend of mine mentioned that this exact scenario happened to him while doing a pen test. Of course, the client wasn't happy, but at the same time they needed to account for this situation going forward to prevent it from happening again in the future.
Here are some of the answers I've heard from candidates:
- Tie the rate limit to an internal IP address or MAC address (more common with junior candidates)
- Implement some form of 2FA with a OTP instead of using lockouts (rare, but did come up from time to time)
- Use SSH keys or certificates that are harder to brute force instead of LDAP and forgo lockout (more common with senior candidates)
- Just require extremely long passwords for all users and forgo the account lockout
If you're curious, there's a neat tool out there called Teleport that uses some cool new ideas to secure SSH access.
You are running a website called Flightify that lets users search for and book flights from a variety of companies. Your product team is considering introducing a new feature that allows websites to embed flight information from Flightify. For example, if a travel blog has an article about Alaska, it can choose to display flights to Alaska and allow users to view additional information on the Flightify website via a referral URL. Websites receive a commission when users book a flight after coming to Flightify through a referral link. The product team has decided that users come from certain websites, such as those with a high amount of traffic, will receive an additional discount on any flights they see on these websites. The product team is concerned that users will simply spoof referral URLs until they find one with cheaper prices without having to actual visit the affiliate sites. Design a system that both prevents users from spoofing referral URLs.
This one was in the interview question bank of a friend of mine. It's designed to be a question with back and forth communication between the candidate and the interviewer, and is definitely not supposed to be quick. For the most part, candidates are able to use a whiteboard to gather their thoughts, and are asked to think out loud so the interviewer can understand their thought process and bring up corner cases. I always find scenario and design questions to be more useful for evaluating candidates than trivia based questions like "Is HTTP a stateless protocol?"
Some answers that he mentioned he heard include:
- Ensure that the referral URLs are generated using something like UUIDs
- Use CSRF tokens to ensure that the requests are actually coming from the affiliate website
- Just offer visitors of all affiliate partner sites the same discount
- Apply a rate limit to IPs that submit multiple requests with brute forced referral code parameters
These are just a few of the questions that have stood out to me over the years of interviewing, being interviewed, and sharing notes with colleagues. Do you have any additional questions that you like? Share in the comments!
SafeBase is the single source of truth for your security program. Close deals faster with a Security Status Page that accelerates the vendor assessment process for your customers.
